N ove m b e r – D e ce m b e r 20 09 | Vo l u m e 1 1 , N u m b e r 6

T H E S T R AT E G Y E X E C U T I O N S O U R C E

SPECIAL RISK
Risk Management and the
B A L A N C E

MANAGEMENT ISSUE
In the aftermath of the global eco-
Strategy Execution System nomic meltdown, risk management
has taken on new importance, not only
in the financial services sector, but
By Robert S. Kaplan across industries. This first-ever theme
issue of Balanced Scorecard Report is
Besides rethinking strategy, perhaps nothing has preoccupied business devoted exclusively to the nexus of
leaders these past months more than their failures in risk manage- risk management and strategy. BSC
O N

cofounder Robert Kaplan presents his

ment. In this opening gambit, Robert Kaplan explores how risk opening gambit on the subject (oppo-
management can be better integrated into strategy execution. An site); and we offer three Case Files from
organizations as diverse as a NASA
analysis of risk management—its history and mainstream approaches agency, a unit of a major bank, and a
—and of resulting market failures leads him to conclude that risk consumer products giant. These stories
are based on presentations delivered
management should be viewed as a third leg of shareholder value at the Palladium Group’s 2009 Strategic
creation, along with revenue growth and productivity. Here, Kaplan Risk Conference, “Turning Risk into
Opportunity.”
introduces two important concepts: a three-level hierarchy of risk;
and the risk indicator scorecard, a parallel to the strategy scorecard Executive Insight ........................................7
that he and David Norton conceived nearly two decades ago. What Bad Things Could
Happen? Risk Management at
Jet Propulsion Laboratory
The financial crisis that erupted in 2007 revealed a major gap in the manage- Following two space shuttle disasters,
ment systems of companies, especially those in the financial sector. Companies’ NASA completely overhauled its risk
management systems were focused on shareholder value, revenue growth, pro- management process to foster a culture
focused on risk. Gentry Lee, chief engi-
ductivity, cost control, and quality. But few explicitly incorporated risk. At recent neer of JPL’s Planetary Flight Systems
speaking events, I have been asked whether using the Balanced Scorecard Directorate (which oversees all robotic
would have helped the failed companies avoid the catastrophe they inflicted on planetary spacecraft), reveals the orga-
nization’s approach at every stage of a
shareholders, creditors, and the world economy. I usually respond by articulating mission.
the hope that adopting the BSC, whose underlying philosophy entails seeking a Case File ....................................................10
balance between achieving short- and long-term strategic objectives, would have Leadership and Strategic Risk
mitigated some of the excessive risk taking that the failed companies pursued Management: An SFO Approach
for short-term financial gain. But, candidly, the measurement, mitigation, and No new processes or data required: it’s
management of risk have not been strongly featured in David Norton’s and my all about orientation. Here’s how one
banking executive has made risk man-
work.1 So the events of recent years have forced us to think more deeply about agement as day-to-day a process as
how to incorporate risk management into our strategy execution framework. strategy management. Foster the right
mindset with leadership, he advises,
Risk management is not new. People have been studying risk and its mitigation and use the SFO principles as a natural
framework.
for centuries.2 International regulations, such as the Basel I and Basel II rules,
have institutionalized risk management for banks.3 Actuarial societies and COSO Case Snapshot ........................................13
(the Committee of Sponsoring Organizations of the Treadway Commission) have Integrating Risk Management into
the Strategic Planning Process at
formalized a new discipline of enterprise risk management (ERM) and promulgated Canadian Blood Services
standards for implementing it. Many companies established risk management Have a glance at this BSC Hall of Fame
departments led by a C-level chief risk officer to comply with these and other organization’s pioneering approach to
integrating risk management with
regulations (such as Sarbanes-Oxley) as well as to help the enterprise manage strategy management.
its risk exposure. Risk professionals have their own organizations (the Global
Decision Analytics ..................................14
Association of Risk Professionals, the Risk Management Association), certification
Managing Operational Risk at
examinations, and a rich array of sophisticated risk modeling processes at their Mars, Incorporated
disposal. Yet despite risk management’s extensive history, sophisticated models The company known for everything
of risk exposure, and a large population of risk management professionals, from M&Ms and Uncle Ben’s rice to
Pedigree pet food has an impressive
many companies affected by the crisis failed because of their excessive exposure and rigorous system for identifying and
to risk. Apparently, all were doing their jobs, and yet the system failed. Many managing operational and strategic
interrelated factors contributed to the failures,4 but two in particular stand out: risk. Besides its ERM process, Mars
relies on a rich trove of analytic data to
anticipate, prioritize, and mitigate
Continued on next page risks—and share effective tactics across
its business units and segments.
Balanced Scorecard Report

companies’ failure to explicitly strategic processes—those that Balanced Scorecard Report

account for risk when formulating are identified in the process per-
Editorial Advisers
their strategies, and their failure spective of an entity’s strategy Robert S. Kaplan
to monitor and manage the risks map and scorecard—and vital Professor, Harvard Business School
David P. Norton
they had assumed. processes: those vital to conducting Director and Founder, Palladium Group, Inc.
business but that do not contribute Publishers
Fifteen years ago, Norton and I Robert L. Howie Jr.
to the differentiation of the strate-
surveyed managers and learned Managing Director, Palladium Group, Inc.
gy. Examples of Level 3 vital
that 85% of senior executives Edward D. Crowley
processes are maintaining and General Manager, Newsletters,
spent less than one hour per Harvard Business Publishing
updating the financial accounting
month discussing strategy; 50% Executive Editor
and tax systems (such as posting Randall H. Russell
reported they spent zero hours
entries to the general ledger and VP/Director of Research, Palladium Group, Inc.
per month on strategy. But most Editor
the accounts receivables and
senior executives spent even less Janice Koch
accounts payables ledgers; and Palladium Group, Inc.
time managing risk than they
paying and receiving cash), pro- Circulation Manager
did managing strategy. Then, as Bruce Rhodes
tecting assets and information,
now, they viewed risk manage- Newsletters, Harvard Business Publishing
and ensuring information security, Design
ment as a compliance function—
privacy, backup, and disaster Robert B. Levers
something they could delegate to Levers Advertising & Design
recovery. They also include the
their risk professionals, who in Letters and Reader Feedback
internal control processes that Please send your comments and ideas to
most firms tend to be siloed and [email protected].
protect the firm from fraud, negli-
subordinate. If companies are to Subscription Information
gence, legal, and other potential To subscribe to Balanced Scorecard Report, call
get serious about risk manage-
regulatory liabilities. Any break- 800.668.6705. Outside the U.S., call 617.783.7474,
ment, it must be embedded into or visit bsr.harvardbusinessonline.org. For group
down in a Level 3 process could subscription rates, call the numbers above.
the routines and processes of
expose the company to significant Services, Permissions, and Back Issues
senior management, much as we Balanced Scorecard Report (ISSN 1526-145X)
financial and information losses is published bimonthly. To resolve subscription
have promoted strategy manage-
and expensive regulatory and liti- service problems, please call 800.668.6705.
ment within the organization Outside the U.S., call 617.783.7474.
gation procedures. But even when Email: [email protected]
through the use of our six-stage
these processes are performed Copyright © 2009 by Harvard Business School
strategy execution system. Publishing Corporation. Quotation is not permitted.
perfectly, the company could still Material may not be reproduced in whole or in part
in any form whatsoever without permission from the
The Risk Management fail in its strategy execution. publisher. To order back issues or reprints of articles,
please call 800.668.6705. Outside the U.S., call
Framework Through the extensive training of 617.783.7474.

