Integrating Strategy and Risk Management

www.cass.city.ac.uk

Nicholas Hawke and Andrew Smart

Integrating Strategy and Risk Management

Advanced Risk Management Programme, 9th - 13th February 2014

Upload: andrew-smart

Post on 27-Jan-2015


DESCRIPTION

"A Holistic Approach to Managing Risk amidst Global Uncertainty"

The RMA/Cass Business School, 10–14 February 2013, Advanced Risk Management Programme

Organised by Andrew Smart & Nicholas Hawke

In today’s fast-moving, complex environment, risk executives must cultivate an understanding across all risks and businesses. Business problems are multifaceted, interrelated, and increasingly global. Executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.

The RMA/Cass Advanced Risk Management Programme, led by the faculty at Cass, one of the UK’s top business schools, exposes participants to a rigorous, yet inspiring blend of theory, practice and cutting-edge research, instilling knowledge and skills applicable to the real world of global business. In addition to its focus on the known and quantifiable risks of credit, market, and operational, the programme concentrates on the unknowable and difficult to measure risks, including business, strategic, and reputation.

Cass has excellent links to the City of London firms and institutions and is able to complement Cass faculty with guest faculty and senior level business practitioners, considered by their peers to be industry thought leaders.

Areas of focus for The RMA/Cass Advanced Risk Management Programme include:

• Risk management as a strategic competitive strength

• An integrated approach to risk management

• Fostering a culture and climate that openly communicates risk

• A framework for rapidly responding to known risks and unraveling the complexities of the unknown

• A focus on risk informed by global perspectives.

TRANSCRIPT

Page 1: Integrating Strategy and Risk Management

Nicholas Hawke and Andrew Smart

Integrating Strategy and Risk Management

Advanced Risk Management Programme 9th - 13th February 2014

Page 2: Integrating Strategy and Risk Management

Integrating Strategy & Risk Management: an Introduction to Risk-Based Performance Management

Workshop for the RMA, 12 February 2014

Page 3: Integrating Strategy and Risk Management

Introductions

CEO & Co-founder of Manigent, a thought-leadership consultancy firm focused on strategy execution and risk management

15 years plus in strategy and risk management

2006/07 - 12 month / 21 organisation research project into the integration of strategy and risk management

2008 - Created the Risk-Based Performance Management methodology during various strategy and risk related engagements in the city

Page 4: Integrating Strategy and Risk Management

The credit crunch and its subsequent fall-out have rewritten the rules on strategy execution and risk management

Page 5: Integrating Strategy and Risk Management

Post credit crunch, regulatory bodies have been more aggressive and active

Page 6: Integrating Strategy and Risk Management

As we enter the recovery and growth phase, managing risk (and Risk Appetite) to drive and sustain competitive advantage will be critical

Page 7: Integrating Strategy and Risk Management

Risk-Based Performance Management (RBPM) is a holistic and integrated approach to strategy execution and risk management

[Figure: RBPM framework. Elements: Strategy Management, Performance Management, Risk Management, Appetite, Governance & Communications, Culture. Questions shown: "What are we trying to achieve?", "Are we on track?", "What is our Risk Appetite?", "Are we operating within appetite?"]

Page 8: Integrating Strategy and Risk Management

Integrating Strategy Execution and Risk management approaches

Page 9: Integrating Strategy and Risk Management

Since its inception, the Balanced Scorecard has continued to evolve.

Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements.

“What you measure is what you get” - Kaplan & Norton, 1992

Performance Measurement

With adoption, the Balanced Scorecard evolved to become more focused on strategy.

Introduced the 5 principles:

1. Translate the Strategy into operational terms

2. Mobilise change through executive leadership

3. Make Strategy a continual process

4. Make Strategy everyone’s everyday job

5. Align the organisation to the Strategy

Performance Management

The Balanced Scorecard is now positioned as a framework for enhancing strategic execution.

A closed loop system of strategic execution:

1. Develop the Strategy

2. Plan the Strategy

3. Align the organisation

4. Plan operations

5. Monitor and Learn

6. Test and Adapt the Strategy

Strategy Execution

Page 10: Integrating Strategy and Risk Management

COSO - Internal Controls framework (1994)

Provided a common definition of internal control and a framework against which internal control systems can be assessed and improved.

COSO – ERM framework (2004)

The framework defines essential enterprise risk management components, discusses key ERM principles and concepts.

Unlike the Balanced Scorecard, Risk Management has evolved via a series of standards.

