I have written before about enterprise risk management, which is an essential piece of both performance management and corporate governance. Every aspect of business entails risk. Everyone who makes a business decision is – whether consciously or not – making trade-offs between risk and reward. Assessing risk is tricky in business because it means different things to different people depending on where they work and their specific role in an organization. From a broad view, risk management becomes an “enterprise” issue for three reasons. One is to ensure that risk management is harmonized across the company and consistent with the corporation’s risk tolerance. A second purpose is to manage cross-functional risks – things that happen in one part of the company can have negative impacts on other areas. The third is to address the risk elements of what’s called the agency dilemma.
Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from management. The agency issue exists where the best interests of the principals are either not congruent or in conflict with the interests of the agents (the professional managers running the corporation). Agency issues are rife in any large-scale business, at times to the point of distorting business practices in whole industries. For example, motion-picture distribution companies might be better off if they were to handle a larger number of lower-budget films, but today’s industry is driven by producers and agents whose interests are best served by making blockbusters. For the producers and “above the line” talent, these projects have large potential payoffs while the outsized risks are mainly borne by others.
Much of the focus in the economics literature has been on the shareholder/senior management version of the principal/agent problem and the various mechanisms used to align their interests, such as stock-based compensation plans (increasingly with vesting provisions to encourage a long-term view) and other incentive-based plans. Indeed, one reason “performance management” has been the focus of so much IT investment is the need to have measurement capabilities and incentive plans that align the strategic interests of the corporation with the objectives of executives, managers and employees.
Yet the explicit focus of many performance measurement and incentive compensation plans has been on goal achievement with little regard to the risks. In this respect, the risk aspect has been more implicit, leaving it up to the employees to use their judgment or relying on supervisors to police risk-taking and set the tone for risk tolerance. Fortunately, most of the time this works well enough. Unfortunately – as recent disasters have demonstrated – it doesn’t always. And it strikes me that in most of the latter cases, one of the contributing factors has been the lack of attention to the risk aspects of the agency dilemma.
Just as shareholders’ concerns are not always going to be aligned with senior management’s, middle managers’ objectives may not always be well aligned with those of the executives above them. I think this is especially true when it comes to making decisions about risk. Reputational risk, for example, usually weighs more heavily on senior managers (who are more closely identified with the company) than on those running business units or functional areas. For this reason, and because they almost always are evaluated explicitly on some sort of output measure (volume, profits, cash flow and the like), lower-level managers have every reason not to err on the side of caution. Senior executives also may (intentionally or not) court disaster by stressing output without measuring risk. In such a case, a line manager may forgo required maintenance in order to meet some rush order. Ninety-nine times out of 100 this doesn’t matter. But the one time it does, catastrophe ensues.
Thus when risk is not measured explicitly, midlevel managers are put into a position where they have a strong incentive to ignore or undervalue risks (from the shareholders’ and executives’ perspectives), even if senior executives would support a decision to, say, forgo the rush order or negotiate some alternative. Part of this is human nature – it’s hard to prove a negative, and nobody gets credit for the disaster that didn’t happen. Without being able to demonstrate explicitly that they made the appropriate trade-off, middle managers may be penalized for choosing the safer option. Over time, if employees learn that making a sensible trade-off only leads to grief, they stop making sensible decisions.
Compounding the problem is the difficulty of appropriately defining and measuring risk. One of the factors that inhibits explicit enterprise risk management is that, outside of several already heavily regulated industries, there is limited experience with establishing formal systems for measuring and monitoring business risks. Banks and insurance companies, for example, have a long history of developing analytical frameworks for risk management and devote a great deal of management horsepower to compliance. (Despite this, disasters happen with depressing regularity, but that’s another topic.) Consequently, most organizations do not collect risk metrics and may not even understand or agree on what those metrics ought to be. The lack of data, in turn, inhibits the development of formal enterprise risk management systems and processes. Yet despite this lack of experience, I suspect that it’s possible to assemble a sufficient number of risk metrics to make risk part of a performance measurement system. In the maintenance example, the appropriate control is to monitor the system that schedules the work and have it raise cautionary flags when scheduled maintenance is delayed. A built-in audit function could also compare actual to budgeted maintenance spending and flag cases where outlays lag the budget.
Another contributing factor to the neglect of enterprise risk management is that risk is largely absent from the “balanced scorecards” that vendors and consultants promote. This technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. Scorecards are “balanced” because they incorporate metrics that model the kinds of trade-offs that managers want employees to make. If, for example, a call center measures only call times, customer satisfaction will suffer because agents will attempt to get callers off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard would include first-call-resolution percentage as a compensating metric.
Some companies have developed sophisticated systems that properly balance objectives so employees are rewarded for making the right trade-offs. Still, few include risk explicitly; I think “risk” ought to be a separate category alongside the typical array of “financial,” “internal business processes,” “customer” and “learning and growth.” Incorporating risk explicitly in performance management systems helps manage the agency dilemma in two ways. Because managers are evaluated on risk as well as output, they have an incentive to apply the proper balance in day-to-day decision-making. And because risk is measured rather than left implicit, those further up in the hierarchy can be alerted when risk thresholds are exceeded, instead of learning about the trade-off only after it has gone wrong.
Robert Kugel – SVP Research