0 BSC Risk Management Kaplan 2009
0 BSC Risk Management Kaplan 2009
0 BSC Risk Management Kaplan 2009
T H E S T R AT E G Y E X E C U T I O N S O U R C E
SPECIAL RISK
Risk Management and the
B A L A N C E
MANAGEMENT ISSUE
In the aftermath of the global eco-
Strategy Execution System nomic meltdown, risk management
has taken on new importance, not only
in the financial services sector, but
By Robert S. Kaplan across industries. This first-ever theme
issue of Balanced Scorecard Report is
Besides rethinking strategy, perhaps nothing has preoccupied business devoted exclusively to the nexus of
leaders these past months more than their failures in risk manage- risk management and strategy. BSC
O N
Enterprises face many different personnel and the establishment Harvard Business Publishing is a not-for-profit, wholly
owned subsidiary of Harvard University. The mission of
types of risk. I have found it useful of standard operating procedures Harvard Business Publishing is to improve the practice
to classify risks into three cate- and internal controls, including of management and its impact on a changing world.
We collaborate to create products and services in the
gories, based on their degree the segregation of duties and media that best serve our customers—individuals and
organizations that believe in the power of ideas.
of predictability, controllability, dual authorizations, companies
and management, and, most attempt to have zero defects in Palladium Group, Inc., is the global leader in helping
organizations execute their strategies by making
important, on the magnitude of Level 3 processes. The internal better decisions. Our expertise in strategy, risk,
corporate performance management, and business
their consequences to the enter- audit department plays a key role intelligence helps our clients achieve an execution
premium. Our services include consulting, conferences,
prise. Level 3, the lowest category, in monitoring Level 3 risks by communities, training, and technology. The Palladium
encompasses routine operational verifying that standard operating Balanced Scorecard Hall of Fame for Executing Strategy™
recognizes organizations that have achieved an out-
and compliance risks. Level 2 procedures are being followed standing execution premium. For more information, visit
www.thepalladiumgroup.com or call 781-259-3737.
represents strategy risks, and Level without exception and by high-
1 captures global enterprise risks. lighting defects and deviations in
compliance and routine operating
Level 3: Routine Operational processes. Further, Sarbanes-
and Compliance Risks Oxley audits are performed on
Level 3 processes to provide Join us! Sign up for the free
At the bottom of the risk hierarchy, external assurance on the effec- BSC Online e-newsletter at www.thepalladi-
umgroup.com/bsconline. Become a member of
Level 3 risks arise from errors tiveness of a company’s internal the Execution
in routine, standardized, and controls. In short, Level 3 risks Premium Community (XPC) at www.thepalladi-
umgroup.com/xpc.
predictable processes that expose are known and avoidable. Risk
the firm to substantial loss. In our management of these processes
Sign up for the electronic version of
BSR—available only to subscribers—
work on linking strategy to opera- strives to achieve 100% compli- at www.bsronline.org/ereg.
tions, we distinguish between ance and zero defects.
2
November–December 2009
Level 2: Strategy Risks those linked to the customer At this time, the development of
value proposition and customer a risk scorecard is more conjecture
Companies select strategies that
outcomes; and the financial and concept than actual fact.
they hope will create and sustain
perspective depicts those related So I cannot present a working
a competitive advantage that leads
to revenue, price, and margin example of a complete, actual
to superior financial returns. But
objectives. The strategy map thus risk scorecard. But it would not
earning superior returns requires
provides a natural framework be premature to consider some
companies to accept some risk.
for identifying, mitigating, and general principles for developing
Companies wanting a risk-free
systematically managing the risks a risk scorecard and its associated
strategy would have to invest all
to a company’s strategic objectives initiatives.
their capital in default-free and
in an integrated and comprehen-
inflation-protected government What Would a Risk Scorecard
sive manner.
bonds, an action that any of their Look Like?
shareholders could do individually Some companies, particularly
Let’s start with the entity’s strategy
just as well, and probably more those in financial services such
map of linked strategic objectives.
cheaply. as Bank of Tokyo-Mitsubishi UFJ
In building the BSC for the strate-
and SwissRe, already incorporate
Strategy risk can be straight- gy map, we would, of course,
a risk management strategic
forward and easily quantifiable, formulate metrics for every strategy
theme into their strategy maps.
as when a company accepts the map objective, followed by targets
(This theme is in addition to tradi-
risk of default when extending for each metric and, finally, strate-
tional strategic themes relating to
credit to customers; or it can gic initiatives designed to close
operational excellence, customer
be more speculative, as when a the gap between targeted and
management, and innovation.)
company invests in developing current performance.
Defining a risk management
an entirely new product line or
strategic theme highlights risk Working from the same strategy
entering a new geographic market.
management as a key component map, we could build a risk score-
To manage its various Level 2
of the company’s strategy and card by first identifying for each
risks, a company should identify
makes it visible for resource allo- strategic objective the primary
the major plausible risks inherent
cation, monitoring, and discussion risk events that would prevent
in the strategy, attempt to mitigate
at strategy review meetings. I the objective from being achieved.
and manage those risks, and
have tentatively concluded, how- For each risk event, we would
then continually monitor the risk
ever, that measuring and manag- select metrics that would be early
exposure it has accepted to earn
ing risk differs so substantially warning or leading indicators
superior returns.
