
How To See It Coming: Linking Risk and Performance Management

Many companies use retrospective indicators, disparate systems and inefficient data-gathering processes to monitor their core business activities. But how can you get the information you need to make sound, risk-informed decisions? Technology research firm Gartner predicted that, between 2009 and 2012, more than 35% of the top 5,000 global companies will 'regularly fail to make insightful decisions'

Uploaded by

sunnykapoor3
Copyright
© Attribution Non-Commercial (BY-NC)

Governance, risk & compliance

How to see it coming: Linking risk and performance management

Get up to speed*

How to see it coming next time: Linking risk and performance management
Many companies use retrospective indicators, disparate systems and inefficient data-gathering processes to monitor their core business activities. So how can you get the information you need to make sound, risk-informed decisions?

How much do you really know about your business? In our previous point of view, we talked about the importance of making everyone personally accountable for risk. But you can’t expect people to take the right decisions unless they have the right information – information that’s both relevant and reliable.

Of course, most organisations collect an enormous amount of data. But extracting truly meaningful information from this morass of detail is often very difficult indeed. Technology research firm Gartner recently predicted that, between 2009 and 2012, more than 35% of the top 5,000 global companies will ‘regularly fail to make insightful decisions about significant changes in their business and markets’ because they lack the necessary information, processes and tools.

The problem is two-fold. First, much of the data companies collect is backward-looking. But in order to manage risk properly, you have to see ahead. So you require information that gives you clues about the future; like the anti-collision radar systems used in aircraft, it must warn you of danger before the danger materialises.

Second, that information must be accurate – and a robust technological infrastructure is essential here. Yet many organisations still rely on inefficient processes and disparate systems to capture the data they need. They supplement their existing infrastructure with isolated ‘patches’, as and when new compliance requirements surface – an approach that results in an increasingly hotchpotch IT environment.

So how can you create an information base that will give you the insights you need to see risks that are still on the horizon and respond to them appropriately?

Highlights

1. Identify what you really need to know: Define your core business objectives and the main risks that could help or hinder you in achieving them.
2. Choose the measures that matter most: Look for indicators that can give you an idea of how these risks might affect your company’s performance, if they occur. Be selective; a few key measures are far better than a long checklist.
3. Turn your data into actionable information: Standardise your management and reporting processes, make sure that you’re fully utilising your existing systems and use middleware, if necessary, to integrate disparate data elements.
4. Create a risk-informed organisation: Use the information you now possess to monitor your operational and financial performance, identify any opportunities for improvement or growth, and infuse the organisation with a shared sense of responsibility for risk management.

How to see it coming next time PricewaterhouseCoopers 1


Understanding the links between risk and performance

• Risk is, by definition, forward-looking; it’s a measure of the probability of loss or gain from a given event, and that probability of loss or gain directly affects a company’s performance objectives. Yet many executives still see risk management and corporate performance management as quite separate activities.

• They focus on trying to avoid any repetition of known, historical business problems, rather than anticipating major changes. But risk management that’s based on prevention rather than prediction fails to prepare a company for the future. It cannot, for example, take account of the sort of shifts that redefine an entire industry.

• In fact, risk management should be an integral part of a company’s operational and financial performance management. And the measures the C-suite uses to manage risk should be closely connected with the measures it uses to manage the other elements of the company’s performance.

• Unfortunately, however, this is much easier said than done. The overwhelming majority – 71% – of the senior executives we polled in one recent survey said that the biggest barrier they face in linking their risk and performance indicators is lack of reliable information.

• Why? A lot of companies have inefficient data-gathering processes; fragmented systems; and heterogeneous reporting structures, based on different reporting periods, data sources and reporting tools, which typically produce conflicting versions of the ‘truth’.

• Many companies also implement risk management and compliance initiatives in response to a crisis or to meet a legal deadline, rather than treating them as an intrinsic part of their performance management processes. As a result, such projects are often conducted in isolation, without regard for the systems that are already in place. This ad hoc approach makes it very hard for management to get a coherent picture of what’s happening throughout the entire enterprise.

• Conversely, adopting a holistic approach to risk management enables a company to understand the links between its risks and performance; to establish a meaningful set of measures – or risk-informed performance indicators, as we’ve called them – for monitoring its progress; and to make smarter management decisions.