COSO

Various standards were created, often influenced by the COSO frameworks.

The Risk Management Standard, 2002 (IRM, AIRMIC, ALARM)

Orange Book, 2004 (HM Treasury)

AS/NZS 4360:2004

BS31100, 2008 (British Standards)

Various Government standards

ISO 31000:2009

Provides principles and generic guidelines on risk management.

ISO 31010:2009

Provides guidance on selection and application of systematic techniques for risk assessment.

ISO 31000 & ISO 31010

Various

Page 11: Integrating Strategy and Risk Management

We believe that integrating strategy and risk management is the next, natural evolution

Risk-Based Performance Management enables executives to manage with one eye on strategy & one eye on risk.

Comprehensive strategic execution framework

• Aligns strategic intent with risk appetite

• Integrated performance and risk reporting and analytics

• Embedded governance and ownership model

Risk-Based Performance Management

Page 12: Integrating Strategy and Risk Management

Other experts also recognise the need for new approaches, and are looking at the integration of performance and risk management ...

What went wrong in Financial Services?

1. Wrong measures of risk or, at least, very limited understanding of the properties of the risk measures being used

2. Incorrect data used to estimate risk measures

3. Failure to understand correlations across risk measures

4. Managing local risks and ignoring global ones

5. Treating risk management as a compliance issue, not a strategic one

6. Taking big bets that unlikely events will not occur

7. Senior executives and boards striving for short-term gains while ignoring the risk exposure associated with generating high profits

Value-at-Risk Calculation typically assumes that probability of gains and losses follows a normal distribution.

What about Black Swan events?

VaR does not account for liquidity risk; it assumes you can get out of a position overnight.

VaR is like “an airbag that works all the time, except when you have an accident.”

Now is the time to enhance the BSC with Key Risk Indicators (KRIs) and integrate performance and risk management.

Dr Robert Kaplan is focusing on measurement of risk

E&Y suggested a ‘re-balanced’ scorecard

However the focus is measurement via indicators ... where is the strategic alignment?

Page 13: Integrating Strategy and Risk Management

Kaplan on Risk and the Balanced Scorecard

HBR June 2012

Three categories of Risk

1. Preventable Risks

2. Strategy Risks

3. External Risks

Managing Risk is very different from managing Strategy

Page 14: Integrating Strategy and Risk Management

Risk and the Balanced Scorecard - What we think…

Managing Risk is not different to, but a fundamental part of, managing strategy

Page 15: Integrating Strategy and Risk Management

Integrating Strategy & Risk Management based on Risk-Based Performance Management

Page 16: Integrating Strategy and Risk Management

Risk-Based Performance Management (RBPM) is a holistic and integrated approach to strategy execution and risk management

[Figure: RBPM framework. Elements: Strategy Management, Performance Management, Risk Management, Appetite, Governance & Communications, Culture. Questions shown: "What are we trying to achieve?", "Are we on track?", "What is our Risk Appetite?", "Are we operating within appetite?"]

Page 17: Integrating Strategy and Risk Management

The Risk-Based Performance Management (RBPM) methodology is based on seven management disciplines

[Figure: the seven RBPM disciplines: 1. Set Strategy; 2. Manage Performance; 3. Manage Risk; 4. Appetite Alignment; 5. Governance; 6. Communications; 7. Culture. Other labels in the figure: Business Drivers, Shareholder Value, Capital, Income, Share Price, Economic value add, Reputation, Profit, Appetite.]

Page 18: Integrating Strategy and Risk Management

Discipline 1: Set Strategy

Strategy: “to develop a sustainable (and defendable) position which enables the organisation to achieve its objectives while operating within defined risk appetite boundaries”

“One major problem that led to the current financial crisis was that although objectives had been created, there was no articulation of risk appetite or identification of those responsible when risks were incurred”

A clear articulation of strategy is important but it must include an expression of the amount and type of risk that the organisation is willing to accept

Page 19: Integrating Strategy and Risk Management

“Within the RBPM approach, we define ‘manage performance’ as the continuous process of monitoring objectives and their KPIs, identifying root causes of underperformance and making adjustments.”

