Monday, January 18, 2010

The Unified Performance, Risk, and Compliance Process Model - Part III - Monitor and Analyze

 In the first installment of this series, we laid out the performance management lifecycle and its four phases.  We also explored in detail the first phase of the PM lifecycle, strategize and prioritize, where we develop and set the strategy, plan risks and set KRIs, plan compliance and set controls, and put together strategic action plans and initiatives. In the second installment in this series, we laid out the next phase, planning and execution, getting into the details of planning the strategic initiatives both from a financial and operational standpoint with an eye to risk.  In this post, we'll examine the third of the four phases, monitoring and analyzing.  In the monitor and analyze phase of the risk-adjusted PM lifecycle, you monitor to understand what is happening in the business, analyze to understand why it is happening, and for those things not on track, adjust to improve the situation relative to your goals.  A visual depiction of this phase is shown below:


The presentation of information to be monitored is crucial in order to facilitate decision-making. Risk monitoring is aligned directly to KRIs across the source systems that provide transactional data for the KRI. Dashboards linked with risks should help identify and manage key risks versus overall risks that are being prioritized based on exposure through quantitative/qualitative assessment. Dashboards are effective ways of combining the events, trends, and intelligence monitoring patterns across all of the major facets of the business to be monitored, including the key business dimensions like customers, products, projects, and employees and the related KPIs, KRIs, controls, and incidents and losses.

     Monitor performance. You can evaluate the KPIs you’ve set to identify progress made toward achievement of objectives and trends.
     Monitor initiatives. You can also evaluate which initiatives are failing or behind schedule.
     Monitor risk. You can then evaluate important key risk indicators to identify:

  • What and where are our top risks?
  • What are the changes to the risk levels for key activities and opportunities?
  • Are risks being assessed in accordance with company policy or according to industry best practices?
  • Are our mitigation strategies effective in reducing the likelihood or impact of a risk?
     Monitor internal controls. Report key control deficiencies, approvals, verifications, and reconciliations to mitigate risk. For example, how clean is our access control? Have there been major organizational shifts that require that we reexamine our roles? Do we need to add another layer of sign-offs?
     Monitor any incidents and losses. What incidents or losses have occurred? If risks or losses have occurred, or external events are affecting the department, document this information, even if you haven’t been
tracking it in the system yet.

No matter how diligent you are, manual monitoring can be very inefficient. Automated monitoring can proactively identify out-of-tolerance conditions, associated with a KPI, KRI, or a control, and then alert the responsible party. This should take into account forecasting, trending, and modeling capabilities so that if a metric falls out of range of a trend or budget/plan, then the appropriate alert is raised, along with the workflow process to get the investigation under way.


     Analysis is a key step in which you not only look at where you are, but what is happening (or what has happened) and why. The techniques for analysis can range from highly manual and simple to fairly automated and complex in terms of the usage of statistical techniques.

     Analyze performance. For KPIs, perform analysis to understand why they are increasing or decreasing.
     Analyze initiatives. To evaluate initiatives, perform analysis on the initiative to understand why it is succeeding or failing.
     Analyze risk. For KRIs, perform analysis to understand why they are increasing or decreasing.
     Analyze controls. When analyzing internal controls, you perform analysis on their effectiveness. For example, you notice that a control seems to generate a lot of incidents and find that the thresholds are set too low, creating false positives. You conclude that your controls have lost their effectiveness and analyze why.
     Analyze root causes of incidents or losses. If incidents or losses occur, perform analysis on the root causes and trends.
     In all of these cases, analysis was done with human intervention. However, it is important to note that this does not necessarily have to be the case. With the volume and complexity of data in the enterprise today, it is becoming increasingly difficult for humans to mine through the data and come to intelligent conclusions. Using data mining techniques, it is possible to have software determine the likely root causes and even suggest recommended actions to remediate.


After monitoring to know what has happened and analyzing to understand why it happened, for those things not going according to plan, it is time to set the business back on course by taking what you’ve learned and
using that information to adjust the settings across the enterprise. However, you must always consider the impact of your goals, risks, and compliance concerns when making decisions to adjust your actions.

     Adjust performance. If you see KPIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course. However, it is critical to remember that KPIs are interlinked, and you must optimize your performance goals in the context of risk objectives without violating your compliance objectives.
     Adjust initiatives. For initiatives that are not going as planned, it becomes essential to rapidly take remedial action or cancel them. For example, if an initiative is failing and you determine the root cause to be the MBOs for the key employees staffing the initiative, the simplest thing is to change the MBOs to see if this gets the initiative back on target.
     Adjust risk. For KRIs trending in the wrong direction, once you have analyzed the root causes, it should be clear what actions to take to set things back on course, often by putting the appropriate mitigating controls in place to stabilize them. The following types of actions can be performed to adjust risk: treat it (mitigation), tolerate it (accept it), transfer it (to another entity), or terminate it (closing down the activity that is exposing the plan to risk). However, it is critical to remember that KRIs are interlinked, and you must optimize your risk goals in the context of performance objectives without violating your compliance objectives.
     Adjust controls. For controls violations, adjustment takes the form of remediation and certification.
     Adjust after incidents or losses. For incidents and losses, the correct adjustments typically involve reexamining if we are tracking the right risks and have put the appropriate controls in place to mitigate them.  Keep in mind that not every risk can be adjusted or mitigated; in some cases, you must simply accept the risk based on the established controls.

In the final installment of this series, we'll take a look at the final phase of the PM Lifecycle:  model and optimize.

Excerpted from Driven to Perform: Risk-Aware Performance Management From Strategy Through Execution (Nenshad Bardoliwalla, Stephanie Buscemi, and Denise Broady, New York, NY, Evolved Technologist Press, 2009). Copyright © 2009 by Evolved Media, LLC

No comments:

Post a Comment