from measuring and managing of when the risk event might be
The risk management literature strategy that it may be preferable occurring. Take, for example, the
identifies a long laundry list of to develop a completely separate common learning and growth
possible strategy risks, such as risk scorecard. Strategy is about objective “Achieve strategic job
financial risk; customer, brand, and moving the company forward readiness,” in which all employees
reputation risk; supply chain risk; toward achieving breakthrough in strategic job families have the
innovation risk; environmental performance. The strategy map skills, experience, and knowledge
risk; human resources risk; and and scorecard provide the road to perform their processes at a
information technology risk. map to guide this strategic journey. high level of excellence. This
Such a list implies a complex risk Risk management, in contrast, is objective would typically have a
management process perhaps about identifying, avoiding, and BSC metric “percentage of employ-
specific to each type of risk. overcoming the hurdles that the ees in strategic job families rated
Recall, however, that the strategy strategy may encounter along as ‘very good’ or ‘excellent’ for
map and Balanced Scorecard the way. Avoiding risk does not relevant skills, experience, and
already contain all of an entity’s advance the strategy; but risk knowledge”; a target of 90% or
strategic objectives and the inter- management can reduce obstacles higher; and strategic initiatives
relationships among them: the and barriers that would otherwise involving in-class and on-the-job
learning and growth perspective prevent the organization from training, a pay-for-knowledge
contains objectives for people and progressing to its strategic desti- incentive plan, and planned job
technology; the internal process nation. The metrics for a risk rotations.
perspective has objectives for scorecard and associated initia-
What risk events would threaten
managing operations, customers, tives for preventing or mitigating
this strategic objective? They
innovation, and environmental, risks seem fundamentally different
could be high turnover or retire-
regulatory, and social processes; from the BSC metrics and initiatives
ments of experienced employees
the customer perspective shows used to move a strategy forward.
3
Balanced Scorecard Report
in strategic job families, ineffective than wait for risk metrics to signal and their derivatives turned out
training programs, or lack of an adverse condition, manage- to be far higher than had been
mobility. Risk metrics would ment needs to estimate which assumed in the VaR models,
thus reflect each of these poten- risk events are the most likely leading to the collapse of many
tial problems—current turnover to occur and will have the most financial institutions such as
rates, number of actual or antici- adverse consequences to the Bear Stearns, Lehman Brothers,
pated retirements, evaluations strategy. Certainly this is easier Wachovia Bank, and Washington
of training program relevance to advocate than implement. In Mutual.
and effectiveness, and gaps some circumstances, companies
When historic data are not avail-
between the demand and supply have sufficient historic data to
able or adequate to quantify
of fully qualified employees estimate the likelihood of many
risk exposure, risk managers use
(such as when some locations types of risk events. Insurance
another tool, the heat map, as a
have an excess supply of employ- companies can estimate the prob-
framework for stimulating discus-
ees, while others, perhaps in abilities of events they insure
sion and, they hope, for gaining
different countries or continents, against, including mortality, natu-
consensus on their subjective
have serious shortages). For an ral disasters, sickness, and car
estimates of risk events. For each
innovation objective at a pharma- accidents. Financial firms have
identified risk event—e.g., high
ceutical company, the risks could extensive historical data on the
turnover in a given strategic job
be failed or delayed clinical trials. prices and correlations of financial
family, an ineffective training pro-
Supply chain risks could be dis- instruments such as stocks, bonds,
gram, unexpected retirements—
ruptions in a supplier’s plant or and derivatives, which give them
managers estimate, usually on
bottlenecks at a distribution the apparent ability to forecast the
a 1-to-5 scale, two parameters:
center. Following this approach, likelihood of losses of a given
the likelihood of the event and
each strategic objective on the magnitude and to summarize their
the magnitude of the event’s
strategy map would have one risk exposure with an aggregate
consequences (see Figure 1).
or more risk metrics that would metric known as “value at risk”
They multiply the two ratings
provide an early warning signal (VaR).5 Unfortunately, the risks
to produce a heat map score of
about when performance along of some of the newer and more
between 1 and 25. (See Figure 2.)
that strategic objective is in jeop- complex financial instruments,
ardy. A rising trend in a risk met- particularly mortgage-backed Managers use the heat map
ric, or even a single observation securities and their derivatives, score to set priorities for selecting
above a pre-set control limit, were estimated from historic time and funding risk prevention and
would generate a management periods that did not include a mitigation initiatives. Risk events
alert requiring immediate atten- decline in U.S. housing prices. that score 15 or higher on the heat
tion. When housing prices began a map are the most likely and con-
nationwide decline in 2006 and sequential; they get priority for
Risk management should be
2007, the default rate and correla- the limited funds available for ini-
anticipatory and preventive,
tions among mortgage securities tiatives to prevent or mitigate risk.
not reactive. Therefore, rather
Thus the planning for coping
Figure 1. Calculating a Risk Score with Level 2 strategic risks
requires that managers identify
Likelihood of the Event the major risks to the strategy,
Score 5 4 3 2 1
establish an early warning risk
scorecard to signal when adverse
Rating Virtually Likely Even Unlikely Remote conditions are occurring, and set
certain odds
priorities for funding initiatives
Probability event
will occur in the 95% 75% 50% 25% 5%
that will prevent or mitigate the
next 36 months most likely and consequential of
the strategic risk events. Because
Magnitude of the Event’s Consequences of the comprehensive nature of
Score 5 4 3 2 1
the strategy map, which includes
the processes most critical for
Consequence Highly Adverse Moderate Some Little successful strategy execution,
adverse impact impact impact
the firm will be anticipating and
planning for its most significant
For each identified risk, managers estimate the likelihood of an event’s occurrence operational as well as strategic
and the magnitude of its consequences, usually on a 1-to-5 scale. risks.
