Pulling together into a single framework the two separate disciplines of strategy management and risk management, and how it is possible to integrate it with Balanced Scorecard. This presentation provides a practical guide for organizations to shape and execute sustainable strategies with full understanding of how much risk they are willing to accept in pursuit of strategic goals.
Please contact andrew.smart@stratexsystems.com for more details about the presentation or to have a talk about our software solutions.
1. Integrating Risk Into Your Balanced
Scorecard
Prepared for:
StratexSystems Webinar Series
27 September 2012 4 October 2012
2. Page 2
Content
Recapping on the Balanced Scorecard
Recapping on Risk Management
Integrating Risk into your Balanced Scorecard
Use of Business Drivers to define levels of Appetite & Exposure
Use of Risk taxonomy to identify Risks per Objective
3. Page 3
The Balanced Scorecard was introduced in 1992
“What you measure is what you get”
Raison d'être for Balanced Scorecard was to provide a
‘balanced’ set of performance measurements.
4. Page 4
The Balanced Scorecard was followed by the
Strategy Map in 2000
Strategy Map is a powerful tool for
visualising Strategy, showing the cause &
effect relationships and tensions within
the strategy.
5. Page 5
Over the last 20 years, the Balanced Scorecard
has continued to evolve…
Raison d'être for Balanced
Scorecard was to provide a
‘balanced’ set of performance
measurements.
“What you measure is what you
get”
- Kaplan & Norton, 1992
Performance Measurement
With adoption, the Balanced
Scorecard evolved to become more
focused on strategy.
Introduced the 5 principles
1. Translate the Strategy into operational
terms
2. Mobilise change through executive
leadership
3. Make Strategy a continual process
4. Make Strategy everyone’s everyday job
5. Align the organisation to the Strategy
Performance Management
The Balanced Scorecard is now
positioned as a framework for
enhancing strategic execution.
A closed loop system of strategic
execution
1. Develop the Strategy
2. Plan the Strategy
3. Align the organisation
4. Plan operations
5. Monitor and Learn
6. Test and Adapt the Strategy
Strategy Execution
6. Page 6
The credit crunch and subsequent fall-out is
rewriting the rules on strategy execution (and risk
management)
7. Page 7
Kaplan & Norton on Risk and the Balanced
Scorecard
HBR June 2012
Three categories of
Risk
Preventable Risks
Strategy Risks
External Risks
Managing Risk is very
different from managing
Strategy
8. Page 8
Kaplan & Norton on Risk and the Balanced
Scorecard
- What we think…
The 3 categories are
just a relatively simple
risk taxonomy
Managing Risk is not
different to, but a
fundamental part of,
managing strategy
From the father of BSC,
no direction on how to
integrate Risk in the BSC.
9. Page 9
So what do we mean when we say “Risk”?
The possibility that an event will occur
and adversely affect the achievement
of objectives. COSO Integrated Risk
Management Framework
the effect of uncertainty on objectives,
whether positive or negative.
ISO31000
The uncertainty of future events that
will impact on the achievement of
objectives, either positively
(opportunities) or negatively (threats).
Andrew Smart
The uncertainty of future events,
incorporating both lost opportunities
as well as threats materialising,
which will impact our ability to
achieve business objectives.
Client
No organisation can create value
without taking risk.
“ You have to speculate to
accumulate”
10. Page 10
What is Risk Management
As much about exploiting opportunities as
preventing potential problems.
Risk Management is an essential part of good management
“coordinated activities to direct and control and organization with regard to risk”
risk management framework; “set of components that provide the foundations and
organizational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management processes throughout the organization”
risk management process; “systematic application of management policies,
procedures and practices to the tasks of communication, consultation, establishing the
context, identifying, analysing, evaluating, treating, monitoring and reviewing risk”
ISO31000
11. Page 11
There are two major risk management standards
which have influenced our thinking…
COSO
1994 & 2004
ISO31000
2009
12. Page 12
Over the last 20 or so years Strategy & Risk
Management frameworks have evolved largely in
isolation
Balanced
Scorecard
1992
ISO31000
2009
13. Page 13
So to the question…. How to integrate Risk into
the Balanced Scorecard?
