Current Print Edition
August/September 2010
CMA Management is a dynamic business magazine designed to help senior management professionals make informed decisions and give them a strategic advantage. Published by CMA Canada, CMA Management is circulated to more than 35,000 CMAs and 10,000 CMA candidates and students. It is also available by subscription.

Risk and the Balanced Scorecard

Organizations around the globe need to step up their risk management initiatives. The Balanced Scorecard can help

By Cam Scholey, CMA 

An effective risk management program can no longer be seen as a ‘nice-to-have’ for an organization. There are simply too many threats today. Yet it has only been in the past couple of years that companies have started ramping up their commitment to risk management. For instance, a 2005 study by Aon Ltd. in the U.K. noted that the percentage of companies with risk management/insurance departments has increased since the company’s 2003 survey (84% against 54%). Departments are less thinly staffed than previously with 53% of companies having five or fewer in the team, and 47% having six or more. Some 22% of companies now have more than 10 employees in their risk management/insurance department, up from 11% in 2003. These are positive signs.

But on the whole, most organizations in North America still find themselves scrambling to determine the resources and know-how to deal effectively with risk. In a recent PricewaterhouseCoopers survey, 60% of U.S. CEOs still see governance, risk management and compliance expenditure primarily as a cost rather than an investment. And only 25% of CEOs worldwide state that they are managing these priorities effectively. A new attitude to risk management is essential to make it an integral part of how an organization functions.

The new Management Accounting Guideline (MAG) entitled Identifying, Measuring, and Managing Organizational Risks for Improved Performance, by Marc J. Epstein and Adriana Rejc, should be considered a breakthrough for any organization that faces risk — essentially, all organizations. The Risk Management Payoff Model provided revolves around performance measures to identify, measure, manage, and report risks properly. The intent of this article is to complement the new MAG by demonstrating how the concept of risk management can be included in the Balanced Scorecard to assist in the process of properly identifying, measuring, managing, and reporting risks.

The Balanced Scorecard has been touted as a tool that can help any organization to better measure and manage progress toward its chosen strategy. Since the management of risk is often instrumental in achieving organizational objectives, it makes sense to consider how risk management may be incorporated into the Balanced Scorecard to help with the identification, measurement, management and reporting of key risks. Since the Balanced Scorecard is an integrating framework, it lends itself well to initiatives such as risk management.

 

The Balanced Scorecard

Pioneered by Kaplan and Norton in 1992, the Balanced Scorecard has assisted many companies in better measuring, communicating and managing their organizational strategy. The traditional model introduced by Kaplan and Norton included four dimensions: customer, financial, internal, and learning and growth.

The customer dimension focused on gaining and retaining customers through quality and service objectives. The financial dimension was composed mainly of traditional historical financial goals and measures, directed at bottom line performance. The internal dimension zeroed in on the critical components of internal operations that would make success in the customer and financial perspectives possible. The learning and growth dimension measured the elements of the organization that would dictate future sustainability, such as employee skills and research and development. Objectives for the internal dimension were often derived from looking at the other three perspectives and determining what gaps existed in the organization, in terms of skills and innovation.

Managing risk 

There are several ways that companies can deal with risk. One way is a four-step process for effectively identifying, measuring, managing, and reporting risks:

1. Brainstorming a comprehensive list of risks the organization faces;

2. Preparing the risk assessment chart for each risk type;

3. Completing the risk report card; and,

4. Entering results into the Balanced Scorecard to gauge actual overall performance.

The Glacier Inn, a fictional example of an ice hotel business, can be used to illustrate how the Balanced Scorecard could be applied to identify, measure, manage and report risks.

The Glacier Inn was established to address a unique winter adventure market niche. Inspired by the ice hotels in Sweden and Quebec, it is run like a “cold resort,” and is expected to attract day visitors as well as overnight guests. Of any venture at the mercy of Mother Nature, an ice hotel certainly makes the very short list. It is therefore a relevant example of how risk can be managed using a process, introduced in Figure 1.

Ice hotels face the risk of shortened seasons every year. A brainstorm clearly indicated that this risk was of primary concern. Warm weather (delaying construction), stormy weather (affecting guest arrival) and other causes of risk threaten to cut short the revenue-generating days between January and April, which would make the season a financial failure. The Glacier Inn will therefore need to identify, measure and manage the risks associated with a shortened season. The following process is applied to these risks to demonstrate how it can be used.

Step 1: Identify the relevant risks through brainstorming — the seven big questions

The key reason for the shortage of effective risk programs is the fact that most people and organizations simply have trouble identifying the risks they face. One way to do so is through a brainstorming exercise in which managers are encouraged to openly discuss what they believe are the areas where the organization is exposed. It is useful to set up the brainstorm to address the three major contributors to organizational risk: strategic risk, environmental risk, and operational risk. By asking a series of important questions, most if not all of the real risks the organization faces can surface.

