How to improve organisational-wide performance with effective enterprise-wide risk management – A CEO’s practical guide

Risk management is an essential component of good management in any organisation. It is an objective-focused management practice that seeks to improve organisational-wide performance when it effectively implemented enterprise-wide.

Contrary to popular believe, risk management is not about managing specific events or situations. It is also not about managing a list of risk.

Rather, risk management is about managing the achievement of objectives, taking the appropriate risks in the right amounts (risk-taking), seizing opportunities (opportunity-seeking) and being successful. You are constantly identifying opportunities, uncertainties, and risks that might occur along the way between where you are now and where you want to go.

Improving business results and organisational-wide performance require enterprise-wide risk management practices to be simplified and embedded seamlessly into and throughout your business operations, planning and budgeting processes, including organisational culture. It is no longer an add-on or a management fad.

Proper and effective risk management must occur throughout different organisational layers and across organisational boundaries for organisational success. This is what enterprise risk management is all about.

Private and public sector organisations alike have struggled to understand the enterprise-wide risk management implementation steps and techniques. Over-engineered approaches and lack of understanding have caused a lack of appreciation for effective risk management. For those who have overcome these, they are reaping the fruits of their labour.

You too can improve organisational performance with effective and appropriately structured enterprise-wide risk governance and arrangements that seek to increase the likelihood and extent of your success.

Organisations must execute their strategies to succeed

High performing organisations, having developed strategies through best-in-class strategic planning processes, must ruthlessly implement strategies. They do so by removing performance barriers or risk through effective enterprise-wide risk management practices.

Management teams must implement and bring to life what looks good on paper. Everyone must translate written plans into tangible action that produces results!

An effective enterprise-wide risk management will enable an effective execution or implementation of your organisational or corporate strategy and achievement of your strategic objectives.

Organisations can implement their strategy and perform well if:

• Everyone in the organisation clearly understands the strategic, departmental, workgroup, and individual objectives, measures and targets and key priorities – Clarity.
• Everyone is connected emotionally and actively engaged in the organisation’s strategic themes, key objectives, and priorities – Commitment.
• There is a clear performance line-of-sight for everyone in the organisation. This enables everyone to be closely on-board and aligned to the achievement and success of the organisation’s key priorities and strategies – Translation.
• Structure, system, and cultural barriers are removed, risk-taking managed, and opportunity-seeking enabled through embedded enterprise-wide risk management processes – Enabling.
• Everyone is working together to arrive at better ways, to succeed, and to achieve objectives and targets through collaboration, innovation, and the removal of “It’s not my job” thinking – Synergy.
• Everyone is held accountable for their actions (or inactions). Every individual is responsible and rewarded for achieving success – Accountability.
• Everyone is a de facto risk manager, managing their own opportunities, uncertainties, and risks because they have personal objectives and priorities to manage and achieve – Responsibility.

Taking a different and practical approach

Organisational performance is dependent on the successful cascading of corporate strategy to every individual in the organisation where there is:

• Strong employee involvement, buy-in, commitment, and alignment to the achievement of strategic objectives and execution of the corporate strategy.
• A disciplined focus on only a hand-full of executable key objectives that matter most and would significantly make a difference.
• Close alignment of employees’ interests with those of the organisation.
• Positive work and performance culture that enables and empowers every employee to perform at their best.

Organisational performance and success will depend on every employee performing well and achieving their objectives. These personal objectives must be cascaded and linked to strategic objectives. There must be an alignment of personal contribution to the overall achievement of corporate strategy for improved organisational performance.

Taken together, the sum of parts must integrate seamlessly and work together cohesively as one to achieve strategic objectives.

An analogy of this would be an orchestra. Every musical instrument must be played in harmony with each other to produce a musical piece. The conductor (aka the CEO) unifies the orchestra, sets the tempo, and shapes the sound of the ensemble.

A typical symphony orchestra consists of four groups of related musical instruments called the woodwinds, brass, percussion, and strings. Among the instrument groups and within each group of instruments, there is a generally accepted hierarchy (like in any organisation).

Every instrumental group (or section) has a principal who is generally responsible for leading the group and playing orchestral solos.

When one or more members of the orchestra play out of tune from the rest, it will become noticeable. It will impact the quality of the played music. Performance suffers!

Likewise, every employee in the organisation must each play in tune and perform from the same song sheet with the rest of the workforce to deliver the required superior organisational performance. The larger the organisation or workforce, the larger this challenge will be.

But this is not impossible when there is a simplified but effective strategy execution in place for improving organisational performance.