Enterprises face many different personnel and the establishment Harvard Business Publishing is a not-for-profit, wholly
owned subsidiary of Harvard University. The mission of
types of risk. I have found it useful of standard operating procedures Harvard Business Publishing is to improve the practice

to classify risks into three cate- and internal controls, including of management and its impact on a changing world.
We collaborate to create products and services in the
gories, based on their degree the segregation of duties and media that best serve our customers—individuals and
organizations that believe in the power of ideas.
of predictability, controllability, dual authorizations, companies
and management, and, most attempt to have zero defects in Palladium Group, Inc., is the global leader in helping
organizations execute their strategies by making
important, on the magnitude of Level 3 processes. The internal better decisions. Our expertise in strategy, risk,
corporate performance management, and business
their consequences to the enter- audit department plays a key role intelligence helps our clients achieve an execution
premium. Our services include consulting, conferences,
prise. Level 3, the lowest category, in monitoring Level 3 risks by communities, training, and technology. The Palladium

encompasses routine operational verifying that standard operating Balanced Scorecard Hall of Fame for Executing Strategy™
recognizes organizations that have achieved an out-
and compliance risks. Level 2 procedures are being followed standing execution premium. For more information, visit
www.thepalladiumgroup.com or call 781-259-3737.
represents strategy risks, and Level without exception and by high-
1 captures global enterprise risks. lighting defects and deviations in
compliance and routine operating
Level 3: Routine Operational processes. Further, Sarbanes-
and Compliance Risks Oxley audits are performed on
Level 3 processes to provide Join us! Sign up for the free
At the bottom of the risk hierarchy, external assurance on the effec- BSC Online e-newsletter at www.thepalladi-
umgroup.com/bsconline. Become a member of
Level 3 risks arise from errors tiveness of a company’s internal the Execution
in routine, standardized, and controls. In short, Level 3 risks Premium Community (XPC) at www.thepalladi-
umgroup.com/xpc.
predictable processes that expose are known and avoidable. Risk
the firm to substantial loss. In our management of these processes
Sign up for the electronic version of
BSR—available only to subscribers—
work on linking strategy to opera- strives to achieve 100% compli- at www.bsronline.org/ereg.
tions, we distinguish between ance and zero defects.

2
 November–December 2009

Level 2: Strategy Risks those linked to the customer At this time, the development of
value proposition and customer a risk scorecard is more conjecture
Companies select strategies that
outcomes; and the financial and concept than actual fact.
they hope will create and sustain
perspective depicts those related So I cannot present a working
a competitive advantage that leads
to revenue, price, and margin example of a complete, actual
to superior financial returns. But
objectives. The strategy map thus risk scorecard. But it would not
earning superior returns requires
provides a natural framework be premature to consider some
companies to accept some risk.
for identifying, mitigating, and general principles for developing
Companies wanting a risk-free
systematically managing the risks a risk scorecard and its associated
strategy would have to invest all
to a company’s strategic objectives initiatives.
their capital in default-free and
in an integrated and comprehen-
inflation-protected government What Would a Risk Scorecard
sive manner.
bonds, an action that any of their Look Like?
shareholders could do individually Some companies, particularly
Let’s start with the entity’s strategy
just as well, and probably more those in financial services such
map of linked strategic objectives.
cheaply. as Bank of Tokyo-Mitsubishi UFJ
In building the BSC for the strate-
and SwissRe, already incorporate
Strategy risk can be straight- gy map, we would, of course,
a risk management strategic
forward and easily quantifiable, formulate metrics for every strategy
theme into their strategy maps.
as when a company accepts the map objective, followed by targets
(This theme is in addition to tradi-
risk of default when extending for each metric and, finally, strate-
tional strategic themes relating to
credit to customers; or it can gic initiatives designed to close
operational excellence, customer
be more speculative, as when a the gap between targeted and
management, and innovation.)
company invests in developing current performance.
Defining a risk management
an entirely new product line or
strategic theme highlights risk Working from the same strategy
entering a new geographic market.
management as a key component map, we could build a risk score-
To manage its various Level 2
of the company’s strategy and card by first identifying for each
risks, a company should identify
makes it visible for resource allo- strategic objective the primary
the major plausible risks inherent
cation, monitoring, and discussion risk events that would prevent
in the strategy, attempt to mitigate
at strategy review meetings. I the objective from being achieved.
and manage those risks, and
have tentatively concluded, how- For each risk event, we would
then continually monitor the risk
ever, that measuring and manag- select metrics that would be early
exposure it has accepted to earn
ing risk differs so substantially warning or leading indicators
superior returns.
from measuring and managing of when the risk event might be
The risk management literature strategy that it may be preferable occurring. Take, for example, the
identifies a long laundry list of to develop a completely separate common learning and growth
possible strategy risks, such as risk scorecard. Strategy is about objective “Achieve strategic job
financial risk; customer, brand, and moving the company forward readiness,” in which all employees
reputation risk; supply chain risk; toward achieving breakthrough in strategic job families have the
innovation risk; environmental performance. The strategy map skills, experience, and knowledge
risk; human resources risk; and and scorecard provide the road to perform their processes at a
information technology risk. map to guide this strategic journey. high level of excellence. This
Such a list implies a complex risk Risk management, in contrast, is objective would typically have a
management process perhaps about identifying, avoiding, and BSC metric “percentage of employ-
specific to each type of risk. overcoming the hurdles that the ees in strategic job families rated
Recall, however, that the strategy strategy may encounter along as ‘very good’ or ‘excellent’ for
map and Balanced Scorecard the way. Avoiding risk does not relevant skills, experience, and
already contain all of an entity’s advance the strategy; but risk knowledge”; a target of 90% or
strategic objectives and the inter- management can reduce obstacles higher; and strategic initiatives
relationships among them: the and barriers that would otherwise involving in-class and on-the-job
learning and growth perspective prevent the organization from training, a pay-for-knowledge
contains objectives for people and progressing to its strategic desti- incentive plan, and planned job
technology; the internal process nation. The metrics for a risk rotations.
perspective has objectives for scorecard and associated initia-
What risk events would threaten
managing operations, customers, tives for preventing or mitigating
this strategic objective? They
innovation, and environmental, risks seem fundamentally different
could be high turnover or retire-
regulatory, and social processes; from the BSC metrics and initiatives
ments of experienced employees
the customer perspective shows used to move a strategy forward.
3
Balanced Scorecard Report

in strategic job families, ineffective than wait for risk metrics to signal and their derivatives turned out
training programs, or lack of an adverse condition, manage- to be far higher than had been
mobility. Risk metrics would ment needs to estimate which assumed in the VaR models,
thus reflect each of these poten- risk events are the most likely leading to the collapse of many
tial problems—current turnover to occur and will have the most financial institutions such as
rates, number of actual or antici- adverse consequences to the Bear Stearns, Lehman Brothers,
pated retirements, evaluations strategy. Certainly this is easier Wachovia Bank, and Washington
of training program relevance to advocate than implement. In Mutual.
and effectiveness, and gaps some circumstances, companies
When historic data are not avail-
between the demand and supply have sufficient historic data to
able or adequate to quantify
of fully qualified employees estimate the likelihood of many
risk exposure, risk managers use
(such as when some locations types of risk events. Insurance
another tool, the heat map, as a
have an excess supply of employ- companies can estimate the prob-
framework for stimulating discus-
ees, while others, perhaps in abilities of events they insure
sion and, they hope, for gaining
different countries or continents, against, including mortality, natu-
consensus on their subjective
have serious shortages). For an ral disasters, sickness, and car
estimates of risk events. For each
innovation objective at a pharma- accidents. Financial firms have
identified risk event—e.g., high
ceutical company, the risks could extensive historical data on the
turnover in a given strategic job
be failed or delayed clinical trials. prices and correlations of financial
family, an ineffective training pro-
Supply chain risks could be dis- instruments such as stocks, bonds,
gram, unexpected retirements—
ruptions in a supplier’s plant or and derivatives, which give them
managers estimate, usually on
bottlenecks at a distribution the apparent ability to forecast the
a 1-to-5 scale, two parameters:
center. Following this approach, likelihood of losses of a given
the likelihood of the event and
each strategic objective on the magnitude and to summarize their
the magnitude of the event’s
strategy map would have one risk exposure with an aggregate
consequences (see Figure 1).
or more risk metrics that would metric known as “value at risk”
They multiply the two ratings
provide an early warning signal (VaR).5 Unfortunately, the risks
to produce a heat map score of
about when performance along of some of the newer and more
between 1 and 25. (See Figure 2.)
that strategic objective is in jeop- complex financial instruments,
ardy. A rising trend in a risk met- particularly mortgage-backed Managers use the heat map
ric, or even a single observation securities and their derivatives, score to set priorities for selecting
above a pre-set control limit, were estimated from historic time and funding risk prevention and
would generate a management periods that did not include a mitigation initiatives. Risk events
alert requiring immediate atten- decline in U.S. housing prices. that score 15 or higher on the heat
tion. When housing prices began a map are the most likely and con-
nationwide decline in 2006 and sequential; they get priority for
Risk management should be
2007, the default rate and correla- the limited funds available for ini-
anticipatory and preventive,
tions among mortgage securities tiatives to prevent or mitigate risk.
not reactive. Therefore, rather
Thus the planning for coping
Figure 1. Calculating a Risk Score with Level 2 strategic risks
requires that managers identify
Likelihood of the Event the major risks to the strategy,
Score 5 4 3 2 1
establish an early warning risk
scorecard to signal when adverse
Rating Virtually Likely Even Unlikely Remote conditions are occurring, and set
certain odds
priorities for funding initiatives
Probability event
will occur in the 95% 75% 50% 25% 5%
that will prevent or mitigate the
next 36 months most likely and consequential of
the strategic risk events. Because
Magnitude of the Event’s Consequences of the comprehensive nature of
Score 5 4 3 2 1
the strategy map, which includes
the processes most critical for
Consequence Highly Adverse Moderate Some Little successful strategy execution,
adverse impact impact impact
the firm will be anticipating and
planning for its most significant
For each identified risk, managers estimate the likelihood of an event’s occurrence operational as well as strategic
and the magnitude of its consequences, usually on a 1-to-5 scale. risks.
4
 November–December 2009