Discipline 2: Manage Performance

KPIs

Processes Initiatives

Objectives

Page 20: Integrating Strategy and Risk Management

Discipline 3: Manage Risk

“In the context of Risk-Based Performance Management, Risk Management is about understanding and exploiting opportunities and threats (the risk the organisation faces in pursuit of its objectives), and the continuous monitoring and management of those risks to ensure the organisation executes its strategy while operating within appetite”

Page 21: Integrating Strategy and Risk Management

Discipline 4: Appetite Alignment

“Appetite Alignment is the process of continuously aligning current risk exposure to the defined risk appetite, which by implication encapsulates the strategy of the organisation. To translate into simple terms, it is about understanding whether the current level of risk-taking is aligned to the chosen business strategy, i.e. are we operating within appetite?”

Page 22: Integrating Strategy and Risk Management

Discipline 5: Governance

“Governance is the process and practices which define the strategic, operating and decision-making boundaries of an organisation (or organisational unit), and how decisions are made and implemented.”

Page 23: Integrating Strategy and Risk Management

Discipline 6: Communications

“When a firm’s risk appetite is properly defined and clearly communicated, it becomes a powerful management tool to clarify all dimensions of enterprise-wide risk and enhances overall business and financial performance”

The Five C’s:

1. Clarify

2. Credible

3. Concise

4. Context

5. Consistent

“all the good-to-great companies had a penchant for intense dialogue. Phrases like “loud debate”, “heated discussions”, and “healthy conflict” peppered the articles and interview transcripts from all the companies. They didn’t use discussion as a sham process to let people “have their say” so they could “buy in” to a predetermined decision. The process was more like a heated scientific debate, with people engaged in a search for the best answers”. Jim Collins

Page 24: Integrating Strategy and Risk Management

Discipline 7: Culture

• Culture comprises an organisation’s widely shared values, symbols, behaviours and assumptions.

• “the way we do things around here”

• The seven key characteristics of a Strategy-Focused, Risk-Aware Culture:

1. Driven by a compelling vision

2. Live by a clear set of values

3. Led with integrity

4. Align risk-taking to strategy

5. Established clear accountabilities

6. Engage in high quality conversations

7. Incentives are aligned to appetite

Culture is perhaps the ultimate strategy and risk management tool

Page 25: Integrating Strategy and Risk Management

Underpinning the Risk-Based Performance Management approach is a clear change process

[Figure: RBPM change process. Boxes: Define Strategic Goals; Define Strengths & Weaknesses; Define Business Drivers; Define the Strategy; Define Processes; Define Initiatives; Define Operational Risks; Define Operational Controls; Define Indicators; Assess Risks & Controls; Monitor Appetite Alignment; Define Strategic Risks; Define Strategic Controls; Define the Business Model; Define Risk Appetite; Align Risk Appetite & Strategy; Define Strategic Objectives. Other labels: Board, Executive, Formulation, Execution.]

Page 26: Integrating Strategy and Risk Management

Organisational progress in implementing the approach can be measured using a Maturity Model

• Based on the RBPM Seven disciplines

• Provides a snapshot of your organisational Strategy & Risk maturity

• Provides a ‘slice’ by organisation behaviour

“How mature is your integrated strategy & risk management approach?”

[Figure: RBPM Maturity Model. Disciplines: Strategy, Performance Management, Risk Management, Appetite Alignment, Governance, Communications, Culture. Maturity levels shown: Initial, Exemplary, Expert, Proficient, Competent. Other labels: Manage, Operationalise, Monitor, Improve.]

Page 27: Integrating Strategy and Risk Management

Advantages of integrating strategy management & risk management

• Aligning risk appetite and strategy – the board and senior management should evaluate the organisation’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

• Enhancing risk response decisions – actively managing emerging risk provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.

• Reducing operational surprises and losses – organisations are able to identify potential events and establish responses, reducing surprises and associated costs or losses.

• Seizing opportunities - by considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

• Improving deployment of capital - obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Page 28: Integrating Strategy and Risk Management

Implementing a Risk-Based Performance Management approach brings a range of benefits

“Using Risk-Based Performance Management has delivered a more focused, structured Risk framework, enabling us to focus on the vital few – the number of Key Risks dropped from 120+ to just 10!” - Investment banking client

“Coupled with the implementation of a new risk management framework, significant business benefits are emerging” – Source: Annual accounts of a Financial Services client

“we were able to reduce our operational losses by over to 50% in the first year of using Risk-Based Performance Management” – Investment banking client

“Deploying Risk-Based Performance Management has enabled us to realise a 94% reduction in the value of errors and a 63% reduction in the volume of errors.” – Head of Operational Risk, Mortgage Services Provider

Page 29: Integrating Strategy and Risk Management

Central to this integrated model for Strategy and Risk Management is the Strategy Map

Page 30: Integrating Strategy and Risk Management

The Strategy Map articulates how an organisation creates value

[Figure: Strategy Map with four perspectives: Financial, Customer, Internal Process, Learning & Growth. Objectives shown: Sustainable Growth; Deliver Revenue Growth; “Their fees are clear and fair”; Drive sales execution; “We align our incentives to our appetite & desired behaviours”.]

