integrating risk into your balanced scorecard

Integrating Risk Into Your Balanced Scorecard

Prepared for:

StratexSystems Webinar Series27 September 2012 4 October 2012

Content

Recapping on the Balanced Scorecard

Recapping on Risk Management

Integrating Risk into your Balanced Scorecard Use of Business Drivers to define levels of Appetite &

Exposure Use of Risk taxonomy to identify Risks per Objective

The Balanced Scorecard was introduced in 1992

“What you measure is what you get”

Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements.

The Balanced Scorecard was followed by the Strategy Map in 2000

Strategy Map is a powerful tool for visualising Strategy, showing the cause

& effect relationships and tensions within the strategy.

Over the last 20 years, the Balanced Scorecard has continued to evolve…

Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements.

“What you measure is what you get” - Kaplan & Norton, 1992

Performance Measurement

With adoption, the Balanced Scorecard evolved to become more focused on strategy.

Introduced the 5 principles1. Translate the Strategy into operational

terms

2. Mobilise change through executive leadership

3. Make Strategy a continual process

4. Make Strategy everyone’s everyday job

5. Align the organisation to the Strategy

Performance Management

The Balanced Scorecard is now positioned as a framework for enhancing strategic execution.

A closed loop system of strategic execution1. Develop the Strategy

2. Plan the Strategy

3. Align the organisation

4. Plan operations

5. Monitor and Learn

6. Test and Adapt the Strategy

Strategy Execution

The credit crunch and subsequent fall-out is rewriting the rules on strategy execution (and risk management)

http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article4761892.ece

Kaplan & Norton on Risk and the Balanced ScorecardHBR June 2012 Three categories of

Risk Preventable Risks Strategy Risks External Risks

Managing Risk is very different from managing Strategy

Kaplan & Norton on Risk and the Balanced Scorecard- What we think… The 3 categories are

just a relatively simple risk taxonomy

Managing Risk is not different to, but a fundamental part of, managing strategy

From the father of BSC, no direction on how to

integrate Risk in the BSC.

So what do we mean when we say “Risk”?

The possibility that an event will occur and adversely affect the achievement of objectives. COSO Integrated Risk

Management Framework

the effect of uncertainty on objectives, whether positive or negative.

ISO31000

The uncertainty of future events that will impact on the achievement of

objectives, either positively (opportunities) or negatively (threats).

Andrew Smart

The uncertainty of future events, incorporating both lost opportunities

as well as threats materialising, which will impact our ability to achieve business objectives.

Client

No organisation can create value without taking risk.

“ You have to speculate to accumulate”

What is Risk Management

As much about exploiting opportunities as preventing potential problems.

Risk Management is an essential part of good management

“coordinated activities to direct and control and organization with regard to risk”

risk management framework; “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization”

risk management process; “systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk”

ISO31000

There are two major risk management standards which have influenced our thinking…

COSO1994 & 2004

ISO310002009

The Risk

Standard

2002AS/NZS 4360

2009

BS31100 2008

Over the last 20 or so years Strategy & Risk Management frameworks have evolved largely in isolation

Balanced Scorecard

1992

ISO310002009

COSO Internal

Controls

Framework

1994

Strategy Maps2000

So to the question…. How to integrate Risk into the Balanced Scorecard?

1. Use Business Drivers to define levels of risk appetite and risk-taking Links risk management in the strategic process Shapes the conversation about risk Enables the monitoring of the alignment of risk-taking

to strategy Enables us to answer the question: Are we operating

within Appetite?

2. Use your Risk taxonomy to enable the Risk Identification process per objective

Risk Appetite has a central role to play in the integration of strategy and risk management

The COSO definition provides ‘What, Who, When and Why’ of risk appetite What: the amount and type of risk Who: an organisational entity When: over a defined time horizon Why: to achieve the objectives of the entity

Risk appetite is the amount and type of risk that is acceptable to be taken by an organisational entity over a defined time period, to achieve the objectives of that entity – COSO Enterprise Risk Management

Risk appetite sets the boundaries within which strategy is executed

– StratexSystems

Risk Appetite should be integrated into your

organisational strategic framework

Business Goals

Business Model

Business Drivers

Internal Analysis External Analysis

Business Objectives

Strategy

Appetite

Appetite Alignment

Risk ManagementPerformance Management

Appetite

Identify strengths & weaknesses

Identify threats & opportunities

Is our business model fit for

purpose?

