Being a risk manager can be a thankless job, and it can make you the scapegoat when things go wrong. You cannot prove a negative: a loss event only has some probability of occurring, so when it does not occur, was that the result of good risk management? In this RIMS 2016 session, Rodney Farrar, Director at Paladin Risk Management, explained how to demonstrate the successes of a risk management program and get the credit it deserves.
Measuring the benefit that risk management brings to an organization is a challenging task. Unlike finance or human resources reporting, there is no software application into which you can enter data and receive a percentage that indicates effectiveness. To measure the value of risk management within the organization, we first need to understand our objectives and then be able to measure performance against them.
The measurement of risk management performance can be divided into three distinct categories:
- Compliance. This measures whether the organization is complying with its own risk management policy directives.
- Maturity. This measures the maturity of the risk management program within the organization against industry best practice.
- Value Add. This measures the extent to which risk management is contributing to the achievement of the organization’s objectives and outcomes. To make this measurable, define performance indicators for the risk program itself.
There are five steps to a complete measurement of a risk management program.
1. Specify risk management goals and objectives.
The goal of the risk management program within the organization may be: “To ensure that the risks facing the organization are appropriately managed in order to protect the interests of the organization and its many stakeholders and to assist in the decision making process.”
Examples of risk management objectives may include:
- All personnel to be trained in the risk management requirements of Acme Corp by Q4 2017.
- All functional areas are to have developed risk registers by Q3 2016.
- All functional areas are to review risk registers at least quarterly.
- All risks outside the risk target for the organization are to be escalated to the appropriate level of management for acceptance within 24 hours of assessment.
2. Assess achievement.
From these objectives we can develop performance measures and key performance indicators (KPIs), and then report how far each objective has actually been achieved against them.
3. Assess compliance.
Even if all of the measures and KPIs line up, does this mean we are adding value, or are we simply “doing risk management” rather than “managing risk”? It is entirely conceivable that an organization achieves 100% compliance with every requirement of its risk management policy and yet risk management contributes nothing to the achievement of effective outcomes. Compliance measures activity, not results.
4. Assess maturity.
Risk maturity applies an audit or health-check approach to determine how effective the risk management framework is. It does not measure outcomes; it only measures how the program compares against best practice. The process needs to be repeatable, because maturity has to be reviewed on a regular basis and the results compared over time.
There are five levels of maturity: awareness, understanding, application, embedded, and mature.
5. Assess value add.
To do this effectively, we need to identify a small number (on the order of two to five) of performance measures for each of our “critical success factors”, which are the categories in which we measure the consequences of our risks. They can include:
- Financial (profit/loss)
- Reputation (customer complaints)
- Safety (number of safety incidents)
- Compliance (number of reportable incidents)
This is not an exact science, since a direct cause-and-effect relationship cannot be proven, but it does provide a strong indication of one. If performance against a specific metric improves after risk treatment strategies are implemented, that is evidence of value add. The practical consequence is that measuring the maturity of the risk framework is not enough on its own: you must, at the same time, measure performance against the KPIs, so that changes in maturity can be set alongside changes in outcomes.