8/8/2019 PWC Risk Performance
1/32
Seizing opportunity: Linking risk and performance
Thought Leadership Institute
July 2009
Table of contents
The heart of the matter
Global business volatility seems more extreme than ever. How will your company manage the risks and rewards of doing business in unprecedented times?
The time to link risk and corporate performance management is now
An in-depth discussion
Uncovering the connections between risk and performance reveals a fuller view of your company's strategy and operations.
Business as usual is a riskier proposition
Siloed approaches to risk management create dangerous blind spots for business
Closer alignment of risk and performance management has become a business imperative
An integrated approach to risk and performance management leads to smarter risk taking
Moving toward an integrated approach to risk and performance management
What this means for your business
Build the foundation for a more stable future: Start with a deeper assessment of risk and reward across your organization.
Start at strategy setting
Doing more with less: Honing your arsenal of business metrics
Transforming disparate data into meaningful information
Creating accountability and incentives for integrating risk and performance management
A call to action
The heart of the matter
Global business volatility seems more extreme than ever. How will your company manage the risks and rewards of doing business in unprecedented times?
The time to link risk and corporate performance management is now
The origins of the financial crisis will be debated for some time, but the fallout exposed one clear shortcoming: inadequate risk assessment practices. Too many companies took on excessive risk with too little regard for reasonable, realistic long-term performance expectations. The debacle is focusing minds on more robust approaches to risk management, with a new imperative to keep pace with financial innovation, performance incentives, and business goals. Reforms will stretch risk management across the organization and involve systematically linking risk and corporate performance management, leading to an informed view of reward.
Extreme volatility, even financial crisis, isn't new to US business. Companies that keep their proverbial eyes on the ball (on improving performance, both financially and operationally) will emerge from these trying times better positioned to take advantage of opportunities.
However, conducting business as usual is in itself a risky proposition. Compliance-driven approaches to managing risk no longer suffice in an increasingly volatile, interconnected business environment. Approaches to risk management need to provide business leaders and their boards of directors with an integrated view of risk and performance that defines how rapidly emerging events will impact operations, quality, and, ultimately, shareholder value.
Recent research shows that many companies fail to connect risk and performance in the course of basic performance management. Just 37 percent of nearly a hundred senior executives at US-based multinationals surveyed by PricewaterhouseCoopers in 2008 said their companies link key risk indicators to corporate performance indicators.
External stakeholders are already motivating companies to take a fresh approach to aligning their risk appetites and performance objectives in a smarter, more systematic way. Company directors, credit rating agencies, and institutional investors alike are scrutinizing the risk-reward relationship and formalizing their own linkages between risk and performance, creating new expectations and market demands for businesses. A further inducement is being crafted by the Obama Administration, which has telegraphed its clear intent to more closely tether compensation in financial services to long-term performance, through either regulatory or legislative action. The bonus culture has been a hallmark of Wall Street, but it's not entirely unique to the big banks. The reforms to compensation and incentives that emerge on Wall Street will likely have an influence on the wider American business community.
There is no handbook for integrating risk and performance management, but it should be understood at the start that this is not merely a defensive response to greater uncertainty in the business environment and, for some, to pending regulation. Companies are recognizing that the same drivers of increased volatility (capital mobility, rapid innovation, and the development of new business models) also offer opportunities that they must exploit to increase revenue, improve shareholder value, and satisfy evolving customer demands. With an integrated, principled approach to managing risk and business performance, companies can seize with greater confidence the opportunities that an interconnected economy presents.
The process of connecting risk and reward starts at strategy setting. When company leaders understand the greatest sources of value creation and destruction across their organizations, when they assign clear accountability for risk management and performance management, and when they systematically quantify the rewards associated with the risks, they change the decision-making game for their managers.
An in-depth discussion
Uncovering the connections between risk and performance reveals a fuller view of your company's strategy and operations.
Business as usual is a riskier proposition
According to the 2008 World Economic Forum Global Risks report, while the financial conditions of the past decade allowed for an exceptional period of economic growth and stability worldwide, the interconnected global business environment also presents new sources of increased volatility, including systemic financial risk, skyrocketing food prices, rapidly extending supply chains, and a looming energy crisis.[1]
From Wall Street to Main Street, and now around the world, the effects of that systemic financial risk are being harshly realized. Still, financial shocks aren't new: A recent PricewaterhouseCoopers analysis revealed that the international mobility of capital has, over the last two centuries, repeatedly produced financial crises by freeing large amounts of capital to swell local markets. In today's networked world, such bubbles inflate faster than ever.[2]
Whether or not one subscribes to the argument that current levels of economic volatility are cyclical, one thing is certain: the pace of change and business innovation over the last decade has been unprecedented. And it has dramatically increased the frequency, and scale, of economic disruptions.
