A new balanced scorecard Measuring performance and risk
“Risk — let’s get this straight up front — is good. The point of risk management is not to eliminate it; that would eliminate reward. The point is to manage it — that is, to choose where to place bets and where to avoid betting altogether.” ‘Managing Risk in the 21st Century’ Thomas A. Stewart, Fortune, 7 February 2000
Introduction Due to the recent turmoil in the financial sector, it is easy to lose sight of the fact that risk management at many nonfinancial companies is not sufficiently effective either. All too often, and in all sectors of our economy, efforts in risk management are dispersed, isolated and unrelated to the wider company strategy. Many organizations would benefit greatly from a more comprehensive and integrated risk management approach that takes into account strategic, operational, financial and compliance risks. An effective risk management system covers all risk areas, is deeply embedded within existing practices in the company and is present throughout all its businesses. Risk management should not be a separate silo, a relatively isolated add-on to the day-to-day workings of the organization. On the contrary, risk management should be intimately linked to performance management. Performance management and risk management are two sides of the same coin and should be treated as such. Splitting them into different and virtually separate management systems significantly reduces the effectiveness of risk management and may have dramatic consequences.
The goal:
“Risk management should not be a separate silo, a relatively isolated add-on to the day-to-day workings of the company. To the contrary, risk management should be intimately linked to performance management.” The reality: “The pressure on the risk department to keep up and approve transactions was immense… …criticisms that we were being “non-commercial,” “unconstructive” and “obstinate” were not uncommon.” “At the root of it all, however, was — and still is — a deeply ingrained flaw in the decision-making process… The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”… Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.” The Economist, ‘Confessions of a Risk Manager’, 7 August 2008
A new balanced scorecard Measuring performance and risk
1
Risk management aligned with performance management One of the most effective ways to link performance and risk management is the integration of risk factors and risk management in a company’s performance management tool of choice. Currently, the balanced scorecard (BSC) is by far the most popular tool for performance management. For each of the four main perspectives in the classic BSC, a company defines its goals and the related Key Performance Indicators (KPIs). These KPIs allow the organization to measure and monitor its performance. Now is the time to enhance the BSC with Key Risk Indicators (KRIs) and integrate performance and risk management. In a business world that is growing more complex and global by the day, this need for integration is more pressing than ever.
The corporate scandals in the early years of this decade led to stricter rules regarding financial reporting and internal controls: the Sarbanes-Oxley Act in the US; additional corporate governance requirements in many other countries; stricter regulations at most stock exchanges. These new rules, however, tend to deal primarily with only one aspect of risk management: ensuring the reliability of reported financial performance. Without denying the essential importance of this issue, it is clear that there are many other risks out there in the business world. It is perfectly possible for a company to be fully SOX compliant but suffer from clearly inadequate risk management, with flaws that can prove fatal. In fact, more shareholder value has been destroyed as a result of strategic mismanagement and poor execution than in all the financial reporting scandals combined.1 What companies need beyond strict controls over financial reporting is integrated, comprehensive risk management. A new, “risk-enhanced” BSC is a solid tool for achieving this objective.
Risk management aligned with performance management… two sides of the same coin Create value
Define strategy
Seek opportunities
Protect value
Avoid negative events
Performance management focus
Risk management focus
Resolve problems
Continuous improvement
1 “Are Boards Worrying About The Wrong Risks?”, Corporate Board, March/April 2006
2
A new balanced scorecard Measuring performance and risk
Risk management beyond SOX Many listed companies have made a big effort to comply with regulations on financial reporting and internal controls as demanded by the US Sarbanes Oxley Act and other, similar laws, codes or regulations. However, the mere fact that a company is fully SOX compliant does not mean that it has an adequate risk management system in place. Imagine a car race in which the owners (shareholders) of the car (company) have entrusted their vehicle to a driver of their choice (management). After a few nasty accidents due to speeding, the organizers of the race (government) have obliged all participants to install a “SOX Information System” in each car. This system ensures that both drivers and owners receive frequent, reliable information on the speed of their car, information that is difficult to tinker with. However, the SOX Information System doesn’t give any information on other important factors that influence the performance and risk level of the car during the race such as tire pressure, oil level, expected weather conditions or the expertise of the maintenance team. Each one of these risk factors frequently has a major negative impact on performance and occasionally even causes an all-out crash. In other words, the SOX Information System ensures that drivers and owners can be pretty sure they have the right information on speed; it hardly mitigates the many other risks that may reduce performance or even cause total-loss accidents.