Example row from the figure:

Objective: Drive sales execution

KPIs: YTD % Increase in income

Targets: 25%

Initiatives: Implement new sales process

Definitions:

Objective: Statement of what strategy must achieve and what’s critical to its success

KPIs: How success in achieving the strategy will be measured and tracked

Targets: The level of performance or rate of improvement needed

Initiatives: Key action programs required to achieve Priorities

Page 31: Integrating Strategy and Risk Management

However, to create value, risk-taking must be aligned to strategy

[Figure: Strategy Map with four perspectives: Financial, Customer, Internal Process, Learning & Growth. Objectives shown: Sustainable Growth; Deliver Revenue Growth; “Their fees are clear and fair”; Drive sales execution; “We align our incentives to our appetite & desired behaviours”.]

Example row from the figure:

Objective: Drive sales execution

Appetite: Moderate

Exposure: High

Alignment: Over-exposed

Definitions:

Objective: Statement of what strategy must achieve and what’s critical to its success

Appetite: How much risk are we willing to run to achieve the objective?

Exposure: How much risk are we currently running?

Alignment: Is our current risk-taking aligned to appetite?

Page 32: Integrating Strategy and Risk Management

Effective risk management supports value creation and value protection

[Figure: Strategy Map with four perspectives: Financial, Customer, Internal Process, Learning & Growth. Objectives shown: Sustainable Growth; Deliver Revenue Growth; “Their fees are clear and fair”; Drive sales execution; “We align our incentives to our appetite & desired behaviours”.]

Example row from the figure:

Objective: Drive sales execution

Risks: Mis-selling resulting in reputation loss

Thresholds: Appetite; Tolerances

Mitigation: Controls; Initiatives; Policy & procedures; Processes

Definitions:

Objective: Statement of what strategy must achieve and what’s critical to its success

Risks: The threats and opportunities (risks) which may impact achievement of objectives

Thresholds: The appetite and tolerance thresholds used to monitor risk

Mitigation: The activities undertaken to manage risk

Page 33: Integrating Strategy and Risk Management

Many different types of risks make up the organisational risk universe

[Figure: Strategy Map with four perspectives: Financial, Customer, Internal Process, Learning & Growth. Objectives shown: Increase Shareholder value; Sustainable Growth; Increase Investment Returns by 25%; Increase Retention of competent staff by 10%. Risk types shown: Strategic Risk, Operational Risk, Insurance Risk, Finance Risk, Hazard Risk.]

Page 34: Integrating Strategy and Risk Management

Many different types of risks make up the organisational risk universe

[Figure: Strategy Map with four perspectives: Financial, Customer, Internal Process, Learning & Growth. Objectives shown: Increase Shareholder value; Sustainable Growth; Increase Investment Returns by 25%; Increase Retention of competent staff by 10%. Risk types shown: Strategic Risk, Operational Risk, Insurance Risk, Finance Risk, Hazard Risk. Example risks shown: Unexpected changes in interest rates; Unexpected Equity movements.]

Page 35: Integrating Strategy and Risk Management

The Risk Map is structured around the 4 perspectives to provide a snapshot of the current level of Risk Exposure (‘Heat’)

• The 4 perspectives are aligned to the Strategy Map

• Often the risks are defined as ‘impacts’ not ‘events’, i.e. the impact may be on the customer but the event was operational

Page 36: Integrating Strategy and Risk Management

Appetite Alignment Matrix is one of our key innovations and a key tool for monitoring the alignment of risk-taking to strategy

Enables monitoring of the alignment of risk-taking to strategy

Enables the monitoring of risks which are outside of appetite

Also shows where we are taking too much and not enough risk

Changes the risk conversation

[Figure: Appetite Alignment Matrix, "Are we operating within Appetite?". Zones: Over-exposed, Aligned, Under-exposed.]

