"It's not hard to make decisions when you know what your values are."
– Roy Disney
ISO31000 (Section 3, Part A) says that risk management should create and protect value, and it’s true. What it leaves unstated is what the organization actually values. In theory, the answer is stated in policy and objectives. If it isn’t, it’s time to go back to square one and get some answers. Depending on the organization, what it values could be any combination of things. The following is a partial list to get you thinking, but it’s by no means comprehensive:
Health and safety of people
Learning and development
Service delivery to customers
Medical or technological breakthroughs
Sure, many of these are intangible, but somehow, somewhere, risk management should demonstrate a link to outcomes. It doesn't always. Risk management is as capable of robbing value as any other management activity. The key word in all this is “demonstrate”. An organization needs to be able to show clear, tangible benefits that it can measure. If the benefits are not capable of measurement, you are missing one of the fundamentals of a management system – a feedback loop.
Think of creating value as positive risk management, and protecting value as negative risk management. It's not that simple, but creating and protecting value are useful concepts. In some areas of risk management it is easier to demonstrate these links than in others. Safety risk management is about protecting people from harm, and it can be hard to prove that an injury was prevented. Creating value is easier to prove, via new projects or marketing initiatives for example. It is important to remember, though, that most risk management strategies or controls will both protect and create value. For example:
Security protects value (people) and creates value by allowing operation in locations which are otherwise too dangerous.
Financial portfolio management both creates and protects value through asset allocation, diversification, etc.
The key is to be able to link risk management to organizational objectives, and the easiest way to do that is to use key performance indicators (KPIs). If you’re lucky, your organization will already have documented objectives and strategic KPIs. If not, you’ll get a chance to apply your creative talents, as any good employee or consultant already knows, and MSU (make stuff up). In some way, risk management must show a causal link to the achievement of organizational objectives. Those links must also be measurable against the KPIs.
This isn't as complicated as it sounds:
List the organization's key result areas (KRAs). What are the results that you want to achieve? Not all of them, but at least the ones which count the most – i.e. the KEY result areas. E.g., profitability, safety statistics, production quantities.
Identify the critical success factors (CSFs) that must happen to achieve those results. What things will contribute to achieving those results? This might include staff training, quality of the financial reporting systems, the effectiveness of project management, and more.
List the key performance indicators (KPIs) that will measure whether the CSFs are in place. E.g., Hours of training per person per year, percentage completion of a training plan, implementation of new financial reporting system before the end of the year, etc.
Last but not least, it’s essential to be able to link risk mitigation or opportunity enhancement measures to those KPIs. If you propose, for example, to deliver training as part of a risk treatment plan, there should be a clear link from that training to the desired outcome.
A hypothetical organization might end up with six corporate objectives, eight critical success factors (CSFs), 10 key performance indicators (KPIs), 25 risks on the risk register and 15 risk treatments. These would be interlinked in a complex range of ways. For example, one risk treatment might protect against three risks and support four organizational objectives via two CSFs. Similarly, one risk might need three risk treatments, each of which has multiple links to CSFs and KPIs.
To look at an example of a causal pathway, consider the links between foreign currency fluctuations and profit. We might, for example, demonstrate how risk management creates and protects value as follows:
Corporate objective #2: Shareholder returns greater than 10%
KRA #5: Net profit
CSF #5: Annual gross profit margins sustained
KPI #2: New contracts maintain 25% or greater gross margin
Risk: Failure to protect sales margins due to increasing raw materials prices, as a result of global financial markets adversely affecting currency exchange rates.
Treatment: Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on the cost of sales.
This, of course, shows only one slice of the KPIs, CSFs, and KRAs that an organization might have, but you get the general idea. The treatment (financial analysis training) would address many issues, supporting more than one objective. Better reporting is, for example, an enabler for better management of employee costs, environmental issues, health and safety, sales growth and more. You can see from this how a causal link can be demonstrated between ‘training’ and ‘shareholder returns’ without much effort.
The emphasis is on a 'causal pathway.' If you only proposed a plan to “Provide financial analysis training to sales team managers on interpreting the effect of currency fluctuations on the cost of sales” you might have a great idea, but you haven’t demonstrated how it adds value. Taking a risk management approach with clear causal pathways can help you to build your case for funding this training.
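The interlinked register described above (treatments addressing risks, risks threatening KPIs, KPIs measuring CSFs, CSFs feeding KRAs and objectives) is just a directed graph, and the two tests this article asks for, "is there a causal pathway to an objective?" and "does it pass through something measurable?", are graph checks. The Python below is an added example, not part of the original article; the first chain of nodes is the worked example above (Objective #2 through the training treatment), and every node marked "(constructed)" is invented here to show the two failure modes: a treatment with no pathway to any objective, and one that reaches an objective without passing a KPI (no feedback loop).

```python
"""Model the KRA / CSF / KPI / risk / treatment linkage as a directed graph
and check that every risk treatment has a demonstrable, measurable causal
pathway to a corporate objective.  Added example, not from the article."""
from collections import defaultdict

# Node labels: "<Kind> [#n]: description".  The first pathway is the
# article's worked example; nodes tagged "(constructed)" are made up here.
T_TRAIN = "Treatment: financial analysis training for sales managers"
R_MARGIN = "Risk: failure to protect sales margins (currency exposure)"
KPI_2 = "KPI #2: new contracts maintain >= 25% gross margin"
CSF_5 = "CSF #5: annual gross profit margins sustained"
KRA_5 = "KRA #5: net profit"
OBJ_2 = "Objective #2: shareholder returns greater than 10%"

# Constructed second pathway: the same training addresses another risk.
R_COST = "Risk: employee cost overruns (constructed)"
KPI_7 = "KPI #7: labour cost within budget (constructed)"
CSF_3 = "CSF #3: effective cost control (constructed)"

# Constructed treatment whose risk was never linked to any KPI: an orphan.
T_PORTAL = "Treatment: new intranet portal (constructed)"
R_ENGAGE = "Risk: staff disengagement (constructed)"

# Constructed treatment that reaches an objective but bypasses every KPI.
T_SURVEY = "Treatment: quarterly culture survey (constructed)"
CSF_8 = "CSF #8: staff engagement (constructed)"
KRA_3 = "KRA #3: staff retention (constructed)"
OBJ_4 = "Objective #4: employer of choice (constructed)"

# Edge direction runs "upwards": treatment -> risk -> KPI -> CSF -> KRA -> objective.
LINKS = [
    (T_TRAIN, R_MARGIN), (R_MARGIN, KPI_2), (KPI_2, CSF_5), (CSF_5, KRA_5), (KRA_5, OBJ_2),
    (T_TRAIN, R_COST), (R_COST, KPI_7), (KPI_7, CSF_3), (CSF_3, KRA_5),
    (T_PORTAL, R_ENGAGE),
    (T_SURVEY, CSF_8), (CSF_8, KRA_3), (KRA_3, OBJ_4),
]


def build_graph(links):
    """Adjacency list; leaf nodes (no outgoing edge) are still registered."""
    graph = defaultdict(list)
    for src, dst in links:
        graph[src].append(dst)
        graph.setdefault(dst, [])
    return dict(graph)


def node_kind(node):
    """'KPI #2: ...' -> 'KPI', 'Treatment: ...' -> 'Treatment'."""
    return node.split(":", 1)[0].split()[0]


def causal_pathways(graph, start, target_kind="Objective"):
    """All simple paths from `start` to any node of `target_kind` (depth-first;
    a risk register is small enough that exhaustive enumeration is fine)."""
    paths = []

    def walk(node, path):
        if node_kind(node) == target_kind:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # guard against cycles in a messy register
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def is_measurable(path):
    """Feedback-loop check: the pathway must pass through at least one KPI."""
    return any(node_kind(n) == "KPI" for n in path)


def objectives_supported(graph, treatment):
    """Distinct objectives a treatment can be shown to support."""
    return sorted({p[-1] for p in causal_pathways(graph, treatment)})


def review_register(graph):
    """Status per treatment:
       'ok'         at least one pathway to an objective passes through a KPI
       'unmeasured' reaches an objective, but no pathway passes a KPI
       'orphan'     no pathway to any objective: value not demonstrated"""
    report = {}
    for node in graph:
        if node_kind(node) != "Treatment":
            continue
        paths = causal_pathways(graph, node)
        if not paths:
            report[node] = "orphan"
        elif any(is_measurable(p) for p in paths):
            report[node] = "ok"
        else:
            report[node] = "unmeasured"
    return report


if __name__ == "__main__":
    g = build_graph(LINKS)
    for treatment, status in review_register(g).items():
        print(f"{status:10s} {treatment}")
        for path in causal_pathways(g, treatment):
            print("            " + " -> ".join(node_kind(n) for n in path))
```

Run as a script it prints one line per treatment with its status and the kinds of nodes along each pathway; the training treatment shows two pathways converging on the same objective, which is the "one treatment, several risks, one objective" pattern described earlier. The "orphan" and "unmeasured" results are exactly the cases a funding case should not contain: a treatment that cannot be traced to an objective, and one that can but has no KPI to report against.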
I've also written an article on how to create effective KPIs that deliver results.