Having an effective strategy execution will ensure that:

• All employees clearly see the alignment of their job, performance, and positive contribution to the achievement of corporate strategy and strategic objectives. There is a clear line-of-sight for value creation (or preservation) and performance.
• Personal performance and development objectives and plan are linked to the corporate strategy. This is enhanced through the appropriate human resource reward and performance-recognition systems.
• Support functions and core processes are tightly aligned with the corporate strategy and fully support the value creation activities of all business units along the organisational value chain.
• All functional, operational, and business unit fully support the achievement of the corporate strategy.
• Opportunities, uncertainties, and risks affecting the achievement of strategic objectives are actively identified, managed, and reported from an enterprise-wide perspective. Open discussions on performance (and non-performance) are vital for enhanced performance.
• All employees know regularly (more than annually) the progress they are individually making in contributing to the overall achievement and performance of the corporate strategy. Regular and continuous performance feedback is vital for improved performance.
• Organisational policies, procedures, systems, and processes are fully supporting each other from an integrated management perspective to implement the corporate strategy.

Strategy execution requires two types of fit within the organisation.

• Vertically fit — Strategic or vertical alignment is the systematic synchronisation of organisational levels, people, processes, systems, plans, objectives, incentives, and relationships that align the business, budgets, and operations to the corporate strategy.
• Horizontal fit — Integrate and synchronise individual components across core processes, value chains, and boundaries of the organisation for the key purpose of aggregated alignment with the corporate strategy. A value chain is a chain of activities that delivers a valuable product or service for the stakeholder.

When the organisational structure is complex, develop a robust, practical, yet simplified, integrated management system that will fully integrate the relevant management practices and common touch-points of the business into one coherent and synchronised management system that enables and drives the achievement of its corporate strategy. There must be both vertical and horizontal fit.

An effective system of risk management that is integrated seamlessly with planning, budgeting, and reporting processes enables employees to make better-informed decisions and choices. This is done by systematically identifying opportunities, uncertainties, and risks. The appropriate controls and treatments are implemented to increase the likelihood and extent of organisational success within an acceptable level of risk.

The implementation of an integrated approach to enterprise-wide risk management involves the following activities:

• Determine and contextualise the organisation’s capacity, capability, and appetite for the required performance level and level of risk needed to deliver the corporate strategy and strategic objectives.
• Contextualise, understand, and cascade the corporate strategy and strategic objectives into operational and individual scorecards and objectives that are specific, measurable, achievable, reasonable, and time bound (SMART).
• Identify opportunities, uncertainties, and risks that may enhance or threaten the achievement of organisational objectives and growth.
• Identify and evaluate the design and effectiveness of key controls intended to manage these opportunities, uncertainties, and risks. This creates a risk-based control environment that drives the achievement of objectives.
• Obtain appropriate independent assurances on the effectiveness of key controls across key areas of risk.
• Prioritise and allocate appropriate and sufficient resources to activities and projects that add real value to the achievement of corporate strategy and strategic objectives.
• Evaluate performance and report against the achievement of corporate strategy and objectives, budgets, risks, controls, and regulatory compliance.
• Continuously improve, adapt, and change based on feedback and lessons learned.

Risk management enables you to succeed

Risk management is about identifying opportunities, uncertainties, and risks that might occur along the way between where you are now and where you want to go.

After identifying these uncertain events, you assess how these events could affect the achievement of your objectives, at all levels of your organisation (vertical fit) and across the value chain of your business (horizontal fit).

Opportunities and risks arise because of uncertainties. Both have to be identified and managed. These uncertainties could either prevent you from being successful. Opportunities can accelerate your success.

The ultimate objective of risk management is not about avoiding risk or preventing you from doing the things you like to do. Rather, it is about the ability to take reasonable but informed risks and opportunities to be successful.

The value of risk management is that it enables decision-makers in the organisation to make better quality, timely, and risk-informed decisions that are within the acceptable levels of risk. It also enables decision-makers to seize on opportunities to increase the likelihood and extent of your success.

Risk management helps to actively manage risk-taking and accelerate opportunity-seeking.

Author

You know that there are safeguards in place to mitigate the likelihood of significant and costly mistakes by managing the potential consequences of uncertainties along the way. This allows you to “accelerate the car” and get to your desired destination quicker but safely. When you think about it, cars have brakes so that you can go faster and safely towards your destination.

Risk management acts like your brakes in the car. You assume it is there and is working effectively when you navigate around road corners or want to slow down at the lights.   

Likewise, organisations have risk management so they can take the appropriate risks or pursue opportunities to succeed in achieving their objectives.

