"A Holistic Approach to Managing Risk amidst Global Uncertainty"
The RMA/Cass Business School
10–14 February 2013
Advanced Risk Management Programme
Organised by Andrew Smart & Nicholas Hawke
In today’s fast-moving, complex environment, risk executives must cultivate an understanding across all risks and businesses. Business problems are multifaceted, interrelated, and increasingly global. Executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.
The RMA/Cass Advanced Risk Management Programme, led by the faculty at Cass, one of the UK’s top business schools, exposes participants to a rigorous yet inspiring blend of theory, practice and cutting-edge research, instilling knowledge and skills applicable to the real world of global business. In addition to its focus on the known and quantifiable risks of credit, market, and operational, the programme concentrates on the unknowable and difficult-to-measure risks, including business, strategic, and reputation. Cass has excellent links to City of London firms and institutions and is able to complement Cass faculty with guest faculty and senior-level business practitioners, considered by their peers to be industry thought leaders.
Areas of focus for The RMA/Cass Advanced Risk Management Programme include:
• Risk management as a strategic competitive strength
• An integrated approach to risk management
• Fostering a culture and climate that openly communicates risk
• A framework for rapidly responding to known risks and unraveling the complexities of the unknown
• A focus on risk informed by global perspectives.
1. Advanced Risk Management Programme
9th - 13th February 2014
Integrating Strategy and Risk Management
Nicholas Hawke and Andrew Smart
www.cass.city.ac.uk
2. Integrating Strategy & Risk Management
an Introduction to Risk-Based Performance Management
Workshop for the RMA
12 February 2014
3. Introductions
• CEO & Co-founder of Manigent, a thought-leadership consultancy firm focused on strategy execution and risk management
• 15 years plus in strategy and risk management
• 2006/07 - 12 month / 21 organisation research project into the integration of strategy and risk management
• 2008 - Created the Risk-Based Performance Management methodology during various strategy and risk related engagements in the city
4. The credit crunch and its subsequent fall-out has rewritten the rules on strategy execution and risk management
5. Post credit crunch, regulatory bodies have been more aggressive and active
6. As we enter the recovery and growth phase, managing risk (and Risk Appetite) to drive and sustain competitive advantage will be critical
7. Risk-Based Performance Management (RBPM) is a holistic and integrated approach to strategy execution and risk management
[Diagram elements: Strategy Management; Performance Management; Risk Management; Appetite; Governance & Communications; Culture. Questions posed: What are we trying to achieve? What is our Risk Appetite? Are we on track? Are we operating within appetite?]
9. Since its inception, the Balanced Scorecard has continued to evolve.
Performance Measurement
Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements.
“What you measure is what you get” - Kaplan & Norton, 1992
Performance Management
With adoption, the Balanced Scorecard evolved to become more focused on strategy.
Introduced the 5 principles
1. Translate the Strategy into operational terms
2. Align the organisation to the Strategy
3. Make Strategy a continual process
4. Make Strategy everyone’s everyday job
5. Mobilise change through executive leadership
Strategy Execution
The Balanced Scorecard is now positioned as a framework for enhancing strategic execution.
A closed loop system of strategic execution
1. Develop the Strategy
2. Plan the Strategy
3. Align the organisation
4. Plan operations
5. Monitor and Learn
6. Test and Adapt the Strategy
10. Unlike the Balanced Scorecard, Risk Management has evolved via a series of standards.
COSO
• COSO - Internal Controls framework (1994): Provided a common definition of internal control and a framework against which internal control systems can be assessed and improved.
• COSO – ERM framework (2004): The framework defines essential enterprise risk management components, discusses key ERM principles and concepts
Various Government standards
Various standards were created, often influenced by the COSO frameworks.
• The Risk Management Standard, 2002 (IRM, AIRMIC, ALARM)
• Orange Book, 2004 (HM Treasury)
• AS/NZS 4360:2004
• BS31100, 2008 (British Standards)
• Various
ISO 31000 & ISO 31010
• ISO 31000:2009: Provides principles and generic guidelines on risk management.
• ISO 31010:2009: Provides guidance on selection and application of systematic techniques for risk assessment.
11. We believe that integrating strategy and risk management is the next, natural evolution
Risk-Based Performance Management
Risk-based performance Management enables executives to manage with one eye on strategy & one eye on risk.
• Comprehensive strategic execution framework
• Integrated performance and risk reporting and analytics
• Aligns strategic intent with risk appetite
• Embedded governance and ownership model
12. Other experts also recognise the need for new approaches, and are looking at the integration of performance and risk management ...
What went wrong in Financial Services?