Put into historical perspective, just one financial crisis affected the US in all of the 18th century (perhaps unsurprisingly, as the US was in its infancy), and five financial panics occurred in the US over the next hundred years. In the course of the 20th century, the US saw 11 major economic disruptions, and in just the first decade of the new millennium, the US has experienced two financial crises.[3]
In times of economic instability, the natural tendency among business leaders is often to batten down the hatches, shy from increased risk, and ride out the storm. In fact, some 80 percent of 101 senior executives at US-based multinationals surveyed by PricewaterhouseCoopers in 2009 said they're likely to be more cautious about spending and investing over the next 12 to 18 months.[4] However, the ability to take smart, strategic, frequently large risks is becoming increasingly important not just to business growth but also to sustainability and continuous operational improvement.
Berkshire Hathaway CEO Warren Buffett's insights on taking risk in volatile times offer a case in point. In 2007, Buffett expressed uncertainty about the road ahead for his company's core insurance businesses but seemed confident in the organization's ability to effectively manage risk and performance. In a letter to shareholders, he said the investment vehicle hadn't lost its taste for risk, yet added: "We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don't reflect our evaluation of loss probabilities. Appropriate prices don't guarantee profits in any given year, but inappropriate prices most certainly guarantee eventual losses."[5]
In many regards, increased risk is a cost of market entry. Take the case of home furnishings retailer IKEA, which, out of necessity, maintains a fundamental acceptance of, and appetite for, the increased risks associated with supporting a global operating model.
1. World Economic Forum, Global Risks 2008: A Global Risk Network Report (January 2008).
2. PricewaterhouseCoopers, American Perspectives (October 2008).
3. Ibid.
4. PricewaterhouseCoopers, 2009: Q1 Management Barometer (2009).
5. Warren Buffett, Berkshire Hathaway Annual Report 2006 (February 2007).
The company sources its products from 1,600 suppliers in 55 countries. Managing the operational and reputational risks associated with maintaining such a diverse supply chain could well become a minefield, but IKEA could not produce its expansive portfolio of offerings without those 1,600 global suppliers.
To maintain quality, safety, environmental, forestry, and social standards, the company has developed a responsible supply chain program, which features formal processes to ensure that all their suppliers produce goods and services in accordance with internationally recognized conventions and standards. External auditors regularly monitor both primary suppliers and large sub-suppliers. While taking on the risk of sourcing internationally, IKEA smartly manages that risk by implementing and closely monitoring operating standards on a global level in order to maintain corporate performance.
IKEA, however, likely represents more the exception than the rule. As recent events have shown, today's corporate risk management practices have not always proved up to the task of balancing increased risk appetites with the need to maintain both financial and operational stability through rapid change.
Siloed approaches to risk management create dangerous blind spots for business
Risk is, by definition, forward-looking. It is a measure of probability, of either loss or gain, depending on the circumstances surrounding a given event's occurrence. And that probability, of value destruction or creation, directly impacts a company's performance objectives. In fact, studies of large-cap companies have found that nearly 60 percent of the time, failure to assess and respond to strategic or business risks is behind rapid declines in shareholder value.[6] Nonetheless, many business leaders continue to view risk and compliance as two sides of the same coin, reflecting a common, organizational focus on managing risk to prevent known, historical business failures rather than to anticipate likely (or seemingly unlikely) game-changing events.
Compliance with regulatory and reporting rules is a non-negotiable feature of doing business, but a risk management strategy focused myopically on prevention is, by nature, backward-looking and fails to account for the likelihood of change or the possibility of growth. A holistic risk management program, on the other hand, encompasses the tools and processes used to identify, assess, and quantify business threats and the measures taken to prioritize, monitor, control, and mitigate those threats.
In the wake of the high-profile lapses of the 1990s that led to increased regulatory pressures, intensified shareholder activism, and a barrage of compliance requirements, many companies began to view risk almost exclusively as a threat to be mitigated. Without a doubt, increased regulatory complexity, both in the US and abroad, and the layers of compliance processes and controls associated with managing it have forced organizations to shoulder new burdens in terms of cost and productivity. But beyond the costs, a compliance-only approach to risk management can have the dangerous side effect of distracting from the principles that belie the requirements around the need to balance risk and reward in a well-reasoned, transparent way.