To be effective, risk management Figure 2. A Heat Map

cannot be done in a siloed fashion
by risk professionals only nor
delegated to middle management High 5 15 25
functions and departments. Senior
managers, during their monthly

Likelihood of the Event

strategy review meetings (Stage
five in the strategy execution
system, Monitor and Learn), Medium 3 9 15
should allocate time to discuss
critical operational and strategy
risks. Risk professionals can lead
or facilitate discussions of risk
indicators and risk initiatives at Low 1 3 5
these senior management meet-
ings. Such periodic reviews would
ensure that executives regularly Low Medium High
discuss the company’s risk expo-
Magnitude of the Event’s Consequences
sure and assess how well they
By multiplying the “likelihood” rating by the “magnitude” rating, managers arrive at
are mitigating these known risks a heat map score of between 1 and 25. A score of 15 or higher represents a risk event that is
to the strategy. most likely to occur and most consequential and should get funding priority for mitigation
and prevention initiatives.
Level 1: Global Enterprise Risks
consequences ranking of higher metaphor, a Level 1 risk to
Level 2 risk management addresses than 5 (highly adverse). California is a severe earthquake
the “known unknowns.” But along the San Andreas fault.
the failures of many companies Myopia to existential risk was
Scientists believe that such an
are triggered by the “unknown not confined to financial firms.
event is plausible within the next
unknowns”: the unpredictable, The black swan event for General
several decades, but they cannot
unprecedented occurrences that Motors and Chrysler was the
predict either the year it will
create existential risk. Such events doubling or tripling of oil prices,
occur or its magnitude. Neverthe-
are often referred to as “black which made their profitable prod-
less, citizens can mitigate in
swan” events, based on the title uct lines of large, fuel-inefficient
advance the consequences of
of a highly popular book by vehicles essentially unsalable to
such an earthquake by construct-
Nassim Taleb that mocks attempts U.S. consumers, causing massive
ing buildings that are earthquake
by companies to use quantitative losses and tipping the already
resistant and by formulating emer-
models to measure and manage financially strapped and highly
gency and disaster relief plans.
risk.6 Consider the VaR models leveraged companies into bank-
used by many financial institu- ruptcy. Neither company had Some companies do their Level 1
tions (and the risk models used planned or implemented a strategy risk planning by conducting active
by credit rating agencies). These that could generate positive discussions of unlikely events
were based on data going back cash flows in a world of high and their consequences. Goldman
several decades during which gasoline prices. Sachs and JP Morgan Chase hold
there was no nationwide decline regular tail-risk meetings of senior
Companies need to consider what
in housing prices. Senior man- management where they discuss
unlikely event or combination of
agers at many financial institu- the consequences of unlikely
events could lead to their demise.
tions apparently believed that external events. (They are called
As much as David Norton and I
such an across-the-board decline tail-risk meetings because the
have preached for 20 years that
was an extremely unlikely event, likelihood of the events are in the
you cannot manage what you
outside the 99% confidence inter- “tail” of the probability distribu-
don’t measure, Level 1 enterprise
val of their VaR models. As a tion.) Such events could include
risks have humbled and chas-
result, they had no alternative a tripling of energy prices, a
tened me. I now agree with Taleb
or complementary process for devaluation of the U.S. dollar, civil
that quantitative models may have
assessing or mitigating their expo- insurrection in China, a devastating
limited applicability in predicting
sure to rare events. Referring earthquake or hurricane in a
the likelihood of Level 1 risks,
to the heat map tool, one can sensitive region, or war in the
especially within a given time
interpret a black swan event as Middle East. The group assesses
period. But I disagree with Taleb
having a probability ranking of less the ramifications of the event, the
that managers cannot plan for or
than 1 (highly unlikely) and a mitigate them. Using a physical
5
Balanced Scorecard Report

impact on the company’s strategy, not have the requisite variety to these risks and to develop counter-
and what might be done to avoid survive changes in that environ- measures they can deploy should
or mitigate the adverse conse- ment. The discussions around they occur.
quences should it occur. As the Level 1 risks help the leadership
Ultimately, risk management
chief risk officer of JP Morgan team determine whether the
requires leadership, especially
Chase told me, “Most of the company’s strategy is sufficiently
when times are good and no
events we discuss at these meet- robust to survive the disruptions
clouds are visible on the horizon.
ings never occur, thank God; but that might occur from black swan
CEOs must have the courage to
a few of them have happened, events in its physical, economic,
turn down apparently profitable
and we have either already miti- and competitive environments.
opportunities that expose the
gated their consequences or,
Mitigate, Plan, Lead company to excessive risk. As
because of our prior contingency
M.D. Ranganath, chief risk officer
planning, acted rapidly to mini- “Prediction is very hard, especially of Infosys (a BSC Hall of Fame
mize the damage.” about the future.”8 Risk manage- company), observed at the 2008
Scenario planning provides a ment requires predicting events, Harvard Business School Global
systematic process to help man- particularly unlikely ones that Summit:
agers consider the correlated have never occurred. But despite
Everyone does risk management
consequences of future events. the difficulty of risk management, in bad times. The strong test
The scenarios are often triggered senior executives who avoid, de- of risk management is whether
by natural acts (earthquakes, emphasize, or delegate it do so at it works in good times. Will top
hurricanes, tsunamis), global their peril. management stand behind the
economic phenomena (dramatic risk managers, avoiding tempta-
Risk comes in many forms and tion and saying no to things
changes in energy prices, currency combinations. Some risks—Level 3 that put the enterprise at risk? I
exchange rates, interest rates, risks—are known and avoidable.
economic growth rates, or regula- We attempt to minimize their inci- 1. As an exception, see the discussion of risk
management as an internal process in pp. 73–77
tion), or competitors’ actions. LG dence through standard operating of R. S. Kaplan and D. P. Norton, Strategy Maps
Display, the Korean producer of procedures, internal controls, and (Harvard Business Publishing, 2004).
large LCD displays, conducts two- internal audits. Other risks, which 2. An excellent reference is Peter L. Bernstein,
Against the Gods: The Remarkable Story of Risk
day war games three times a year we classify as Level 2 risks, are (Wiley, 1996).
in which four management teams inherent in the firm’s strategy. 3. Basel I, supplanted by Basel II, focuses on
(one representing LG Display; The firm accepts them as neces- credit risk, establishing minimum capital require-
the others, its three largest com- ments for banks.
sary in its pursuit of superior
petitors) assess how the company’s returns but attempts to reduce 4. Among them: using the wrong measures or
not fully understanding the properties of the risk
current strategy would perform their likelihood of occurrence or measures being used, using incorrect data for
against those that its competitors mitigate them. The strategy map estimating risk measures, failing to understand
correlations between risk measures, and taking
might deploy or counteract with. provides a powerful framework big bets that unlikely events would not occur.