1. Use Business Drivers to define levels of risk appetite
and risk-taking
Links risk management in the strategic process
Shapes the conversation about risk
Enables the monitoring of the alignment of risk-taking to
strategy
Enables us to answer the question: Are we operating within
Appetite?
2. Use your Risk taxonomy to enable the Risk
Identification process per objective
14. Page 14
Risk Appetite has a central role to play in the integration of
strategy and risk management
The COSO definition provides „What, Who, When and
Why‟ of risk appetite
What: the amount and type of risk
Who: an organisational entity
When: over a defined time horizon
Why: to achieve the objectives of the entity
Risk appetite is the amount and type of
risk that is acceptable to be taken by an
organisational entity over a defined time
period, to achieve the objectives of that
entity – COSO Enterprise Risk Management
Risk appetite sets the boundaries
within which strategy is executed
– StratexSystems
15. Page 15
Risk Appetite should be
integrated into your
organisational strategic
framework
Business Goals
Business Model
Business Drivers
Internal Analysis External Analysis
Business Objectives
Strategy
Appetite
Appetite Alignment
Risk Management
Performance
Management
Appetite
Identify strengths
& weaknesses
Identify threats &
opportunities
Is our business
model fit for
purpose?
Is our business
model fit for
purpose?
Are we operating
within appetite?
Manage threats
& opportunities
Are we on-track
to deliver?
Manage
strengths &
weaknesses
Appetite
SettingExecutionFormulation
Setting
From high-level strategies to specific business objectives
Define specific business objectives and appetite for specific entity’s
Allocation of scarce resources by entity, risk category, product lines
Execution
Are we on-track to achieve our business objectives
Are we operating within appetite (are we taking too much, or not enough
risk?)
Do we have the right level of controls in place to meet internal and external
compliance drivers?
Are we aligning our change agenda to our strategic agenda?
Formulation
Development of high-level strategies and allocation of scarce resources,
including capital
Given our business context, what is our appetite for risk?
Given our appetite, have we got the right business model?
Are we comfortable with the assumptions we have made?
16. Page 16
Risk Appetite is the „glue‟ that brings together
Strategy & Risk
Performance
Management
Risk
Management
Strategy
Management
Appetite
What are we trying to
achieve?
Are we on track?
What is our Risk Appetite?
Are we operating
within appetite?
Governance & Communications
Culture
17. Page 17
We use „key‟ Drivers to define levels of risk appetite and
shape the conversation around risk (and strategy)
Business drivers
Capital
Income
Reputation
Shareholder value
Share price
Economic value
add
Profit
Strategy
Align Risk-taking
to Strategy
Manage
Risk
Manage
Performance
Appetite
Governance Communication
Culture
18. Page 18
Using drivers to frame appetite setting enables the Board to
set clear operating boundaries
Business Drivers Low Moderate High Extreme
Capacity
Limit
Income
X% Capital
@Risk
X% Capital
@Risk
X% Capital
@Risk
X% Capital
@Risk
Capital
Up to
X £M
X £M to
Y £M
X £M to
Y £M
X £M to
Y £M
Above
X £M
Reputation
Up to X vol.
Bad
coverage
Up to X vol.
Bad
coverage
Up to X vol.
Bad
coverage
Up to X vol.
Bad
coverage
19. Page 19
Appetite Alignment Matrix is a key tool for
monitoring the alignment of Risk-taking to Strategy
Enabling monitoring of
risks which are outside
of Appetite
Shows where we are
taking to much and
not enough risk
Changes the risk
conversation
Answers the question:
Are we operating with in
Appetite?
20. Page 20
So to the question…. How to integrate Risk into
the Balanced Scorecard?
