Support BS31100 Compliance with Risk-Based Performance

The new British Standard 31100 – Code of Practice for Risk Management has been welcomed by many since its launch in October 2008. So how does Risk-based performance relate to BS31100 and how can it help your organisation improve compliance with the standard?

The relationship between Risk-based performance and BS31100

In many respects Risk-based performance and BS31100 share a very common background. Both build on existing standards, frameworks and methodologies, including the HM Treasury Orange Book, COSO’s Integrated Enterprise Risk Management framework and the Risk Management Standard developed by IRM, AIRMIC and ALARM. Both were developed to answer practical, real organisational needs rather than simply being theoretical. Both also approach risk from a threats and opportunities perspective and don’t simply see risk as ‘bad’. The similarities don’t stop there.

Both are based on a comprehensive set of principles (BS31100 has 11 principles, whereas Risk-based performance has 7). Both provide a framework and process for risk management and guidance on implementation, although Risk-based performance is more focused on implementation than BS31100.

However, they do differ in focus and emphasis. BS31100 is a risk management standard, whereas Risk-based performance is fundamentally about strategy execution. Risk-based performance argues that there are two sides to the strategy execution equation: performance management and risk management. BS31100 recognises the link between risk management and strategy in statements such as: “Organisations of all types and sizes face a range of risks affecting the achievement of their objectives” and “Effective risk management can assist the organisation to achieve its objectives”.

Under the Risk-based performance methodology, the relationship between risks and objectives, and understanding and managing that relationship, is fundamental. Risk-based performance provides the framework, tools and processes to integrate and align performance and risk management. This slightly different emphasis makes Risk-based performance an ideal umbrella methodology that can sit above BS31100, providing organisations adopting BS31100 with a proven framework within which to explicitly link their BS31100 efforts to performance management and the wider strategy execution agenda.

How can Risk-based performance support BS31100 compliance?

As a descriptive standard, as opposed to a prescriptive one, BS31100 takes the form of guidance and recommendations. The British standard is not a rigid specification of how to carry out risk management.

Risk-based performance, on the other hand, is focussed more on implementation. It is a practical and proven ‘how to do risk management’ methodology that already incorporates the guidance and recommendations of BS31100, aiding compliance with the standard. The methodology also incorporates leading thinking around performance management and focuses on improving organisational capabilities to deliver strategy, providing additional benefits to a BS31100 programme.

Any risk management programme, including BS31100, is in fact a change programme; therefore this change must be carefully planned and managed. With this in mind, we will describe how Risk-based performance can bring additional benefits to a BS31100 programme in the context of creating successful change.

1. Establishing a sense of urgency

In the current climate, establishing a sense of urgency may be relatively easy; however, it is still worth exploring, as this can be a significant challenge for many risk-related projects.

Often risk management projects, including implementing BS31100, lack a robust and defendable business case and ROI because these can be very difficult to calculate given the nature of risk. After all, what is the value of unknown potential threats or opportunities materialising? Is history a reliable indicator of the future? Is the historical data even available? These types of questions all add to the challenge of justifying risk management programmes.

Whilst similar questions will emerge when considering a Risk-based performance project, by their nature these projects typically engage a wider audience of senior people. Benefits framed purely in risk terms can be difficult to agree on, whereas improving performance and achieving already agreed objectives is easier to understand and agree on.

Making these improvements tangible and agreed is an important step towards understanding the size of the issues and potential benefits, and is therefore an important step toward developing the sense of urgency required to successfully deliver your BS31100 programme.

Change guru John P. Kotter suggests: “75% of the management must be genuinely convinced that the status quo is more dangerous than launching into the unknown”. Achieving this urgency can be difficult if risk is justified on the basis of regulatory or compliance requirements, whereas a more business-focussed discussion around strategic execution is more likely to achieve this 75% threshold.

2. Forming a powerful guiding coalition

Achieving buy-in and getting the right people to back your risk management/BS31100 programme is critical to success. Again, in the current climate this should be relatively easy; however, our experience shows it is still a concern. In fact, we have seen a situation where senior management did not support a risk management project because they believed it was risk management failures that ‘led them into this mess’.

Risk management projects are usually the idea of the Director/Head of Risk, CRO or equivalent. Generally, support will come from finance and compliance; however, those involved in areas such as operations and sales typically see risk as a burden, creating additional work for their already stretched teams.