Following the Kaplan/Norton for identifying strategic and key 5. Value-at-risk is an estimate of the amount that
can be lost at a specified probability of occurrence
Strategy Execution model, man- operational risks, which can then during a specified time interval. For example, a
agers can address these Level 1 be monitored with a separate risk securities trader with a five-day, 99% VaR of $50
million has estimated that the current trading posi-
enterprise risks during their delib- indicator scorecard. Heat maps tion has less than a 1% chance of a loss exceeding
erations in Stage six of the strategy display the likelihood and impact $50 million over the next trading week.

execution system, Test and Adapt of risk events, helping managers 6. Nassim N. Taleb, The Black Swan: The Impact of
set priorities and fund risk mitiga- the Highly Improbable (New York: Random House,
the Strategy. The CEO could lead 2007).
a discussion around “the three tion initiatives. Finally, some risks,
7. R. Simons identified three such occurrences in
things that would cause our strat- from uncontrollable, external “How Risky Is Your Company?” Harvard Business
egy to fail.”7 The leadership team events, can threaten the firm’s Review (May 1999).

could engage in scenario planning, existence. These Level 1 risks 8. This quote has been attributed to people as
diverse as Niels Bohr and Yogi Berra.
war-gaming, and tail-risk stress- are especially difficult to predict
testing to learn the sensitivity but can be the most devastating T O L E A R N M O R E
of the company’s strategy to should they occur. We advocate
A pioneering approach is high-
events that occur outside normal the regular use of tools such as
lighted in “Aligning Enterprise
business operations that they scenario planning, tail-risk meet-
Risk Management with Strategy
cannot control. From evolutionary ings, and war-gaming to make
Through the BSC: The Bank of
biology, we learn that species executives aware of such potential
Tokyo-Mitsubishi Approach,” in
that have become too specialized Level 1 risks—hoping that these
BSR September–October 2005
in a particular environment will tools encourage managers to
(Reprint #B0509D).
adopt strategies that can survive
Reprint #B0911A
6
 November–December 2009

existing available system into risk

I N S I G H T
What Bad Things Could Happen? pieces, asking, “In what ways
Risk Management at Jet could this system go wrong under
each situation it will encounter
Propulsion Laboratory during the mission?”

By Gentry Lee, Chief Engineer, Planetary Flight Systems Directorate, “How”: Ranking the Risks
E X E C U T I V E

Jet Propulsion Laboratory There are a lot of bad things

Adapted by Lauren Keller Johnson, from Lee’s presentation at the that can happen with any project,
Palladium Group’s Strategic Risk Conference, April 2009, in New York but you have to identify the
most important ones. We use two
It’s one thing to understand that all organizations must criteria to do this prioritization:
manage risk strategically. It’s quite another to know how, bad things that are (1) most likely
precisely, to make strategic risk management a disciplined to happen and (2) would have
practice in your own company. In the aerospace industry— the worst consequences if they
where high-stake risks lurk everywhere—executives have did happen.
honed risk management to a fine point. Jet Propulsion Think of it as an equation:
Laboratory (JPL) is no exception. Drawing from JPL’s long
and sometimes painful experience, Gentry Lee lays out his Risk ranking = likelihood of
happening × severity of consequences
organization’s systematic approach to managing risk. His
account offers valuable lessons for executives in any industry. The project team for each mission
creates a 5-by-5 matrix, where
In the aerospace industry, the and a budget established for it, one axis represents likelihood
possibility of failure lurks at every we identify the risks—all the bad from 1 to 5, and the other repre-
turn. I often say, “You have to be things that could happen with sents severity of consequences
properly paranoid.” The Columbia the project. Bad things can take from 1 to 5. (A 1 on the likeli-
disaster (along with several other three forms: (1) performance (the hood axis might mean a 1-in-
mission failures) was a wake-up project doesn’t meet the desired 1,000 chance of happening; a 1
call for the industry to establish objectives), (2) cost (it eats up on the consequences axis might
stricter risk management disci- more money than you budgeted), represent a minor nuisance. A 5
pline.1 We set out to build a and (3) schedule (it takes longer on the likelihood axis represents
culture around this. With every to complete than you wanted). relatively high likelihood; a 5 on
project we work on at JPL, we the consequences axis represents
Take the Phoenix mission to Mars.
invest a huge amount of time and a catastrophic outcome.) Each
Phoenix was a robotic spacecraft
attention in identifying, weighing,
on a space-exploration mission
and mitigating risks. These are
to Mars under the Mars Scout About Jet Propulsion
immense, one-of-a-kind projects—
program. The Phoenix lander Laboratory
everything from trying to blast
descended on Mars on May 25,
apart a comet and analyze its Jet Propulsion Laboratory (JPL)
2008. Mission scientists used
contents to landing a rover on is a federally funded research
instruments aboard the lander to
Mars to assessing atmospheric and development center and
search for environments suitable
chemistry on Venus. In some NASA field center located in
for microbial life on Mars and
missions, people’s lives are at the San Gabriel Valley, north of
to research the history of water
stake. In all of them, large amounts Los Angeles. JPL focuses on con-
there.
of taxpayers’ money are at risk. structing and operating robotic
This mission was cost-capped; we planetary spacecraft, although it
We can’t remove risk entirely
had only so much money we also conducts Earth-orbit and
from anything we do, but we
could spend. We needed to figure astronomy missions. In addition,
can manage it. And we’ve devel-
out how to get the job done JPL is responsible for operating
oped a systematic approach NASA’s Deep Space Network.
with the money we had. One
for doing that. I like to present JPL’s current projects include
technology system required for
this approach as the “what, how, the Cassini-Huygens mission to
the spacecraft was radar, but
when, and who” of risk manage- Saturn, the Mars Exploration
existing systems had been flown
ment as practiced at JPL. Rovers (Spirit and Opportunity),
only in airplanes, not spacecraft.
Because we had no money to the Mars Reconnaissance Orbiter,
“What”: Identifying the Risks and the Spitzer Space Telescope.
develop a new radar system for
The instant a project is confirmed the Phoenix, we broke down the
7
Balanced Scorecard Report

team calibrates the probabilities the science instruments were very identify the most salient risks;
as appropriate to their project. new, so we assigned reserves of they’re the ones most likely to
up to 40% for those. (Even that happen and carrying the worst
Using their knowledge and expe-
margin wasn’t enough: the cost consequences. What do you do
rience, team members position
of one of the science instruments about the more subtle ones—the
each risk to the mission in the
exceeded the reserve.) bad things that, if they happened,
matrix based on its likelihood
wouldn’t necessarily cause catas-
and consequences. For example, Once you’ve established cost and
trophe but might create constant
a risk that has a 1-in-10 chance schedule reserves, you have to
annoyances? In some cases, you
of materializing (a relatively high create a burn-down plan: How
might decide that constant annoy-
degree of likelihood) and that will those reserves be used up as
ance is bad enough that you want
would seriously compromise the the project progresses? Then you
to mitigate that risk.
mission (a severe consequence) have to track use of the reserves
if it did happen would go in the carefully. If the burn-down plan Sometimes, even if the risks are
upper-right portion of the matrix is violated (for example, you start huge, you may decide to go
and be shaded red, indicating that running out of the extra money ahead anyway. JPL’s Deep Impact
it counted among the worst risks. or time you budgeted for the program is a good example. The
All reds must be mitigated. Yellow project), you need to stop and goal of the program was to have
indicates less serious risks that figure out what’s going on. a spacecraft smash into a comet
still need mitigation, and green and have another spacecraft
indicates minor risks that we can “When”: Making Risk Manage- observe the impact for scientific
live with. ment an Ongoing Discipline research. We launched in spite
JPL practices risk management of identifying several red risks
“Newness” criteria help us rank
constantly, through every phase related to systems engineering.
risks in the categories of perfor-
of a project. We analyze the risks Why? There would be no other
mance, cost, and schedule. For
associated with a project’s design comet accessible for at least three
example, if an engineering
and development and the risks and a half years, so we decided
component has never been used
that could surface during testing to take a chance.
in the environment of a mission
we’re planning, the risks are and launch. As each project Soon after we launched Deep
much higher than if the compo- advances, some risks disappear Impact, we realized that its
nent has been flown once in and new ones emerge. The attitude control system was not
the same environment—which, project team reviews the risks properly designed from a systems
in turn, is riskier than if it’s been once each quarter as the project engineering point of view. During
flown multiple times in that advances, prioritizing them using the spacecraft’s six-month flight
environment. the likelihood-and-consequences to impact with the comet, we
weighting model. fixed a half-dozen problems, any
Each project is one of which could have caused
Once you’ve established cost and schedule also reviewed by the spacecraft to miss the comet
reserves, you have to create a burn-down an outside risk altogether. So the mission ended
review team, up being a success, in part because
plan: How will those reserves be used up as we were mitigating risks during
with the frequen-
the project progresses? cy of external flight.
review accelerat- When conditions have permitted,
ing as the launch we’ve also delayed some launches
We then assign cost and schedule date approaches. At the outset, because of the risks. The Mars
reserves (extra money and time) this team weighs in once a year; Science Laboratory (MSL) is an
to the mission based on the risk as we get closer to launch, the example. Known as Curiosity,
ratings. The Mars Reconnaissance team reviews the risks three times this NASA rover will perform the
Orbiter, a spacecraft designed to within six months. Reviews can first-ever precision landing on
investigate the history of water be added on an ad hoc basis, Mars. The rover will carry more
on Mars, is a good example. The too, if at any juncture the project advanced scientific instruments
Orbiter contained spacecraft sys- team and the outside review team than any other mission to Mars to
tems that had been flown five disagree. date. It’ll include instruments for
times before, so JPL assigned the The risk assessment process isn’t the analysis of samples scooped
craft itself a 15% cost and sched- always scientific. You have to use up from the soil and drilled
ule reserve. On the other hand, judgment sometimes. It’s easy to powders from rocks. It will also