1. Use Business Drivers to define levels of risk appetite
and risk-taking
Links risk management in the strategic process
Shapes the conversation about risk
Enables the monitoring of the alignment of risk-taking to
strategy
Enables us to answer the question: Are we operating within
Appetite?
2. Use your Risk taxonomy to enable the Risk
Identification process per objective
21. Page 21
Common categorisation of risk
Strategic Risk
uncertainty related to
strategic choices
Execution Risk
uncertainty related to
execution of the
chosen strategy
Operational Risk
uncertainty related
to processes,
people, technology,
change etc
Credit Risk
uncertainty related
to a counterparty's
ability to meet their
obligations
Market Credit
uncertainty related to
the market value of a
portfolio
Risk
uncertainty of future
events that will impact
on the achievement of
objectives
22. Page 22
The Strategy Map articulates how
an organisation creates value
FinancialCustomerInternalProcess
Learning&
Growth
Increase Investment
Returns by 25%
Sustainable Growth
Increase Retention
of competent staff by
10%
Increase Shareholder
value
Objective KPIs InitiativesTargets
Increase
Investment
Returns by 25%
YTD % Increase
in investment
returns
25%
Implement
new
portfolio mgt
system
Objective
Statement of what
strategy must
achieve and what’s
critical to its
success
KPIs
How success in
achieving the
strategy will be
measured and
tracked
Targets
The level of
performance or
rate of
improvement
needed
Initiatives
Key action
programs
required to
achieve Priorities
23. Page 23
However, to create value, risk-
taking must be aligned to
strategy…
FinancialCustomerInternalProcess
Learning&
Growth
Increase Investment
Returns by 25%
Sustainable Growth
Increase Retention
of competent staff by
10%
Increase Shareholder
value
Objective Appetite AlignmentExposure
Increase
Investment
Returns by 25%
Objective
Statement of what
strategy must
achieve and what’s
critical to its
success
Appetite
How much risk
are we willing to
run to achieve the
objective?
Exposure
How much risk
are we currently
running?
Alignment
Is our current
risk-taking
aligned to
appetite?
Moderate High Over-exposed
24. Page 24
Effective risk management
supports value creation and
protection...
FinancialCustomerInternalProcess
Learning&
Growth
Increase Investment
Returns by 25%
Sustainable Growth
Increase Retention
of competent staff by
10%
Increase Shareholder
value
Objective Risks MitigationThresholds
Increase
Investment
Returns by 25%
Unexpected
changes in
interest rates
Unexpected
Equity
movements
Appetite
Tolerances
Controls
Initiatives
Policy &
procedures
Processes
Objective
Statement of what
strategy must
achieve and what’s
critical to its
success
Risks
The threats and
opportunities (risks)
exist which may
impact achievement
of objectives
Thresholds
The appetite and
tolerance
thresholds used
to monitor risk
Mitigation
The activities
undertaken to
manage risk
25. Page 25
Many different types of risks
make up the organisational risk
universe
FinancialCustomerInternalProcess
Learning&
Growth
Increase Investment
Returns by 25%
Sustainable Growth
Increase Retention
of competent staff by
10%
Increase Shareholder
value
Increase Investment
Returns by 25%
Strategic Risk
Operational Risk
Insurance Risk
Finance Risk
Hazard Risk
26. Page 26
Many different types of risks
make up the organisational risk
universe
FinancialCustomerInternalProcess
Learning&
Growth
Increase Investment
Returns by 25%
Sustainable Growth
Increase Retention
of competent staff by
10%
Increase Shareholder
value
Increase Investment
Returns by 25%
Strategic Risk
Operational Risk
Insurance Risk
Finance Risk
Hazard Risk
Unexpected
changes in interest
rates
Unexpected Equity
movements
27. Page 27
Risk categorises can be used to support risk
identification and integration of risk in the Balanced
Scorecard
Increase Investment
Returns by 25%
Insurance Risk
Underwriting Risk
Operational Risk
Strategic Risk
Hazard Risk
Financial Risk
Business Risk
Reputation Risk
Process Risk
Market Risk
Credit Risk
Liquidity Risk
People Risk
System Risk
External Events
Legal Risk
Claims Mgt Risk
Reinsurance RiskProduct Risk
Premium Risk
Civil disruption
Health & Safety
Accidents
Natural
28. Page 28
How do we define a risk?