4
November–December 2009
impact on the company’s strategy, not have the requisite variety to these risks and to develop counter-
and what might be done to avoid survive changes in that environ- measures they can deploy should
or mitigate the adverse conse- ment. The discussions around they occur.
quences should it occur. As the Level 1 risks help the leadership
Ultimately, risk management
chief risk officer of JP Morgan team determine whether the
requires leadership, especially
Chase told me, “Most of the company’s strategy is sufficiently
when times are good and no
events we discuss at these meet- robust to survive the disruptions
clouds are visible on the horizon.
ings never occur, thank God; but that might occur from black swan
CEOs must have the courage to
a few of them have happened, events in its physical, economic,
turn down apparently profitable
and we have either already miti- and competitive environments.
opportunities that expose the
gated their consequences or,
Mitigate, Plan, Lead company to excessive risk. As
because of our prior contingency
M.D. Ranganath, chief risk officer
planning, acted rapidly to mini- “Prediction is very hard, especially of Infosys (a BSC Hall of Fame
mize the damage.” about the future.”8 Risk manage- company), observed at the 2008
Scenario planning provides a ment requires predicting events, Harvard Business School Global
systematic process to help man- particularly unlikely ones that Summit:
agers consider the correlated have never occurred. But despite
Everyone does risk management
consequences of future events. the difficulty of risk management, in bad times. The strong test
The scenarios are often triggered senior executives who avoid, de- of risk management is whether
by natural acts (earthquakes, emphasize, or delegate it do so at it works in good times. Will top
hurricanes, tsunamis), global their peril. management stand behind the
economic phenomena (dramatic risk managers, avoiding tempta-
Risk comes in many forms and tion and saying no to things
changes in energy prices, currency combinations. Some risks—Level 3 that put the enterprise at risk? I
exchange rates, interest rates, risks—are known and avoidable.
economic growth rates, or regula- We attempt to minimize their inci- 1. As an exception, see the discussion of risk
management as an internal process in pp. 73–77
tion), or competitors’ actions. LG dence through standard operating of R. S. Kaplan and D. P. Norton, Strategy Maps
Display, the Korean producer of procedures, internal controls, and (Harvard Business Publishing, 2004).
large LCD displays, conducts two- internal audits. Other risks, which 2. An excellent reference is Peter L. Bernstein,
Against the Gods: The Remarkable Story of Risk
day war games three times a year we classify as Level 2 risks, are (Wiley, 1996).
in which four management teams inherent in the firm’s strategy. 3. Basel I, supplanted by Basel II, focuses on
(one representing LG Display; The firm accepts them as neces- credit risk, establishing minimum capital require-
the others, its three largest com- ments for banks.
sary in its pursuit of superior
petitors) assess how the company’s returns but attempts to reduce 4. Among them: using the wrong measures or
not fully understanding the properties of the risk
current strategy would perform their likelihood of occurrence or measures being used, using incorrect data for
against those that its competitors mitigate them. The strategy map estimating risk measures, failing to understand
correlations between risk measures, and taking
might deploy or counteract with. provides a powerful framework big bets that unlikely events would not occur.
Following the Kaplan/Norton for identifying strategic and key 5. Value-at-risk is an estimate of the amount that
can be lost at a specified probability of occurrence
Strategy Execution model, man- operational risks, which can then during a specified time interval. For example, a
agers can address these Level 1 be monitored with a separate risk securities trader with a five-day, 99% VaR of $50
million has estimated that the current trading posi-
enterprise risks during their delib- indicator scorecard. Heat maps tion has less than a 1% chance of a loss exceeding
erations in Stage six of the strategy display the likelihood and impact $50 million over the next trading week.
execution system, Test and Adapt of risk events, helping managers 6. Nassim N. Taleb, The Black Swan: The Impact of
set priorities and fund risk mitiga- the Highly Improbable (New York: Random House,
the Strategy. The CEO could lead 2007).
a discussion around “the three tion initiatives. Finally, some risks,
7. R. Simons identified three such occurrences in
things that would cause our strat- from uncontrollable, external “How Risky Is Your Company?” Harvard Business
egy to fail.”7 The leadership team events, can threaten the firm’s Review (May 1999).
could engage in scenario planning, existence. These Level 1 risks 8. This quote has been attributed to people as
diverse as Niels Bohr and Yogi Berra.
war-gaming, and tail-risk stress- are especially difficult to predict
testing to learn the sensitivity but can be the most devastating T O L E A R N M O R E
of the company’s strategy to should they occur. We advocate
A pioneering approach is high-
events that occur outside normal the regular use of tools such as
lighted in “Aligning Enterprise
business operations that they scenario planning, tail-risk meet-
Risk Management with Strategy
cannot control. From evolutionary ings, and war-gaming to make
Through the BSC: The Bank of
biology, we learn that species executives aware of such potential
Tokyo-Mitsubishi Approach,” in
that have become too specialized Level 1 risks—hoping that these
BSR September–October 2005
in a particular environment will tools encourage managers to
(Reprint #B0509D).
adopt strategies that can survive
Reprint #B0911A
6
November–December 2009
By Gentry Lee, Chief Engineer, Planetary Flight Systems Directorate, “How”: Ranking the Risks
E X E C U T I V E
team calibrates the probabilities the science instruments were very identify the most salient risks;
as appropriate to their project. new, so we assigned reserves of they’re the ones most likely to
up to 40% for those. (Even that happen and carrying the worst
Using their knowledge and expe-
margin wasn’t enough: the cost consequences. What do you do
rience, team members position
of one of the science instruments about the more subtle ones—the
each risk to the mission in the
exceeded the reserve.) bad things that, if they happened,
matrix based on its likelihood
wouldn’t necessarily cause catas-
and consequences. For example, Once you’ve established cost and
trophe but might create constant
a risk that has a 1-in-10 chance schedule reserves, you have to
annoyances? In some cases, you
of materializing (a relatively high create a burn-down plan: How
might decide that constant annoy-
degree of likelihood) and that will those reserves be used up as
ance is bad enough that you want
would seriously compromise the the project progresses? Then you
to mitigate that risk.
