What does performance look like in your organization? And how do you manage it? Does your organization reliably achieve its objectives?
This article is based on OCEG’s definition of GRC and the extended G(P)RC concept promoted by Corporater.
I have been thinking lately about a common misconception, or rather a semantic difference, that causes risk and non-risk professionals to miscommunicate. This article intends to clarify what risk professionals regard as a significant detail, and what others consider an insignificant misunderstanding, related to performance and risk:
- Good governance enables the possibility to reach our objectives
- When things go terribly right – the use of leading indicators
- When things go terribly wrong – underperformance is not a risk
- The fine line between performance management and risk management
It is all about performance – and good governance
Every business leader has their own view of what performance entails in their company, not least because industries differ in nature and organizations differ in how they prefer to govern, manage, and assure performance. In a for-profit company, performance is primarily measured in accounting and financial terms. In a non-profit or a government entity, it is commonly measured against the organization’s mission.
According to OCEG, the purpose of governance is to “reliably achieve objectives.” I like to think of governance as the enabler of “reliably,” and of “achieve objectives” as the performance part. My statement is, “For something to be successfully managed, it must be governed.” In its simplest form, governance is about setting objectives, responsibilities, and guidelines: what we will achieve, who is responsible, and which rules we should follow.
When things go terribly right
At a high level, performance concerns the governance, management, and assurance of anything in your organization that is likely to impact your objectives. However, while the governance and management of performance are proactive, business-driving disciplines, performance measurements are often implemented as lagging indicators for the obviously measurable parts of the business, such as closed sales, quarterly earnings, number of produced items, and customer churn. By a lagging indicator we mean a “post-process measure,” basically a metric recorded after something has happened. With the correct data at hand, it is a trivial exercise to calculate how we perform within each area that is important to our business. Such indicators, however, typically describe aspects of the organization that are difficult or impossible to influence directly once they have been reported.
When our organization seems to perform, that is, when business is good, there will always be subtle internal or external effects that we have not taken into account, or even noticed. In such situations, mature organizations implement leading indicators to measure the drivers of their successful performance. Knowing what constitutes one’s success helps you catch emerging risks, foresee performance issues, and even raise your targets. The objective of leading indicators is to predict future performance so that the organization can take the necessary measures to reliably achieve its objectives. In a mature organization, relationships might be defined between, e.g., financial, organizational, and operational performance indicators to show how the lower levels drive performance up the chain.
When things go terribly wrong
When our performance metrics do not indicate the level we planned and hoped for, a common understanding is that we now have a risk of not meeting our future targets. However, this indication of a lack of performance is more likely a consequence of poor governance than a risk. We need more information about the increased uncertainties before we can take proper action. Whether we address this as a risk or as a consequence might seem like semantics. However, the difference in thinking is key to how we can drive performance, or “reliably achieve objectives.” Risk management is not about keeping track of a bucket of uncertainties; it is about managing uncertainties down to an acceptable level. If we regard the lack of performance as a risk, we accept the uncertain, residual nature of our situation and create an attitude of excuses, bad luck, and business impotence. By treating it as a consequence of poor governance and/or a consequence of risk, we can do something about it.
Where leading performance indicators meet risk
There is a fine line at the intersection between performance management and risk management, and the two sometimes even overlap. Both disciplines aim to achieve objectives but suggest two different, synergetic approaches. A key risk indicator (KRI), for example, is a leading KPI: an early warning detector providing insight into future performance. By connecting KRIs to relevant strategic objectives and correlating them with your lagging KPIs, you have taken a first step towards improved performance driven by GRC.
To a certain extent, what we in our daily rhetoric speak of as a risk is merely business governance or management that could be improved. Thus, the line between, and the synergy of, proper business management and risk management are often confused.
Traditional risk thinking is that you should be able to reduce a risk using organizational measures and then insure or hedge against the residual risk, e.g., by transferring it to an insurance company. However, I do not know anyone who would insure “lack of performance.” On the other hand, you can buy insurance for risks that can impact your performance, such as cyber insurance, and you can insure your business’s critical assets.
When risks are reported to the board of directors, they are presumed to be residual risks. This means that we have already reduced the probability and consequences of the unacceptable risks, to the extent our resources allow, by treating them to meet the acceptable level set by the board. The residual risks are then, e.g., accepted, shared, further reduced, or completely avoided. The goal is to control the organization’s residual risks so that we can make the right decisions and solve problems. Consequently, reducing uncertainty will drive performance.
Lack of performance is not a risk – it’s a consequence
The consequence of not hitting our performance targets can be partly due to residual risks accepted by the board, partly due to bad governance, and, in the worst case, partly due to a fraction of bad luck.