8
 November–December 2009

investigate whether Mars may agers have to ultimately address optimism, looking for signs that
have supported microbial life in the risk reviewers’ concerns. particular team members might be
the past or is supporting such If they don’t, a confrontation underestimating the time they’ll
life now. between the need to complete their part of the
project manager
The MSL can be launched only
and the risk man-
during a one-month period that
ager could end The risk manager’s job is to oversee the
comes around every 26 months.
up costing the project, ask the hard questions, and move
If you miss that window, you have
project manager
to wait another 26 months. It was people around if necessary to manage
her job.
a $400 million decision to hold off
cost- and schedule-related risk. We measure
launching, but we decided to do Most risk review
it because we hadn’t achieved key team members people’s optimism, looking for signs that
milestones. The risk of catastrophe are from JPL, particular team members might be underesti-
with a premature launch was too and some come mating the time they’ll need to complete
great, and we realized we were from NASA.
trying to do too many new things Occasionally their part of the job.
at once with the project. It’s very (as in the Phoenix
hard to make this kind of judgment radar problem),
call. But sometimes you just have they come
job. We try to get an accurate
to do it. from the Department of Defense
sense of anticipated costs and
or private industry. The key is to
You also have to learn from the schedules, and we move people
find team members who have the
risk management process. Ours around if necessary to tasks they
specialized knowledge (of areas
has a feedback mechanism that can manage more effectively.
such as motion dynamics, radar,
helps us compare predicted risks
and electronics) needed to ana- Risk management isn’t easy. You
against the actual problems that
lyze and mitigate particular risks. have to get beyond the theory
emerge during a project and use
and find a way to put it into
the differences to assess risks on So, the composition of a risk
practice in a disciplined way.
subsequent projects. review team might change as
Understanding the what, how,
the risks evolve during a project’s
“Who”: Putting the Right when, and who can help. I
journey through the design, test-
People on the Right Risk ing, and launch phases. In addi- 1. In 2003, the space shuttle Columbia disintegrated
Management Tasks tion, for especially risk-intensive over Texas during reentry, killing all seven crew
members. Damage to the shuttle’s thermal protection
Each JPL project has a risk review projects, we may establish a tiger system occurred at launch, but NASA managers lim-
ited the investigation into the damage during flight
team, made up of a handful of team to focus on a particular risk. because they felt little could be done. The disaster
2

prompted significant changes in risk assessment

engineers who have long and Each project has a risk manager and management at the agency.
broad experience. They’ve worked whose job is to oversee the proj- 2. A tiger team is a specialized group assembled to
on dozens of projects and have ect, ask the hard questions, and test the effectiveness of an organization’s ability to
protect assets by attempting to circumvent, defeat,
seen how risks manifest them- move people around if necessary or otherwise thwart the organization’s security.
selves. They can smell trouble. to manage cost- and schedule- (Source: Wikipedia)
And they know how to interrogate related risk. He understands that Gentry Lee is responsible for the engi-
the very smart members of the the biggest sources of cost and neering integrity of all of JPL’s robotic
project team (people who are scheduling risk are (1) too much planetary missions. Previously he over-
supremely confident in their own work, (2) an inability to accurately saw the engineering aspects of the
judgment)—without belittling estimate how much time or money twin rover missions to Mars (2004) and
them. a task will take, and (3) a lack of the Deep Impact and Stardust missions.
He was chief engineer for the Galileo
The risk review team members understanding of the steps needed
project (involving Jupiter exploration)
ask challenging questions about to accomplish the work. The risk and served in a variety of positions on
the project team’s assessment manager actively manages these the Viking project (the first successful
of the risks, and if they’re not sources of risk. landing on another planet). Lee is also
comfortable with the answers, a novelist, television producer, and
For example, at JPL, we break
they keep challenging. These are computer game designer. He coauthored
down project milestones by four best-selling novels with Arthur
confrontational exchanges, and people—who’s doing what for C. Clarke and collaborated with Carl
there are huge egos involved. The each milestone. Then we ask Sagan on the award-winning Cosmos
tension is good. It’s valuable to them how much time they think documentary series.
have smart people confronting it will take to get their part of
each other. But the project man- Reprint #B0911B
the job done. We measure people’s
9
 Balanced Scorecard Report

Leadership and Strategic Risk

F I L E
Numerous tools are available
to help companies identify risk
Management: An SFO Approach factors and assess risks. But risk
management is as much—if not
C A S E

Based on a presentation by Jack Klinck, Executive Vice President and Global more—a matter of sound leader-
Head of State Street Alternative Investment Solutions, at the Palladium Group’s ship and governance than it is
April 2009 Strategic Risk Conference about creating new analytics and
metrics. Risk management is
How can risk management be fixed? Banking executive Jack
about building a new approach
Klinck (and former chairman of BSC Hall of Fame company into an existing process (strategy
Mellon Europe), offers two solutions, neither requiring a new management). It involves a shift
framework or process. First, since risk management is both in orientation—looking at per-
a strategic and a defensive discipline, it must be unsiloed formance from the flip side—
and integrated with strategy management. Second, it must whether to understand the impli-
be directly linked to leadership—and leaders must foster a cations of skyrocketing sales
culture of risk-mindedness. The five principles of the Strategy- (suggesting not only marketing
Focused Organization provide an excellent model for helping success but also, say, a slip in
embed risk management into the corporate DNA. client acquisition standards) or
the impact of staff cuts on client
The global financial crisis has taneously. Fourth, the fragmented servicing.
prompted financial services firms regulatory environment reinforced
How can an organization bring
to reevaluate their assumptions the notion of risk as solely a
risk to the forefront of its man-
about the way they manage compliance issue. Finally, the push
agement process? One way is by
risk and the internal discussions for high profits in the short term
trying to better understand how
they hold about risk, both at the became so extreme that many
the risks in one business unit or
board and management-team players looked past the risks they
line affect another. An enterprise
levels, noted Jack Klinck. Klinck were taking.
may have dozens of relationships
heads State Street Corporation’s
The crisis, Klinck noted, caused with one client. What does that
Alternative Investment Solutions
managers across his bank’s busi- mean in terms of its overall risk
(AIS) unit, which provides fund
ness units to look with fresh eyes exposure—and that of any indi-
accounting, fund administration,
at how they were managing their vidual unit? During the peak of
and risk services for approximately
businesses. They realized manage- the financial crisis, said Klinck,
$400 billion in alternative assets,
ment was vertically oriented, with “we realized we weren’t evaluat-
including hedge funds, private
not enough consideration of the ing the product overlap with
equity funds, and offshore funds.
horizontal interrelationships and many of our clients and counter-
With the flood of analysis (and of the ways each business affected parties.” Today, he added, it’s
the benefit of hindsight), many the others. important to ask your manage-
causes of the financial crisis ment teams, “Are you having the
are familiar by now. From a risk Making Risk Management Part right conversations across the
perspective, said Klinck, there of the Corporate DNA business to identify and manage
were five basic triggers. First, Risk management is both a strate- strategic risk?” “Are your people
financial services firms were confi- gic and a defensive discipline, as paying attention to what the
dent they could contain product it touches every type of external performance indicators are telling
risk by slicing it and packaging and internal threat, known and them—and about the indicators’
the pieces as securitized invest- unknown—from financial risk impacts on other performance
ments. As the packages became to competitive threats, and from areas?” And perhaps most impor-
more mixed, the underlying reputational risk to event risk. tant, “Are you listening to your
risks became obscured. Second, Because risk permeates every area people?” Ultimately, an organiza-
because risk management was and aspect of business, a siloed tion’s people are its best leading
siloed by type of risk (credit, approach to managing risk makes indicators.
operational, market, counterpar- no sense. Companies not only State Street AIS already had in
ty), managers misunderstood risk need to adopt a holistic view of place several management tools
correlations among assets. Third, risk, but they must also integrate and techniques—notably, strategy
the industry ignored the potential risk management into their overall maps and Balanced Scorecards
for systemic risk—defaults and management system so that it (BSCs). As a self-professed fan
other risk events occurring simul- is part of their corporate DNA. of the Kaplan/Norton Strategy