mission (a severe consequence) have to track use of the reserves
if it did happen would go in the carefully. If the burn-down plan Sometimes, even if the risks are
upper-right portion of the matrix is violated (for example, you start huge, you may decide to go
and be shaded red, indicating that running out of the extra money ahead anyway. JPL’s Deep Impact
it counted among the worst risks. or time you budgeted for the program is a good example. The
All reds must be mitigated. Yellow project), you need to stop and goal of the program was to have
indicates less serious risks that figure out what’s going on. a spacecraft smash into a comet
still need mitigation, and green and have another spacecraft
indicates minor risks that we can “When”: Making Risk Manage- observe the impact for scientific
live with. ment an Ongoing Discipline research. We launched in spite
JPL practices risk management of identifying several red risks
“Newness” criteria help us rank
constantly, through every phase related to systems engineering.
risks in the categories of perfor-
of a project. We analyze the risks Why? There would be no other
mance, cost, and schedule. For
associated with a project’s design comet accessible for at least three
example, if an engineering
and development and the risks and a half years, so we decided
component has never been used
that could surface during testing to take a chance.
in the environment of a mission
we’re planning, the risks are and launch. As each project Soon after we launched Deep
much higher than if the compo- advances, some risks disappear Impact, we realized that its
nent has been flown once in and new ones emerge. The attitude control system was not
the same environment—which, project team reviews the risks properly designed from a systems
in turn, is riskier than if it’s been once each quarter as the project engineering point of view. During
flown multiple times in that advances, prioritizing them using the spacecraft’s six-month flight
environment. the likelihood-and-consequences to impact with the comet, we
weighting model. fixed a half-dozen problems, any
Each project is one of which could have caused
Once you’ve established cost and schedule also reviewed by the spacecraft to miss the comet
reserves, you have to create a burn-down an outside risk altogether. So the mission ended
review team, up being a success, in part because
plan: How will those reserves be used up as we were mitigating risks during
with the frequen-
the project progresses? cy of external flight.
review accelerat- When conditions have permitted,
ing as the launch we’ve also delayed some launches
We then assign cost and schedule date approaches. At the outset, because of the risks. The Mars
reserves (extra money and time) this team weighs in once a year; Science Laboratory (MSL) is an
to the mission based on the risk as we get closer to launch, the example. Known as Curiosity,
ratings. The Mars Reconnaissance team reviews the risks three times this NASA rover will perform the
Orbiter, a spacecraft designed to within six months. Reviews can first-ever precision landing on
investigate the history of water be added on an ad hoc basis, Mars. The rover will carry more
on Mars, is a good example. The too, if at any juncture the project advanced scientific instruments
Orbiter contained spacecraft sys- team and the outside review team than any other mission to Mars to
tems that had been flown five disagree. date. It’ll include instruments for
times before, so JPL assigned the The risk assessment process isn’t the analysis of samples scooped
craft itself a 15% cost and sched- always scientific. You have to use up from the soil and drilled
ule reserve. On the other hand, judgment sometimes. It’s easy to powders from rocks. It will also
8
November–December 2009
investigate whether Mars may agers have to ultimately address optimism, looking for signs that
have supported microbial life in the risk reviewers’ concerns. particular team members might be
the past or is supporting such If they don’t, a confrontation underestimating the time they’ll
life now. between the need to complete their part of the
project manager
The MSL can be launched only
and the risk man-
during a one-month period that
ager could end The risk manager’s job is to oversee the
comes around every 26 months.
up costing the project, ask the hard questions, and move
If you miss that window, you have
project manager
to wait another 26 months. It was people around if necessary to manage
her job.
a $400 million decision to hold off
cost- and schedule-related risk. We measure
launching, but we decided to do Most risk review
it because we hadn’t achieved key team members people’s optimism, looking for signs that
milestones. The risk of catastrophe are from JPL, particular team members might be underesti-
with a premature launch was too and some come mating the time they’ll need to complete
great, and we realized we were from NASA.
trying to do too many new things Occasionally their part of the job.
at once with the project. It’s very (as in the Phoenix
hard to make this kind of judgment radar problem),
call. But sometimes you just have they come
job. We try to get an accurate
to do it. from the Department of Defense
sense of anticipated costs and
or private industry. The key is to
You also have to learn from the schedules, and we move people
find team members who have the
risk management process. Ours around if necessary to tasks they
specialized knowledge (of areas
has a feedback mechanism that can manage more effectively.
such as motion dynamics, radar,
helps us compare predicted risks
and electronics) needed to ana- Risk management isn’t easy. You
against the actual problems that
lyze and mitigate particular risks. have to get beyond the theory
emerge during a project and use
and find a way to put it into
the differences to assess risks on So, the composition of a risk
practice in a disciplined way.
