Strategies and top-level objectives are ‘broken down’ and cascaded downwards
From the highest level, guided by the appropriate organisational structure, organisational vision and strategies are translated, ‘broken down’ and cascaded as individual business and supporting units’ objectives, and performance measures and targets as shown in the diagram below.
These are cascaded further down across all organisational layers, relevant for everyone in the organisation. This ensures that there is vertical fit.
All top-level objectives can be and should be cascaded as individual performance objectives as measured by their annual performance plan.
There are three options when cascading objectives or measures from one higher-level (parent) to the next sub-level down (child):
- Adoption – Sub-level adopts the exact objective and/or measure as its parent. This is used when you want to install the same performance discipline.
- Distinctive – Sub-level develops measures or objectives that are unique and cannot be explicitly attributed to its parent. This allows for independence from the parent due to the unique characteristics of the sub-levels.
- Shared – Every child at the same level shares or contributes to the parent’s objective and/or measure, either on an absolute basis or relative basis. This is used there is joint accountabilities of measures.
Ensure alignment and line-of-sight of all individual performance to avoid uncoordinated actions and poor outcomes. This is where strong people and culture come in to implement effective performance management, compensation, training and development systems and processes.
Prioritise objectives throughout each level of the organisation
An effective prioritisation ensures clear focus or line-of-sight performance for everyone within the organisation.
Develop strategic themes (or value drivers) that align with the organisational vision and strategy for prioritisation and alignment to be effective. Examples of strategic themes include revenue growth, sustainable outcomes, and efficiency.
Eliminate organisational activities or initiatives that do not support strategy implementation and execution and organisational success. These are non-value adding activities.
Use management tools like the balanced scorecard to cascade down top-level objectives, and performance measures and targets systematically throughout the organisation, right down to every employee. This is based on four cause-and-effect perspectives (financial, customer, processes, and people) as shown in the diagram below, which can be customised to suit your unique circumstance.
Not all strategic objectives apply applicable to all units. Weight the achievement of each unit for clarity so that individuals managing their unit are clear about their unit performance, avoiding any finger-pointing. Eliminate joint responsibilities. Identify single points of accountability.
Integrate and embed risk management throughout the organisation
Each level of the organisation will now have its cascaded objectives. This will enable opportunities, uncertainties, and risks to be effectively identified and managed by every individual. These opportunities, uncertainties, and risks are closely and linked to the achievement of the cascaded objectives.
Information about these opportunities, uncertainties, and risks are documented in the relevant risk/issues register. These registers record information about identified risks and issues. It includes all information about each identified opportunity and risk, such as the nature of that risk, level of risk, who owns it and what are the mitigation measures in place to respond to it.
A risk management plan specifies the approach, the management components, and resources to be applied to the management of opportunities, uncertainties, and risks. These plans can be developed for each level of the organisation, based on these identified opportunities, uncertainties, and risks, as shown in the diagram below.
Risk management plans interact with each other constantly, passing or transferring risks and issues up and down through the different organisational levels based on pre-established criteria. These criteria should be the same as those criteria for passing performance or critical information to the Board.
If, for example, a unit cannot address a risk solely by itself because it does not have control, influence or authority over the management or implementation of the control, that unit’s risk should be ‘passed up’ as a risk item into the next level up’s risk register. This risk could end up in the strategic risk register for corporate or organisational-wide action.
Additionally, if the control were operational within that unit, the Unit Head may ‘pass down’ that risk into a project’s risk register for the project team’s attention. The project manager will be responsible for managing that risk. This interactive process ensures that someone is responsible for actively managing the risk, which could be identified from any part of the organisation.
An enterprise-wide approach to risk management that will enable:
- Every employee to understand the organisation’s risk appetite, risk tolerance, performance targets, and where are the ‘edges of the envelope’ for each business line, product, geographic unit, and value chain.
- Every employee to operate at or near the ‘edges of the envelope’ without crossing the line, where risk-takers (e.g., executives) take measured risk without crossing the line and risk-averse employees (e.g., doers) take on more measured or acceptable risk to reach the line.
- Employees can raise opportunities, concerns, issues, and risks for discussion and management without fear of repercussions within a positive organisational culture of mutual trust and respect.
- Fearless and objective reporting of performance (or non-performance), variances, compliance, budgets, and lessons learned.
- Every business unit and workgroups within the organisation can assess, monitor, and manage opportunities, uncertainties, and risks consistently.
Risk management must therefore be an integral and integrated part of organisational culture and processes, embedded as part of everyday organisational life. It could be embedded across and throughout the organisation when it is designed and implemented well.
Risk registers and plans are living documents that should be part of and a sub-set of performance reporting. This is where opportunities, risks, performance, and achievements are constantly monitored and appropriately evaluated against the achievement (or even non-achievement) of strategy and objectives.
Avoid silo-based performance and risk management practices
Supporting unit’s objectives like finance and people and culture must effectively support the achievement of front-line business units’ objectives. They should not be operating independently, having disparate or non-related objectives.
Rather, they should be actively supporting front-line operations in everyone’s quest to succeed. Ultimately, every part of the organisation must be helping each other achieve the organisation’s strategic goals, whether directly or indirectly.
The “It’s not my job” mindset must be minimised or eliminated.
This ensures that there is horizontal fit across the organisation’s value chain, where organisational boundaries are broken down.
Also, all prioritised activities must be adequately resourced, both financially and with the right qualified people. This includes resourcing opportunity-seeking activities and risk-taking activities and mitigations. Effective portfolio and program management ensure that the appropriate resources are assigned to the relevant projects and initiatives.
Risk management helps to strengthen the organisation’s control environment
The flow-on effect of an effective organisational-wide risk management approach is the creation of an effective control environment that enables the achievement of strategic objectives.