10
 November–December 2009

Management system for several feasible approach to risk manage- acquisition criteria.” The leader-
years, Klinck felt it was only ment.” The strategy map and BSC ship team, Klinck added, also pro-
natural to mirror this approach provided a flexible framework for vides the model for values and
for building strategic risk manage- clarifying priorities, adjusting the behavior. That includes cultivating
ment into the organizational emphasis of specific themes as not only risk-mindedness but also
DNA. He saw no need to invent needed, recalibrating targets, and team members’ willingness to be
a new framework or process reprioritizing initiatives—while candid in assessing performance,
for managing risk. “By tying risk maintaining the underlying strategy. rather than sugarcoating the
management to our existing picture for the boss.
strategic framework, we’ve been The Five Principles of
Managing Risk Because State Street AIS grew
able to implement what we con-
through a number of acquisitions,
sider a sound, sensible, eminently State Street AIS’s approach to it was particularly important that
risk management roughly follows the unit understand the way each
The Role of the Theme Kaplan and Norton’s foundational of its three groups affects the
Team in Risk Management principles for strategy manage- others. Besides recognizing the
ment: the five principles of the need to create a coordinated
Although their focus is strategy, Strategy-Focused Organization. approach to marketing and client
strategic theme teams are an (See Figure 1, next page.) service (to minimize client confu-
invaluable mechanism for risk
management as well. When the 1. Executive leadership. First sion) and the need for an inte-
financial crisis struck, State Street and foremost, senior manage- grated approach to technology (to
AIS’s theme teams provided a ment, and not only the chief risk ensure seamless client servicing),
natural forum for discussing officer (CRO) or the risk manage- senior management saw the need
key issues across its businesses. ment group, should be responsi- to develop coherent standards for
Management quickly got valu- ble for risk management. (The risk management among the
able insights about the changing converse is also important; AIS’s acquired units. For example, the
markets, and the teams high- head of risk, for instance, as part leadership team strenuously
lighted emerging risks that of the senior management team, debated managing client acquisi-
could affect many areas of the participates in all strategy review tion risk: How can the company
business. meetings and key decisions.) achieve business growth targets
A leader’s enlarged role in risk while avoiding clients that don’t
Theme teams assemble and
management, by the way, does match the organization’s strategic
circulate Balanced Scorecard
performance reports before every not mean that the CRO’s role is risk profile? Few organizations
strategy review meeting. As front- reduced. In fact, the CRO must allow such debate, Klinck noted.
line analysts, they help ensure work with the businesses and But, he added, “we’re convinced
that discussion is driven deep manage the “escalation procedures” that when the financial crisis
into the organization and that —all the steps involved in a risk hit, AIS was in a much stronger
response takes place at the right mitigation effort. The CRO’s inde- position than many of our
level. Theme teams discuss the pendence ensures that senior competitors.”
strategic implications of the sub- managers aren’t tempted to unduly 2. Measurement. The same BSC
par objectives along with those influence or compromise any measures that provide an early
in the green, objectively noting standards and that they balance indication of strategic performance
the biggest risks to the strategy responsibility with authority. success or failure also serve as
and the business. They can per-
As organization leader, Klinck key risk indicators when analyzed
form in-depth analysis to uncover
sets the appetite for and approach from a 360-degree perspective.
the drivers of a potential risk, to
conduct scenario planning, and to risk, clarifying the strategic The red/amber/green “traffic
simply to generate creative new direction and path to getting light” assessment on the strategic
ideas. They can bring together there. For example, the leading objectives, measures, and initia-
management from different private equity administration tives shows—in the context of the
areas of the organization—and business that State Street AIS whole strategy map—how subpar
of the entire enterprise—to acquired in 2007 had been performance puts other goals at
explore issues and find holistic growing at a rate of 35% a year. risk. Thus, this assessment gives
solutions. During the crisis, Establishing a risk management managers the ability to respond
AIS’s theme teams met more infrastructure and culture from rapidly with corrective action. The
frequently, to facilitate rapid the start was critical. “We aligned color-coding provides in effect a
response and organizational the private equity unit’s strategic “heat map” of key strategic issues,
learning. objectives to AIS priorities and showing their connection with
collaborated on devising client
11
Balanced Scorecard Report

other indicators and helping the the financial crisis, State Street AIS review meetings, the strategy
organization identify trends and already had in place a culture map is assessed as a whole.
gain insights. For example, an that encouraged employee dissent Klinck and his team review the
amber rating on a sales win/loss and candor in discussing strategic heat map of red/amber/green
analysis metric would suggest not issues. Developing the business ratings of performance against
only that sales losses are in line unit strategy maps generated objectives, examining the ratings’
with projections but also that wins awareness and ownership of AIS’s implications and ramifications.
may be declining—a risk that strategic priorities and of the role Then they explore a given strate-
would need to be investigated. each business has in contributing gic theme in detail. Each strategic
to them. Its theme teams bring theme owner leads a discussion
3. Alignment. The strategy map
together a broader group of on the assessment results, looking
and strategic themes provide the
people involved in strategy imple- at their impact on strategic out-
structure for aligning businesses,
mentation. Yet another group is comes, both negative and positive.
teams, and individuals to the
developing initiative teams. Every “We actively debate the risks
organization’s common goals.
quarter, the executive team holds and implications—focusing on
Alignment also encompasses
a town hall meeting at a key loca- the horizon, not the past,” said
risk. Said Klinck, “We look at our
tion to provide a forum for open Klinck. “This approach allows us
themes and objectives to ask,
discussion with local leaders. to manage strategic risk even in
‘Will they promote the right
the absence of perfect measures.”
behaviors—or create conflicts?’ 5. Governance. Traditionally,
For example, ‘Are our incentives to governance in financial services To be robust, a strategic risk man-
grow promoting undue risk taking? firms occurs mainly through agement approach must embed
Are we investing in the right the business units, resulting in risk management into the organi-
places in product development a siloed approach to managing zation in good times as well as
to meet the latest marketplace risk and strategy. A solid gover- bad. It must treat risk holistically,
requirements for transparency?’” nance structure can help empha- as an integral part of strategy and
The strategy map thus serves size the mutual impacts of different performance management. In this
equally as a “shared risk agenda.” groups or performance drivers, way, organizations can adapt to
at the same time ensuring that change—even rapid change—with
4. Engagement. An organiza-
dialogue occurs horizontally and speed and agility. “We hope,” said
tion’s staff is probably the most
at multiple levels. Klinck, that “by recognizing the
effective leading risk indicator.
importance of a proactive, holistic
“We try to engage staff as much as Strategy review meetings are
approach, the entire financial
possible” and to listen carefully to as critical to risk management
services industry will emerge
people throughout the organiza- as they are to strategy review
from this crisis stronger.” I
tion, noted Klinck. Well before itself. At AIS’s monthly strategy
Prior to joining State Street AIS, Jack
Figure 1. The Five Principles of Strategic Risk Management Klinck was vice chairman of Mellon
Financial Corporation and president of
the Investment Management Solutions
Group. Previously he was chairman of
Mellon Europe. Early in his tenure there,
1. Executive
he introduced the Balanced Scorecard
Leadership
management system; in 2004, Mellon
Europe was inducted into the Balanced
Scorecard Hall of Fame for Executing
Strategy.
2. Measurement 5. Governance
Strategic Risk T O L E A R N M O R E
Management
See “Mellon Europe: Mobilizing
Change Through Executive Lead-
ership,” in BSR January–February
3. Alignment 4. Engagement 2005 (Reprint #B0501F). Also
see Mellon Europe’s write-up in
the Balanced Scorecard Hall of
Fame Report 2005 (Product
#9157). Both are available at
Strategic risk management parallels the approach to strategy management embodied in
Kaplan and Norton’s five principles of the Strategy-Focused Organization.
www.harvardbusiness.org.
Reprint #B0911C
12
 November–December 2009