subsequent projects. review team might change as
Understanding the what, how,
the risks evolve during a project’s
“Who”: Putting the Right when, and who can help. I
journey through the design, test-
People on the Right Risk ing, and launch phases. In addi- 1. In 2003, the space shuttle Columbia disintegrated
Management Tasks tion, for especially risk-intensive over Texas during reentry, killing all seven crew
members. Damage to the shuttle’s thermal protection
Each JPL project has a risk review projects, we may establish a tiger system occurred at launch, but NASA managers lim-
ited the investigation into the damage during flight
team, made up of a handful of team to focus on a particular risk. because they felt little could be done. The disaster
2
Based on a presentation by Jack Klinck, Executive Vice President and Global more—a matter of sound leader-
Head of State Street Alternative Investment Solutions, at the Palladium Group’s ship and governance than it is
April 2009 Strategic Risk Conference about creating new analytics and
metrics. Risk management is
How can risk management be fixed? Banking executive Jack
about building a new approach
Klinck (and former chairman of BSC Hall of Fame company into an existing process (strategy
Mellon Europe), offers two solutions, neither requiring a new management). It involves a shift
framework or process. First, since risk management is both in orientation—looking at per-
a strategic and a defensive discipline, it must be unsiloed formance from the flip side—
and integrated with strategy management. Second, it must whether to understand the impli-
be directly linked to leadership—and leaders must foster a cations of skyrocketing sales
culture of risk-mindedness. The five principles of the Strategy- (suggesting not only marketing
Focused Organization provide an excellent model for helping success but also, say, a slip in
embed risk management into the corporate DNA. client acquisition standards) or
the impact of staff cuts on client
The global financial crisis has taneously. Fourth, the fragmented servicing.
prompted financial services firms regulatory environment reinforced
How can an organization bring
to reevaluate their assumptions the notion of risk as solely a
risk to the forefront of its man-
about the way they manage compliance issue. Finally, the push
agement process? One way is by
risk and the internal discussions for high profits in the short term
trying to better understand how
they hold about risk, both at the became so extreme that many
the risks in one business unit or
board and management-team players looked past the risks they
line affect another. An enterprise
levels, noted Jack Klinck. Klinck were taking.
may have dozens of relationships
heads State Street Corporation’s
The crisis, Klinck noted, caused with one client. What does that
Alternative Investment Solutions
managers across his bank’s busi- mean in terms of its overall risk
(AIS) unit, which provides fund
ness units to look with fresh eyes exposure—and that of any indi-
accounting, fund administration,
at how they were managing their vidual unit? During the peak of
and risk services for approximately
businesses. They realized manage- the financial crisis, said Klinck,
$400 billion in alternative assets,
ment was vertically oriented, with “we realized we weren’t evaluat-
including hedge funds, private
not enough consideration of the ing the product overlap with
equity funds, and offshore funds.
horizontal interrelationships and many of our clients and counter-
With the flood of analysis (and of the ways each business affected parties.” Today, he added, it’s
the benefit of hindsight), many the others. important to ask your manage-
causes of the financial crisis ment teams, “Are you having the
are familiar by now. From a risk Making Risk Management Part right conversations across the
perspective, said Klinck, there of the Corporate DNA business to identify and manage
were five basic triggers. First, Risk management is both a strate- strategic risk?” “Are your people
financial services firms were confi- gic and a defensive discipline, as paying attention to what the
dent they could contain product it touches every type of external performance indicators are telling
risk by slicing it and packaging and internal threat, known and them—and about the indicators’
the pieces as securitized invest- unknown—from financial risk impacts on other performance
ments. As the packages became to competitive threats, and from areas?” And perhaps most impor-
more mixed, the underlying reputational risk to event risk. tant, “Are you listening to your
risks became obscured. Second, Because risk permeates every area people?” Ultimately, an organiza-
because risk management was and aspect of business, a siloed tion’s people are its best leading
siloed by type of risk (credit, approach to managing risk makes indicators.
operational, market, counterpar- no sense. Companies not only State Street AIS already had in
ty), managers misunderstood risk need to adopt a holistic view of place several management tools
correlations among assets. Third, risk, but they must also integrate and techniques—notably, strategy
the industry ignored the potential risk management into their overall maps and Balanced Scorecards
for systemic risk—defaults and management system so that it (BSCs). As a self-professed fan
other risk events occurring simul- is part of their corporate DNA. of the Kaplan/Norton Strategy
10
November–December 2009
Management system for several feasible approach to risk manage- acquisition criteria.” The leader-
years, Klinck felt it was only ment.” The strategy map and BSC ship team, Klinck added, also pro-
natural to mirror this approach provided a flexible framework for vides the model for values and
for building strategic risk manage- clarifying priorities, adjusting the behavior. That includes cultivating
ment into the organizational emphasis of specific themes as not only risk-mindedness but also
DNA. He saw no need to invent needed, recalibrating targets, and team members’ willingness to be
a new framework or process reprioritizing initiatives—while candid in assessing performance,
for managing risk. “By tying risk maintaining the underlying strategy. rather than sugarcoating the
management to our existing picture for the boss.
strategic framework, we’ve been The Five Principles of
Managing Risk Because State Street AIS grew
able to implement what we con-
through a number of acquisitions,
sider a sound, sensible, eminently State Street AIS’s approach to it was particularly important that
risk management roughly follows the unit understand the way each
The Role of the Theme Kaplan and Norton’s foundational of its three groups affects the
Team in Risk Management principles for strategy manage- others. Besides recognizing the
ment: the five principles of the need to create a coordinated
Although their focus is strategy, Strategy-Focused Organization. approach to marketing and client
strategic theme teams are an (See Figure 1, next page.) service (to minimize client confu-
invaluable mechanism for risk
management as well. When the 1. Executive leadership. First sion) and the need for an inte-
financial crisis struck, State Street and foremost, senior manage- grated approach to technology (to
AIS’s theme teams provided a ment, and not only the chief risk ensure seamless client servicing),
natural forum for discussing officer (CRO) or the risk manage- senior management saw the need
key issues across its businesses. ment group, should be responsi- to develop coherent standards for
Management quickly got valu- ble for risk management. (The risk management among the
able insights about the changing converse is also important; AIS’s acquired units. For example, the
markets, and the teams high- head of risk, for instance, as part leadership team strenuously
lighted emerging risks that of the senior management team, debated managing client acquisi-
could affect many areas of the participates in all strategy review tion risk: How can the company
business. meetings and key decisions.) achieve business growth targets
A leader’s enlarged role in risk while avoiding clients that don’t
Theme teams assemble and
management, by the way, does match the organization’s strategic
circulate Balanced Scorecard
performance reports before every not mean that the CRO’s role is risk profile? Few organizations
strategy review meeting. As front- reduced. In fact, the CRO must allow such debate, Klinck noted.
