The Unified Performance, Risk, and Compliance Process Model - Part III - Monitor and Analyze

 In the first installment of this series, we laid out the performance management lifecycle and its four phases.  We also explored in detail the first phase of the PM lifecycle, strategize and prioritize, where we develop and set the strategy, plan risks and set KRIs, plan compliance and set controls, and put together strategic action plans and initiatives. In the second installment in this series, we laid out the next phase, planning and execution, getting into the details of planning the strategic initiatives both from a financial and operational standpoint with an eye to risk.  In this post, we'll examine the third of the four phases, monitoring and analyzing.  In the monitor and analyze phase of the risk-adjusted PM lifecycle, you monitor to understand what is happening in the business, analyze to understand why it is happening, and for those things not on track, adjust to improve the situation relative to your goals.  A visual depiction of this phase is shown below:

Monitor

The presentation of information to be monitored is crucial in order to facilitate decision-making. Risk monitoring is aligned directly to KRIs across the source systems that provide transactional data for the KRI. Dashboards linked with risks should help identify and manage key risks versus overall risks that are being prioritized based on exposure through quantitative/qualitative assessment. Dashboards are effective ways of combining the events, trends, and intelligence monitoring patterns across all of the major facets of the business to be monitored, including the key business dimensions like customers, products, projects, and employees and the related KPIs, KRIs, controls, and incidents and losses.

     Monitor performance. You can evaluate the KPIs you’ve set to identify progress made toward achievement of objectives and trends.
     Monitor initiatives. You can also evaluate which initiatives are failing or behind schedule.
     Monitor risk. You can then evaluate important key risk indicators to identify:

• What and where are our top risks?
• What are the changes to the risk levels for key activities and opportunities?
• Are risks being assessed in accordance with company policy or according to industry best practices?
• Are our mitigation strategies effective in reducing the likelihood or impact of a risk?

     Monitor internal controls. Report key control deficiencies, approvals, verifications, and reconciliations to mitigate risk. For example, how clean is our access control? Have there been major organizational shifts that require that we reexamine our roles? Do we need to add another layer of sign-offs?
     Monitor any incidents and losses. What incidents or losses have occurred? If risks or losses have occurred, or external events are affecting the department, document this information, even if you haven’t been
tracking it in the system yet.

No matter how diligent you are, manual monitoring can be very inefficient. Automated monitoring can proactively identify out-of-tolerance conditions, associated with a KPI, KRI, or a control, and then alert the responsible party. This should take into account forecasting, trending, and modeling capabilities so that if a metric falls out of range of a trend or budget/plan, then the appropriate alert is raised, along with the workflow process to get the investigation under way.


Analyze

     Analysis is a key step in which you not only look at where you are, but what is happening (or what has happened) and why. The techniques for analysis can range from highly manual and simple to fairly automated and complex in terms of the usage of statistical techniques.

     Analyze performance. For KPIs, perform analysis to understand why they are increasing or decreasing.
     Analyze initiatives. To evaluate initiatives, perform analysis on the initiative to understand why it is succeeding or failing.
     Analyze risk. For KRIs, perform analysis to understand why they are increasing or decreasing.
     Analyze controls. When analyzing internal controls, you perform analysis on their effectiveness. For example, you notice that a control seems to generate a lot of incidents and find that the thresholds are set too low, creating false positives. You conclude that your controls have lost their effectiveness and analyze why.
     Analyze root causes of incidents or losses. If incidents or losses occur, perform analysis on the root causes and trends.
    
     In all of these cases, analysis was done with human intervention. However, it is important to note that this does not necessarily have to be the case. With the volume and complexity of data in the enterprise today, it is becoming increasingly difficult for humans to mine through the data and come to intelligent conclusions. Using data mining techniques, it is possible to have software determine the likely root causes and even suggest recommended actions to remediate.


Adjust

After monitoring to know what has happened and analyzing to understand why it happened, for those things not going according to plan, it is time to set the business back on course by taking what you’ve learned and
using that information to adjust the settings across the enterprise. However, you must always consider the impact of your goals, risks, and compliance concerns when making decisions to adjust your actions.

     Adjust performance. If you see KPIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course. However, it is critical to remember that KPIs are interlinked, and you must optimize your performance goals in the context of risk objectives without violating your compliance objectives.
     Adjust initiatives. For initiatives that are not going as planned, it becomes essential to rapidly take remedial action or cancel them. For example, if an initiative is failing and you determine the root cause to be the MBOs for the key employees staffing the initiative, the simplest thing is to change the MBOs to see if this gets the initiative back on target.
     Adjust risk. For KRIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course, often by putting the appropriate mitigating controls in place to stabilize them. The following types of actions can be performed to adjust risk: treat it (mitigation), tolerate it (accept it), transfer it (to another entity), or terminate it (closing down the activity that is exposing the plan to risk). However, it is critical to remember that KRIs are interlinked, and you must optimize your risk goals in the context of performance objectives without violating your compliance objectives.
     Adjust controls. For controls violations, adjustment takes the form of remediation and certification.
     Adjust after incidents or losses. For incidents and losses, the correct adjustments typically involve reexamining if we are tracking the right risks and have put the appropriate controls in place to mitigate them.  Keep in mind that not every risk can be adjusted or mitigated; in some cases, you must simply accept the risk based on the established controls.