S N A P S H O T
Integrating Risk Management into the Strategic
Planning Process at Canadian Blood Services
By Dodge Bingham, Manager, Palladium Group, Inc.

In the aftermath of the global financial crisis, organi- the BSC management system and its pioneering
zations all over the world are beginning to manage work in building its Office of Strategy Management
C A S E

risk in earnest—by moving it from a siloed to a central earned it a place in the BSC Hall of Fame for
business activity. Experienced users of the strategy Executing Strategy in 2007.
map and Balanced Scorecard are ahead of the game:
CBS’s transformation has taken it from strategy
they realize that the BSC management system represents
management to enterprise risk management (ERM).
not only an appropriate tool for risk management but
In recent months, CBS began evolving its ERM into a
also one that allows integration of risk management
process that is integrated with strategy management.
with strategy and performance management—the
ideal. Consider this summary example from veteran Figures 1 through 3 illustrate the steps involved
BSC user Canadian Blood Services. in identifying and synthesizing risks, the first two
steps in CBS’s risk methodology. Figure 1 shows
At Canadian Blood Services (CBS), managing risk
where risk management enters the process—in the
is literally a matter of life or death. CBS, the blood
Translate the Strategy stage. Figure 2 shows the key
supply system provider for Canada (except Quebec),
questions CBS asks in the first two steps. Subsequent
was created in 1998 in the wake of a national health
steps involve analyzing the risks (e.g., vulnerability
crisis, when HIV and Hepatitis C tainted the nation’s
and magnitudes, mitigation actions) and creating
blood supply (then managed by the Canadian Red
a risk profile (e.g., devising a risk heat map and
Cross). Since its inception, CBS has transformed itself
creating an escalation plan).
into a model of management excellence. Its use of
Figure 3 shows how CBS identifies critical measures
1. —not merely measures of performance against key
Process
objectives, but measures that will help CBS track
Define destination and manage the risks to those objectives. CBS
1. Quantify the vision and gap
2. Define the change agenda
decomposes each objective to arrive at key drivers
3. Define issues and ultimately the most critical measures. For illus-
trative purposes, only one strategic objective is
Develop the strategy shown. I
1. Construct strategic analysis
2. Formulate the strategy

2.
Translate the strategy
Process Major Question
1. Strategic objectives
2. Performance measures A. Identify risks
A. Risk identified What risks will prevent
3. Strategic risks 1. Identify the objective
us from achieving our
B. Risk synthesized 2. Select the drivers
objectives?
3. identify the gaps and risks
Develop the plan
1. Identify strategic initiatives
2. Select initiatives B. Synthesize the risks What are the top risks for
C. Analyze risks
3. Assess risks 1. Review risk across objectives analysis and monitoring?
4. Develop business plan D. Create risk profile 2. Create synthesis of key risks

3.
Objective Primary Drivers Secondary Drivers Measures

1. Alignment of 1a. Verify demand for new services 1a. Acceptance rate among physicians
offerings to
physician needs 1b. Physician use of new services 1b. Usage rate among physicians

Risk: Loss of service to hospital;

Partner with
trend to consolidate services
customers and
stakeholders

13
Reprint #B0911D
 Balanced Scorecard Report

Managing Operational Risk

A N A LY T I C S
bottom up. The steps in the
process are as follows:
at Mars, Incorporated 1. Defining and prioritizing
initiatives
By Lauren Keller Johnson, Contributing Writer
2. Anticipating the risks to
Adapted from a presentation by Larry Warner, Staff Officer of Risk Management, those initiatives and developing
Mars, Incorporated, at the Palladium Group’s Strategic Risk Conference, April
risk “treatments”
2009, in New York
D E C I S I O N

3. Rating the probability of

A diversified consumer products giant with global operations successfully executing the
can’t afford to ignore risks to the strategic initiatives launched initiatives, given the risks
by its business units. At Mars, Incorporated, executives set out and treatments at hand
to foster a culture in which managers aren’t afraid to talk
about, wrestle with, and vanquish the perils that can prevent 4. Analyzing risk data to
make business decisions
crucial initiatives from generating desired business results.
Sumptuous chocolate. Savory tangible and intangible, existing Defining and Prioritizing
coffee drinks. Minty chewing and emerging—across the entire Initiatives
gum. Premium pet food. It’s all organization.
During each unit’s annual planning
so delicious that the notion that
After pilot-testing its ERM process process, unit managers meet to
Mars, Incorporated (maker of
in 2003 and 2004, Mars refined review the company’s operating
these and other delights), worries
it and rolled it out to most of plan and develop a list of initia-
about risk might never cross a
its business units between 2005 tives that their units must carry out
happy consumer’s mind.
and 2007. Starting in 2007, it pur- to help execute the annual plan.
But like any company, especially chased a technology solution to fit Managers define their initiatives
a global, diversified consumer its ERM process needs, including according to strict rules that require
products firm, Mars faces risks to automating the reporting of risk specificity and measurability. For
its strategy, whether to growing analytics. Today, approximately example, instead of describing an
one of its chocolate brands in 40 of the company’s business initiative as “Drive core brands in
China, constructing a new manu- units and its six product segments chocolate,” they would define it
facturing plant, or introducing a (such as chocolate, pet care, as “Achieve chocolate’s growth
new line of dog food. An array and drinks) conduct annual ERM target of 5% by focusing on build-
of perils threatens every initiative. (or risk assessment) workshops ing the core brands.”
These risks cover the gamut: and quarterly reviews, and pro-
lack of sufficient capacity to meet vide quarterly dashboard updates A T A G L A N C E
demand, unexpected moves from to company leaders.
competitors, a spike in commodi- Mars, Incorporated
The company’s ERM process aims McLean, Virginia
ty prices, new regulations.
to manage two classes of risk.
To manage these and other risks, Founded: 1911
Operational: risks to the short-
Mars has established a rigorous Ownership: Family-owned,
term initiatives developed by
process that makes savvy use of privately held
the business units to execute the
decision analytics and information Annual revenues: $30 billion-plus
company’s annual operating plan
technology (IT).
Strategic: risks associated with Workforce: 65,000-plus employees
It all began in 2003, when senior
the long-term execution of a Operations: More than 230 sites,
management sought to promote including 135 factories, in 68
unit’s strategy, such as long-range
a culture of risk-mindedness, countries
manufacturing capacity needs.
to allow business units to deter-
The two risk classes are dealt Business segments: Chocolate,
mine what was achievable in the
Pet Care, Wrigley Gum and
context of their annually defined with differently through the Confections, Food, Drinks,
goals and objectives. The manage- company’s ERM process. In this Symbioscience
ment team developed a formal article, we focus on the process
Mars has developed for managing Major global brands: M&Ms,
enterprise risk management
Snickers, and Dove; Pedigree,
(ERM) approach to provide Mars operational risks. This process is Whiskas, and Sheba; Doublemint
with a proven, sustainable frame- strongly driven by unit managers, and Orbit; Uncle Ben’s and Dolmio;
work for anticipating and mitigat- revealing an organizational culture Klix and Flavia; and Wisdom Panel
ing complex business risks— that values engagement from the and Cocoapro