1. Wrong measures of risk or, at least, very limited understanding of the properties of the risk measures being used
2. Incorrect data used to estimate risk measures
3. Failure to understand correlations across risk measures
4. Managing local risks and ignoring global ones
5. Treating risk management as a compliance issue, not a strategic one
6. Taking big bets that unlikely events will not occur
7. Senior executives and boards striving for short-term gains while ignoring the risk exposure associated with generating high profits
Dr Robert Kaplan is focusing on measurement of risk
Value-at-Risk Calculation typically assumes that probability of gains and losses follows a normal distribution. What about Black Swan events?
VaR does not account for liquidity risk; it assumes you can get out of a position overnight.
VaR is like “an airbag that works all the time, except when you have an accident.”
Now is the time to enhance the BSC with Key Risk Indicators (KRIs) and integrate performance and risk management.
E&Y suggested a ‘re-balanced’ scorecard
13. Kaplan on Risk and the Balanced Scorecard
HBR June 2012
Three categories of Risk
1. Preventable Risks
2. Strategy Risks
3. External Risks
Managing Risk is very different from managing Strategy
14. Risk and the Balanced Scorecard - What we think…
Managing Risk is not different to, but a fundamental part of, managing strategy
15. Integrating Strategy & Risk Management based on Risk-Based Performance Management
16. Risk-Based Performance Management (RBPM) is a holistic and integrated approach to strategy execution and risk management
[Diagram elements: Strategy Management; Performance Management; Risk Management; Appetite; Governance & Communications; Culture. Questions posed: What are we trying to achieve? What is our Risk Appetite? Are we on track? Are we operating within appetite?]
17. The Risk-Based Performance Management (RBPM) methodology is based on seven management disciplines
1. Set Strategy
2. Manage Performance
3. Manage Risk
4. Appetite Alignment
5. Governance
6. Communications
7. Culture
[Diagram labels: Business Drivers; Capital; Income; Reputation; Appetite; Shareholder Value; Share Price; Economic value add; Profit]
18. Discipline 1: Set Strategy
Strategy: “to develop a sustainable (and defendable) position which enables the organisation to achieve its objectives while operating within defined risk appetite boundaries”
“One major problem that led to the current financial crisis was that although objectives had been created, there was no articulation of risk appetite or identification of those responsible when risks were incurred”
A clear articulation of strategy is important but it must include an expression of the amount and type of risk that the organisation is willing to accept
19. Discipline 2: Manage Performance
“Within the RBPM approach, we define ‘manage performance’ as the continuous process of monitoring objectives and their KPIs, identifying root causes of underperformance and making adjustments.”
[Diagram labels: Objectives; Processes; Initiatives; KPIs]
20. Discipline 3: Manage Risk
“In the context of Risk-Based Performance Management, Risk Management is about understanding and exploiting opportunities and threats (the risk the organisation faces in pursuit of its objectives), and the continuous monitoring and management of those risks to ensure the organisation executes its strategy while operating within appetite”
21. Discipline 4: Appetite Alignment
“Appetite Alignment is the process of continuously aligning current risk exposure to the defined risk appetite, which by implication encapsulates the strategy of the organisation. To translate into simple terms, it is about understanding whether the current level of risk-taking is aligned to the chosen business strategy, i.e. are we operating within appetite?”
22. Discipline 5: Governance
“Governance is the process and practices which define the strategic, operating and decision-making boundaries of an organisation (or organisational unit), and how decisions are made and implemented.”
23. Discipline 6: Communications
“When a firm’s risk appetite is properly defined and clearly communicated, it becomes a powerful management tool to clarify all dimensions of enterprise-wide risk and enhances overall business and financial performance”
The Five C’s:
1. Clarify
2. Credible
3. Concise
4. Context
5. Consistent
“all the good-to-great companies had a penchant for intense dialogue. Phrases like “loud debate”, “heated discussions”, and “healthy conflict” peppered the articles and interview transcripts from all the companies. They didn’t use discussion as a sham process to let people “have their say” so they could “buy in” to a predetermined decision. The process was more like a heated scientific debate, with people engaged in a search for the best answers”. Jim Collins
24. Discipline 7: Culture
• Culture comprises an organisation’s widely shared values, symbols, behaviours and assumptions.