line analysts, they help ensure work with the businesses and But, he added, “we’re convinced
that discussion is driven deep manage the “escalation procedures” that when the financial crisis
into the organization and that —all the steps involved in a risk hit, AIS was in a much stronger
response takes place at the right mitigation effort. The CRO’s inde- position than many of our
level. Theme teams discuss the pendence ensures that senior competitors.”
strategic implications of the sub- managers aren’t tempted to unduly 2. Measurement. The same BSC
par objectives along with those influence or compromise any measures that provide an early
in the green, objectively noting standards and that they balance indication of strategic performance
the biggest risks to the strategy responsibility with authority. success or failure also serve as
and the business. They can per-
As organization leader, Klinck key risk indicators when analyzed
form in-depth analysis to uncover
sets the appetite for and approach from a 360-degree perspective.
the drivers of a potential risk, to
conduct scenario planning, and to risk, clarifying the strategic The red/amber/green “traffic
simply to generate creative new direction and path to getting light” assessment on the strategic
ideas. They can bring together there. For example, the leading objectives, measures, and initia-
management from different private equity administration tives shows—in the context of the
areas of the organization—and business that State Street AIS whole strategy map—how subpar
of the entire enterprise—to acquired in 2007 had been performance puts other goals at
explore issues and find holistic growing at a rate of 35% a year. risk. Thus, this assessment gives
solutions. During the crisis, Establishing a risk management managers the ability to respond
AIS’s theme teams met more infrastructure and culture from rapidly with corrective action. The
frequently, to facilitate rapid the start was critical. “We aligned color-coding provides in effect a
response and organizational the private equity unit’s strategic “heat map” of key strategic issues,
learning. objectives to AIS priorities and showing their connection with
collaborated on devising client
11
Balanced Scorecard Report
other indicators and helping the the financial crisis, State Street AIS review meetings, the strategy
organization identify trends and already had in place a culture map is assessed as a whole.
gain insights. For example, an that encouraged employee dissent Klinck and his team review the
amber rating on a sales win/loss and candor in discussing strategic heat map of red/amber/green
analysis metric would suggest not issues. Developing the business ratings of performance against
only that sales losses are in line unit strategy maps generated objectives, examining the ratings’
with projections but also that wins awareness and ownership of AIS’s implications and ramifications.
may be declining—a risk that strategic priorities and of the role Then they explore a given strate-
would need to be investigated. each business has in contributing gic theme in detail. Each strategic
to them. Its theme teams bring theme owner leads a discussion
3. Alignment. The strategy map
together a broader group of on the assessment results, looking
and strategic themes provide the
people involved in strategy imple- at their impact on strategic out-
structure for aligning businesses,
mentation. Yet another group is comes, both negative and positive.
teams, and individuals to the
developing initiative teams. Every “We actively debate the risks
organization’s common goals.
quarter, the executive team holds and implications—focusing on
Alignment also encompasses
a town hall meeting at a key loca- the horizon, not the past,” said
risk. Said Klinck, “We look at our
tion to provide a forum for open Klinck. “This approach allows us
themes and objectives to ask,
discussion with local leaders. to manage strategic risk even in
‘Will they promote the right
the absence of perfect measures.”
behaviors—or create conflicts?’ 5. Governance. Traditionally,
For example, ‘Are our incentives to governance in financial services To be robust, a strategic risk man-
grow promoting undue risk taking? firms occurs mainly through agement approach must embed
Are we investing in the right the business units, resulting in risk management into the organi-
places in product development a siloed approach to managing zation in good times as well as
to meet the latest marketplace risk and strategy. A solid gover- bad. It must treat risk holistically,
requirements for transparency?’” nance structure can help empha- as an integral part of strategy and
The strategy map thus serves size the mutual impacts of different performance management. In this
equally as a “shared risk agenda.” groups or performance drivers, way, organizations can adapt to
at the same time ensuring that change—even rapid change—with
4. Engagement. An organiza-
dialogue occurs horizontally and speed and agility. “We hope,” said
tion’s staff is probably the most
at multiple levels. Klinck, that “by recognizing the
effective leading risk indicator.
importance of a proactive, holistic
“We try to engage staff as much as Strategy review meetings are
approach, the entire financial
possible” and to listen carefully to as critical to risk management
services industry will emerge
people throughout the organiza- as they are to strategy review
from this crisis stronger.” I
tion, noted Klinck. Well before itself. At AIS’s monthly strategy
Prior to joining State Street AIS, Jack
Figure 1. The Five Principles of Strategic Risk Management Klinck was vice chairman of Mellon
Financial Corporation and president of
the Investment Management Solutions
Group. Previously he was chairman of
Mellon Europe. Early in his tenure there,
1. Executive
he introduced the Balanced Scorecard
Leadership
management system; in 2004, Mellon
Europe was inducted into the Balanced
Scorecard Hall of Fame for Executing
Strategy.