Broader support and engagement can be achieved by changing the discussion and explicitly linking it to strategy and objectives: by demonstrating how the proposed project will clarify performance expectations and targets, enable more effective risk taking that is likely to lead to improved performance, make compliance less of a burden by taking a risk-based approach, and lead to a reduction in costs through fewer risk-related losses. This will bring functions such as operations and sales into the fold and result in a more effective project, embedded risk practices and enhanced organisational results.

3. Creating a vision

Creating a vision for the new risk management environment is key. Typically this vision will go well beyond the risk management function, so it is important to make it relevant to all departments. Creating a clear, concise vision and set of objectives which embeds risk management practices whilst addressing other areas of the organisation is the most effective way of embedding risk management practices throughout the organisation. BS31100 states that risk must be linked to objectives; using Risk-based performance to deliver on your BS31100 commitments provides the framework and tools to build this integrated vision and manage its achievement via a balanced, aligned set of objectives, risks and controls.

4. Communicating the vision

Building an integrated vision incorporating performance and risk considerations will result in wider senior management engagement, a more compelling vision and one that will be regularly communicated at discussions about strategy.

The ‘risk vision’ will not have to be explained when a risk item is on the agenda, or when there are specific risk events, because it will be communicated every time the organisational vision is discussed. An integrated vision does not have to be difficult to express. The following statement captures the idea simply and effectively:

“These are the objectives we are seeking to achieve for our organisation during the next 12 months. This is where we see opportunities, this is where we see threats and this is how we are going to manage these.”

This type of statement resonates with a wide range of people, as we all understand the trade-offs between risk and reward (performance). Encapsulating this into an organisation’s strategy makes the strategy more practical, more achievable and demonstrates it has been well thought through, making it easier for staff and other parties to buy into and support.

5. Removing obstacles

How often in risk projects (and other narrowly focussed projects) do you see turf wars breaking out, egos getting in the way of progress, and the risk function being perceived as stepping into others’ areas or empire building?

Building an integrated vision with broad support across management ensures these types of barriers become less problematic if (or when) they emerge. It also ensures other process, technology or people-related obstacles are removed quickly, as Risk-based performance provides the tools to quickly identify where issues are emerging, be they performance or risk related. It also provides processes and guidance to shape the ‘right’ behaviours and culture. In particular, it ensures a robust body of management intelligence is developed, based on both hard and soft data.

Basing discussions and decisions around robust management information makes dealing with obstacles less emotional and more rational, particularly if the obstacle is human.

6. Systematically planning to achieve quick wins

Planning for quick wins seems to be a particular issue for risk management, and potentially for BS31100 projects: if we are identifying more risk events, is that good or bad? If fewer risk events are occurring, is that because of our efforts or did it ‘just happen’?

Using Risk-based performance and some of the tools it employs (such as the strategy map, risk maps, dashboards, etc.) can produce quick wins and help encourage and consolidate support because the project is visibly delivering results. Typically a Risk-based performance implementation is completed using a clear, proven roadmap. This helps put very early wins into context and also signals the next set of wins the team is aiming for.

7. Declaring victory too soon

When implementing a risk management framework and process such as those described in BS31100, understanding when the project is over and the ‘problem’ fixed, and managing the transition to ‘business as usual’, can be a challenge.

Using Risk-based performance as your umbrella provides you with a roadmap and a framework you can work to, which can be helpful. However, our recommendation would be to plan to declare victory later than expected, and to provide active support and encouragement for your foot soldiers, such as risk champions, for longer than expected. The technology solution behind Risk-based performance provides insight into the level of engagement with the process, via measures such as indicator update performance, audit reporting and Google Analytics-style user statistics.

8. Not anchoring changes in culture

Perhaps the most challenging aspect of any risk management project, including a BS31100 or Risk-based performance project, is shaping the new culture and making it stick over time.

By supporting an organisation in taking an integrated and aligned view of performance and risk management, and encouraging an emphasis on the ‘doing’ side of strategy (as opposed to forever measuring), a BS31100 project delivered under the Risk-based performance umbrella will generally be more sustainable and the change will be more long-lasting because it is by its very nature embedded into the heart of the strategic execution processes of the business. The methodology provides robust processes, tools and technology which will remain in place long after the initial implementation is completed, thus continually reinforcing and supporting a new culture and set of behaviours.

BS31100 is an important and valuable addition to the risk management environment; however, implementation and moving towards compliance will not be without challenges for many organisations. It is nevertheless a journey worth taking.

The similarities Risk-based performance shares with the standard, combined with the methodology’s emphasis on addressing practical risk (and performance) challenges, mean it provides a proven approach that enables organisations to address the challenges of implementing a programme of change effectively and to make the changes last, leading to enhancements in both risk management and overall strategic execution.

