Strategic Performance & Risk Integration
Mihai Ionescu - Senior Strategy Consultant, Owner Balanced Scorecard Romania, Author
Although this is not a new topic, we still see from time to time people asking how to integrate Strategic Performance and Risk.
Rather than presenting all sorts of principles and theories, we'll take a more applied, hands-on approach. Take a look at the diagram below (a picture is worth a thousand words :)
You can find the slide on Issuu (.pdf) at http://issuu.com/mihaiionescu7/docs/strategic_performance-risk_integrat and on SlideShare (.ppt) at http://www.slideshare.net/slideshow/embed_code/45280328
The integration of Strategic Performance and Risk revolves around the Strategic Objectives. We plan to take specific actions to achieve our Strategic Objectives: to change, transform and improve our operational processes, set of competencies, management systems, etc. We do that through the Strategic Initiatives that we associate with our objectives, and we monitor the performance of achieving the objectives through a set of KPI Measures that we link to each objective.
However, we often find that our efforts are counter-balanced by one or more negative events that have the opposite effect, denying the full achievement of the Strategic Objectives and reducing or cancelling the positive effects of our initiatives. These are the Risk Events, triggered by external or internal factors, which can affect the operational processes, competencies, systems, relationships, etc. that we are targeting and changing in order to achieve the Strategic Objectives.
Some of these events cannot be foreseen (the unknown-unknowns or black swan events), but others can be anticipated in terms of probability/likelihood of occurrence and magnitude of impact or estimated consequences. Some of them may negatively affect the achievement of certain Strategic Objectives more than others, which means that we can create, for each of our objectives, a list of potential Risk Events that may affect its achievement.
Strategic Risks Planning Methodology
❶ Take each Strategic Objective in your Strategy Map and list the Risk factors (or risk areas) that may affect its achievement. You might list Risk factors/areas such as: commercial, operational, legal, regulatory compliance, IT/communications, security, safety, human, managerial, etc.
❷ Under each Risk factor/area that is relevant for the objective, list the Risk Events that may affect its accomplishment. Rate the Risk Events in the list and create a short-list with the most important risks that should be considered. Remember, you are creating a model, which is a prioritized simplification of reality. Example: Within the IT/security Risk factor/area, we can define as important the risk of 'Unauthorized access to our IT systems' (ERP, Billing, CRM, SFA, Intranet, Customer Portal, etc.).
❸ For each top-ranking Risk Event in the objective's short-list, identify at least one KRI Measure (Key Risk Indicator) that can reflect the variations in the Probability of the Risk Event's occurrence (also named Likelihood of occurrence) and at least one KRI Measure for the Consequences level (also named Impact level). Define for each of them a formula that maps the KRI's measured values to a 1-5 scale.
NOTE: If a significant proportion of your Risk Events have a high variability of either Probability or Consequences levels, you might want to use a scale of 1-10 instead of 1-5, but in this case it is highly advisable to use the same scale for all your Risk Events, to avoid confusion.
❹ For each Risk Event, define a Risk Appetite level (1-25 or 1-100), which is conceptually equivalent to the Target of the KPI Measures. By comparing the Exposure level (= Probability level * Consequences level) to the Risk Appetite level, you can calculate the Risk Exposure Status of the Risk Event.
Example: We can measure the Probability level of the risk in the example above ('Unauthorized access to our IT systems') by monitoring the number of daily, weekly, or monthly failed unauthorized access attempts to our IT systems (if the number of attempts is high enough, a breach may occur, sooner or later). We can measure the Consequences level by calculating the ratio between the number of failed unauthorized access attempts to our critical IT systems (ERP, Billing, CRM, SFA, etc.) and those to less critical IT systems (Intranet, Customer Portal, etc.).
❺ Define the Weight of each Risk Event, which is required to calculate the Objective's Risk Exposure Status as the weighted average of its Risk Events' Exposure Statuses.
❻ For each Risk Event, identify the Risk Mitigation Initiative(s) that may reduce the exposure (the probability, the consequences, or both). If the Risk Exposure level is already close to the Risk Appetite level, you can schedule the Risk Mitigation Initiative(s) in the planning stage, in the same way you do for the [performance] Strategic Initiatives. Otherwise, place the Risk Mitigation Initiatives on hold and launch them only when the Risk Exposure level gets closer to the Risk Appetite level.
NOTE: There are at least two other parameters that define a Risk Event, besides the Probability and Consequences. One of them is Predictability, which defines how reliably the KRI Measures can detect the variations in the Risk Event's Probability and/or Consequences. Another one is the Speed of Onset, which reflects the dynamics of the Risk Event (how quickly it may occur once the increase of Probability is detected, reducing our available mitigation time). You might want to launch the Risk Mitigation Initiatives at lower levels of Exposure for those Risk Events that have a lower Predictability level and/or a higher Speed of Onset.
NOTE: Another observation can be made, in the balance between Strategic Performance and Risk, about the magnitude of the negative effects of a Risk Event's occurrence. The term 'strategic drift' is another representation of a risk's negative consequences/impact (by what percentage Risk Event X will negatively affect the accomplishment of Objective Y). However, the risk mitigation actions cannot be planned or taken only on this basis, because it may be less economical to allocate the limited resources we have available (time and money) to preventing a Risk Event A with a consequence level of 4 and a probability level of 1 (exposure level 4 = 4 x 1) than to preventing a Risk Event B with a lower consequence level of 3 but a higher probability level of 2 (exposure level 6 = 3 x 2).
In other words, risk A will cause a higher 'strategic drift', but because the occurrence probability of risk B is twice as high, we allocate more resources to mitigating risk B than risk A, even if the potential negative impact of risk B is 25% lower than that of risk A.
❼ Build your Risk Scorecard, which is similar to the Performance Scorecard, except that under each Strategic Objective you show the Risk Events defined for the Objective and under each Risk Event its KRI Measures.
❽ In the Strategy Map, add a Risk Exposure Status visualization (a semaphore, an R-Y-G status bulb, etc.) beside the Performance Status visualization for each Strategic Objective, in order to monitor both the performance and risk statuses for that objective.
❾ Draw the Objectives - Risk Mitigation Initiatives matrix, in order to better see which initiatives help reduce the risk of which objectives (a many-to-many relationship). Align the Risks throughout the organization, in the same way you align the Objectives, cascade the KPI Measures and the Strategic Initiatives.
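The calculation steps above (KRI-to-scale formula, Exposure = Probability x Consequences, comparison to Risk Appetite, the weighted average per Objective, and the launch/hold decision adjusted for Predictability and Speed of Onset) as an added worked example, not code from the article. The thresholds, weights, appetites and the trigger offsets in mitigation_action are assumed values; the KRIs for the 'Unauthorized access' event are the ones the article describes.

```python
from dataclasses import dataclass

def to_scale(value, upper_bounds):
    """Step 3: map a raw KRI value to a 1-5 level; upper_bounds are the
    four upper limits of levels 1..4 (constructed per KRI)."""
    return 1 + sum(1 for bound in upper_bounds if value > bound)

@dataclass
class RiskEvent:
    name: str
    weight: float            # step 5: weight within the objective
    appetite: int            # step 4: Risk Appetite on the 1-25 exposure scale
    prob_bounds: list        # KRI-to-scale formula for the Probability level
    cons_bounds: list        # KRI-to-scale formula for the Consequences level
    predictability: int = 5  # 1-5; lower = KRIs detect variations less reliably
    speed_of_onset: int = 1  # 1-5; higher = less mitigation time once detected

    def exposure(self, prob_kri, cons_kri):
        """Step 4: Exposure level = Probability level * Consequences level."""
        return to_scale(prob_kri, self.prob_bounds) * to_scale(cons_kri, self.cons_bounds)

    def status(self, prob_kri, cons_kri):
        """Risk Exposure Status as Exposure / Appetite (1.0 = at appetite)."""
        return self.exposure(prob_kri, cons_kri) / self.appetite

    def mitigation_action(self, prob_kri, cons_kri):
        """Step 6 plus the Predictability / Speed of Onset note: launch at a lower
        status when detection is weaker or onset faster (offsets are assumed)."""
        trigger = 0.8 - 0.05 * (5 - self.predictability) - 0.05 * (self.speed_of_onset - 1)
        return "launch" if self.status(prob_kri, cons_kri) >= trigger else "hold"

def objective_exposure_status(events, readings):
    """Step 5: Objective's status = weighted average of its Risk Events' statuses."""
    total = sum(e.weight for e in events)
    return sum(e.weight * e.status(*readings[e.name]) for e in events) / total

# Constructed sample: two Risk Events under one Strategic Objective, with the
# article's 'Unauthorized access' KRIs and invented thresholds, weights, appetites.
UNAUTHORIZED_ACCESS = RiskEvent(
    "Unauthorized access to our IT systems", weight=2, appetite=12,
    prob_bounds=[100, 300, 1000, 3000],  # monthly failed access attempts
    cons_bounds=[0.25, 0.5, 1.0, 2.0],   # attempts on critical vs. less critical systems
    predictability=3, speed_of_onset=4)
KEY_STAFF_LOSS = RiskEvent(
    "Loss of key IT staff", weight=1, appetite=8,
    prob_bounds=[2, 5, 10, 20],          # annual attrition % in the team
    cons_bounds=[0, 1, 2, 4],            # roles with a single point of failure
    predictability=4, speed_of_onset=2)
EVENTS = [UNAUTHORIZED_ACCESS, KEY_STAFF_LOSS]
READINGS = {UNAUTHORIZED_ACCESS.name: (1200, 1.5), KEY_STAFF_LOSS.name: (3, 1)}
```

With these readings the access event sits above its appetite (exposure 16 vs. 12) and is launched, while the staffing event (exposure 4 vs. 8) stays on hold; the objective's weighted status comes out just above 1.0.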
Frequent trap: Lack of Performance vs. Risk Event
A final note, based on the practical experience of identifying relevant Risk Events for our Strategic Objectives. The biggest challenge here is to avoid the trap of considering that the lack of performance in achieving an objective is the same thing as a risk event affecting that objective. Let me give an example: The Strategic Objective is 'Improve the competencies for the new technologies employed'. The lack of performance would be the increase in the level of issues, errors or scrap once the new technology is used. This may be driven by the failure of the designated employees to participate in the required training sessions and then pass the exam that certifies their newly acquired competencies. But that's not a risk event. It's just an inefficiency of the 'New competencies training program' Strategic Initiative, which should be spotted by the KPI Measures that are linked to the objective. The risk event would be the cancellation of the contract by the training course & exam provider. Or an urgent customer project that takes over the time initially allocated for training and examination. Or a breakdown of the examination platform. Or a sooner-than-expected change in the technology employed that renders the current training obsolete. I'm sure you get the idea.
Strategic Risk integration and the Strategy Map
The Strategy Map, as the representation of the Strategy on a single page, integrates Strategic Performance and Risk in two ways.
One has been mentioned above. It's the visualization, for each Objective on the map, of its Performance and Risk Exposure statuses. A 'green' status on Performance together with a 'red' status on Risk represents a cause for concern, for obvious reasons. However, if we had not integrated Strategic Performance with Strategic Risk, the 'green' status on Performance alone would have indicated a good evolution towards the Objective's accomplishment. You can easily understand the possible consequences.
The other way to integrate Strategic Performance and Risk is by splitting the Strategic Objectives into three categories, depending on how much their accomplishment depends on Performance Actions and/or on Risk Actions. The diagram below represents these three categories in a symbolic manner.
Performance & Risk Objectives
The most relevant observations here are for the first and for the last of the three categories. The Performance Objectives are those Strategic Objectives for which we could not identify any meaningful and relevant risk that may negatively impact their accomplishment. That is seldom the case, but it can happen, especially in established industries or stable or slow-changing contexts in which allocating resources for preventing risks that have negligible effects on certain objectives does not have a lot of economic justification.
The Risk Objectives are a reality in any strategic context. Before speaking about their specifics, we would reference a military analogy of 'positions to be conquered' and 'positions to be defended', which is self-explanatory. It is quite normal that certain existing Core Capabilities of an organization can be 're-used' to support a part of the Strategic Choices in the new Transient Competitive Advantage that we are building as part of the Strategy. They are at the required maturity/functionality level, therefore we don't need to change/adapt/improve them. However, they are important components of our Strategy. These are the 'positions to be defended', because we have 'conquered' them before. For example, we might have a very good and efficient direct distribution logistics system, which we are using in the distribution of the new categories of products that our new Strategy mandates. Or we might have an advanced project management capability, except that in the new Strategy we are using it for delivering new types of services to a different category of customers. What would happen if, while we are focused on creating or developing the required new Core Capabilities that we are missing or that need to be upgraded or enhanced (the 'positions to be conquered'), the quality or the adequacy of the Core Capabilities we already have, and which are important in the new Strategy, degrades significantly? What if people with Core Competencies we were counting on leave the company? What if some unforeseen changes happen in the economic, competitive or technology context, making our existing Core Capabilities obsolete, insufficient or inadequate?
How do we deal with these events that might affect the success of our Strategy, even if Performance, i.e. the achievement of certain Strategic Objectives and the closing of certain Strategic Gaps, is not the issue here, at least not at the moment when we are formulating our new Strategy and launching the execution of the new Strategic Plan?
The answer is based on the Risk Objectives. They don't have KPI Measures or Strategic Initiatives linked to them, as these objectives are already accomplished at the time we are planning our Strategy Execution, and they wouldn't even be included in a pure-Performance Strategy Map and Scorecard.
But because we count on these Objectives to remain accomplished along the execution cycle of our Strategic Plan and because they are important to our new Strategy, we have to monitor them. More precisely, we have to look at any Risk factors/areas and Risk Events that may degrade, cancel or deny their accomplishment level. We need to place them on the Strategy Map and, although they have no Performance status or visualization (status semaphore, dial or R-Y-G bulb), they have a Risk Exposure status and the corresponding status visualization. This involves evaluating the most relevant Risk Events that may negatively impact their already-accomplished status, identifying and monitoring the required KRI Measures and planning or preparing Risk Mitigation Initiatives, to prevent the respective risks from occurring or to reduce their consequences, if they do.
I hope this article will help you in your quest to better integrate the Strategic Performance and Risk in your organization. Good luck!