• So how can you get the information you require to manage your risks and performance holistically? There are four key steps:
  – Identify what you really need to know
  – Choose the measures that matter most
  – Turn your data into actionable information; and
  – Create a risk-informed organisation.



1 Identify what you really need to know

• Begin with the big picture. All large organisations gather a huge amount of information, so the first task is to ascertain what you really need to know. Start by sitting down with your fellow executives and defining your business objectives – the key strategic, operational and financial goals you want to realise.

• Look at the flipside. Now identify the main risks that could either help or hinder you in achieving your objectives. These will obviously vary, depending on your company’s individual circumstances and the industry in which it’s operating. But suppose, for example, that it’s a components manufacturer. The main strategic risks it faces might include intense competition and the pace of innovation, while the main operational risks might include supply-chain disruptions and intellectual property theft, and the main financial risks soaring commodity prices and a large pension plan liability.

• Assess the odds. Once you’ve identified the key risks your business faces, you should assess how they would affect it, if they materialised. Consider both the size of each risk and its momentum; is it increasing, decreasing or stable? This will help you determine how likely it is to occur. It will also help you spot any potential conflicts of interest within the business. It’s only by aligning information about your objectives and risks that you can detect and resolve such competing objectives.

• Keep track. The next step is to devise a set of risk-informed metrics that will enable you to track your organisation’s performance and ensure that the decisions everyone makes are in line with the strategy you’ve established. We’ll talk more about this in the following section.

Connecting the dots

When a leading Canadian utility set itself various core business objectives, the board recognised that the company couldn’t achieve its goals without considering the attendant risks. So it implemented a three-phase risk management programme, beginning with the development of a company-wide risk profile. This process showed that increased demand on the company’s aging infrastructure posed a significant risk to some of its core objectives: namely, to achieve a top-quartile performance in its transmission and distribution business; to achieve a top-quartile performance in terms of operational efficiency; and to satisfy 90% of its customers.

Acting on the insights it had gleaned from linking information about its risks with its goals, the company launched an energy conservation initiative that included providing customers with free real-time electricity monitors. As a result, it helped its customers reduce electricity consumption by up to 15%, thereby alleviating some of the burden on its assets and boosting its customer satisfaction ratings above 80%.



2 Choose the measures that matter most

• Cut to the chase. When it comes to developing the right risk-informed performance measures, a few essential metrics are far better than a cumbersome laundry list. So focus on the processes that offer the greatest opportunities for creating value or the greatest danger of destroying it.

• Think big and small. Don’t concentrate exclusively on systemic, high-impact risks, though. Sometimes, a risk that initially seems quite trivial can escalate into a full-scale disaster.

• Study the downside. Ask yourself two key questions: What have I really got to lose? And how much shock can my balance sheet endure? Many companies don’t quantify how much they’re willing to lose, if a risky transaction goes sour, or how much money would be required to survive, if it turned into a worst-case scenario.

• Cover all the bases. But don’t rely on financial measures alone. Operational measures are equally important.

• Choose wisely. Make sure that the metrics you select truly matter. A good risk-informed performance indicator is one that funnels a lot of information into a single, relatively simple measure; acts as an early warning sign; and affects the decisions management makes (see opposite).

Setting the right business metrics

When you’re deciding what to measure and how best to measure it, ask yourself the following questions:

1. What are the greatest sources of value creation and destruction across our business?
2. Where have we failed to deliver value to our shareholders, and where have we succeeded?
3. How do we currently measure the potential effects of risk?
4. Do these measures provide a clear picture of the risk variables – i.e., the possibility that a risk will occur, the probability that it will occur, the time at which it is most likely to occur and the severity of the impact?
5. Are they quantifiable (in monetary terms, numbers or percentages), easy to understand and apply, timely and cost-effective?
6. Are they tailored to our company’s specific objectives and the industry conditions in which it operates?
7. Can they be used to corroborate or invalidate management’s decisions and actions?
8. Where is the underlying information kept? Does it reside at the business unit or functional level and, if so, is it readily accessible to the C-suite?