Contrary to popular believe, risk management is not about managing specific events or situations. It is not about managing a list of risk on a 5-by-5 risk matrix. We have being caught up with risk matrixes rather than what it takes to be successful!

On the contrary, risk management is about achieving success or improving performance. It is about taking the appropriate risks, seizing opportunities and being successful. Risk management is success management.

You can only increase the likelihood and extent of your success and performance if you understand what might happen, both good and bad, as you strive to achieve your objectives and be successful.

Risk management identifies what needs to go right, rather than what can go wrong. What needs to go right is about making informed decisions to seek out opportunities and take the right amounts of opportunity and risk to succeed.

For far too long, we have been focusing on the process, compliance, and tactics of risk management, rather than the purpose and intent of risk management.

Author

Over the years, risk management has unfortunately become a compliance tick-the-box exercise of form filling. It has boiled down to the generation of long lists of risks that overwhelms people. Corporate executives have found no value in the practice of risk management, unfortunately.

It is so easy to get into the trap of focusing on the long list of risks or events without focusing on the big-picture performance and the consequences of these events on the achievement of your objectives. You can easily get trapped in the details rather than thinking about your success, and what needs to be done to be successful.

This is where the international risk management standard ISO 31000 defines risk as “the effect of uncertainty on objectives”. The Committee of Sponsoring Organisations of the Treadway Commission (COSO) defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.”

Good risk management always starts with a clear strategy!

A potter requires good quality clay before she starts. Without the right amount of quality clay, the potter will not get the intended outcome she is seeking to achieve. No matter what the potter does, the result will not be her best. There is only so much she can do with poor quality clay.

Likewise, the starting point for great organisational performance is a clear strategy. The basis for effective risk management is a clear and concise organisational strategy.

Only time will tell whether that strategy is good or bad. Strategy is about making tough choices. Indecision is also a strategic choice.

When the organisation knows where it is going and when it needs to get to its destination, it is easier to identify opportunities, uncertainties, and risk associated with that journey.

You wouldn’t leave your house without a destination in mind, would you? When you have a destination in mind, you are in a much better position to identify the possible uncertainties along your road trip like rain or traffic. You could even find opportunities by taking short-cuts to get to your destination faster, avoiding the traffic.

If you are unclear as to your destination, then you cannot implement good risk management. Period. There is no basis for risk management. Like the porter, you do not have the right quality clay to start with.

Additionally, if you use the wrong clay for the job, you will not get the right outcome. When you do not understand strategy in a networked and interconnected world and respond accordingly to your competitive environment, you have sealed our failure as seen from the demise of Blockbuster, which when bankrupt in 2010. You simply cannot apply great risk management to a sinking ship.

Therefore, the starting point for effective risk management is an appropriate strategy and objectives for a networked and interconnected world.

The irony is that Blockbuster failed because its leadership had built a well-oiled operational machine. It was a very tight network that could execute with extreme efficiency but poorly suited to let in new information. Antioco’s fatal flaw wasn’t one of intelligence or capability, but a failure to understand the networks that would determine his fate. (Forbes, 2014)

A conceptual model for success

Use the conceptual model as shown in the diagram below to improve organisational performance. The model shows how an appropriate organisational strategy can accelerate organisational success.

The foundational components for success include:

• A strategy is well-suited for a networked and interconnected world. Your strategy must be constantly adapted (not changed) to respond to the ever-changing competitive or operating environment. These changes are brought about by technology and people. Blockbuster’s foray into video-on-demand streaming came too late and it died a slow and painful death. They were too busy making money in their video stores to imagine a time when people would no longer want or need them.
• Appropriate governance structures, arrangements, and processes that everyone is committed to. Most organisational failures are due to poor or lack of governance. Corporate governance is a system of policies, processes, and rules that direct and controls a business’s behaviour towards achieving organisational goals. This includes an integrated approach with other management processes like planning, budgeting, compliance, and internal audit.
• A hierarchy of objectives that is developed, cascaded and aligned throughout all organisational layers, right down to the individual. It starts with top-level strategic objectives that are clearly defined and well understood.
• A simplified enterprise-wide risk management approach that effectively enables the achievement of organisational objectives at all levels of the organisation. The approach ensures that non-critical top-level risks and issues can be effectively cascaded to lower-levels of the organisation for active management, while critical lower-level risks and issues in the organisation can be effectively escalated up for top management oversight and monitoring based on pre-agreed escalation or business rules. This is where the cascading or escalation of performance and risk information becomes seamless and second nature after passing through the relevant governance arrangements.
• Clearly understand the organisation’s appetite for opportunity-seeking and risk-taking. A appetite statement specifies the amount of opportunity and risks the organisation is willing to seek or accept in pursuit of its strategic objectives. It indicates the parameters within which the organisation would prefer to conduct its activities.
• Performance and achievement of objectives are regularly reported at all levels of the organisation, aligned with governance structures and arrangements. Risk information must be presented side-by-side with performance information for context. Contextual performance and risk information drive meaningful discussions, reflection, and introspection by everyone responsible for performance and oversight. As risk management is a success-focused concept, risk information can only be meaningful within the context of performance and achievement of objectives. Avoid discussing risk information out of context from the performance.
• A risk-based internal audit program that seeks to identify opportunities and risks with the greatest potential impact on organisational success and achievement of strategic objectives. The program ensures that organisational performance is in relation to its appetite for opportunities and risks. It provides assurance to the board that the organisation is achieving its strategic objectives within pre-defined boundaries of opportunities and risks.
• Focus on winning the game rather than keeping your eyes solely on the rules of the game. A coach teaches his players to win the game rather than to follow the game rules. Since non-compliance can trigger expensive fines and penalties, as well as reputation damage, it should not be undervalued. However, following the rules of the game is incidental or part and parcel to winning the game. It should not be the main focus. Therefore, always seek to transform compliance into a value creation exercise.

Integrate risk management into your strategic planning

Strategic management is the selection, formulation, implementation, and evaluation of cross-functional decisions that will enable the organisation to succeed by achieving its objectives. It combines the activities of the various functional areas of a business to achieve organisational objectives.

Strategy (and objectives) can be formulated on different levels of the organisation, as shown in the diagram below:

• Corporate level strategies – This level is concerned with:
  • Selection of businesses in which the organisation should compete or operate in. Strategic opportunities, uncertainties, and risks are linked to the achievement of strategic objectives, measures, and targets.
  • Development, coordination, and management of that portfolio of businesses.
• Business unit level strategies (aligned to corporate-level strategies) – This level is concerned about developing and sustaining competitive advantage for the goods and services that are produced by the organisation. Business unit opportunities, uncertainties, and risks are linked to the achievement of business unit objectives, measures, and targets.
• Functional or departmental level strategies (aligned to both corporate-level and business unit level strategies) – This level is concerned about business processes and the organisation’s value chain. Departmental opportunities, uncertainties, and risks are linked to the achievement of aggregated portfolio or program objectives, measures, and targets.
• Portfolio or program level strategies (aligned with functional, departmental, business unit and ultimately, corporate-level strategies) – This level is concerned about delivering value to stakeholders. Portfolio or program opportunities, uncertainties, and risks are linked to the achievement of portfolio or program objectives, measures, and targets.
• Projects (aligned primarily to the portfolio or program-level strategies) – This level is concerned with the effective delivery of tangible outcomes within the boundaries of time, cost, and quality. Project opportunities, uncertainties, and risks are linked to the achievement of project objectives, measures, and targets.

Your risk management approach to drive improved performance. Always begin at the highest level. Start from corporate level strategy and work across the various organisational layers, right down to every individual in the organisation as shown in the diagram below.

By completing the strategic aspect first, it is possible to ensure that operational and transitional phases are accurately placed within the strategic context. This ensures that opportunities, uncertainties, and risks are effectively identified and managed at all levels of the organisation. It also ensures that they are closely linked to the organisation’s hierarchy of objectives.

The assessment of strategic risk facing the organisation must be incorporated into the corporate planning and review cycle as part of the organisation’s strategic management process. The assessment should reflect the key results expected of the organisation with a strong emphasis on opportunities, uncertainties, and risks that might affect the achievement of key strategy or business results.

The following diagram shows how the strategic management process can be integrated and link to the risk management process.

The basic principle here is that financial results are determined by people, process, and operational performance. This is the result of performance drivers such as clear strategy and objectives, effective business processes, a competent workforce and management team, and a results-orientated culture that employs motivated people. These performance drivers are exposed to opportunities, uncertainties, and risk, both external and internal, that needs to be effectively managed and controlled.

Risk management not only protects the organisation’s value but seeks to create or enhance it. It should not be positioned within the organisation as only a compliance process or a value-protection function. Rather, it complements and integrates with strategic and performance management to improve business and individual performance.

Integrating both strategic management and risk management processes improves the financial and operational performance of the organisation, both in the short term and long term. It helps the organisation succeed by implementing its strategies and achieving its goals.