Is our business model fit for

purpose?

Are we operating within appetite?

Manage threats & opportunities

Are we on-track to deliver?

Manage strengths & weaknesses

Appetite

Setti

ngEx

ecuti

onFo

rmul

ation

SettingFrom high-level strategies to specific business objectivesDefine specific business objectives and appetite for specific entity’sAllocation of scarce resources by entity, risk category, product lines

ExecutionAre we on-track to achieve our business objectives Are we operating within appetite (are we taking too much, or not enough risk?)Do we have the right level of controls in place to meet internal and external compliance drivers?Are we aligning our change agenda to our strategic agenda?

Formulation Development of high-level strategies and allocation of scarce resources, including capitalGiven our business context, what is our appetite for risk? Given our appetite, have we got the right business model?Are we comfortable with the assumptions we have made?

Risk Appetite is the ‘glue’ that brings together Strategy & Risk

Performance Management

Risk Management

Strategy Management

Appetite

What are we trying to achieve?

Are we on track?

What is our Risk Appetite?

Are we operating within appetite?

Governance & Communications

Culture

We use ‘key’ Drivers to define levels of risk appetite and shape the conversation around risk (and strategy)

Business drivers

Capital

Income

Reputation

Shareholder value

Share price

Economic value add

Profit

Strategy

Align Risk-taking to Strategy

Manage Risk

Manage Performance Appetite

Governance Communication

Culture

Using drivers to frame appetite setting enables the Board to set clear operating boundaries

Business Drivers Low Moderate High Extreme Capacity Limit

Income X% Capital@Risk

X% Capital@Risk

X% Capital@Risk

X% Capital@Risk

Capital Up to X £M

X £M to Y £M

X £M to Y £M

X £M to Y £M

Above X £M

ReputationUp to X vol.

Bad coverage

Up to X vol. Bad

coverage

Up to X vol. Bad

coverage

Up to X vol. Bad

coverage

Appetite Alignment Matrix is a key tool for monitoring the alignment of Risk-taking to Strategy

Enabling monitoring of risks which are outside of Appetite

Shows where we are taking to much and not enough risk

Changes the risk conversation

Answers the question:

Are we operating with in Appetite?




within Appetite?


Common categorisation of risk

Strategic Riskuncertainty related to

strategic choices

Execution Riskuncertainty related to

execution of the chosen strategy

Operational Riskuncertainty related

to processes, people, technology,

change etc

Credit Riskuncertainty related to a counterparty's ability to meet their

obligations

Market Credituncertainty related to the market value of a

portfolio

Riskuncertainty of future

events that will impact on the achievement of

objectives

The Strategy Map articulates how an organisation creates valueFi

nanc

ial

Cust

omer

Inte

rnal

Pr

oces

sLe

arni

ng &

G

row

th

Increase Investment Returns by 25%

Sustainable Growth

Increase Retention of competent staff by

10%

Increase Shareholder value

Objective KPIs InitiativesTargets

Increase Investment

Returns by 25%

YTD % Increase in investment

returns25%

Implement new portfolio mgt system

Objective Statement of what

strategy must achieve and what’s

critical to its success

KPIs How success in achieving the

strategy will be measured and

tracked

Targets The level of

performance or rate of

improvement needed

Initiatives Key action programs

required to achieve Priorities

However, to create value, risk-taking must be aligned to strategy…Fi

nanc

ial

Cust

omer

Inte

rnal

Pr

oces

sLe

arni

ng &

G

row

th


Sustainable Growth


10%


Objective Appetite AlignmentExposure

Increase Investment

Returns by 25%




Appetite How much risk

are we willing to run to achieve the

objective?

ExposureHow much risk

are we currently running?

Alignment Is our current risk-taking aligned to

appetite?