Survival of the fittest

One highly respected European car insurer combines financial and non-financial data in management reports, with information on sales. The common denominator isn’t whether it’s a financial or non-financial number, but whether it’s a vital aspect of the company’s performance. One of the top executives in the company also analyses three critical ‘live-or-die’ metrics every morning: loss ratios, expense ratios and ancillary sales. Rigorous use of leading risk indicators has helped the company more than double its revenues over the past six years [1].

[1] PricewaterhouseCoopers, ‘Management Information and Performance: CFOs Face New Demands for High-Quality Data That Drives Decisions’ (June 2007).



3 Turn your data into actionable information

• Take stock. Now that you’ve worked out what you need to know to manage risk properly, you can focus on getting it in as reliable a form as possible. This doesn’t necessarily mean that you’ll have to overhaul your entire IT infrastructure. Many companies already collect the information they require; the trouble is that it’s buried in numerous different data systems and silos scattered throughout the organisation – or even outside it. Investment decisions are often based on information about the economic climate and market conditions, for example, as well as information about a company’s financial strength, production plans and so forth. So take stock. Assess the quality of the data you gather against five key criteria: correctness, credibility, consistency, currency and completeness (see Figure 1).

• Lay down the rules. Most large companies have standardised operational processes. Ensure that your management and reporting processes are also standardised.

• Make the most of what you’ve got. Ensure, too, that you are exploiting the full capabilities of the technology you already possess. According to one study, companies typically utilise only 27.6% of the functionality of their enterprise resource planning systems.

• Be pragmatic. Remember that you don’t have to integrate every application. In fact, sometimes it’s too expensive to do so. Where this is the case, think about putting a monitoring and reporting application on top of your other applications to pull together the information they hold. In other words, use middleware to integrate your information rather than trying to integrate the applications that contain it.

• Manage the change. Make sure that all the people who are involved in gathering the information you need understand how that information will be used, as well as how to operate any new systems, software and processes you introduce.

• Hold onto the reins. Establish a consistent, enterprise-wide set of standards for investing in new systems and applications. If your business units buy software independently of the organisation as a whole, there’s a danger that they’ll create new information silos, thereby limiting the ability to perform cross-functional analyses and reducing the value of the investment you’ve made.

• Learn as you go. Set up a system for continuously monitoring and refining the tools and processes you use to collect the information you need.

Figure 1: The five ‘Cs’ of data quality

Correct: The data are accurate and reliable. They have been validated using an independent source of information that is known to be correct.
Credible: The data are believable and ‘reasonable’ – e.g., the number of products sold at each site does not exceed the number of products sold by the entire company.
Consistent: The data are clear, unambiguous and consistent – both within the same database and across different databases.
Current: The data are up-to-date and available in a timely manner.
Complete: The data are comprehensive. No records are missing and every field is known for each record.

Source: PricewaterhouseCoopers



4 Create a risk-informed organisation

• Make smarter management decisions. You’ve finally got the information you need, so how should you use it? First, and most obviously, to monitor your organisation’s progress and make smarter management decisions. Armed with an accurate picture of how the risks it’s assuming – or avoiding – are affecting its operational and financial performance, you’ll have a much better idea of which levers to pull and when to pull them.

• Go for the gold. You can also identify any areas for improvement and assess the opportunities for growth much more accurately – both factors that can make a big difference to your bottom line. Neil Doherty, chairman of the Insurance and Risk Management Department at the Wharton School in Philadelphia, estimates that a ‘sophisticated and comprehensive’ approach to risk management, in which risk is viewed as an integral part of financial management, can increase a company’s value by 3-5%.

• Convert the crowd. These are by no means the only ways in which you should use the information you’ve acquired. Recent events have clearly demonstrated that separating a company’s risk management from its financial and operational management is a recipe for disaster. In an increasingly connected world, it’s essential to integrate them and adopt a collaborative approach. But people do what they get measured on, so risk-informed performance indicators are crucial in creating a culture of individual and collective accountability for risk management.

• Pay as they perform. The way employees are remunerated also shapes how they behave – and risk-informed performance indicators are invaluable here, too. Once the links between risk management and performance are visible, you can devise incentives that are aligned with your organisation’s risk appetite and long-term profitability; and pay people according to their risk-adjusted performance. In fact, some companies have even introduced claw-back schemes, where senior executives are required to repay any bonuses based on performance claims that later prove erroneous.

