Delivering a project last week, I was involved in a conversation which neatly captured the power of the Risk-Based Performance Management approach, and its underlying philosophy that strategy and risk must be managed together, using an integrated framework.
The conversation that took place involved two highly experienced and very knowledgeable risk management professionals, a Manigent consultant and myself.
The question at hand related to the definition of the enterprise risk management (ERM) framework, and specifically what the correct Business Drivers to use were.
The initial view was that the right Business Drivers were their existing ‘Risk Drivers’, i.e. the factors that would lead to the risk materialising. However, as we explained the meaning of a Business Driver and worked through some examples, it became clear to everyone involved that the existing Risk Drivers were not the right Business Drivers. As we were using StratexPoint as our enabling technology platform, the Risk Drivers were defined as causes, making up one half of the Risk bow tie.
So that brings us to the question – what is the difference between Business Drivers and Risk Drivers? And of course, why is it important?
Business Drivers are those vital few factors that disproportionately influence the success or otherwise of the business or industry. For example, for organisations which are heavily dependent on Capital, such as Investment Banking, Capital would be defined as a Business Driver, whereas businesses which are more reliant on Cashflow, such as Retail or Hospitality, would use Cashflow as a Business Driver.
Risk Drivers, on the other hand, are the factors which disproportionately influence whether the risk materialises. For example, the risk of mis-selling payment protection may have Risk Drivers (also known as Causes) such as overly aggressive commission plans, poor sales support material, poor sales training, etc.
The difference is that Business Drivers are about the delivery of a Business Strategy, its objectives, processes, initiatives, etc., whereas Risk Drivers focus on the individual risk. Both are important but play different roles in the Enterprise Risk Management framework.
Coming back to the project and client, making this difference clear led to a ‘penny drops’ moment – the client finally saw how including Business Drivers in their ERM Framework created an integrated approach which linked back to the strategy and business plan of the organisation. Later in the day, when we did an initial run-through with key business stakeholders, they immediately recognised the Business Drivers from the organisational strategy and business plan documents and immediately engaged in a discussion about the individual risks and whether the right risks were assigned to the right objectives. Interestingly, once we reached the individual risk level, the Risk Drivers (which had not previously been meaningful to the business) really meant something, as they were explained within the context of an individual risk.
During the debrief of the meeting with the business stakeholders, the most interesting point of discussion was the lack of effort spent explaining each risk and why it was required, and the quality of the conversation around the business objectives and their risks. The risk management team were amazed at how quickly the business stakeholders ‘got it’, engaged with the ERM framework and immediately started to think about the risks to the objectives in a very meaningful and tangible way (the previous experience with risk management at this organisation was a very abstract one which was disconnected from the business in many respects).
Often early in projects we seek to create these ‘eureka moments’ to really bring the project to life. We found that on Friday and the project is now well on course to deliver the transformational change in risk management that the organisation was looking for.