Strategic risk: two questions

As Anthony Atkinson, CMA, FCMA, and Alan Webb, CA, stated in their article “Responsible hands” (CMA Management, November 2004), strategic risk addresses the concern that major strategic alternatives may be ill advised given an organization’s internal and external circumstances. Two questions should be asked in relation to strategic risk:

  • Which of our strategies, initiatives and objectives seem to be at risk of not being achieved given our internal (financial and human resources) environment, and why?; and,
  • Which of our strategies, initiatives and objectives seem to be at risk of not being achieved given our external environment, and why?

Environment risk: three questions

There are three sources of environment risk: macro-environmental factors, competitive factors, and market factors. Three questions should be considered in relation to these:

  • What environmental shifts or trends in any of these areas: social, technological, economic, environment and political (STEEP) leave us exposed in any way, and why?;
  • What competitive factors do or could threaten to negatively affect our ability to achieve our sales and profit objectives, and why?; and,
  • What market factors do or could threaten to negatively affect our ability to achieve our sales and profit objectives, and why?

Operational risk: two questions

There are two forms of operational risk: process risk and compliance risk. Process risk is the potential that a procedure, control or practice contains a design flaw that creates an organizational risk. Compliance risk is the potential that an implemented procedure, control, or prescribed practice that is otherwise well designed will not operate as intended by management. Operational risk should be addressed with the following questions:

  • What procedure, control or practice do we have that may contain a design flaw that creates an organizational risk for us?; and,
  • What procedure, control or practice do we have that may not be operating as we intend it to?

Brainstorming is an art. There is no one best way to identify all the risks that the organization faces. So the process of identifying, collecting and prioritizing key risks using brainstorming will vary amongst organizations. The important part is to get to the key objective/result: a comprehensive list of relevant risks that can be analyzed and assessed effectively. This sets the stage for Step 2.

 

Step 2: Prepare the risk assessment chart

There are a multitude of risks in the franchise business model. To assess the likelihood and severity of each risk, The Glacier Inn prepares a risk assessment chart for each of the risks it has identified. The chart details the causes of the risk being analyzed, and determines a risk factor for each (see Figure 1 for a simplified example of one risk: a shortened season for The Glacier Inn, defined as a season with fewer than 75 revenue-generating days/nights). The risk causes are prioritized, and a plan of action is determined for the highest risk items. If the risk factor is high enough (see Column C), a contingency plan should be considered.

Step 3: Complete the risk report card

At this point, it’s assumed that a risk assessment chart has been completed and updated for all relevant risks. The risk report card (see Figure 2) is where all of the risk work done earlier (namely, risk identification and assessment) is consolidated and summarized. The report card represents a summary of the information from all the risk assessment charts. In other words, the results from the risk assessment charts are fed into the report card’s “Actual” column to give managers a sense of where the organization is performing well and where it needs to focus more effort. Generally speaking, the organization should be happy with anything at or above “target,” and extremely pleased with anything approaching or exceeding the “stretch” number. Anything below target should be acted on and rectified. This focused approach allows managers to spend the limited resources they have on those areas deemed to leave the most risk exposure.

 

Step 4: Enter results into the balanced scorecard

The internal business process perspective is usually where any objectives related to risk can be found in a Balanced Scorecard. To keep the scorecard simple and avoid clutter, one method used in practice is to have a single risk measure on the front-page Balanced Scorecard, with a series of linked measures on the background report card. The risk-related goal on the main scorecard could be “manage risk effectively.” This can be done for any goal, not just risk.

So at a glance, managers can gain a sense of how well they are progressing with their overall risk management program compared to initial expectations. If results are at or in excess of some target, they can gain an increased sense of confidence that their risk program is effective. If it is below expectations, it merits special attention and corrective action to improve risk performance.

Three levels of results

By following this process, the reader can see how information is tiered into three levels. First, managers can get a good overall sense of how effective their risk management program is compared to expectations (from the Balanced Scorecard). Second, the risk report card provides another level of detail that can be used to put a spotlight on areas needing further attention. And third, for each risk, an assessment can be made of just how much risk is being assumed (in terms of probability and consequence), and what is being done about it. Figure 3 provides a conceptual illustration of this.

The background report card can be used to avoid clutter while at the same time keeping all the elements valuable in assessing and managing risk in view. Once actual results are entered into the report card, an actual risk score can be calculated and compared to initial expectations. This is accomplished by entering the risk score into the Balanced Scorecard then comparing it to the target and stretch expectations that are indicated on the Balanced Scorecard.

Potential benefits

This approach to risk management can be useful in many ways, and a host of potential benefits can result. First, it allows adopters to formalize a risk management program in an inexpensive way, using existing software packages and resources. Second, it helps to bring focus and clarity to the organization on what risk areas are in most need of improvement. And finally, by putting a spotlight on the most urgent risk areas, it can help direct management toward a strong and sustainable plan of action for continually mitigating risk.

Properly identifying, measuring, managing, and reporting risk has become recognized as an extremely important initiative. The Balanced Scorecard is an integrating framework that can allow organizations a systematic way to manage risk. By using the Balanced Scorecard for risk management, an organization can position itself to minimize the negative consequences of risk, which is of great importance in the overall achievement of organizational objectives.

Cam Scholey, CMA, MBA, (www.amii.bz) is president of Advance Management Initiatives, Inc., an author and a lecturer.