An effective control environment sets the appropriate foundation for improving organisational performance and future success within a risk-control cycle as shown in the table below. It ensure that there is vertical and horizontal fit throughout and across the organisation.
Controls are policies, procedures, practices, and organisational structures and arrangements designed to provide reasonable assurance that:
- Organisational strategies and objectives can effectively be achieved within the appropriate opportunity-seeking and risk-taking appetites.
- Operations are effective and efficient across the organisational value chain.
- Organisational reporting is complete, reliable, accurate and timely.
- All applicable laws and regulations are complied with.
- Critical or key performance information can be effectively reported across different organisational layers to the appropriate accountable person.
- The appropriate organisational culture is developed to support improved individual performance.
| Risk-control cycle | Description | Key questions |
| Set or confirm strategies and objectives | Clarifying what the organisation is seeking to achieve and succeed, starting with its vision and strategic objectives. | What am I trying to achieve?What does success look like for me?How can I tangibly measure and report that success? |
| Identify opportunities, uncertainties, and risks to achieving those strategies and objectives | Identify opportunities, uncertainties and risks that may affect or impact the achievement of these strategies and objectives. | What could go wrong?What could happen that would affect the achievement of my strategies and objectives? |
| Assess opportunities, uncertainties, and risks throughout different organisational layers and across organisational boundaries | Assess likelihood that each opportunity, uncertainty, or risk that may materialise. Determine the consequences arising if it does materialise. | What is the likelihood or probability that the opportunity, uncertainty, or risk will occur?What is its consequence or impact if that opportunity, uncertainty, or risk does eventuate?What is the likelihood and extent of my success? |
| Identify responses to opportunities, uncertainties, and risk | Identify and select cost-effective responses to managing opportunities, uncertainties, and risk, based on Board approved opportunity-seeking and risk-taking appetites. | What is my opportunity-seeking appetite?What is my risk-taking appetite?Am I operating within the given opportunity-seeking or risk-taking appetites?What are the responses or options available to me to succeed and achieve my objectives? |
| Implement actions, controls, or treatments to take advantage of opportunities or mitigate uncertainties and risks | Implement cost-effective actions in your risk management plan. | How do I rate my control effectiveness?In the light of my control assessment and prioritisation, what is the most cost-effective way to respond to opportunities, uncertainties, or risks?Can the implemented controls provide the necessary assurance that the organisation can succeed by achieving its strategy and objectives? |
| Develop effective information and communication throughout different organisational layers and across organisational boundaries | Develop cost-effective information and communication systems and processes to enable the organisation to succeed in meeting its objectives, and for timely reporting of opportunities, uncertainties, risks, and decision making. | How can I integrate risk, and performance information and indicators into my everyday reporting and decision-making processes? |
| Implement on-going monitoring activities to ensure controls are appropriately designed and effective in their implementation | Once controls have been established, develop, and implement on-going cost-effective monitoring and review activities to ensure that opportunities, uncertainties, and risks are effectively managed and controlled. | How do I use the information management system and technology/IT to maintain or enhance my on-going risk monitoring and performance reporting capability?How can I ensure that controls and mitigations continue to operate effectively and efficiently as an integral part of organisational culture and business processes? |
Effective risk management can strengthen your control environment throughout different organisational layers and across organisational boundaries. This in turn will increase the likelihood and extent of your success by the achievement of your strategy and objectives.
Beware of the sum of all parts
Effective risk management calls for an intentional collaborative approach involving all parts of the organisation – throughout different organisational layers and across organisational boundaries. There is intense cooperation by everyone in the organisation towards achieving the organisational strategy, vision, and mission.
As Jim Colins say, everyone must be on the same bus in the right seats heading to a single destination for any organisation succeed. When there is no meeting of minds, actions, and direction, there will be organisational chaos and failures.
Taking an enterprise-wide approach to risk management is vital as opportunities, uncertainties, or risks in individual units may be within the risk appetite of that individual unit. But taken together, that unit’s risk might exceed the risk appetite of the organisation (as a whole).
In which case, a different response may be required to bring an individual unit’s risk in line with the organisation’s risk appetite.
Everyone is a risk manager
Hence, the need to have an effective enterprise-wide approach to identifying and managing opportunities, uncertainties, and risks across the entire organisation and throughout different levels of the organisation.
Effective risk management will also impact every individual. Organisational strategies and objectives must be translated, broken up and cascaded right down into individual performance goals for everyone in the organisation.
This is where everyone is a ‘risk manager’ because everyone has cascaded individual objectives to meet and managed. These cascaded top-down objectives must be appropriately translated and effectively encapsulated into everyone’s performance plan.
As such, everyone will have opportunities, uncertainties, and risks to actively manage to be successful in their work. This is risk management at the individual level.
When there is a good alignment between individual effort and performance across the organisation, the overall organisational performance should improve especially when it is done well and operating effectively.
The result is improved organisational performance.
In summary
Every employee must individually contribute to the overall success of the organisation. Like members of an orchestra, all employees must play in tune and contributing positively in parts to the overall performance of the orchestra.
Each employee must manage their performance by achieving their objectives that have been cascaded from the overall corporate strategy. In doing so, they must manage their opportunities, uncertainties, and risks related to the achievement of these individual objectives. Risk management helps them make the best-informed decisions to achieve their objectives.
An effective enterprise-wide risk management system enables the whole organisation to achieve its strategic objectives and to succeed as a collective of well-coordinated individuals performing at their best.
Enterprise risk management helps improve performance throughout different organisational layers and across organisational boundaries. It enables vertical and horizontal fit in your organisation.
Organisational-wide performance can only be improved with effective enterprise-wide risk management that seeks to bring out the best individual performance at all levels of the organisation and across the organisation’s value chain.
Risk management is just good management!