Measuring Risk Management Outcomes
Hello, in this session I want to talk about something that a lot of risk management people struggle with, and that is the measurement of risk management outcomes. How can we actually say and prove to an organisation that what we are doing within the risk management field is actually making a difference and adding value to the organisation?
I have had experience where everything is going really well and, as a result of that, the organisation takes the foot off the pedal around risk and their approach to risk management, and of course as soon as they do that incidents start to occur again. I’ve talked about the risk paradox in the past; I have done another blog on that, which goes into more detail.
The way I look at risk management performance is in three distinct categories. The first and foremost is around compliance. The second is maturity and the third and final (and most important) is the value added to the organisation.
The first is compliance. Are we complying with what we have said our objectives are and with our policy requirements in the risk management policy? Does every part of the organisation have a risk register? And has everyone received risk management training? And by the way, I know a very good Diploma and Advanced Diploma if you want to come and do those! Have risk workshops been conducted every three months? The interesting thing about the compliance element is that you can be 100% compliant with all the things in the risk management policy but not be adding value to the organisation.
So the next thing we want to do is look at the maturity of our risk management program and risk management framework. The way we do that is using some risk management audit tool. I have a maturity assessment that I have used quite successfully on a number of organisations. It measures the maturity against the development of the risk management framework and all the elements of the risk management framework, as well as the application. Are you actually managing risks or are you just capturing risks? What you want to do over time as an organisation is build up your level of maturity against the particular tool that you’ve used. You can get an external third party to come in or you can do it internally. The idea is that we want to increase the capabilities of our organisation but also the maturity in relation to risk management, and we want to benchmark that. What we need to do is identify where we are now, where we want to be and how long we want that to take. So you need some sort of tool that has a semi-quantitative capability.
The third and the most difficult concept for people to understand is how risk management is adding value. This is really quite simple. You are already measuring the performance of your organisation against a range of metrics. Those metrics tell you what your lead indicators and your lag indicators are, and how well you are performing against those lead and lag indicators. The way we match our risk management program against those performance indicators is this: if we have an increased maturity within our organisation and our risk management over time, what you should also find is that over the same period there should be improvements against every single one of those metrics. Now, here is part of the risk management paradox: we can’t say for certain that the risk management program has contributed all of that. For example, I worked with an organisation that had a 90% staff turnover in a 12 month period. We put in a whole lot of different strategies to try and reduce that. After 12 months we had reduced it down to 20%. We could not say for a certainty that the strategies that we implemented contributed all of that. We certainly did contribute to that, but it was around the time of the global financial crisis and in this particular area the mining boom had come off slightly, so people were less likely to leave the workplace anyway. What we can say is that we contributed to the improvement in that performance. The trick here is to understand the compliance but match and benchmark your maturity. At the same time as you benchmark your maturity for your risk management program, benchmark where all your metrics are in your organisation as performance measures. What we want to be able to demonstrate is a causal link between the improvement in our maturity and the improvement in those performance measures. If you do that, you are able to demonstrate the value of risk management to your organisation.
Risk management is not as clear cut as a marketing strategy where you may put an advertising campaign out and it results in a 24.7% increase in sales. That is something that is concrete, and risk management doesn’t work like that. But I reiterate, benchmark and then measure. If you improve your risk maturity over time then that should flow on to an increase or improvement in your performance measures within your organisation. That should allow you to demonstrate the value of risk management to your organisation and to the management of your organisation, because you will be doing a lot less crisis management. That’s all I’ve got for this session and as always, let’s be careful out there!