2. Measurement 5. Governance
Strategic Risk T O L E A R N M O R E
Management
See “Mellon Europe: Mobilizing
Change Through Executive Lead-
ership,” in BSR January–February
3. Alignment 4. Engagement 2005 (Reprint #B0501F). Also
see Mellon Europe’s write-up in
the Balanced Scorecard Hall of
Fame Report 2005 (Product
#9157). Both are available at
Strategic risk management parallels the approach to strategy management embodied in
Kaplan and Norton’s five principles of the Strategy-Focused Organization.
www.harvardbusiness.org.
Reprint #B0911C
12
November–December 2009
S N A P S H O T
Integrating Risk Management into the Strategic
Planning Process at Canadian Blood Services
By Dodge Bingham, Manager, Palladium Group, Inc.
In the aftermath of the global financial crisis, organi- the BSC management system and its pioneering
zations all over the world are beginning to manage work in building its Office of Strategy Management
C A S E
risk in earnest—by moving it from a siloed to a central earned it a place in the BSC Hall of Fame for
business activity. Experienced users of the strategy Executing Strategy in 2007.
map and Balanced Scorecard are ahead of the game:
CBS’s transformation has taken it from strategy
they realize that the BSC management system represents
management to enterprise risk management (ERM).
not only an appropriate tool for risk management but
In recent months, CBS began evolving its ERM into a
also one that allows integration of risk management
process that is integrated with strategy management.
with strategy and performance management—the
ideal. Consider this summary example from veteran Figures 1 through 3 illustrate the steps involved
BSC user Canadian Blood Services. in identifying and synthesizing risks, the first two
steps in CBS’s risk methodology. Figure 1 shows
At Canadian Blood Services (CBS), managing risk
where risk management enters the process—in the
is literally a matter of life or death. CBS, the blood
Translate the Strategy stage. Figure 2 shows the key
supply system provider for Canada (except Quebec),
questions CBS asks in the first two steps. Subsequent
was created in 1998 in the wake of a national health
steps involve analyzing the risks (e.g., vulnerability
crisis, when HIV and Hepatitis C tainted the nation’s
and magnitudes, mitigation actions) and creating
blood supply (then managed by the Canadian Red
a risk profile (e.g., devising a risk heat map and
Cross). Since its inception, CBS has transformed itself
creating an escalation plan).
into a model of management excellence. Its use of
Figure 3 shows how CBS identifies critical measures
1. —not merely measures of performance against key
Process
objectives, but measures that will help CBS track
Define destination and manage the risks to those objectives. CBS
1. Quantify the vision and gap
2. Define the change agenda
decomposes each objective to arrive at key drivers
3. Define issues and ultimately the most critical measures. For illus-
trative purposes, only one strategic objective is
Develop the strategy shown. I
1. Construct strategic analysis
2. Formulate the strategy
2.
Translate the strategy
Process Major Question
1. Strategic objectives
2. Performance measures A. Identify risks
A. Risk identified What risks will prevent
3. Strategic risks 1. Identify the objective
us from achieving our
B. Risk synthesized 2. Select the drivers
objectives?
3. identify the gaps and risks
Develop the plan
1. Identify strategic initiatives
2. Select initiatives B. Synthesize the risks What are the top risks for
C. Analyze risks
3. Assess risks 1. Review risk across objectives analysis and monitoring?
4. Develop business plan D. Create risk profile 2. Create synthesis of key risks
3.
Objective Primary Drivers Secondary Drivers Measures
1. Alignment of 1a. Verify demand for new services 1a. Acceptance rate among physicians
offerings to
physician needs 1b. Physician use of new services 1b. Usage rate among physicians
13
Reprint #B0911D
Balanced Scorecard Report
14
November–December 2009
At the beginning of an ERM on both the risks and their Figure 1: Hypothetical Example
workshop, managers rank their treatments—further strengthening of Initiative Risk Assessment
9
initiatives in order of importance alignment and accountability.
for the next operating year. 8 8.5
Probability of Success
she would then rank them from For each initiative, unit managers
6
Initiative (Rank)
Anticipating Risks and They use a scale from 1 to 9 to
indicate the probability of success- Initiatives are ranked by the probability
Developing Treatments of success in achieving objectives,
fully achieving the initiative’s given their risks and mitigation activities.
During each workshop, facilitators objectives. A 9 indicates a 90% The numeric ranking in parentheses
reflects the initiative’s importance.
also have business unit managers or greater probability of success;
draw on their knowledge and a 1 represents a 10% or less The risk assessment ranking can
expertise to list the risks that probability. reveal important information. In
could hamper their ability to Figure 1, the ranking for a cat
The initial votes often show some
achieve the initiative’s objectives. food initiative (8.5) may actually
type of distribution. To build
This information is entered into suggest that too many resources
alignment, team members discuss
a template for the workshop. For are being applied to the initiative,
the range of scores, challenge
example, leaders in a particular or that managers are underesti-
one another’s assumptions, and
food unit might define the follow- mating their capabilities. It may
reconsider their scores based
ing initiative: “Aggressively grow even imply that sales generated
on their peers’ positions. For
and build the ready-to-heat rice as a result may be beyond the
example, if one manager believes
business by expanding the product company’s capacity to produce.
(based on his experience) that
line to generate 5% net sales The product relaunch initiative,
a proposed risk treatment won’t
growth and maintain share above with a priority ranking of 3 and a
be effective, he might argue for
25%, while increasing product risk score of 4.5, may need to be
a score of 5 instead of the 7
availability to 50% distribution.” postponed so that its resources
advocated by his peers.
