
So you’re the owner of a risk management program within your organization. You’re comfortable with the information you’re gathering, and have a good picture of your risk portfolio and control structure. However, the business units aren’t fully invested in the process and executive management is questioning the bottom-line value of ERM and GRC. A strategy to consider that will address both issues is linking performance management to risk management, using indicators.
The ERM landscape has shifted over the last 12 months with the official publication of ISO 31000 - the first true international risk management standard. A key element of ISO 31000 is the recognition of corporate performance objectives and how the organization's ERM approach impacts progress toward them.
From a rational perspective, this concept makes sense. All activities of a business should serve the ultimate organizational goal - success, as defined by the individual requirements of the business and its stakeholders. In practice, businesses are not perfectly efficient, and the challenge is to identify those activities whose contributions do not provide sufficient value.
Successful risk management programs can justify their value more effectively when they are related to the needs of the business. For example, the head of retail banking may not care when the CISO reports that 40% of tellers are not complying with the password policy. When that information is shared in conjunction with the $1 million per month in losses that can be attributed to bad passwords, retail banking becomes far more interested.
Risk management is most successful when it is embedded in the corporate culture - both top-down and bottom-up. This cultural shift is more likely when risk management is seen as a partner to the client-facing side of the business, rather than an adversary. To strengthen that partnership, the groups need to work together to identify key factors that contribute to the success of the business.
Progress toward achieving those success factors can typically be tracked using multiple indicators. Business units will monitor key performance indicators, based on institutional knowledge, market conditions and experiences. The KPIs that work best for your organization may not suit others, but common examples include average call center response times, new loan application volumes and sick leave.
The risk management functions typically use key risk indicators as a supplement to KPIs. Common operational KRIs include firewall intrusion attempts and suspicious activity reports. Ideally, the KRIs that your organization utilizes will feed into the KPIs, and act as an early warning system.
So, if one of your organizational objectives is to attain a certain level of customer profitability, your KPIs should be identified according to those actions that impact your ability to reach that target. Items like customer borrowing levels, pricing spreads, news about individual customers and changing market conditions all influence customer profitability, and lend themselves to use as KPIs. Once you've established the pertinent KPIs for your organization, look for KRIs that impact those KPIs.
With any indicator, whether performance or risk, there are a number of elements that are critical to its identification and gathering. A consistent, reliable source of data is required. Frequency can be variable - some indicators are one-off exceptions, while many are regularly posted. You should also be able to identify the relationships between an indicator and business objectives, risks, control activities and other indicators. The value of the indicator is that it is targeted - general knowledge that something has happened is fine, but specific knowledge of what will be impacted by that event is far more useful.
A common mistake that organizations make is confusing volume and detail for utility. With all your transaction systems and your GRC applications, there are mountains of data at your disposal. Before determining whether to track a specific indicator, make sure that it has relevance to the business needs - tracking an indicator because you can is not an efficient use of resources. Re-evaluate your indicators periodically to validate their continued value.
Ideally, your indicators will be a mix of lead and lag indicators. Most data points are lag indicators - alerting you to events that have already occurred. Lag indicators must be timely, allowing you to choose the proper response and react quickly. Lead indicators are more difficult to identify, as they tend to be made up of multiple data points that when viewed together indicate that an event is likely to occur. Identifying lead indicators allows you to truly be proactive in managing your risks.
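The following is an added example, not code from the original article, that models the indicator elements described above: each indicator carries a source, a frequency, a lead/lag classification and its links to objectives, KPIs and risks; lag indicators are evaluated one at a time, a lead signal is composed from several KRIs viewed together, and indicators with no business linkage are flagged for re-evaluation. Every indicator name, threshold and reading here is constructed for illustration (the password-compliance and loss figures echo the article's retail banking example); none comes from a real system.

```python
"""Added example (not from the original article): KRIs feeding KPIs,
lag indicators evaluated individually, a lead indicator composed from
several data points, and a utility check for unlinked indicators.
All names, thresholds and readings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Indicator:
    name: str
    kind: str                       # "lead" (early warning) or "lag" (already occurred)
    source: str                     # the consistent, reliable data source it is drawn from
    frequency: str                  # "daily", "weekly", "monthly" or "exception"
    threshold: float                # reading at or above which the indicator fires
    impacts: List[str] = field(default_factory=list)  # objectives / KPIs / risks it relates to


# Constructed KRIs (risk side). The unlinked one is deliberately included
# to show the "tracking it because you can" case.
KRIS = [
    Indicator("password_noncompliance_pct", "lead", "iam_audit", "weekly", 30.0,
              ["kpi:fraud_losses_usd"]),
    Indicator("firewall_intrusion_attempts", "lead", "siem", "daily", 500,
              ["risk:network_breach", "kpi:fraud_losses_usd"]),
    Indicator("suspicious_activity_reports", "lag", "aml_system", "monthly", 10,
              ["risk:fraud"]),
    Indicator("printer_toner_alerts", "lag", "facilities", "daily", 5, []),
]

# Constructed KPI (business side) linked to a corporate objective.
KPIS = [
    Indicator("fraud_losses_usd", "lag", "general_ledger", "monthly", 1_000_000,
              ["objective:customer_profitability"]),
]

# Constructed readings for one reporting period.
READINGS: Dict[str, float] = {
    "password_noncompliance_pct": 40.0,   # 40% of tellers out of policy
    "firewall_intrusion_attempts": 120,   # below its own threshold
    "suspicious_activity_reports": 4,
    "fraud_losses_usd": 1_000_000,
}


def fired(indicators: List[Indicator], readings: Dict[str, float]) -> List[str]:
    """Lag-style evaluation: each indicator judged on its own latest reading."""
    return [i.name for i in indicators if readings.get(i.name, 0) >= i.threshold]


def lead_score(indicators: List[Indicator], readings: Dict[str, float]) -> float:
    """Composite lead signal in 0..1: mean of each lead KRI's reading relative
    to its threshold (capped at 1), so several moderately elevated data points
    add up even when none crosses its own line."""
    leads = [i for i in indicators if i.kind == "lead"]
    if not leads:
        return 0.0
    ratios = [min(readings.get(i.name, 0) / i.threshold, 1.0) for i in leads]
    return sum(ratios) / len(ratios)


def early_warning(kris: List[Indicator], readings: Dict[str, float],
                  trigger: float = 0.6) -> Tuple[bool, Dict[str, List[str]]]:
    """Fire the composite lead indicator and map it to the KPIs/risks it
    points at, so the business unit hears 'fraud losses at risk' rather
    than 'password policy exceptions'."""
    score = lead_score(kris, readings)
    if score < trigger:
        return False, {}
    links: Dict[str, List[str]] = {}
    for i in kris:
        if i.kind == "lead":
            for target in i.impacts:
                links.setdefault(target, []).append(i.name)
    return True, links


def unlinked(indicators: List[Indicator]) -> List[str]:
    """Indicators with no relationship to an objective, KPI or risk: candidates
    to drop at the next periodic re-evaluation."""
    return [i.name for i in indicators if not i.impacts]


if __name__ == "__main__":
    print("lag KRIs fired:", fired(KRIS, READINGS))
    print("KPIs at threshold:", fired(KPIS, READINGS))
    print("lead score:", round(lead_score(KRIS, READINGS), 2))
    print("early warning:", early_warning(KRIS, READINGS))
    print("unlinked indicators:", unlinked(KRIS))
```

With the constructed readings, only the password KRI crosses its own threshold, yet the composite lead score (0.62) already fires the early warning and names the fraud-loss KPI and the network-breach risk it is linked to, while the toner alerts are surfaced as an indicator with no business linkage.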
The final element of linking performance management and risk management through the use of indicators is the ability to impact not just corporate performance but individual employee performance. Tying employee reviews and incentive compensation to risk management is another way to embed a risk management culture into your organization. For this to be successful, ensure that the risk measurements that you use have direct impact on the success of the organization.
There is more value in risk management and GRC practices than most organizations have been able to realize. Using indicator data to better monitor your risk profile and better manage your business at the same time is a big step toward unlocking that value.