Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection
We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.
Services for Technology Vendors
We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.
Risk has always been an integral part of business, but dealing effectively with risk is a progression. Indeed, history shows businesses adapting and coping better with risk through innovation. The importance of using information technology to manage risk is growing because today’s systems can automatically measure and analyze a much broader set of risk factors than individuals can, and do so more reliably. But a key challenge companies face in implementing enterprise risk management is developing a process for defining and measuring risk.
The objective of enterprise risk management is to optimize risk. By that I mean defining an organization’s risk tolerance and taking steps to minimize risk within the context of its tolerance. Ideally, optimization is accomplished through a formal process of seven steps:
This is a comprehensive model, but, alas, few corporations undertake this sort of rigorous risk management effort. Most set their risk parameters through a potpourri of explicit policies or more often by less formal means. And even in those cases, most companies don’t establish the appropriate metrics for these risks and therefore have a difficult time monitoring them.
Short of the major effort of overhauling a corporation’s attitudes and practices, the next best way to improve enterprise risk management is to focus on establishing key risk indicators on a bottom-up basis (defining risks and their appropriate metrics) and incorporating risk explicitly in performance management processes. Even without a rigorous, company-wide effort, companies should create key risk metrics for individuals and business units. Using them, executives and managers can assess performance of individuals or business units in a way that takes these risk metrics into account in determining how well they have performed.
“Risk-adjusted performance” is a concept central to investment management. Portfolio managers are assessed on their risk-adjusted returns, not their absolute returns, because they can show superior results by taking above-average risks – but usually only for a while. Risk-adjusted returns is a way of handicapping their performance so that the returns of those taking on average or even less risky investments are measured on a common scale with those that are making chancier bets.
Similarly, focusing only on business objectives without explicitly considering risk can produce results that are not in the best interest of senior executives, the business owners or employees as a whole, as I pointed out in an earlier blog.
Another contributing factor to the neglect of enterprise risk management is the absence of this important factor from purveyors of balanced scorecards. This technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. The scorecards are “balanced” because they incorporate metrics that model the kinds of trade-offs that intelligent executives or managers would want their direct reports to make. If, for example, call centers only measure call times, customer satisfaction will suffer because agents will attempt to get them off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard therefore would include first-call-resolution percentage as a compensating metric to call times. Similarly, risk should be considered in assessing how well an individual or business unit has done. It provides a more balanced evaluation of performance and focuses individuals on key risks and their relative importance.
Most companies don’t need new software to implement enterprise risk management. Whatever systems they use to collect and report data will do the job of collecting and disseminating risk data and risk metrics. If they have a scorecard application, they can incorporate key risks into it. Implementing risk management requires executives to participate so the appropriate attention is paid to defining key risks, determining how to measure and monitor them, and ensuring complete data is available for this purpose. In good times, disasters and scandals only briefly raise awareness of dangers to the business. Challenging economic environments, such as the one we’re in today, tend to focus executives’ attention on risk. There’s no better time to deal with its implications.
Best regards,
Robert Kugel – SVP Research
Robert Kugel leads business software research for ISG Software Research. His team covers technology and applications spanning front- and back-office enterprise functions, and he runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).
Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business,
Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to ChiefResearchOfficer@isg-research.net