MANAGEMENT & ACCOUNTING

Embedding Risk Management Practices for

Improved Organisational Performance
Patrick Ow
Improving business results require risk management practices to be simplified and embedded
seamlessly into normal business operations, planning and budgeting processes, and
organisational culture. It is no longer an add-on or a management fad. Private and public sector
organisations alike have struggled to understand risk management implementation steps and
techniques. For those who have overcome it, they are reaping the fruits of their labour.

H
igh performing organisations, Risk is the likelihood of something hap- signed to provide reasonable assurance that
having developed strategies pening (either positive or negative) that operations are effective and efficient,
through a sound strategic plan- will have a consequence or impact (aris- organisational reporting is complete, reliable,
ning process, must ruthlessly implement ing from the event) upon the achievement accurate and timely, and that all applicable laws
strategies by removing performance bar- of objectives. Risk management standard and regulations are complied with.
riers or risk through enterprise-wide risk AS/NZ 4360:2004 defines risk as “the Effective risk management calls for a col-
management practices. chance of something happening that will laborative approach involving all parts of the
Organisations can implement their strat- have an impact on objectives”. organisation. Taking an enterprise-wide
egy and perform well if: approach to risk management is vital as risk
Risk = Likelihood X Consequence
䡲 Everyone understands strategic, unit and in different units may be within the risk
departmental objectives, measures and Like the risk management process itself, an appetite of that individual unit. Taken to-
targets and key priorities (clarity). enterprise-wide approach (or commonly gether, that unit’s risk might exceed the risk
䡲 Everyone is connected emotionally and known as enterprise risk management, ERM) appetite of the organisation as a whole - in
engaged to strategic themes, key objec- to manage risks arose from the business sec- which case, different risks responses may
tives and organisational priorities (com- tor and it is being adopted by public and not- be required to bring the individual unit’s
mitment). for-profit organisations around the world. risk in line with the organisation’s risk ap-
䡲 There is clear “line-of-sight” for each in- The Committee of Sponsoring Organ- petite.
dividual, department, and unit so that they isations of the Treadway Commission The starting point is the organisation’s
are closely aligned to the organisation’s (COSO) has broadly defined ERM as “a objectives, encapsulated by their vision and
key priorities (translation). process, affected by an entity’s board of di- strategy.
rectors, management and other personnel, From objectives, SMART (specific, mea-
䡲 Structure, system and cultural barriers
applied in strategy setting and across the surable, achievable, realistic, and timed)
are removed through embedded enter-
enterprise, designed to identify potential performance measures and quantifiable
prise-wide risk management process (en-
events that may affect the entity, and man- targets are developed. Measures and tar-
abling).
age risk to be within its risk appetite, to gets are important as what gets measured
䡲 Everyone works together to arrive at bet-
provide reasonable assurance regarding gets managed and done.
ter ways to achieve objectives and tar-
the achievement of entity objectives.” From the highest level, guided by
gets, removing “its not my job” thinking
The enterprise-wide approach to risk man- organisational structure, organisational vi-
(synergy).
agement does not necessarily negate or replace sion and strategies are cascaded down and
䡲 Individuals are responsible for achieving the traditional risk management process and forms the strategic objectives, and perfor-
targets (accountability). mitigating risk controls, which is summarised mance measures and targets, which in turn
䡲 Everyone is a de facto risk manager (re- in Table 1. Controls are policies, procedures, cascades down, is weighted and forms
sponsibility). practices and organisational structures de- each business and supporting units’ objec-

26 ACCOUNTANTS TODAY • April 2008

 Embedding Risk Management Practices for Improved Organisational Performance

tives, and performance measures and tar-

Diagram 1 Mapping the Cascading Process to Organisational Structure
gets. Then it cascades down further as de-
partmental and project objectives where Organisation
applicable. Ultimately, all objectives must Vision/
be cascaded into everyone’s individual per- Board Strategy
Strategic
formance objectives, as measured by their Objectives/
Measures/
annual performance plan. (See Diagram 1) CEO Targets
Prioritise objectives throughout each level
of the organisation. For prioritisation, de- Business
velop strategic themes (or value drivers) that Objectives/

n Performance to Strategy
Business Units Measures/
align to the organisational vision and strat- Targets
egy. Examples of strategic themes include
revenue growth, sustainable outcomes and Functional
Objectives/
efficiency. Eliminate organisational activities Support Units Measures/
Targets
or initiatives that do not support strategy

& Aligning
implementation. The prioritisation process
Operational
ensures clear focus or line-of-sight perfor- Objectives/
Departments
mance for everyone within the organisation. Measures/

Cascading
Targets
Use management tools like the balanced

s
scorecard to cascade down top-level objec- Project
tives, and performance measures and tar- Objectives/
Projects Measures/
gets systematically throughout the Targets
organisation, right down to each individual,
which is based on four perspectives (finan- Individual
Staff Objectives/
cial, customer, processes, and people)1. Measures/
Targets
1 “Beyond Measurement Alone — Optimising Two-way influences
Corporate Performance”, Accountants Today,
November 2005, page 48.

