When GRC Meets Performance Management

December 7, 2008

by John Cummings

Soon after the deregulation of the airline industry in the 1970s, the CEO of Braniff Airways launched an ambitious growth plan aimed at transforming the company from a well-established regional player into a global powerhouse. In a matter of weeks, Braniff opened 49 new routes, offering only one daily round trip for each and brushing aside time-tested industry practices which called for frequent services as a precondition of route expansion. But no sooner had the strategy left the runway than it ran into serious turbulence, in the form of increasing competition, rising fuel prices, and a domestic recession. With its customer base shrinking and its regional business now burdened with heavy expansion debt, Braniff called it quits in 1982.

Hmmm ... An aggressively growth-oriented market strategy following a period of deregulation; disregard for long-established industry norms; and financial collapse in a cooling economy. Sound familiar?

Fast forward to 2008, and it's doubtful that the majority of companies are much more successful at integrating strategy and risk management than they were back in Braniff's day. Carl Waller, managing director with risk advisory firm Protiviti, believes that's because of the risk management function's historical focus on insurance coverage as well as what he calls "exuberance for the best case." For example, the mortgage industry pre-2007 acted on the assumption that it could "grow the market by relaxing lending standards etc., and not really looking at the risk profile of that strategy because that's covered in another area of the organization.

"Traditionally, in the way we've looked at risk and the development of strategy, those two areas have been bifurcated," Waller adds.

The Braniff example comes from a new Protiviti white paper, co-authored by Waller, which proposes a way to end that bifurcation. The paper describes the Performance/Risk Integration Management Model (PIMM), which Protiviti defines as "an enterprisewide program that establishes and maintains alignment of strategy risk-management capabilities and performance management processes in a changing operating environment."

The model starts at the top, with the integration of strategy development and risk management. "If you miss that, then everything else is academic," says Waller. At the highest level, Protiviti defines governance as the process of optimizing the balance between two elements: Aspire and Protect.

Aspire -- Articulating Strategy, Capabilities, and Infrastructure. This element focuses on the value that the business will create for its customers, employees, and stakeholders. The goal is to select objectives based on what the organization does better than any of its competitors, or on infrastructure that competitors lack.

All kinds of business initiatives founder on human capital issues. A key best practice, according to Protiviti, is to implement a formal strategy articulation process, a method for ensuring that the components of the strategy can be communicated to the organization easily and effectively. Another best practice is strategy visualization; companies should leverage technologies that can provide effective visual representations of progress and priorities.

Protect -- Identifying the Risks that Matter. The objective here is to define all of the "soft spots, loss drivers and incongruities that are inherent in the enterprises' strategic objectives" and that could adversely impact performance, including environmental risks; process risks, such as financial and reputational exposures; operations risks; and compliance risks. Once these are identified, the organization can define its risk appetite and, at a more granular level, its specific risk tolerances.

Integration of performance management and risk management goals comes next, at a point Protiviti calls Aim -- Defining the Metrics that Matter. This consists of identifying the strategy's value drivers, selecting metrics that reflect those drivers, and setting targets. The key is to consider each value driver in relation not only to performance, but also to the risks associated with it.

Waller offers the hypothetical example of an organization that has set the overall objective of increasing sales volume. A value driver might be overseas sales, and the company might construct a KPI around market penetration in emerging markets. That might establish a target of, say, a 40 percent increase in market share in emerging markets. But the company would also want to modify the target based on key risk indicators, for example around political risk. "Because you didn't want to get deep into those markets that are highly risky, instead of 40 percent market penetration in emerging markets, you might back it off to, let's say, 30 percent," Waller explains.

Once metrics and targets have been finalized, the strategy can proceed along lines established by familiar business process management disciplines such as planning, monitoring and evaluating performance, and realigning the plan as needed to achieve the desired results, with appropriate use of analytics, scorecards, and dashboards at each stage.

PRIMM is very much a technology-enabled model. Until recently, "technology hadn't really caught up with the complexities of this process," says Waller, "but a lot of major applications providers are addressing this now." He points to the recent acquisitions by SAP and Oracle of major point solution providers as a sign that they're taking the integration of strategy development, BPM and GRC very seriously.

Finance leaders will be key players in the unfolding integration of these disciplines. In the companies in which Protiviti is implementing PIMM, CFOs are helping the rest of the executives articulate the strategy. "They're also providing the mechanisms for communicating it out to the organization, and in many cases they are the owners of the process itself," Waller reports.

You can download Protiviti's white paper "Performance/Risk Integration Management Model: The Convergence of Enterprise Performance Management and Risk Management" here.

Performance management

Performance management includes processes that effectively communicate company aligned goals, evaluate employee performance and reward them fairly. - auto title loans

GRC claims to address the same problems as ERM and has exploited the right buzzwords, the execution and results between GRC and ERM are very different. -Nancy Alcorn