this post, one of the aspects of Driven to Perform that I'm most proud of is how we unified performance, risk, and compliance into a coherent strategic management process framework. What led us to do this? There are numerous reasons, but let's consider the following for starters. In the process of setting business strategy, the development of strategic and operational plans should include the identification and assessment of risks to short- and long-term objectives and plans. Interfacing strategy with risk management to assess the vulnerability and impact of risks inherent in alternative strategies is integral to scenario analysis. Additionally, prioritizing inherent risks may demand risk mitigation tactics that will need to be factored into the annual plan and budgeted for during the planning process.
While the model above is simple and serves as a useful starting point, the realities of the processes underneath, especially once risk and compliance concerns are addressed, become more complex, as depicted in this diagram that summarizes the entire unified model:
In this post, let's double-click on the strategize & prioritize phase, depicted in detail below:
We'll provide prescriptive guidance on how to put all the pieces of our model together so you can try it yourself in your own organizational context.
Understand the Corporate and Departmental Contexts
Review the corporate strategic goals, strategic plans, initiatives, and metrics. Contextualize them to the implications they have for the departments and use this context to drive the PM lifecycle.
Develop and Set the Strategy
First, review the environment. To get a holistic picture of risk, understand where you currently stand, assess the internal environment, and properly define and prioritize the most important risks with the greatest impact and likelihood of occurrence (risk type, impact, probability, timeframe, and mitigation strategy/costs). Be sure to assess external as well as internal risks. External risks include capital availability, competitors, shifting customer needs, economic downturns, legal or regulatory actions, shareholder relationships, disruptive technologies, and political unrest. Internal risks relate to process, management information, human capital, integrity, and technology, as well as financial concerns.
Next, get a holistic picture of the full set of compliance initiatives you will intersect with, such as SOX, OSHA, data privacy laws, and global trade regulations.
The next step is to set the mission, values, and vision:
- Define mission (the fundamental purpose of the entity, especially what it provides to customers and clients). Example: "Make every information asset in the company add value to every business process"
- Define core values (the attitude, behavior, and character of the organization). Example: "Show willingness to do whatever it takes to help customers succeed"
- Define the vision. A vision is a concise statement that defines the 3- to 5-year goals of the organization. Example: "By 2012, be consistently ranked in the top 10% of customer satisfaction as a value-added partner for every business unit in the company."
Assign KPIs to Goals and Set the Right Targets
Define KPIs and targets that translate strategy into performance expectations. Identify value drivers (those elements that contribute to the value in your organization). Value drivers and related performance tolerances (KPIs) have risks associated with their achievement. Identify these risks and establish tolerance levels (KRIs). This connectivity between a value driver and a relevant KPI and KRI is an important bridge from a strategic view of risk—which can have a time horizon of three or more years—to a more focused budgetary view of risk, which is often applied to a single year.
Perform Additional Risk Analysis and Set KRIs
Now look again at risks to see what could keep you from meeting your goals. For each risk, decide what your risk appetite is. Can you afford to take that risk? What’s the worst-case scenario? What is the contingency plan?
Set a response strategy for the risk (treat, tolerate, transfer, or terminate). Decide whether you can afford the worst-case scenario presented by that risk from a performance management perspective. Could it bring down some critical value-generating mechanism for the company?
Define KRIs and risk thresholds and tolerances for those risks. Key risk indicators, like KPIs, are the early warning signals that define the threshold at which a risk could occur.
Perform Additional Compliance Analysis
Define your compliance requirements. Define the policies, procedures, and controls that must be in place to ensure that you can meet those requirements. Make sure that this applies not only at the main business process level but also to all subprocesses, including, and perhaps especially, those related to partners. Define control targets that translate compliance expectations into performance.
Work on the Strategic Action Plan and Initiatives
The strategic initiatives help define the exact methodology (the roadmap) for achieving the various goals. The results of this planning may require revisiting the strategy.
First, develop the roadmap (sequence of actions) for achieving performance, risk, and compliance expectations.
Next, define critical success and failure factors for all initiatives. Every project or investment must, in addition to defining the critical factors for its success, also define its critical “failure factors,” that is, those circumstances under which the project or investment is no longer likely to be successful. These failure factors can then be translated into metrics that serve as an early warning mechanism, allowing the organization to restructure or cancel a project before good resources and money are thrown after bad.
Finally, develop different risk-adjusted scenarios with contingency plans should risks to achieving plans materialize.
Cascade accountability of KPIs, KRIs, and controls throughout the organization and ultimately into individual MBOs for alignment. Each KPI, KRI, and control and its target should be owned by some department or group. The MBOs of the staff must reflect the KPIs, KRIs, and controls you set. This sounds obvious, but frequently performance is measured at an individual level in a way that does not in fact relate directly to corporate goals and strategies.
In the next post, we'll look at how the unified process model plays out in the second phase of the performance management lifecycle: planning and execution.