Table 1 Risk & Control Cycle

Risk/Control Cycle Description Key Questions
Set/Confirm Objectives Clarify what the organisation seeks to achieve, • What are we trying to achieve?
starting with its vision and strategic objectives.
Identify Events/Risk to Achieving those Identify all events and risks that may affect/ im- • What could go wrong?
Objectives pact the achievement of these objectives. • What could happen that would affect our ob-
jectives?
Assess Risks Assess likelihood that each risk will materialise • What is the likelihood or probability that the
and calculate the consequences arising from the risk will occur?
risk. • What is its consequence or impact if the risk
does eventuate?
Identify Risk Responses Identify and select cost-effective responses to • What are the risk responses or options avail-
managing risk, based on a Board – approved risk able to us to address risk?
appetite.
Execute Control Activities To Address Risk Implement cost-effective risk control activities • How do we rate the control effectiveness?
to address or mitigate risks, as encapsulated in • In the light of risk control assessment and
a risk management plan. prioritisation, what is the most cost-effec-
tive way to address/mitigate the risk?
Develop Effective Information and Develop cost-effective information and commu- • How can we integrate risk as well as per-
Communication nication systems and processes to enable the formance information and indicators into
organisation in meeting its objectives, and for our everyday business performance report-
timely reporting of risks and decision-making. ing and decision-making processes?
Implement On-going Monitoring Activities to Once risk controls are established, develop and • How do we use information management
Ensure Controls are Effective implement on-going cost effective monitoring systems and technologies/IT to maintain or
activities to ensure that risk management and enhance our on-going risk monitoring and
control practices continue to operate effectively performance reporting capability?
and ef ficiently as an integral par t of
organisational culture and business processes.

April 2008 • ACCOUNTANTS TODAY 27

Embedding Risk Management Practices for Improved Organisational Performance

(See Diagram 2)
Diagram 2 Cascading Corporate Measures using the Balanced Scorecard Approach
Map and allocate each strategic objec-
Corporate tive into business and support units’ objec-
Process Financial 20% (Operating Margin) tives as shown in Diagram 3. Not all stra-
Customer 25% (Customer Satisfaction)
tegic objectives are applicable to all units.
Customer People Processes 35% (Safety Index)
People 20% (Employee Satisfaction) ‘Weight’ the achievement of each unit for
BU 1 BU 2 clarity so that individuals managing their
Process Process Financial 20% (Operating Expenses)
own unit are clear about their unit perfor-
Customer 25% (Customer Retention)
Customer People Customer People Processes 35% (Days Absent) mance, avoiding any finger pointing. Elimi-
People 20% (Certification) nate joint responsibilities.
Dept A Dept B
Thereafter, develop risk management
Process Process Financial 10% (Variable Cost)
Customer 35% (First Pass Yield) plans for each level of objectives (whether
Customer People Customer People Processes 30% (Accidents) strategic, business, functional, operational
People 25% (Cross-Training)
and project) as an integral par t of
Individual 1 Individual 2
Customer 35% (On -time Delivery)
organisational culture, planning and bud-
Process Process
Processes 35% (Log Book Violations) geting processes, and performance man-
Customer People Customer People People 30% (Achieving Targets) agement practices. (Shown in Diagram 4)
All risk management plans interact with
each other constantly, “passing” risk items
Diagram 3 Cascading and Aligning Corporate Measures Enterprise-Wide up and down through dif ferent
Organisation Business Unit 1 Business Unit 2 Business Unit 3 Support Unit 1 Support Unit 2 organisational levels based on its imple-
(Sales) (Customer Service) (Production) (Finance) (Human Resource) mentation capability over the risk items.
Strategic Objective 1 $7.0 mil $3.0 mil Criteria for passing risk are categorisation,
(Revenue/ Funding (70%) (30%)
RM10mil) materiality and/or impact upon the
Strategic Objective 2 30% of responses 70% of responses organisation — similar to perhaps the cri-
above 98% above 98%
(Customer
satisfaction satisfaction teria for passing information to the Board.
Satisfaction 98%)
For example, if a unit cannot address risk
Strategic Objective 3 Safety above 95% solely by itself because they do not have
(Safety Index 95%) benchmark
control, influence and/or authority over
Strategic Objective 4
Ave 85% of all staff Ave 85% of all staff Ave 85% of all staff Ave 85% of all staff Ave 85% of all staff the implementation of the risk control, that
employed within Unit employed within Unit employed within Unit employed within Unit employed within Unit
(Employee unit’s risk must be passed up as a risk item
Satisfaction 85%)
into the organisational risk profile for cor-
porate action.
Cascading & Aligning Performance to Strategy Alternatively, if the risk control were op-
erational in nature within that unit, the Unit
Diagram 4 Developing and Integrating Individual Risk Management Plans Enterprise-Wide Head would pass down that risk item into
the department’s risk management plan for
Organisation Business Unit 1 Business Unit 2 Business Unit 3 Support Unit 1 Support Unit 2
(Sales) (Customer Service) (Production) (Finance) (Human Resource) the Department Head’s attention. The De-
Strategicc Ob
Objective 1 $7.0
7.0 m
mil $3.0
3.0 m
mil partment Head would then be responsible
(Revenue/e/ FFunding (70%)
70% (30%)
30% for that risk. This interaction process en-
RM10mil)
sures that someone will act upon risk iden-
Strategicc Ob
Objective 2 30% off res
responses 70% off res
responses tified from any part of the organisation.
(Customeer aboveve 998% above
ove 998%
Satisfaction
tion 98%) satisfaction
sfac satisfaction
sfac
Integrate the risk management process
into the strategic management process if
Strategicc Ob
Objective 3 Safety abov
above 95% organisational culture and processes per-
(Safety Index
ndex 95%) benchmark
chm
mits as shown in Diagram 5.
Strategicc Ob
Objective 4 Ave 85%
% of all staff Ave 85%
% of all staff Ave 85%
% of all staff Ave 85%
% of all staff
For example, accompany business propos-
(Employeee employedd wi
within Unit employedd w
within Unit employed
ed w
within Unit employedd wi
within Unit als with a sub-section on risk management.
Satisfaction
tion 85%)
The risk management sub-section clearly
Org Business Business Business Functional Functional sets out all key risks affecting the achieve-
Risk Risk Risk Risk Risk Risk ment of the business proposal, clearly iden-
Profile Mgt Plan Mgt Plan Mgt Plan Mgt Plan Mgt Plan
tifying responsibility and accountability for
risk control, what funding is allocated from
existing (or future) budgets to address these
Cascading & Aligning Performance to Strategy
risks and whether the business proposal