• “the way we do things around here”
• The seven key characteristics of a Strategy-Focused, Risk-Aware Culture
1. Driven by a compelling vision
2. Live by a clear set of values
3. Led with integrity
4. Align risk-taking to strategy
5. Established clear accountabilities
6. Engage in high quality conversations
7. Incentives are aligned to appetite
Culture is perhaps the ultimate strategy and risk management tool
25. Underpinning the Risk-Based Performance Management approach is a clear change process
[Process diagram. Phases: Formulation; Execution. Levels: Board; Executive. Steps: Define Strengths & Weaknesses; Define Strategic Goals; Define Business Drivers; Define Strategic Risks; Define Risk Appetite; Define Strategic Objectives; Define the Strategy; Define the Business Model; Align Risk Appetite & Strategy; Define Strategic Controls; Define Indicators; Define Processes; Define Initiatives; Define Operational Risks; Define Operational Controls; Assess Risks & Controls; Monitor Appetite Alignment]
26. Organisational progress in implementing the approach can be measured using a Maturity Model
“How mature is your integrated strategy & risk management approach?”
• Based on the RBPM Seven disciplines
• Provides a snapshot of your organisational Strategy & Risk maturity
• Provides a ‘slice’ by organisation behaviour
[Maturity Model diagram. Dimensions: Strategy; Performance Management; Risk Management; Appetite Alignment; Governance; Communications; Culture. Maturity levels: Initial; Competent; Proficient; Expert; Exemplary. Other labels: Manage; Operationalise; Monitor; Improve]
27. Advantages of integrating strategy management & risk management
• Aligning risk appetite and strategy – the board and senior management should evaluate the organisation’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
• Enhancing risk response decisions – actively managing emerging risk provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.
• Reducing operational surprises and losses – organisations are able to identify potential events and establish responses, reducing surprises and associated costs or losses.
• Seizing opportunities - by considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
• Improving deployment of capital - obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
28. Implementing a Risk-Based Performance Management approach brings a range of benefits
“Deploying Risk-Based Performance Management has enabled us to realise a 94% reduction in the value of errors and a 63% reduction in the volume of errors.” – Head of Operational Risk, Mortgage Services Provider
“we were able to reduce our operational losses by over to 50% in the first year of using Risk-Based Performance Management” – Investment banking client
“Coupled with the implementation of a new risk management framework, significant business benefits are emerging” – Source: Annual accounts of a Financial Services client
“Using Risk-Based Performance Management has delivered a more focused, structured Risk framework, enabling us to focus on the vital few – the number of Key Risks dropped from 120+ to just 10!” - Investment banking client
29. Central to this integrated model for Strategy and Risk Management is the Strategy Map
30. The Strategy Map articulates how an organisation creates value
[Strategy Map diagram. Perspectives: Financial; Customer; Internal Process; Learning & Growth. Labels shown: Deliver Revenue Growth; “Their fees are clear and fair”; Sustainable Growth; Drive sales execution; “We align our incentives to our appetite & desired behaviours”]
Objective: Statement of what strategy must achieve and what’s critical to its success
KPIs: How success in achieving the strategy will be measured and tracked
Targets: The level of performance or rate of improvement needed
Initiatives: Key action programs required to achieve Priorities
Example: Objective: Drive sales execution; KPIs: YTD % Increase in income; Targets: 25%; Initiatives: Implement new sales process
31. However, to create value, risk-taking must be aligned to strategy
[Strategy Map diagram, as on slide 30]
Objective: Statement of what strategy must achieve and what’s critical to its success
Appetite: How much risk are we willing to run to achieve the objective?
Exposure: How much risk are we currently running?
Alignment: Is our current risk-taking aligned to appetite?
Example: Objective: Drive sales execution; Appetite: Moderate; Exposure: High; Alignment: Overexposed
32. Effective risk management supports value creation and value protection
[Strategy Map diagram, as on slide 30]
Objective: Statement of what strategy must achieve and what’s critical to its success
Risks: The threats and opportunities (risks) exist which may impact achievement of objectives
Thresholds: The appetite and tolerance thresholds used to monitor risk
Mitigation: The activities undertaken to manage risk
Example: Objective: Drive sales execution; Risks: Mis-selling resulting in reputation loss; Thresholds: Appetite, Tolerances; Mitigation: Controls, Initiatives, Policy & procedures, Processes
33. Many different types of risks make up the organisational risk universe
[Diagram. Strategy Map perspectives: Financial; Customer; Internal Process; Learning & Growth. Labels shown: Increase Shareholder value; Sustainable Growth; Increase Investment Returns by 25%; Increase Retention of competent staff by 10%. Risk types: Strategic Risk; Finance Risk; Operational Risk; Insurance Risk; Hazard Risk]
34. Many different types of risks make up the organisational risk universe
[Diagram. Strategy Map perspectives: Financial; Customer; Internal Process; Learning & Growth. Labels shown: Increase Shareholder value; Sustainable Growth; Increase Investment Returns by 25%; Increase Retention of competent staff by 10%. Risk types: Strategic Risk; Finance Risk; Operational Risk; Insurance Risk; Hazard Risk. Example risks: Unexpected changes in interest rates; Unexpected Equity movements]
35. The Risk Map is structured around the 4 perspectives to provide a snapshot of the current level of Risk Exposure (‘Heat’)
• The 4 perspectives are aligned to the Strategy Map
• Often the risks are defined as ‘impacts’ not ‘events’, i.e. the impact may be on the customer but the event was operational
36. Appetite Alignment Matrix is one of our key innovations and a key tool for monitoring the alignment of risk-taking to strategy
• Enables monitoring of the alignment of risk-taking to strategy
• Enables the monitoring of risks which are outside of appetite
• Also shows where we are taking too much and not enough risk
• Changes the risk conversation
Are we operating within Appetite?
