Wednesday, August 3, 2011

It's not just about the numbers...

The previous article (It's a question of values) discussed how to tell if risk management is supporting organizational objectives.  In the ideal world, it's not a difficult thing to do: metrics such as payback period, Net Present Value (NPV) and Return on Investment (ROI) give an easy cost/benefit calculation. At the very least, you can usually tell if you achieved some tangible benefit. In practice it's not so easy and that's what this article is about.  (By the way, if you're very short of time, the key points are summed up in Table 1 below, but if you're like most of us and only moderately short of time, it's probably worth reading the full article.)

The So-called ‘Soft’ Benefits
Unlike most business investments, risk management is often seen as delivering a 'soft' benefit. By this, I mean that the benefit is sometimes difficult to measure directly. Typically, there is likely to be a benefit, but it is unclear whether the predicted savings will be realized in the bottom-line or otherwise quantified.  Risks are by their nature, abstract concepts - things that may or may not occur, and hence any proposed risk treatments have abstract benefits. Even if you do implement a risk treatment:
  1. The risk may not realized and the predicted consequences never occur, 
  2. The risk occurs but the scope and damage are less than predicted. 
This issue of soft vs. hard benefits doesn't invalidate the risk management business case, but it does make it rather unusual. While most business cases include both hard and soft benefits, many of the important benefits with risk management have in the past been ill-defined or unstated.

Making Intangible Benefits 'Tangible'

There is no such thing as ‘perfect risk management’. All risk management involves making trade-offs, some of those stated, but many unstated.  More often than not, it's these unstated or seemingly 'intangible' elements that will make or break the case for risk management.  We will often also have to make decisions and trade-offs regarding perceived versus actual risks.  Sometimes managing the actual risk will also mitigate the perceived risks and vice versa.  Sometimes not.

Sometimes it may appear that the perceived risks are more important than the actual risk, and other times vice versa.  There are many reasons, why we might choose to focus more on managing perceived risks.  For example, removing nail clippers from airline passengers may have little to do with managing the actual risk of hijack but it is part of the process that visibly demonstrates that something is being done.  In fact, the risk of hijack is usually perceived by the travelling public, to be much higher than it actually is. The greater risk associated with airline hijackings, is therefore not one of hijack but the risk that people lose confidence in aviation safety, with the resulting economic costs and the increased road fatalities.  

Similarly, it will often be appropriate to put in place measures such as tamper proof packaging on food and drugs even though it is still entirely possible to contaminate the goods inside.  Such measures in practice will only deter the lazy or ignorant would-be poisoner, but they do reassure the consumer to continue purchasing the product.

Of course, these issues of perceived versus actual risk are largely subjective and will vary depending on individual risk criteria and level of understanding. Many risk management projects have more benefits to an organization than the ones that are cited, but some of these benefits may be difficult to quantify in absolute terms. A significant driver in the decision-making process is likely to be personal or organizational agendas, which will involve greater or lesser good to various parties.

Don't lose heart however. I'm about to give you a bundle of ideas regarding how you can identify seemingly intangible risks and illustrate the value they add.

Some Practical Tips on How to Measure the Immeasurable

Firstly, it's worth going out on a limb by saying that intangible benefits are something of a misnomer. All benefits are quantifiable - if we think laterally.  Intangible benefits in this context, represent benefits that are difficult, or impossible, to accurately predict and measure in financial terms. Often, however, these intangible benefits can be quantified into Key Performance Indicators such as percentage market share, or industry ranking. Some simple examples of intangible benefits to be considered when evaluating and measuring the performance of a risk management project include:

  • Brand Advantage - reinforcing, advancing or changing an organization's reputation as a safe and/or well managed place to work
  • Strategic Advantage - working towards or meeting overall corporate objectives
  • Competitive Advantage – getting into markets ahead of competitors faster and less expensively, better addressing customer needs, meeting changing market demand, scaling easily and more cost effectively, and gaining market share
  • Intellectual Capital - increase in relevant knowledge gained by risk management and other staff, and the perceived market value from those gains
  • Organizational Advantage - enabling an organization to function more effectively, or reinforcing or recreating a corporate culture 
  • Risk Avoidance - the risk of NOT implementing a solution
Table 1: Metrics for Measuring Intangible Benefits
Every company or organization has objectives that are measured in non-financial terms. Some of these include improvements in branding, image, customer satisfaction, product development time, employee recruitment, and many others come in this category. Reaching these objectives should ultimately translate into either financial savings or increased income, but the objective and progress towards it are measured first in non-financial terms. Does your proposed action contribute to one of these objectives? If so, it deserves some attention.

If you were writing the business case for risk management, I'd suggest that assigning financial value to benefits should be one of the last additions to the business case, not as is often the way, the first. If you can show in tangible terms that your proposal contributes to a business objective, the benefit is real.  If management agrees that reaching the objective has value, then the benefit has value.  That much of the value proposition is solid.

Sure, measuring the links between risk management and (say) staff skills, can be easier said than done. When trying to assign value to a risk management initiative however, sit down with your colleagues, finance team members, and managers to decide 'what is the value of reaching the objective?' and 'does the risk management framework or treatment contribute to this?'.  If the answer is yes, the only question remaining is: 'what percentage of that value should be credited to the risk treatment?' The figure you agree on may not be 100%, but it should not be 0% either.  


NB. Hope it's useful reading for you. This article is actually an excerpt from another ebook titled 'The Business Case for Risk Management'. Due out in the next month or so. 

No comments:

Post a Comment