“If you can’t measure it, you can’t manage it.”
– Peter Drucker
ISO 31000 (Section 3, Part A) says that risk management should create and protect value, and it’s true. Underlying this principle, however, is the question: what does the organization value? The answer should theoretically be articulated in policy and in a statement of objectives. If not, it’s time to go back to square one and get some answers. Depending on the organization, what it values could be any combination of things. The following is a partial list to get you thinking, but it’s by no means comprehensive:
• Health and safety of people
• Learning and development
• Profit
• Service delivery to customers
• Timeliness
• Quality
• Production metrics
• Reputation
• Environmental protection
• Medical or technological breakthroughs
• Publicity
Many of these are intangible benefits, but boiling it down to basics, risk management should be able to demonstrate the link between risk management practices and tangible benefits for the organization. In the case of a not-for-profit organization or a government department, this might mean benefits to the recipients of their services, but this still ‘creates value’ in terms of the organization’s mandate.
Tempting though it may be to think that risk management automatically delivers benefits, that simply isn’t true. Risk management isn’t an end in itself. Applied ineffectively, it is just as capable of robbing value as any other management activity. The key word in all of this, however, is “demonstrate”. Ultimately an organization needs to be able to show clear, tangible benefits that can be measured. If the benefits can’t be measured, we are missing one of the fundamentals of a management system – a feedback loop.
Although simplistic, it’s not unreasonable to think of creating value as positive risk management and protecting value as negative risk management. In some areas of risk management it is easier to demonstrate these links than in others. For example, safety risk management is, in many respects, based on the concept of protecting people from harm, while the creation of value is often implemented through new projects or marketing initiatives. It is important to consider, though, that most risk management strategies or controls will both protect and create value. For example:
- Security which protects people and assets can equally create value by allowing your organization to open international offices in locations that would otherwise be too dangerous to operate in.
- Equally, financial portfolio management both creates and protects value through asset allocation, diversification, etc.
This shouldn’t be all that complicated and can be summed up in 3 steps:
- List the organization’s key result areas (KRAs). What are the results that you want to achieve? Not all of them, but just the ones which really count – i.e. the KEY result areas. E.g.: profitability, safety statistics, production quantities…
- Identify the critical success factors (CSFs) that must happen to achieve those results. What things will contribute to achieving those results? E.g.: staff training, the quality of the financial reporting systems, effectiveness of project management, etc.
- List the key performance indicators (KPIs) that will measure whether or not the CSFs are in place. E.g.: hours of training delivered per person per year, percentage completion of training plan, implementation of new financial reporting system before end of year, etc.
Example 1: Linking Risk Management to Value Creation
An organization might, in theory, have 6 corporate objectives, 8 critical success factors (CSFs), 10 key performance indicators (KPIs), 25 risks on the risk register and 15 risk treatments. These would probably be interlinked in a complex range of ways. For example, 5 risk treatments might support 1 or more organizational objectives.
To look at just one example of a causal pathway, let’s consider the links between foreign currency fluctuations and their effects on profitability. We might, for example, find the following way to demonstrate how risk management creates and protects value:
- Corporate objective #2: Maintain shareholder returns
- KRA #5: Net profit after tax of at least 10%
- CSF #5: Annual gross profit margins sustained
- KPI #2: New contracts maintain 25% or greater gross margin
- Risk: Failure to protect sales margins due to an increase in raw materials prices as a result of the global financial market adversely affecting currency exchange rates.
- Treatment: Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on cost of sales.
The emphasis here is on a 'causal pathway'. If you simply proposed a plan to “Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on cost of sales” you might have a great idea but you haven’t demonstrated how it adds value. Using a risk management approach can help you to build your case for funding this training.