Reward for taking the right risks

The engineers at a company that builds and maintains nuclear plants had never been conditioned to take business risks: quite the contrary, indeed. But when the company started facing pressure to grow through new business ventures, new markets and new technologies, the board decided to introduce an incentive scheme aligned with smart, performance-based risk taking.

The board started by freeing up a core group of senior managers to pursue new business ideas and innovations, and teaming them with efficiency experts to create a set of metrics that rigorously accounted for the upside – and downside – potential of each project. All managers are now evaluated on criteria linked with the company’s risk and performance management strategy, such as the number of customer calls and sales proposals they make. To date, the programme has helped the organisation move into two new growth areas.



Incorporating risk indicators into established performance management processes is essential to facilitate well-informed decision making
• Think of risk management as a normal management process, not a separate activity.

• Assess how clear a picture you have of the overall risks your organisation is taking.

• Focus on developing a few crucial measures with which you can track the risks to your most
important processes.

• Ask yourself what you don’t know. Are there any risks you haven’t even considered?

• Gauge the quality of the information you collect. Consider using reporting software to integrate
data from disparate sources.

• Keep a close eye on your bill for risk management and compliance. Investigate, if it suddenly
starts soaring.



How PwC can help

PricewaterhouseCoopers works to solve complex business issues – locally and globally. Our teams draw upon skills in risk, regulation, people, operations and technology to capture opportunities, navigate risk and deliver lasting change across business networks.

We have advised many companies on how to build a risk management infrastructure that is fully integrated with their performance management systems. We can help you to:

• Identify and assess the risks that could either help or hinder you most in achieving your objectives.
• Link your risks with your performance by turning your data into actionable information and defining risk-informed metrics to track your organisation’s performance.
• Assess your existing risk management infrastructure and identify any shortcomings.
• Develop a holistic IT strategy that treats risk management and compliance as an integral part of your core performance management systems.
• Make the most of the systems and applications you currently use.
• Research new tools for integrating your management and operational data, and select the best solution for your needs.
• Create a sustainable technological platform in which risk management and compliance are embedded in the systems and processes you use for running your business on a day-to-day basis.

If you would like to discuss how to use technology to manage risk and compliance holistically, please contact one of our partners (whose details are listed on the next page) or visit www.pwc.com/getuptospeed



Contacts

Global Governance, risk & compliance leader
Hans Borghouts, +31 20 568 4314, [email protected]

Australia
Sandra Birkensleigh, +61 2 826 62808, [email protected]

Canada
Brenda Eprile, +1 416 869 2349, [email protected]

Germany
Alan Martin, +49 69 9585 1188, [email protected]
Christof Menzies, +49 69 9585 1122, [email protected]

Ireland
Bob Semple, +353 1 792 6434, [email protected]

Singapore
Keith Stephenson, +65 6236 3358, [email protected]

UK
Mark Stephen, +44 20 7804 3098, [email protected]

US
Joseph Atkinson, +1 267 330 2494, [email protected]

Get up to speed*
Other topics in this series:
Crisis management
An unanticipated crisis can cause immense disruption, cost a lot of money to rectify and damage your company’s image if you end up on the front
page of the newspapers. This paper examines how companies can take sensible precautions, recover control and extract value from the situation.

Risk appetite
Most risk management systems aim to avoid risk. But if a business doesn’t take risks, it can’t grow. This paper looks at how you can make risk work
for you and how to take the right risks and manage them successfully.

Risk culture
Establishing a culture in which the right people do the right thing at the right time, regardless of the circumstances, is critical to an organisation’s ability
to seize the right risks and avoid the wrong ones. This paper explains organisational culture, how it can support your business strategy, goals and risk
appetite and how important it is to get this balance right.

Operationalising risk management


Most companies have responded to more regulation and increasing scrutiny from stakeholders by establishing independent oversight functions and
additional layers of control. This paper looks at the steps you can take to make risk management and compliance a part of your day-to-day business,
and reduce unnecessary overheads while at the same time adding value to your organisation.

pwc.com/getuptospeed
PricewaterhouseCoopers provides industry-focused assurance, tax, and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 155,000 people in
153 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
© 2009 PricewaterhouseCoopers. All rights reserved. ‘PricewaterhouseCoopers’ refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and
independent legal entity.
Designed by studioec4 19995 (10/09)