By integrating the risk dimension into this new BSC, we can do for risk management what the traditional BSC has done for performance management. Since its introduction, the BSC has been instrumental in unifying the culture and language in a company regarding its business goals and performance management, regardless of function and management layer. In the new BSC, we can achieve the same unifying result for risk management and position risk management where it belongs: intrinsically linked to performance management. The KPIs on the BSC provide an organization with tools to plan, measure and monitor its performance. As a result, the BSC helps a company to translate its vision and strategy into a clear and balanced set of financial and non-financial objectives that can be measured. These objectives are cascaded throughout the organization. From a top-down perspective, one KPI at a higher level is granulated into various, more detailed KPIs at a lower level. Obviously, from the bottom-up perspective, various KPIs at the lower level are aggregated into one KPI at the higher level. At the top of the pyramid sits the “Dashboard” BSC for top management, with a limited number of main KPIs. Thus, the traditional BSC has become the key link between different levels of management and between long-term and short-term goals. It integrates the general strategic goals and financial targets with operational planning and with ongoing financial forecasts and performance review.
Examples of performance and risk in the new balanced scorecard Performance: penetrate new markets through licensing agreements Risk: underreporting of sales by licensees Performance: engage suppliers at a very early stage to increase speed and efficiency of product development Risk: unintentional disclosure of trade secrets and other proprietary technology or knowledge Performance: increase sales in emerging markets Risk: increased exposure to political instability or legal uncertainty Performance: acquire a competitor and merge it with an existing business unit Risk: organizational stress and reduced employee loyalty
A new balanced scorecard Measuring performance and risk
3
In a similar way, the new BSC, enhanced with KRIs, will allow a company to plan, measure and monitor its risk management at each level of the organization. Executive management will be able to frequently gauge the essential risk situation of the company through the regularly updated Dashboard BSC. With adequate, dynamic information on both performance and risk, top management has all the information it needs to decide if and when a modification of strategy, objectives or procedures is appropriate.
they may arrive too late, they may arrive at the wrong harbor or — in the worst scenario — they may never be seen again. Obviously, the choice of performance objectives and related KPIs will influence the relative importance of risks and, therefore, the choice of KRIs. In the BSC area of clients and stakeholders, if a company has embraced the strategic goal to shift from older to younger customers, a suitable KPI could be “Percentage of clients under 40 years of age.” Two risks the company may face while pursuing this objective spring to mind. Older customers may feel abandoned and leave the company much faster than envisaged; youngsters may be enticed by special offers to become customers, but may leave soon after, because the company hasn’t learned yet how to cater to their needs and tastes. Two KRIs to monitor these risks could be the defection rate of older customers and the churn rate of new, younger customers.
Important decisions should not be taken just from a performance perspective. The risk dimension should be an integral part of the decision-making process. Management basing its strategy only on performance criteria is like a group of sailors setting out with a good map, compass, GPS and speedometer, but with no weather forecast, spare parts, tools, first-aid kit or life jackets. The sailors may be lucky and get to the right harbor on time. But then again,
Classic balanced scorecard Financial “To succeed financially, how should we appear to our stakeholders?”
Objectives KPIs Measures Targets Initiatives
Clients and stakeholders “To achieve our vision, how should we appear to our clients and stakeholders?”
Objectives KPIs Measures Targets
Internal business process
Vision and strategy
Initiatives
“To satisfy our clients and stakeholders, what business processes must we excel at?”
Objectives KPIs Measures Targets Initiatives
Learning and innovation “To achieve our vision, how will we sustain our ability to change and improve?”
Objectives KPIs Measures Targets Initiatives
Source: Adapted from The Balanced Scorecard by Dr. Robert Kaplan and Dr. David Norton
4
A new balanced scorecard Measuring performance and risk
As for internal business process, a company may set the goal of downsizing its labor force by 10% through financial incentives in order to achieve a competitive cost level. The related KPI would be the number of employees. However, the company may run the risk that too many high performers who are of key importance for the organization may decide to “take the money and run.” It could monitor this risk by defining the group of high performers and measuring how many of them are leaving. Again, this KRI is intimately related to the KPI. In finance, a company may respond to shareholders’ criticism of an “inefficient balance sheet” with a strategy to increase its financial leverage. Shareholders’ funds as a percentage of total liabilities could be a suitable KPI to measure progress. But obviously, increasing leverage means increasing various risks, e.g., the risk that a company breaks its loan covenants with banks. This covenant risk can and should be measured with a KRI.
