Including Risk in a Balanced ScorecardIn the process of writing two previous posts on effective use of scorecards, I came upon a helpful article in Management that illustrates how the scorecard tool can be extended to cover risk.
To anyone keeping up with the business press, it is apparent that attention to risk management is increasing. This is a topic I myself have been following closely since collaborating on a training project for a large industrial insurer several years ago. In talking with underwriters and others at the company, I developed an appreciation of the scope companies have for deploying sophisticated risk management techniques if they choose to do so.
In the Management article, Cam Scholey, a Certified Management Accountant, looks at "how the concept of risk management can be included in the Balanced Scorecard to assist in the process of properly identifying, measuring, managing, and reporting risks." He outlines a four-step risk management process:
- Brainstorm a comprehensive list of the risks the organization faces. Questions to ask:
Which of our objectives, strategies, and intiatives are at risk of not being achieved, given our internal environment, and why? The internal environment encompasses both financial factors and human resources factors.
Which of our objectives, strategies, and intiatives are at risk of not being achieved, given our external environment, and why?
What environmental shifts or trends leave us exposed, and why? Consider all possibilities in the social, technological, economic, environmental, and political realms.
What competitive factors threaten our ability to achieve our sales and profit objectives, and why?
What market factors threaten our ability to achieve our sales and profit objecives, and why?
What procedures, controls, and practices do we have that may contain a design flaw that creates an organizational risk?
What procedures, controls, and practices do we have that may not be operating as intended?
- Prepare a risk assessment chart for each risk type. The chart for a particular risk type lists:
- Causes. (E.g., bad weather is a cause of the risk that an outdoor event will attract smaller crowds than planned.)
- The risk factor for each cause found by multiplying the likelihood of the cause by the severity of the associated consequences. The risk factors guide prioritizing of the various risk causes.
- Action plans for managing all substantial risk causes.
- Status notes on which actions have been taken, which are underway, and which are pending.
- Contingency plans for most or all substantial risk causes.
- Prepare a risk report card, summarizing the information in the risk assessment charts. The report card compares actual numbers to targets and stretch numbers for each of the following:
- The number of new risks identified and assessed.
- The number of risks with a risk factor greater than a set threshold (e.g., 25).
- The percentage decrease in the overall risk factor (total risk score) relative to the previous period.
- The number of actions that have moved from a status of pending to a status of underway or completed.
- The number of substantial risks (e.g., risk factor greater than 20) for which there is no contingency plan
- In the internal perspective portion of the scorecard, enter the total risk score. This score provides an overall gauge of the effectiveness of the organization's risk management.