Time to link risk and performance management: but how?

‘Risk management and performance management need to work in synch’ is a statement with which very few would disagree, especially in the wake of recent corporate collapses. It is apparent that a number of organisations took disproportionate risk without considering reasonable, long-term performance expectations. But less clear is how this statement can be made to work in practice.

A growing body of work seems very keen on solutions that promise ‘alignment’ between risk and performance management. The various bits of risk and performance management (e.g., strategy, business objectives, performance indicators; risk assessments, risk appetite, risk metrics) are literally ‘lined up’; proximity is fostered through formal arrangements that include coordinating roles, joint deadlines and milestones, use of common inputs, shared information platforms.

Indeed, the evolution of risk and performance management systems reveals parallels that might foster alignment. Both are focused on the achievement of business objectives, are organisation-wide, and are designed to emphasize organisational interdependencies and line management responsibility.

However, there are also reasons to caution against ‘aligned’ infrastructures for risk and performance management. The business can simply be too complex to combine company-wide risk and performance information in a single infrastructure.

Alignment can come at the cost of excessive simplification, which paradoxically constitutes a source of risk itself. Moreover, even if the infrastructure can provide an accurate representation of the environment, management cannot be assured that this infrastructure can cope with a rapidly changing reality. For instance, how many organisations in the UK had ‘civil unrest’ in their risk registers prior to August 2011? How many airline companies considered ‘volcanic ash cloud’ prior to April 2010?

There is certainly something positive about the intensifying interest in risk management, i.e. the benefits of making noticeable, through processes and techniques, a large number of high probability/low impact risks that are routinely faced by organisations. Yet the idea that a formal risk management system, especially if aligned to corporate performance management, can help control all risks - low probability/high impact risks in particular - causes some perplexity.

So, what are possible alternatives to the ‘alignment’ of enterprise-wide risk and performance management?

One suggestion could be: ‘work on your key business metrics’. Business metrics can be divided into lagging indicators, which focus on past results, and leading indicators, which capture drivers of future conditions and thereby provide early warning capacity.

Leading indicators are a nice (not new) concept with a bad reputation: they are hard to measure (e.g., lack of credible data as they look at the future) and understand (e.g., defining clear tolerance levels can be problematic). However, an organisation that is able to adequately combine lagging and leading indicators in its control system might reach, without much additional effort, a higher level of risk-orientation in performance management than organisations pursuing formally ‘aligned’ enterprise-wide infrastructures. A good mix of lagging and leading indicators would enable an organisation not only to measure past results, but also to capture potential future changes that must be monitored, tracked, and interpreted.

A second suggestion could be: ‘make sure people think about risks when making decisions’. This may lead to another slippery area: risk culture. The ambition to create a ‘culture of risk awareness’ has steadily moved up the agenda of both public and private sector organisations, although it is not entirely clear what it means practically and what general suggestions can be made to create or strengthen risk culture. The latter is likely to be highly dependent on the scale, profile and background of an organisation or even different parts of an organisation.

However, there are a number of simple questions that might help to understand how much (or how little) people think about risks when making decisions. For instance, think about asking managers at different organisational levels: ‘What are the most important bits of management information for your daily work?’, followed by: ‘What do they tell you, if anything, about the key risks faced in your area of responsibility?’. The way in which these questions get answered (or not answered!) might tell a lot about risk awareness and prompt corrective actions.

--

Tommaso Palermo is speaking at the forthcoming event jointly organised by CIMA and Airmic:

Risk and performance – getting the right balance
9:30-1:30pm, Thursday 29th September 2011
Armourers Hall, 81 Coleman Street, City of London EC2R 5BJ.
(fully booked http://www.amiando.com/CIMAriskevent.html - but you can still join the waiting list or participate online)

Join the event online!

To get updates and discuss the event with other participants in advance, post your comments and questions on Twitter using the hashtag #riskresearch
We will put these questions and observations to the event attendees.

More risk event blogs:

Doing the right projects: project portfolio management in tough times - by Professor Liz M Daniel, Open University
Risky business - by Gillian Lees, CIMA (follow Gillian on Twitter)

Read Tommaso Palermo's report:
Further details of the study can be found in the Research Executive Summary: Integrating risk and performance in management reporting