28 ACCOUNTANTS TODAY • April 2008

 Embedding Risk Management Practices for Improved Organisational Performance

clearly promotes the achievement of

Diagram 5 Integrating Risk Management into Strategic Planning Process2
organisational strategy through clear mea-
surable output and/ or outcomes.
As part of a manager’s monthly perfor- Establish Context & Determine & Assess & Evaluate Determine Risk Identify Cost
Identify Evaluate Existing (Quantify) Risk Appetite & Agree on Effective Risk
mance report, include a section on risk Performance
Related Risk
Controls Likelihood & Impact Acceptable Risk
Levels/ Tolerance
Actions/ Treatments
(Risk Mgt Plan)
management, identifying issues or risk
Monitor Control & Execution Gap
potentially affecting the manager’s perfor-
Identify Objectives/ Monitor Update
mance for their unit or department. This Drivers &
Identify Actions
Required (Strategy Implementation of
Monitor/ Review
Changes (External/ Assumptions,
Environment Formulation) Actions (Strategy Internal) Plans, Controls &
way, risk management is not about box Scanning Implementation) Objectives

ticking but becomes an integral part of per-

formance reporting and management.
Risk Management Process
Therefore, risk management must NOT
be an add-on or separated as an indepen- 2 “Outperform by Linking Performance and Risk Management”, Accountants Today, February 2008, page 26.

Diagram 6 Embedding Risk Management Plans Enterprise-Wide

Organisation Enterprise-Wide
Vision/ Risk Strategy &
Strategy Appetite
Strategic Organisational
Objectives/
Measures/ Risk Profile
Targets

Integral Part of Business Planning, Budgeting; Performance Management

Business
Objectives/ Business Risk
n Performance to Strategy

Measures/ Mgt Plan

Targets
Risk to Risk Strategy
a
Functional
Objectives/ Functional Risk
Measures/ Mgt Plan
Targets
& Aligning