Page 37: Integrating Strategy and Risk Management

The Appetite Alignment Matrix can also guide management responses to mis-alignments

Over-Exposed: Reduce the level of risk taking

• Increase / Change Controls environment

• Implement Initiatives

• Stop/review mis-aligned activities

• Review Objectives / Business outcomes

• Board to approve a waiver

• Board to change the risk appetite

Aligned

• Continue to monitor and manage

• Focus on trends

Under-Exposed: Increase the level of risk taking

• Reduce / Change Controls environment

• Implement Initiatives

• Stop/review mis-aligned activities

• Review Objectives / Business outcomes

• Board to approve a waiver

• Board to change the risk appetite

[Figure: Appetite Alignment Matrix. Zones: Over-exposed, Aligned, Under-exposed.]

Page 38: Integrating Strategy and Risk Management

Key Business Drivers are used to frame the definition of risk impact levels, used within both Risk Appetite definition and the Risk Assessment process

[Figure labels: Key Business Drivers; Income; Reputation; Capital; ?; Risk Appetite Levels; Risk Assessments; Capital@Risk; Reputation@Risk; Appetite Alignment Matrix.]

Page 39: Integrating Strategy and Risk Management

Bringing together these three powerful tools, and the underlying methodology, provides the foundation for effective strategy execution

[Figure labels: Strategy Map; Risk Map; Appetite Alignment Matrix; Risk Appetite.]

Page 40: Integrating Strategy and Risk Management

Bringing together these three powerful tools, and the underlying methodology, provides the foundation for effective strategy execution

Strategy Map: What are we trying to achieve?

Risk Map: How much risk are we running?

Risk Appetite: How much risk are we willing to take?

Appetite Alignment Matrix: So What? Are we taking the right amount of risk?

Page 41: Integrating Strategy and Risk Management

Risk-Based Performance Management is proven to enable better execution, better risk management and deliver tangible business benefits

http://www.hml.co.uk/blog/2011/09/23/risk-management-driving-value-from-a-long-game-approach

It [Risk Management] should become part of the firm’s DNA and simply the way business is done – reflected in the effectiveness of management doing the right things.

The true output of effective risk management is a successful organisation that delivers on its strategic objectives and satisfies the needs of key stakeholders - consistently, year on year.

HML started a journey to ingrain a new approach to risk management. In spite of the financial difficulties experienced in our market, significant benefits have been achieved which have made a difference to HML’s bottom line: 94% reduction in the value of errors and a 63% reduction in the volume of errors.

Page 42: Integrating Strategy and Risk Management

Questions

Page 43: Integrating Strategy and Risk Management

About Manigent

A thought-leadership consultancy firm focused on strategy execution and risk management

Thought-Leadership

Time-bound, Guaranteed Delivery

Pragmatic People, Proven Solutions

We leave capability behind

We wrote the book on integrating strategy and risk management

Page 44: Integrating Strategy and Risk Management

Manigent works with clients in the financial services and other regulated industries globally.

Manigent 90 Day Change Roadmap

• Known cost / Low risk

• Time-bound delivery

• Proven methodology

• Focus on 80% Known & 20% Unknown

Integrated Strategy & Risk

Information Risk (Cyber) Management

Conduct Risk Management

Balanced Scorecard & Strategy Map

Enterprise & Operational Risk Management

Our Services

Page 45: Integrating Strategy and Risk Management

Our experience & expertise

We typically work with large clients who seek to make lasting and meaningful change in their ability to execute

Financial Services

• Investment Bank - Risk & Controls framework design and implementation

• Investment Bank - Middle Office Op Losses and MI diagnostic

• FS Outsourcer - FSA RMP solution design and implementation

• Inter-dealer broker - Section 166 response design and implementation

Professional Services

• Big 4 Audit Firm - Strategy Map/Balanced Scorecard implementation

Telecoms

• UK Mobile Operator – Balanced Scorecard Design and Deployment

Defence

• FTSE 100 Defence Company – Cyber Strategy & Risk Management

• Global Defence Systems Integrator – Cyber Awareness training & culture change

Government

• Legal Services Regulator – Developed their internal risk capability, processes and framework

• Central Banks / Financial Services Regulators – Regulatory Framework design and deployment

Our clients shaped our approach & methodology

Page 46: Integrating Strategy and Risk Management

Contact details

Andrew Smart

CEO

Manigent & StratexSystems

Email: [email protected]

www.riskbasedperformance.com

Web: www.manigent.com | www.stratexsystems.com

LinkedIn: http://uk.linkedin.com/in/ajsmart

Twitter: @AndrewJSmart