37. The Appetite Alignment Matrix can also guide management responses to mis-alignments
Over-Exposed
• Reduce the level of risk taking
• Increase / Change Controls environment
• Implement Initiatives
• Stop/review mis-aligned activities
• Review Objectives / Business outcomes
• Board to approve a waiver
• Board to change the risk appetite
Aligned
• Continue to monitor and manage
• Focus on trends
Under-Exposed
• Increase the level of risk taking
• Reduce / Change Controls environment
• Implement Initiatives
• Stop/review mis-aligned activities
• Review Objectives / Business outcomes
• Board to approve a waiver
• Board to change the risk appetite
38. Key Business Drivers are used to frame the definition of risk impact levels, used within both Risk Appetite definition and the Risk Assessment process
[Diagram labels: Key Business Drivers (Capital; Income; Reputation; ?); Risk Appetite Levels; Risk Assessments (Capital @Risk; Reputation @Risk); Appetite Alignment Matrix]
39. Bringing together these three powerful tools, and the underlying methodology, provides the foundation for effective strategy execution
[Diagram labels: Risk Appetite; Strategy Map; Risk Map; Appetite Alignment Matrix]
40. Bringing together these three powerful tools, and the underlying methodology, provides the foundation for effective strategy execution
Strategy Map: What are we trying to achieve?
Risk Appetite: How much risk are we willing to take?
Risk Map: How much risk are we running?
Appetite Alignment Matrix: Are we taking the right amount of risk? So What?
41. Risk-Based Performance Management is proven to enable better execution, better risk management and deliver tangible business benefits
It [Risk Management] should become part of the firm’s DNA and simply the way business is done – reflected in the effectiveness of management doing the right things.
The true output of effective risk management is a successful organisation that delivers on its strategic objectives and satisfies the needs of key stakeholders consistently, year on year.
HML started a journey to ingrain a new approach to risk management. In spite of the financial difficulties experienced in our market, significant benefits have been achieved which have made a difference to HML’s bottom line: 94% reduction in the value of errors and a 63% reduction in the volume of errors.
http://www.hml.co.uk/blog/2011/09/23/risk-management-drivingvalue-from-a-long-game-approach
43. About Manigent
A thought-leadership consultancy firm focused on strategy execution and risk management
• Thought-Leadership
• Time-bound, Guaranteed Delivery
• Pragmatic People, Proven Solutions
• We leave capability behind
We wrote the book on integrating strategy and risk management
44. Our Services
Manigent works with clients in the financial services and other regulated industries globally.
Integrated Strategy & Risk
Manigent 90 Day Change Roadmap
Known cost / Low risk
Time-bound delivery
Proven methodology
Focus on 80% Known & 20% Unknown
Balanced Scorecard & Strategy Map
Enterprise & Operational Risk Management
Information Risk (Cyber) Management
Conduct Risk Management
45. Our experience & expertise
We typically work with large clients who seek to make lasting and meaningful change in their ability to execute
Our clients shaped our approach & methodology
Financial Services
• Investment Bank - Risk & Controls framework design and implementation
• Investment Bank - Middle Office Op Losses and MI diagnostic
• FS Outsourcer - FSA RMP solution design and implementation
• Inter-dealer broker - Section 166 response design and implementation
Professional Services
• Big 4 Audit Firm - Strategy Map/Balanced Scorecard implementation
Telecoms
• UK Mobile Operator – Balanced Scorecard Design and Deployment
Defence
• FTSE 100 Defence Company – Cyber Strategy & Risk Management
• Global Defence Systems Integrator – Cyber Awareness training & culture change
Government
• Legal Services Regulator – Developed their internal risk capability, processes and framework
• Central Banks / Financial Services Regulators – Regulatory Framework design and deployment