According to a senior risk management executive at one multinational energy company, performance-focused risk management can enable both compliance and business strategy. "We found that if we manage and design according to risk, we usually exceed any government requirements that anybody can lay on us, just because risk is such a logical way to do it. We know the risk associated with a certain thickness of pipe on a platform leg. We know the risk associated with a certain type of valve or a certain type of pump in a refinery. And we are going to design to a level higher than most government expectations," he said, adding that the primary drivers of his company's risk management programs are safety and finance. "We are more interested in protecting an $8 billion book-value refinery than any government is. We've got a lot of hide invested in those assets, and we want nothing to go wrong."
6. PricewaterhouseCoopers, 2008 State of the Internal Audit Profession Study (2008).
Focusing too narrowly on regulatory compliance, an important but discrete element of business risk, can result in silos of risk and performance information that often hamper an organization's ability to monitor critical risk interdependencies. Ironically, the same organizational structures that arose to manage compliance have now, at many companies, become insufficient for addressing increasingly complex and often overlapping global regulatory demands.
Consider, for example, a global pharmaceutical company that must comply with federal financial reporting requirements and drug safety standards; international trade and labor regulation; and global intellectual property management provisions. Each category of compliance is rife with risk that permeates every level of the organization, from product lines to functional business units, geographies, and the enterprise as a whole. But the knowledge about these highly interdependent risks resides in information silos designed to simplify and facilitate reporting and compliance. Leadership is unable to get an integrated view of the key connection points at which new risks (and new opportunities for business growth and operational improvement) might arise.
Without an integrated view of risk and performance across the whole business, companies are doomed to repeat the failures of the recent past (from high-profile supply chain disruptions to extreme financial breakdowns) in which they took on excessive risk without a fully informed view of reward.
Leading companies are already deploying fresh, integrated approaches that shed light on the path forward.
One global automotive manufacturer, for instance, was experiencing significant losses due to a key risk in its supply chain: supplier bankruptcies. In addition to the direct costs of those failures, the company faced the indirect costs derived from the poor product quality, unreliable supply, and management distraction that resulted from the disruptions. The company's goals in addressing the challenges were twofold: to enhance predictability across its supply chain operations and to lower the costs of managing supplier risk. Only by taking an integrated view of interconnected, global risks and their impacts on both operational and financial performance would the company be able to achieve these very clear objectives. By analyzing its suppliers' business environments, identifying leading risk indicators, and conducting risk-adjusted evaluations of its suppliers' pricing proposals, the automaker is now able not only to make more informed supplier selection decisions but also to quickly identify troubled suppliers and take early corrective action.[7]
Looking at risk interdependencies across the supply chain can undoubtedly yield performance improvements. Taking that integrated view to the next level and considering risk and performance in tandem, across a whole organization, can further improve performance and reduce operating costs.
A British oil company, for example, had set up various operating units as independent profit centers, each hedging currency risk independently. When senior managers looked at foreign exchange transactions across the business, they realized they were creating unnecessarily expensive hedges that could be avoided. By viewing risk across the company rather than in silos of risk and reporting information, management was able to reduce costs that accrued to the bottom line. "Risk is really a potential cost on capital," says Neil Doherty, chairman of the Insurance and Risk Management Department at the Wharton School. "So you can think of managing risk as really the other side of the coin from managing capital." Doherty contends that a sophisticated and comprehensive approach to risk management (such as the one taken at the British oil company), by which risk is viewed as an integral part of financial management, can increase a company's value 3 to 5 percent.[8]
Closer alignment of risk and performance management has become a business imperative
The market is recognizing, now more than ever, the natural linkages between risk and corporate performance, motivating companies to integrate the management of both in a more focused way.
According to a PricewaterhouseCoopers analysis of 52 North American, European, and Japanese financial institutions, the market tends to assign a higher price-to-book multiple to firms with more effective, sophisticated risk management programs, as measured by earnings volatility, capital adequacy, and capital optimization (see Figure 1). These organizations integrated risk and return at granular levels across the business; continually analyzed the risk-reward relationship on new initiatives from inception; balanced qualitative and quantitative views of risk in management decision making with statistical metrics, stress testing, and business judgment; and employed metrics that rigorously accounted for market, liquidity, and operational risks but that were flexible enough to reflect changing market conditions.
The linkages between risk and performance management have historically been made most apparent among financial services companies, but they certainly extend to other industries. In any industry, a comprehensive risk profile, aligned with key financial metrics, can allow senior management to compare the impact of risk management activities on the market valuation of the business.