The risk of (what, where, when)….. caused by
(how) ……resulting in..…(impact/consequences)
Examples
The risk of financial deficit at end of year caused by
decreased in-patient activity and revenue, resulting in
rationalisation of service offerings.
The risk of exceeding A&E waiting times, caused by
increased demand and staff vacancies, resulting in not
meeting community expectations and adverse patient
outcomes
29. Page 29
Where do we define Risks?
Objectives
Key Risks
Key Controls
30. Page 30
The Objectives, Risks and Controls structure is
central to Stratex solutions
30
Objectives
KPIs Actions Key Risks
KRIs Actions Assessment Key Controls
KCIs Actions Assessment
Events
Certification
Risk
Appetite Processes Initiatives Systems
People &
Roles
Assets
Operational enablers are aligned to strategy
Governance Commentary Workflows
Audit
Trails
Build a strategy focused, risk aware culture
31. Page 31
So to the question…. How to integrate Risk into
the Balanced Scorecard?
1. Use Business Drivers to define levels of risk appetite
and risk-taking
Links risk management in the strategic process
Shapes the conversation about risk
Enables the monitoring of the alignment of risk-taking to
strategy
Enables us to answer the question: Are we operating within
Appetite?
2. Use your Risk taxonomy to enable the Risk
Identification process per objective
33. Page 33
About StratexSystems
“StratexPoint enabled us to reduce
the value of our operational losses
by 94%, the volume by 63% and our
economic capital provision by 23%”
- Head of Operational Risk, HML -
Skipton group
Our mission
To provide an integrated strategy and risk
management solutions which enhances
strategy execution, enhance capital
efficiency by 15% and reduce operational
losses 25% while providing 100%
confidence that your business is operating
within appetite.
34. Page 34
Post credit crunch, Financial Services clients face
challenges beyond traditional „Risk Management‟
Lack of an integrated,
enterprise-wide solution
Too many spreadsheets
Systems reinforce silo processes
Compliance focused risk tools
Intensive and intrusive
FSA oversight
Board and Senior Management
pressure
Political pressure to reform and
do things differently
Basel 3, Solvency 2, S166
Confidence in our approach
Proven partners
Low Risk
Keep us out of the newspaper
Cost effective
Deliver strategy
Reduce capital provision
Reduce operational losses
Reduce / eliminate fines
Enable the right culture
“Operate within Appetite”
35. Page 35
Examples of where our solution has added real
and tangible business value
60%
23%
182
Op losses
HML seen a 60% reduction in
operational losses within 18
months
Regulatory capital
HML also seen a 23% reduction
in regulatory capital
Initiatives
Consolidated global portfolio of
major initiatives to enable
single view of status & risk
37. Page 37
Free trial of StratexLive
Stratex Bootcamp
30 day free use of StratexLive
Regular ‘coaching’ session online
Load your own data
Add your own users
START NOW
Notes de l'éditeur
Introduced in 1992 at a time of transition in how business created value, from creating value out of tangible assets to creating it out of intangible assetsDesigned as a performance management tool Answered the question – How are we performing?
Strategy Map introduced in the HBR article: Having trouble with your strategy, then Map it, in the year 2000Powerful tool which enabled a strategy to be expressed on a single page, showing the cause & effect relationship between objectives and tensions within the Map
BSC has evolved from Performance Management to Strategy Execution frameworkWhat about risk?
Credit Crunch and subsequent fall-out forcing organisations to re-think how they execute strategyRe-writing the rules with a greater emphasis on Risk and specifically Risk AppetiteBoards & Regulators more active stakeholders