The risks to this initiative could are redeployed more effectively.
include possible aggressive coun- The debate is open, honest, and
termoves from competitors and collegial. That’s because everyone Finally, business unit heads submit
potential spikes in commodity involved knows that the goal is to a summary report to their seg-
prices. understand one another’s positions ment leaders and to corporate
and arrive at the best-informed headquarters showing the final
Managers next develop risk “treat- agreed-upon risk profile for each
assessments possible. Managers
ments”—activities designed to operating plan initiative. Senior
then rate each initiative from 1
mitigate or leverage the specific executives have access to the
to 9 again; usually, a smaller
risks they’ve identified. These, templates the unit managers have
distribution results. The final vote
too, are entered into the work- filled out, so they can drill down
results in a risk profile for the
shop template. For instance, to into greater detail.
initiative that gets color-coded:
combat the risk of competitor
below 5.0 is red; 5.0–5.9, orange; Analyzing Risk Data and
countermoves, the management
6.0–6.9, yellow; 7.0–7.4, blue; and Making Decisions
team may define treatments
7.5 or greater, green. If consensus
centering on accelerating product
is still lacking after the second After initiatives are put into
innovation and conducting a
vote, managers gather additional action, unit leaders review each
competitor analysis.
information outside the workshop initiative’s progress on a quarterly
Again, managers discuss and and reconvene to share it and basis—reassessing the risks
debate, achieving consensus get aligned. and treatments and deciding
15
Balanced Scorecard Report
Figure 2. Comparing Risks by Region: Hypothetical Example (dummy data) Segment insights. The system
allows segment management
Asia-Pacific Western Europe CIS* North America
Segment Segment Segment Segment teams to compare units or regions
to identify common problems.
The analysis might show, for
example, that one business unit’s
risks were clustering increasingly
within manufacturing/distribution.
It also enables teams to spot
trends early.
KEY Organization/HR Sales/Marketing Finance Manufacturing/Distribution Commercial Geography insights. The system
* CIS = Commonwealth of Independent States—the confederation of former Soviet Republics allows for identification of com-
mon issues across regions or
Mars can break down risk into corporate function categories by region. In this hypothetical
illustration, the biggest risk to the CIS segment is commercial. Sales and marketing risk is problems within a given region.
the biggest risk category for the Asia-Pacific and Western Europe segments. The latter two might (See Figure 2 for a hypothetical
confer with peers in the North America and CIS segments for solutions.
example.)
whether to change an initiative’s Since automating its ERM process, Finally, managers can use ERM
risk profile score. They update Mars has compiled enormous software to review other units’
a one-page dashboard depicting volumes of risk-related data. To initiatives—and gain insights into
execution performance for all date, the system contains 500 how to address common chal-
initiatives and documenting any operating-plan initiatives with risk lenges. This creates a learning
changes in risk profiles, adding profiles, 3,800 risks coded by type environment within the business,
comments on why specific (e.g., legal, financial, and sales enabling one unit to learn from
changes were made. The updates and marketing), and 4,200 risk and build on the success of others.
are submitted to both the seg- treatments—all generated by the
ment and corporate headquarters. company’s business units in multi- Managing risks to a company’s
ple geographies. It also contains strategy is never easy. But by
For example, suppose the profile establishing a disciplined ERM
three operating-plan cycles’
for the initiative “Relaunch Pedigree process, companies can make risk
worth of data.
brand to achieve a 10% growth management as routine as other
target” improved from yellow to Thanks to these volumes of data business responsibilities. A rigor-
green over the past two quarters and the system’s power, Mars ous process can also help man-
of the year. The initiative owner’s can now slice the data in various agers adopt the mindset needed
dashboard comments may be ways and customize how they to openly discuss and mitigate the
something along these lines: are presented—gaining valuable dangers to their business strategy.
“Shipments started in period 2 to insights for business decisions.
meet advertising schedule. Adver- For example, executives can Mars, Incorporated, has excelled
tising on air. Massive presentation examine pie charts showing how at ERM—not only encouraging
to all customers was executed risks are distributed across cate- bottom-up engagement in risk
during period 1, with excellent gories for a particular business management among unit heads,
customer participation.” unit, the entire company, a prod- but also using IT to support the
uct line, or a geography; and how gathering and analysis of risk-
These dashboards are a potent related data. Whether unit heads
risks are changing over time for
communication and decision- are seeking to introduce new
each area of interest. Consider
making tool. If an initiative products, expand into new geog-
these hypothetical examples.
shows a decreasing probability raphies, or beef up manufacturing
of success, managers discuss Product insights. Suppose a capacity, the process Mars has
the situation and decide how large percentage of the risks doc- developed positions them to
to address the problem—for umented for a particular product anticipate, prioritize, and mitigate
example, by redirecting marketing fell within the sales and marketing the risks, as well as share effective
or other resources toward the category. By getting a global view risk management tactics across
troubled initiative. The dash- of common risks, the company units. Result? The company has
boards are so simple and concise can identify common risk treat- sweetened the odds that each
that they’ve eliminated a lot of ments for that product across a strategic initiative will produce
reporting that managers used to region or the world—for example, the business results everyone’s
do. And they create transparency increasing the number of sales-
Product #B09110
looking for. I
for each unit. people for that product.
Reprint #B0911E
16 To subscribe to Balanced Scorecard Report, call 800.668.6705. Outside the U.S., call 617.783.7474. bsr.harvardbusinessonline.org