Robert Torok

Leveraging Performance Management to Support Risk Management

Performance management systems not only provide a means of measuring success for current business activities and a view of planned activities for the future, but also act as a warning signal for risk.

March 21, 2011
by Robert Torok, CA

The objective of a performance-management system — and its underlying management processes — is to enable managers and executives to understand what is going well, what is not and what the future might look like, given data from the past.

Similarly, the objectives of a risk management process are to provide warning signals of impending or potential events that may impact the organization and quantify those impacts, while enabling the organization to assess the efficacy of its mitigation strategies.

But there is frequently a gap between these two processes. This is because the performance-management and risk-management processes are not intertwined. Therefore, risks are often assessed and managed without a complete understanding of the broader performance implications. Similarly, performance decisions are often made without regard for the risks they may inadvertently aggravate or mitigate. Both of these can be looked at through the metaphor of a rock being thrown into a pond: the first ripple is quite large and disturbs the water around the point of impact substantially, but each successive wave causes ever smaller ripples.

In bringing these two processes together, it is clear that strong performance-management systems should incorporate measures of risk and be able to predict future results if risks materialize and/or risk mitigation actions are taken.

Consider the following example:

  1. The organization starts with a traditional balanced scorecard, as shown in Figure 1. We will focus on customer metrics, shaded lightly in this figure. But there is a significant element missing here, namely, the risks associated with the customer metrics/targets and how the organization might get a warning signal that the risk might, in fact, materialize.
  2. Periodically, let us say monthly, traditional performance-measurement systems would report customer-survey results and number of contacts, with those results analyzed by region, service area, business unit, etc. But these results are received weeks after the fact and therefore any corrective action might be too late.
  3. Hence, the first additional measurement: a warning signal every time a customer does not rate the organization number one (the target or desired score). This is shown in Figure 2 under the column “Leading KRIs (key risk indicators).”
  4. A second key data element is also required, shown in the column “Impact of Risk Event,” indicating the consequences of not meeting the desired target. Now, the performance-management system is beginning to add value: the organization not only has a target and a set of actual results, but it also understands what will happen if an individual and significant risk event or an adverse trend materializes.
  5. However, even that is not enough, as the organization seeks to counteract each risk event, in this case a negative customer rating. One common solution is to offer something to compensate an unsatisfied customer at the point at which the customer interacts with the organization, such as a hotel check-out desk or during a visit by a sales representative — and before the customer formally evaluates the organization. If the organization’s representative identifies a potential problem, they may be given the authority to act immediately, as shown in the column “Prevention/Mitigation Actions” of Figure 2. Even after the negative rating, the organization may offer some compensation to the customer and thus seek to turn a negative experience into a positive one (often described as “the problem is not the problem; the problem is the reaction to the problem”).
  6. Now we can extend the performance-management system even further. We can ask about the impact of these corrective actions, as shown in the column “Impact of Actions.” In effect, what this suggests is that the risk of lower customer-satisfaction ratings can be mitigated by granting client-facing staff the authority to solve the problem immediately, but at a cost. And if the problems are severe enough, that cost might mean that the organization fails to achieve its financial targets!


Therefore, the most effective way for performance-management systems to support risk management is to incorporate those measures that predict events or trends, as well as enable the tracking of mitigation actions. The latter situation is shown in Figure 3, in which we have added the period results of our risk-mitigation actions, such as tracking the spend on customer-service actions as well as the change in performance ratings resulting from those actions.

The role of Finance in these areas is to provide the analytical tools and capabilities to enable performance metrics to be estimated, calculated, interpreted and reported to senior management. But through it all, it is important to keep in mind that the ultimate goal is not keeping score, but improving the score!

Robert Torok, CA is an executive consultant with IBM Global Business Services, leading the development of solutions and methods and delivering Enterprise Risk Management (ERM) services for IBM clients. He is a chartered accountant and a member of the Institute of Chartered Accountants of Ontario (Canada).

A version of this article appeared previously in the Controllers' Corner series on IBM.com.