Moderate High Over-exposed

Effective risk management supports value creation and protection...Fi

nanc

ial

Cust

omer

Inte

rnal

Pr

oces

sLe

arni

ng &

G

row

th


Sustainable Growth


10%


Objective Risks MitigationThresholds

Increase Investment

Returns by 25%

Unexpected changes in interest rates

Unexpected Equity movements

Appetite Tolerances

Controls Initiatives Policy &

procedures Processes




RisksThe threats and

opportunities (risks) exist which may

impact achievement of objectives

ThresholdsThe appetite and

tolerance thresholds used to monitor risk

Mitigation The activities undertaken to manage risk

Many different types of risks make up the organisational risk universeFi

nanc

ial

Cust

omer

Inte

rnal

Pr

oces

sLe

arni

ng &

G

row

th


Sustainable Growth


10%



Strategic Risk

Operational Risk

Insurance Risk

Finance Risk

Hazard Risk

Many different types of risks make up the organisational risk universeFi

nanc

ial

Cust

omer

Inte

rnal

Pr

oces

sLe

arni

ng &

G

row

th


Sustainable Growth


10%



Strategic Risk

Operational Risk

Insurance Risk

Finance Risk

Hazard Risk

Unexpected changes in interest

rates

Unexpected Equity movements

Risk categorises can be used to support risk identification and integration of risk in the Balanced Scorecard


Insurance Risk

Underwriting Risk

Operational Risk

Strategic Risk

Hazard Risk

Financial RiskBusiness Risk

Reputation RiskProcess Risk

Market Risk Credit RiskLiquidity Risk

People Risk

System Risk

External Events

Legal Risk

Claims Mgt Risk

Reinsurance RiskProduct Risk

Premium Risk

Civil disruption

Health & Safety

Accidents

Natural

How do we define a risk?

The risk of (what, where, when)….. caused by (how) ……resulting in..…(impact/consequences)

Examples The risk of financial deficit at end of year caused by

decreased in-patient activity and revenue, resulting in rationalisation of service offerings.

The risk of exceeding A&E waiting times, caused by increased demand and staff vacancies, resulting in not meeting community expectations and adverse patient outcomes

Where do we define Risks?

Objectives

Key Risks

Key Controls

The Objectives, Risks and Controls structure is central to Stratex solutions

30

Objectives

KPIs Actions Key Risks

KRIs Actions Assessment Key Controls

KCIs Actions Assessment

Events

Certification

Risk Appetite Processes Initiatives Systems People &

Roles Assets

Operational enablers are aligned to strategy

Governance Commentary Workflows Audit Trails

Build a strategy focused, risk aware culture




within Appetite?


About StratexSystems

“StratexPoint enabled us to reduce the value of our operational losses by 94%, the volume by 63% and our economic capital provision by 23%” - Head of Operational Risk, HML - Skipton group

Our missionTo provide an integrated strategy and risk management solutions which enhances strategy execution, enhance capital efficiency by 15% and reduce operational losses 25% while providing 100% confidence that your business is operating within appetite.

Post credit crunch, Financial Services clients face challenges beyond traditional ‘Risk Management’

Lack of an integrated, enterprise-wide solution

Too many spreadsheets

Systems reinforce silo processes

Compliance focused risk tools

Intensive and intrusive FSA oversight

Board and Senior Management pressure

Political pressure to reform and do things differently

Basel 3, Solvency 2, S166

Confidence in our approachProven partnersLow RiskKeep us out of the newspaperCost effective

Deliver strategy Reduce capital provisionReduce operational lossesReduce / eliminate finesEnable the right culture

“Operate within Appetite”

Examples of where our solution has added real and tangible business value

60%

23%

182

Op lossesHML seen a 60% reduction in operational losses within 18 months

Regulatory capitalHML also seen a 23% reduction in regulatory capital

InitiativesConsolidated global portfolio of major initiatives to enable single view of status & risk

Demonstration

Free trial of StratexLive

Stratex Bootcamp

30 day free use of StratexLive Regular ‘coaching’ session online Load your own data Add your own users START NOW

integrating risk into your balanced scorecard

Documents

strategy page

strategy map

risk management page

visualising strategy

balanced scorecard recapping

balanced scorecardprepared

balanced scorecardhbr

simple risk taxonomy