Scorecard — re-balanced Financial “To succeed financially, how should we appear to our stakeholders?”
Objectives KPIs Measures Targets KRIs Initiatives
Clients and stakeholders “To achieve our vision, how should we appear to our clients and stakeholders?”
Objectives KPIs Measures Targets
Internal business process
Vision and strategy
KRIs Initiatives
“To satisfy our clients and stakeholders, what business processes must we excel at?”
Objectives KPIs Measures Targets KRIs Initiatives
Learning and innovation “To achieve our vision, how will we sustain our ability to change and improve?”
Objectives KPIs Measures Targets KRIs Initiatives
Source: Adapted from The Balanced Scorecard by Dr. Robert Kaplan and Dr. David Norton
Companies are constantly trying to improve their operations through learning and innovation and rightly so; but often the endeavor to make operations more efficient enhances existing risks or creates new ones. For example, if a company wants to reduce production lead times (easily measured by a KPI) this strategy — if inappropriately designed or executed — may cause an increase in quality problems. Therefore, this risk should be monitored with the correct KRIs in conjunction with the KPI. KRIs in this area could be the percentage of faulty products deemed unsuitable for sale or the percentage of product devolutions by customers.
A new balanced scorecard Measuring performance and risk
5
Linking the KRIs to the KPIs in the BSC is a good remedy to avoid an unbalanced analysis of a company’s progress. At many companies, performance is monitored and measured constantly and structurally, and executive management has sufficient information to judge where the company stands regarding its performance targets. However, information on risks related to the various company strategies is of much lower quality and sometimes merely anecdotic, especially in the areas of markets/ customers and internal organization. A new, risk-enhanced BSC will eliminate this imbalance. What’s more, a clear definition of risks and related KRIs in all four BSC areas will unify risk culture and language within an organization: everybody knows what the company has defined as its key risks and, through the KRIs, what its ‘risk tolerance’ and ‘risk appetite’ are regarding each of these risks. This common language and culture is a necessary condition for a clear definition of responsibilities and processes: who owns which risks? What communication channels should be used to inform the owner of a risk quickly of new, relevant events? Of course, much as with KPIs, great care should be taken when defining the related KRIs for a BSC: is a KRI really measuring what we want it to measure? And if so, are we measuring it correctly?
6
This full use of KRIs in all four areas of the BSC has an important additional advantage: it helps to ensure that risks are detected and taken into account before they show up in the financial figures of a company. All too often, top management only thinks of risks if and when they show up in one of the many financial figures of the company. Most risks, however, do not start out as a purely financial risk, but in other areas: Markets, Operations or Organization. KRIs in those non-financial areas are often more relevant for risk management as they precede financial problems. In other words, non-financial indicators are often leading, whereas financial indicators are often lagging. This holds true for KRIs as it does for KPIs. Now is the time to integrate our risk and performance management through the introduction of KRIs in the BSC. In the process, we will develop a common risk culture and language for the whole organization. The new, risk-enhanced BSC will allow us to break down barriers within an organization, to clearly define and prioritize risks and to cascade these priorities throughout the organization.
A new balanced scorecard Measuring performance and risk
Contacts For enquiries about our Advisory services in the following countries and regions, please do not hesitate to contact our global team Norman Lonergan
Global Advisory Services Leader
+ 44 (0)20 7951 6479
Ernst & Young’s Advisory Services
Robert Patton
Americas
+ 1 404 817 5579
Gerd Stuerz
EMEIA
+ 49 211 9352 18622
Robert Der
Far East
+ 86 21 2228 2666
Michio Shibuya
Japan
+ 81 3 3503 1122
Doug Simpson
Oceania
+ 61 2 9248 4923
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 18,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multi-disciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It’s how Ernst & Young makes a difference.
7
8
A new balanced scorecard Measuring performance and risk
Ernst & Young Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 135,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. For more information, please visit www.ey.com . Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
www.ey.com EYG no. AU0227 © 2009 EYGM Limited. All Rights Reserved. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.