In the final installment of this series, we'll take a look at the final phase of the PM Lifecycle:  model and optimize.


Excerpted from Driven to Perform: Risk-Aware Performance Management From Strategy Through Execution (Nenshad Bardoliwalla, Stephanie Buscemi, and Denise Broady, New York, NY, Evolved Technologist Press, 2009). Copyright © 2009 by Evolved Media, LLC

The Unified Performance, Risk, and Compliance Process Model - Part II - Plan and Execute

In the previous installment of this series, we laid out the performance management lifecycle and its four phases.  We also explored in detail the first phase of the PM lifecycle, strategize and prioritize, where we develop and set the strategy, plan risks and set KRIs, plan compliance and set controls, and put together strategic action plans and initiatives. The next phase, planning and execution, gets into the details of planning the strategic initiatives both from a financial and operational standpoint.  The details of this phase can be depicted as such:
Align Corporate Budget to Departmental Budget and Link Corporate and Departmental Initiatives

The budgeting process takes each of the outcomes or actions from the planning process and aligns revenues and expenses against them. Decisions regarding investment priorities and resource allocations define how the company will operate and set the bar for measuring performance.


To create risk-adjusted budgets, incorporate the range of possible revenues and costs of each action into the budget at the appropriate organizational level. A risk-adjusted budget is one that responds to changing circumstances, providing the financial capability to react to events in a planned, proactive manner. Align risk adjusted budgets with contingency plans should risk events occur, or if risks exceed the acceptable threshold to achieving budgets.


Align Departmental Budget to Departmental Operational Plans

The operational planning process links the financial budget to specific operational factors. Plan out each step of each initiative. Consider what risks you have in each area of the operational plan. For example, in a risk-adjusted operational plan, for every decision to allocate resources to one set of operational activities versus another, you determine the impact and probability of the highest priority operational risks on those individual line items and use this to set a range of expected and forecasted values instead of fixed values. If the risk materializes, you would want a contingency plan in place that showed the performance and risk implications if we moved the budget from one initiative to another.


Forecast Performance and Risks

Create rolling, risk-adjusted forecasts of the budget (revenues and costs) and operational plan (including number, capacity, and cost of resources necessary to achieve plan) so that you can see trends over a rolling time horizon for those risks whose probability, consequence, and resiliency over time. That way if you have to make adjustments, you can see where you’ve been and the direction in which things are likely to go. Predictive analytic techniques can be a particularly powerful tool for building risk-adjusted forecasts by modeling the impact previous risks had on previous forecasts.

Execute Plans

This step is essential but obvious; put the plan into action. Be prepared to execute on the type of risk associated with the plan once the threshold or tolerance is exceeded.

In the next installment, we'll look at the the monitor and analyze phase, which is most traditionally associated with reporting and dashboarding capabilities in the business intelligence arena.

Excerpted from Driven to Perform: Risk-Aware Performance Management From Strategy Through Execution (Nenshad Bardoliwalla, Stephanie Buscemi, and Denise Broady, New York, NY, Evolved Technologist Press, 2009). Copyright © 2009 by Evolved Media, LLC

The Unified Performance, Risk, and Compliance Process Model - Part I - Strategize and Prioritize

The classic performance management lifecycle that most theorists and practitioners use to describe the continuous cycle of performance improvement consists of four phases: strategize & prioritize, plan & execute, monitor & analyze, and model & optimize. This lifecycle represents the natural stages that most companies go through over and over again as they improve their performance management practice. Part of the science of performance management is determining which of the areas is in most need of attention.  This is a visual depiction of the performance management lifecycle:

As I wrote in this post, one of the aspects of Driven to Perform that I'm most proud of is how we unified performance, risk, and compliance into a coherent strategic management process framework.  What led us to do this?  There are numerous reasons, but let's consider the following for starters.  In the process of setting business strategy, the development of strategic and operational plans should include the identification and assessment of risks to short- and long-term objectives and plans. Interfacing strategy with risk management to assess the vulnerability and impact of risks inherent in alternative strategies is integral to scenario analysis. Additionally, prioritizing inherent risks may demand risk mitigation tactics that will need to be factored into the annual plan and budgeted for during the planning process. 