& Aligning EEnterprise-Wide R

Operational
Objectives/ Operational Risk
Measures/ Mgt Plan
Cascading

Targets
s

Project
Objectives/ Project Risk
Measures/
Mgt Plan
Targets
Cascading
a

Individual
Objectives/ Performance
Measures/ Plan
Two-way influences Targets

dent activity. Risk management must be part sum of its parts. ment with assurance that a responsible
of organisational culture, embedded as part 2 Supporting units’ objectives must sup- person is continuously monitoring or
of everyday organisational life as shown in port the achievement of business units’ implementing risk controls.
Diagram 6. The risk management plan is objectives. 5 Rename your Risk and Audit Depart-
therefore a “living document” embedded as 3 Adequately resource risk controls activi- ment to Business Assurance Department.
a sub-set of performance reporting and bud- ties from budgets but prioritise against 6 Avoid “risk manager” job titles since
get reviews, where risk and achievements strategic themes. Otherwise, risk man- risk ownership is a collective matter.
are constantly monitored and evaluated agement plans become meaningless. Using one of the many approaches
against strategy and objectives. 4 Monitor and report on risk activities shown in Table 2, inputs, activities, outputs,
Take note of the following: through performance reports, rather and outcomes are chain of events that de-
1 Avoid silo-based risk management than specific risk reports. Integrate risk scribe organisational, unit and departmen-
practices as changes to one part of any reporting into performance or monthly tal performance. Inputs (e.g. qualified train-
system or organisation will affect other reports as it aids the achievement of ers recruited) lead to activities (e.g. train-
parts since the whole can exceed the business results, providing manage- ing activities), which lead short-term out-

April 2008 • ACCOUNTANTS TODAY 29

Embedding Risk Management Practices for Improved Organisational Performance

puts (e.g. number of training sessions con- the long-term outcomes (e.g. improvement “Are we doing things right?”, whereas out-
ducted). At some point, the customer or in staff competencies and behaviours as puts and outcomes answer the question “Are
beneficiaries served by organisational ac- the long-term result of the training). we doing the right things?”. By measuring/
tivities will either achieve or not achieve Inputs and activities answer the question quantifying the chain of events, we are able
to determine the performance barriers or
Table 2 Risk & Control Cycle risk, which would feed into risk manage-
Item Description Sample Performance Indicators/ ment plans. Knowing the measures help
Measures in the risk identification process.
Objectives • Goal, planned or intended • Improve quality of learning Subsequently, risk management plans (Dia-
outcome. and student performance. gram 7) can be developed from the inputs,
Inputs • Resources consumed by the system, • Government Funds — activities, outputs, and outcomes chain of
including cost/workforce. $30.0 mil.
events. The risk management plan sets out
• Financial/staffing. • 100 qualified trainers.
cost-effective risk controls required to achieve
Activities • Steps to produce the output. • 2,000 training hours.
objectives, evaluation of risk likelihood and
• Quality, quantity, timeliness, efficiency. • 1,000 workshop hours.
consequences, and determine inherent risks
Outputs • Products & services produced. • 20,000 trained teachers.
• Productivity (units of work).
the organisation is prepared to accept in line
• 4.3 million new textbooks.
• 90% trainer satisfaction. with the Board-approved risk appetite as en-
Outcomes • Results that accomplish the mission; • 20% increase in student capsulated it its Enterprise-wide Risk Strategy.
impacts. test scores. The organisation can either be a risk-averse
• Behaviour changes. • 10% increase in future earnings or risk-taking organisation. By shifting the risk
• Programme/service effectiveness. of primary school graduates. control fulcrum as shown in Diagram 8,
Risk and • Assumptions are risk and enabling • Inadequate provision of organisations can strategically position and set
Critical factors. They are external conditions Government funding. their risk tone for managing risk. However,
Assumptions that are outside the direct control • Selected trainer is competent.
there is always a cost to implementing risk
of the organisation. • Students have the ability to
• Achieving objectives can depend on concentrate. controls. Weak currency may for example
whether assumptions hold true. become an inherent risk that the organisation
• Assumptions are made about the has to accept, with little it could do directly.
degree of uncertainty (degree of risk) In summary, performance is all about
between different levels of objectives.
achieving the corporate objectives and execut-

Diagram 7 Sample Risk Management Plan

Risk Controls
Risk Consequencee Likelihood Risk Resources
Risk Event Impact Mitigation Effectiveness Responsibilityy Timing
g
No Rating Rating Rating
ing Required
Strategy Rating
What can
happen
Describe
How it can happen controls that
mitigates the
risk
Likelihoodd of
What consequence Date when Funding/
identified risk
might be if risk risk action resourcing the
occuring
occurs Evaluate adequacy is due implementation
of risk controls of risk strategy
Rating = Consequence X Likelihood
Mapped against Risk Profile Individual responsible for
managing risk action plan,
and making sure all actions
are completed

ing organisational strategy. Performance bar-

Diagram 8 Strategically Positioning Organisational Risk Appetite
riers or risks must be identified and mitigated
as part of managing organisational perfor-
mance. Enterprise-wide risk management
practices must therefore be an integral man-
agement tool that forms part of any corporate
performance management system. AT
The writer can be contacted at patrickow@
gmail.com

30 ACCOUNTANTS TODAY • April 2008