14
 November–December 2009

At the beginning of an ERM on both the risks and their Figure 1: Hypothetical Example
workshop, managers rank their treatments—further strengthening of Initiative Risk Assessment
9
initiatives in order of importance alignment and accountability.
for the next operating year. 8 8.5

For instance, if a business unit Rating Initiatives’ Probability

7
manager listed 15 initiatives, of Success
6.6

Probability of Success
she would then rank them from For each initiative, unit managers
6

1 (most important) to 15 (least highlight the three to four most 5

important). critical risks and risk treatments 4 4.5

During the workshop, managers in the template. Using anonymous 3

discuss and debate the initiative voting technology, the manage-
2
definitions and rankings, ultimately ment team votes on the probability
arriving at agreement on both. of successfully achieving the ini- 1

This process establishes alignment tiative during the upcoming year, 0

with and accountability for the given the risks and risk treatments Cat
food
Bar
chocolate
Product
relaunch

initiatives. listed in the template. (2) (1) (3)

Initiative (Rank)
Anticipating Risks and They use a scale from 1 to 9 to
indicate the probability of success- Initiatives are ranked by the probability
Developing Treatments of success in achieving objectives,
fully achieving the initiative’s given their risks and mitigation activities.
During each workshop, facilitators objectives. A 9 indicates a 90% The numeric ranking in parentheses
reflects the initiative’s importance.
also have business unit managers or greater probability of success;
draw on their knowledge and a 1 represents a 10% or less The risk assessment ranking can
expertise to list the risks that probability. reveal important information. In
could hamper their ability to Figure 1, the ranking for a cat
The initial votes often show some
achieve the initiative’s objectives. food initiative (8.5) may actually
type of distribution. To build
This information is entered into suggest that too many resources
alignment, team members discuss
a template for the workshop. For are being applied to the initiative,
the range of scores, challenge
example, leaders in a particular or that managers are underesti-
one another’s assumptions, and
food unit might define the follow- mating their capabilities. It may
reconsider their scores based
ing initiative: “Aggressively grow even imply that sales generated
on their peers’ positions. For
and build the ready-to-heat rice as a result may be beyond the
example, if one manager believes
business by expanding the product company’s capacity to produce.
(based on his experience) that
line to generate 5% net sales The product relaunch initiative,
a proposed risk treatment won’t
growth and maintain share above with a priority ranking of 3 and a
be effective, he might argue for
25%, while increasing product risk score of 4.5, may need to be
a score of 5 instead of the 7
availability to 50% distribution.” postponed so that its resources
advocated by his peers.
The risks to this initiative could are redeployed more effectively.
include possible aggressive coun- The debate is open, honest, and
termoves from competitors and collegial. That’s because everyone Finally, business unit heads submit
potential spikes in commodity involved knows that the goal is to a summary report to their seg-
prices. understand one another’s positions ment leaders and to corporate
and arrive at the best-informed headquarters showing the final
Managers next develop risk “treat- agreed-upon risk profile for each
assessments possible. Managers
ments”—activities designed to operating plan initiative. Senior
then rate each initiative from 1
mitigate or leverage the specific executives have access to the
to 9 again; usually, a smaller
risks they’ve identified. These, templates the unit managers have
distribution results. The final vote
too, are entered into the work- filled out, so they can drill down
results in a risk profile for the
shop template. For instance, to into greater detail.
initiative that gets color-coded:
combat the risk of competitor
below 5.0 is red; 5.0–5.9, orange; Analyzing Risk Data and
countermoves, the management
6.0–6.9, yellow; 7.0–7.4, blue; and Making Decisions
team may define treatments
7.5 or greater, green. If consensus
centering on accelerating product
is still lacking after the second After initiatives are put into
innovation and conducting a
vote, managers gather additional action, unit leaders review each
competitor analysis.
information outside the workshop initiative’s progress on a quarterly
Again, managers discuss and and reconvene to share it and basis—reassessing the risks
debate, achieving consensus get aligned. and treatments and deciding

15
Balanced Scorecard Report

Figure 2. Comparing Risks by Region: Hypothetical Example (dummy data) Segment insights. The system
allows segment management
Asia-Pacific Western Europe CIS* North America
Segment Segment Segment Segment teams to compare units or regions
to identify common problems.
The analysis might show, for
example, that one business unit’s
risks were clustering increasingly
within manufacturing/distribution.
It also enables teams to spot
trends early.
KEY Organization/HR Sales/Marketing Finance Manufacturing/Distribution Commercial Geography insights. The system
* CIS = Commonwealth of Independent States—the confederation of former Soviet Republics allows for identification of com-
mon issues across regions or
Mars can break down risk into corporate function categories by region. In this hypothetical
illustration, the biggest risk to the CIS segment is commercial. Sales and marketing risk is problems within a given region.
the biggest risk category for the Asia-Pacific and Western Europe segments. The latter two might (See Figure 2 for a hypothetical
confer with peers in the North America and CIS segments for solutions.
example.)
whether to change an initiative’s Since automating its ERM process, Finally, managers can use ERM
risk profile score. They update Mars has compiled enormous software to review other units’
a one-page dashboard depicting volumes of risk-related data. To initiatives—and gain insights into
execution performance for all date, the system contains 500 how to address common chal-
initiatives and documenting any operating-plan initiatives with risk lenges. This creates a learning
changes in risk profiles, adding profiles, 3,800 risks coded by type environment within the business,
comments on why specific (e.g., legal, financial, and sales enabling one unit to learn from
changes were made. The updates and marketing), and 4,200 risk and build on the success of others.
are submitted to both the seg- treatments—all generated by the
ment and corporate headquarters. company’s business units in multi- Managing risks to a company’s
ple geographies. It also contains strategy is never easy. But by
For example, suppose the profile establishing a disciplined ERM
three operating-plan cycles’
for the initiative “Relaunch Pedigree process, companies can make risk
worth of data.
brand to achieve a 10% growth management as routine as other
target” improved from yellow to Thanks to these volumes of data business responsibilities. A rigor-
green over the past two quarters and the system’s power, Mars ous process can also help man-
of the year. The initiative owner’s can now slice the data in various agers adopt the mindset needed
dashboard comments may be ways and customize how they to openly discuss and mitigate the
something along these lines: are presented—gaining valuable dangers to their business strategy.
“Shipments started in period 2 to insights for business decisions.
meet advertising schedule. Adver- For example, executives can Mars, Incorporated, has excelled
tising on air. Massive presentation examine pie charts showing how at ERM—not only encouraging
to all customers was executed risks are distributed across cate- bottom-up engagement in risk
during period 1, with excellent gories for a particular business management among unit heads,
customer participation.” unit, the entire company, a prod- but also using IT to support the
uct line, or a geography; and how gathering and analysis of risk-
These dashboards are a potent related data. Whether unit heads
risks are changing over time for
communication and decision- are seeking to introduce new
each area of interest. Consider
making tool. If an initiative products, expand into new geog-
these hypothetical examples.
shows a decreasing probability raphies, or beef up manufacturing
of success, managers discuss Product insights. Suppose a capacity, the process Mars has
the situation and decide how large percentage of the risks doc- developed positions them to
to address the problem—for umented for a particular product anticipate, prioritize, and mitigate
example, by redirecting marketing fell within the sales and marketing the risks, as well as share effective
or other resources toward the category. By getting a global view risk management tactics across
troubled initiative. The dash- of common risks, the company units. Result? The company has
boards are so simple and concise can identify common risk treat- sweetened the odds that each
that they’ve eliminated a lot of ments for that product across a strategic initiative will produce
reporting that managers used to region or the world—for example, the business results everyone’s
do. And they create transparency increasing the number of sales-
Product #B09110

looking for. I
for each unit. people for that product.
Reprint #B0911E

16 To subscribe to Balanced Scorecard Report, call 800.668.6705. Outside the U.S., call 617.783.7474. bsr.harvardbusinessonline.org