While the model above is simple and serves as a useful starting point, the realities of the processes underneath, especially when risk and compliance concerns are addressed, become more complex, as depicted in this diagram that summarize the entire unified model:

In this post, let's double-click on the strategize & prioritize phase, depicted in detail below:

We'll provide prescriptive guidance in how to put all the pieces together in our model so you can try it yourself in your own organizational context.

Understand the Corporate and Departmental Contexts

     Review the corporate strategic goals, strategic plans, initiatives, and metrics. Contextualize them to the implications they have for the departments and use this context to drive the PM lifecycle.

Develop and Set the Strategy

     First, review the environment. To get a holistic picture of risk, understand where you currently stand and assess the internal environment and properly define and prioritize the most important risks with the greatest impact and likelihood of occurrence (risk type, impact, probability, timeframe, and mitigation strategy/costs). Be sure to assess external as well as internal risks. External risks include capital availability, competitors, shifting customer needs, economic downturns, legal or regulatory actions, shareholder relationships, disruptive technologies, and political unrest. Internal risks relate to process, management information, human capital, integrity, and technology, as well as financial concerns.
     Next, get a holistic picture of the full set of compliance initiatives you will intersect with, such as SOX, OSHA, data privacy laws, and global trade regulations.
     The next step is to set the mission, values, and vision:

• Define mission (the fundamental purpose of the entity, especially what it provides to customers and clients). Example:  "Make every information asset in the company add value to every business process"
• Define core values (the attitude, behavior, and character of the organization). Example:  "Show willingness to do whatever it takes to help customers succeed"
• Define the vision. A vision is a concise statement that defines the 3- to 5-year goals of the organization. Example:  "By 2012, be consistently ranked in the top 10% of customer satisfaction as a value-added partner for every business unit in the company."

     Next, set the goals. Define a strategy and set business objectives using risks as a key variable for deciding which strategies to pursue. With all that contextual information in hand, set a strategy to follow. Consider using a strategy map to display the cause and effect relationships among the objectives that make up a strategy. A good strategy map tells the story of how value is created for the business.

Assign KPIs to Goals and Set the Right Targets

     Define KPIs and targets that translate strategy into performance expectations. Identify value drivers (those elements that contribute to the value in your organization). Value drivers and related performance tolerances (KPIs) have risks associated with their achievement. Identify these risks and establish tolerance levels (KRIs). This connectivity between a value driver and a relevant KPI and KRI is an important bridge from a strategic view of risk—which can have a time horizon of three or more years—to a more focused budgetary view of risk, which is often applied to a single year.

Perform Additional Risk Analysis and Set KRIs

     Now look again at risks to see what could keep you from meeting your goals. For each risk, decide what your risk appetite is. Can you afford to take that risk? What’s the worst-case scenario? What is the contingency plan?
     Set a response strategy for the risk (treat, tolerate, transfer, or terminate).  Decide whether you can afford the worst-case scenario presented by that risk from a performance management perspective. Could it bring down some critical value-generating mechanism for the company?
     Define KRIs and risk thresholds and tolerances for those risks. Key risk indicators, like KPIs, are the early warning signals that define the threshold at which a risk could occur.

Perform Additional Compliance Analysis

     Define your compliance requirements. Define policies, procedures, and controls that must be in place to ensure that you can meet the compliance requirements. Make sure that this applies not only at the main business process level but also to all subprocesses including and perhaps especially those related to partners. Define control targets that translate compliance expectations into performance.

Work on the Strategic Action Plan and Initiatives

     The strategic initiatives help define the exact methodology (the roadmap) for achieving the various goals. The results of this planning may require revisiting the strategy.
     First, develop the roadmap (sequence of actions) for achieving performance, risk, and compliance expectations.
     Next, define critical success and failure factors for all initiatives. Every project or investment must, in addition to defining the critical factors for its success, also define its critical “failure factors,” that is, those circumstances under which the project or investment is no longer likely to be successful. These failure factors can then be translated into metrics that serve as an early warning mechanism, allowing the organization to restructure or cancel a project before good resources and money are thrown after bad.
     Finally, develop different risk-adjusted scenarios with contingency plans should risks to achieving plans materialize.

Cascade Accountability

     Cascade accountability of KPIs, KRIs, and controls throughout the organization and ultimately into individual MBOs for alignment.  Each KPI, KRI, and control and its target should be owned by some department or group. The MBOs of the staff must reflect the KPIs, KRIs, and controls you set. This sounds obvious, but frequently performance is measured at an individual level in a way that does not in fact relate directly to corporate goals and strategies.

In the next post, we'll look at how the unified process model plays out in the second phase of the performance management lifecycle: planning and execution.

Excerpted from Driven to Perform: Risk-Aware Performance Management From Strategy Through Execution (Nenshad Bardoliwalla, Stephanie Buscemi, and Denise Broady, New York, NY, Evolved Technologist Press, 2009). Copyright © 2009 by Evolved Media, LLC