Thursday, July 28, 2011

It's a question of values....

“If you can’t measure it, you can’t manage it.”
– Peter Drucker

ISO31000 (Section 3, Part A) says that risk management should create and protect value, and it’s true. Underlying this principle, however, is the question: what does the organization value? The answer should theoretically be articulated in policy and in a statement of objectives. If not, it’s time to go back to square one and get some answers. Depending on the organization, what it values could be any combination of things. The following is a partial list to get you thinking, but it’s by no means comprehensive:
• Health and safety of people
• Learning and development
• Profit
• Service delivery to customers
• Timeliness
• Quality
• Production metrics
• Reputation
• Environmental protection
• Medical or technological breakthroughs
• Publicity

Many of these are intangible benefits, but boiling it down to basics, risk management should be able to demonstrate the link between risk management practices and tangible benefits for the organization. In the case of a not-for-profit organization or government department, this might mean benefits to the recipients of their services, but this still ‘creates value’ in terms of the organization’s mandate.

Tempting though it may be to think that risk management automatically delivers benefits, that simply isn’t true. Risk management isn’t an end in itself. Applied ineffectively, it is just as capable of robbing value as any other management activity. The key word in all of this, however, is “demonstrate”. Ultimately an organization needs to be able to show clear tangible benefits that can be measured. If the benefits can’t be measured, we are missing one of the fundamentals of a management system – a feedback loop.

Although simplistic, it’s not unreasonable to think of creating value as positive risk management and protecting value as involving negative risk management. In some areas of risk management it is easier to demonstrate these links than in others. For example, safety risk management is, in many respects, based on the concept of protecting people from harm, while the creation of value is often implemented through new projects or marketing initiatives. It is important to consider, though, that most risk management strategies or controls will both protect and create value. For example:
  • Security which protects people and assets can equally create value by allowing your organization to open up international offices in locations which would otherwise be too dangerous to operate.
  • Equally, financial portfolio management both creates and protects value through asset allocation, diversification, etc.
The key activity here is to be able to link risk management to organizational objectives, and the easiest way to do that is to use key performance indicators (KPIs). If you’re lucky, your organization will already have documented objectives and strategic KPIs. If not, you’ll get a chance to apply your creative talents and, as any good employee or consultant already knows, MSU (make stuff up). The trick is that in some fashion, the risk management framework and risk assessments must draw a link to the achievement of organizational objectives and be measurable against the KPIs.

This shouldn’t be all that complicated and can be summed up in 3 steps:
  1. List the organization’s key result areas (KRAs). What are the results that you want to achieve? Not all of them but just the ones which really count – ie. the KEY result areas. Eg: Profitability, safety statistics, production quantities…
  2. Identify the critical success factors (CSFs) that must happen to achieve those results. What things will contribute to achieving those results? Eg: Staff training, the quality of the financial reporting systems, effectiveness of project management, etc.
  3. List the key performance indicators (KPIs) that will measure whether or not the CSFs are in place. Eg: Hours of training delivered per person per year, percentage completion of training plan, implementation of new financial reporting system before end of year, etc.
Last but not least, it’s essential to be able to link risk mitigation or opportunity enhancement measures to those KPIs. If you propose, for example, to deliver training on xyz as part of a risk treatment plan, there should be a clear link from that training to the desired outcome.

Example 1: Linking Risk Management to Value Creation
An organization might, in theory, have 6 corporate objectives, 8 critical success factors (CSFs), 10 key performance indicators (KPIs), 25 risks on the risk register and 15 risk treatments. These would probably be interlinked in a complex range of ways (for example, 5 risk treatments might support 1 or more organizational objectives).

To look at just one example of a causal pathway, let’s consider the links between foreign currency fluctuations and their effects on profitability. We might, for example, find the following way to demonstrate how risk management creates and protects value:
  • Corporate objective #2: Maintain shareholder returns
  • KRA #5: Net profit after tax of at least 10%
  • CSF #5: Annual gross profit margins sustained
  • KPI #2: New contracts maintain 25% or greater gross margin
  • Risk: Failure to protect sales margins due to an increase in raw materials prices as a result of the global financial market adversely affecting currency exchange rates.
  • Treatment: Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on cost of sales.
This of course shows just one slice of the KPIs, CSFs and KRAs that an organization might have, but hopefully you get the general idea. Even in this simple example, the treatment (financial analysis training) probably addresses a host of issues and directly or indirectly supports a number of corporate objectives (eg: environment, health and safety, sales growth etc). However, you can see from this just how easily the causal link can be drawn between ‘training’ and ‘shareholder returns’.

The emphasis here is on a 'causal pathway'. If you simply proposed a plan to “Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on cost of sales” you might have a great idea but you haven’t demonstrated how it adds value. Using a risk management approach can help you to build your case for funding this training.