
        Risk Analytics Has Benefits for Optimizing Performance



        Risk has always been an integral part of business, but dealing effectively with risk is a progression. Indeed, history shows businesses adapting and coping better with risk through innovation. The importance of using information technology to manage risk is growing because today’s systems can automatically measure and analyze a much broader set of risk factors than individuals can, and do so more reliably. But a key challenge companies face in implementing enterprise risk management is developing a process for defining and measuring risk.

        The objective of enterprise risk management is to optimize risk. By that I mean defining an organization’s risk tolerance and taking steps to minimize risk within the context of its tolerance. Ideally, optimization is accomplished through a formal process of seven steps:

        1. Identification lists the relevant risks and defines their precursors. It answers these questions: What usually goes wrong? What is the source of the risk? What usually happens before something goes wrong?
        2. Analysis and quantification define the consequences of the risk, where the impact falls and who controls the impact under which circumstances, and estimate the cost and probability of the risk.
        3. Risk integration, a step specific to enterprise risk management, lists risks that are correlated across business units, identifies portfolio effects (where risks in individual business units may cancel each other out) and aggregates the risks within business units and across the enterprise.
        4. Assessment initially arrays the risks at the business unit level based on their cost and probability, refines those priorities at the business unit level based on management objectives and then further refines priorities at the corporate level.
        5. Response requires a company to address each of the identified risks. It may take steps to eliminate some risks entirely because the probability of the risk occurring is high and the consequences if it does are steep. In other cases, it can take steps to reduce the impact of a risk by narrowing the probability that it will occur or having responses in place to mitigate its impact. It can insure the risk fully or in part with third parties or self-insure it because of a cost/benefit calculation.
        6. Monitoring involves implementing continuous and consistent methods of tracking risks, reporting and alerting when these risk events (or their precursors) occur and measuring and assessing responses to them.
        7. Review is a periodic, fact-based secondary assessment because risks themselves are not static and all organizations learn from their successes and failures in identifying and dealing with risks.

        This is a comprehensive model, but, alas, few corporations undertake this sort of rigorous risk management effort. Most set their risk parameters through a potpourri of explicit policies or more often by less formal means. And even in those cases, most companies don’t establish the appropriate metrics for these risks and therefore have a difficult time monitoring them.

        Short of the major effort of overhauling a corporation’s attitudes and practices, the next best way to improve enterprise risk management is to focus on establishing key risk indicators on a bottom-up basis (defining risks and their appropriate metrics) and incorporating risk explicitly in performance management processes. Even without a rigorous, company-wide effort, companies should create key risk metrics for individuals and business units. Using them, executives and managers can assess performance of individuals or business units in a way that takes these risk metrics into account in determining how well they have performed.

        “Risk-adjusted performance” is a concept central to investment management. Portfolio managers are assessed on their risk-adjusted returns, not their absolute returns, because they can show superior results by taking above-average risks – but usually only for a while. Measuring risk-adjusted returns is a way of handicapping their performance so that the returns of those taking on average or even less risky investments are measured on a common scale with those of managers who are making chancier bets.

        Similarly, focusing only on business objectives without explicitly considering risk can produce results that are not in the best interest of senior executives, the business owners or employees as a whole, as I pointed out in an earlier blog.

        Another contributing factor to the neglect of enterprise risk management is the absence of this important factor from purveyors of balanced scorecards. This technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. The scorecards are “balanced” because they incorporate metrics that model the kinds of trade-offs that intelligent executives or managers would want their direct reports to make. If, for example, call centers only measure call times, customer satisfaction will suffer because agents will attempt to get callers off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard therefore would include first-call-resolution percentage as a compensating metric to call times. Similarly, risk should be considered in assessing how well an individual or business unit has done. It provides a more balanced evaluation of performance and focuses individuals on key risks and their relative importance.

        Most companies don’t need new software to implement enterprise risk management. Whatever systems they use to collect and report data will do the job of collecting and disseminating risk data and risk metrics. If they have a scorecard application, they can incorporate key risks into it. Implementing risk management requires executives to participate so the appropriate attention is paid to defining key risks, determining how to measure and monitor them, and ensuring complete data is available for this purpose. In good times, disasters and scandals only briefly raise awareness of dangers to the business. Challenging economic environments, such as the one we’re in today, tend to focus executives’ attention on risk. There’s no better time to deal with its implications.

        Best regards,

        Robert Kugel – SVP Research

        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for ISG Software Research. His team covers technology and applications spanning front- and back-office enterprise functions, and he runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).