More than half of 101 senior executives surveyed by PricewaterhouseCoopers believe the capital markets reward companies with a strong track record for risk management.
7. PricewaterhouseCoopers, From Vulnerable to Valuable: How Integrity can Transform a Supply Chain (November 2008).
8. Wharton School, Leveraging Risk Management, Knowledge@Wharton (March 1, 2006).
Credit rating agencies, under scrutiny themselves for their risk assessment practices in light of the mortgage-backed securities market implosion, are now taking up the charge of formalizing the linkage between risk and performance. Since 2005, the agencies have incorporated risk management evaluations into ratings for financial services institutions, but for most other companies across industries, the linkages between risk management and corporate performance remained implicit. A leading exception to that rule was Canadian utility Hydro One, which, after a five-year implementation of rigorous, holistic risk management practices, received a favorable credit rating by both Moody's and Standard & Poor's, resulting in a lower cost of capital.[9]
That economic connection is poised to be more clearly spelled out across the business world. Standard & Poor's, in its central task of determining creditworthiness, has begun to take the enterprise risk management (ERM) analysis used for financial services into sectors like industrial products, retail and consumer, technology, automotive, and entertainment and media. The ERM analysis will take into account an organization's risk management culture and governance, risk controls, emerging-risk preparation, and strategic management. Based on these components, a company will receive one of four ratings: weak, adequate, strong, or excellent. As a result, a company's risk management practices will be more formally tied to its cost of capital.
If the experience of the insurance sector over the past few years is an indicator, this new approach could result in credit-rating changes for some companies, potentially impacting their shareholder value and cost of capital, even their very access to capital. Capital may begin to dry up for those companies with poor or inadequate risk management practices relative to their peers.
Figure 1: The market values good risk management
Source: PricewaterhouseCoopers analysis, based on Bloomberg data, 2007
[Chart: price-to-book ratio (P/B) and risk management score, with institutions ordered from better to worse. 1st quartile avg. P/B = 2.6; 2nd quartile avg. P/B = 1.7; 3rd quartile avg. P/B = 1.5; 4th quartile avg. P/B = 1.3.]
9. Tom Aabo, John Fraser, and Betty Simkins, The Rise and Evolution of the Chief Risk Officer, Journal of Applied Corporate Finance (Summer 2005).
Aligned with key financial metrics, a comprehensive risk profile allows senior management to assess the impact of risk management activities on the market valuation of the business.
Other stakeholders are homing in on the linkages between risk and performance, driving management to provide more transparency on both at an operational level. In fact, more than half of 101 senior executives surveyed by PricewaterhouseCoopers believe the capital markets reward companies with a strong track record for risk management.[10] Institutional investors are already using comprehensive analyses of risk, operations, and performance to assess a company's investment potential. The California State Teachers' Retirement System, the second-largest public pension fund in the US with assets of $158 billion, has, for example, identified 20 risk factors (ranging from monetary transparency and corporate governance to workers' rights and environmental compliance) affecting its evaluation of current and potential investments.[11] Boards of directors, stakeholders in many ways allied with institutional investor motivations, are likely to follow suit in seeking a more holistic view of risk and long-term performance, as well as of the corresponding data against which to assess and monitor investment and strategic decisions.
An integrated approach to risk and performance management leads to smarter risk taking
A principles-based approach to risk management integrates risk with performance across the entire organization to help companies eliminate redundancies, reduce costs, clarify roles, and designate accountabilities. By its nature, such an approach further leads to an understanding across the organization not only of risk appetite (the amount of risk an organization is willing to accept in pursuit of value) but also of risk tolerance: the level of variation an organization is willing to accept relative to the achievement of a specific objective.
Companies are awakening to the merits of assessing the risk-reward relationship by more closely aligning risk and performance management. But the gap between awareness and action remains to be closed.
According to a PricewaterhouseCoopers Management Barometer survey of 96 senior executives in 2008 at US-based multinational companies, just 37 percent of respondents said their companies linked key risk indicators (KRIs) with key performance indicators (KPIs). Of those companies, roughly two-thirds said their organizations linked key risk indicators to the management of earnings volatility, capital optimization, and capital adequacy; and just over half said their companies employed risk-adjusted performance metrics to set business objectives and monitor progress against them.[12]
Yet 45 percent of survey respondents said their organizations do not link risk and performance indicators at all, and 15 percent were uncertain whether their companies do so.
At its core, an integrated approach to managing risk and performance involves assessing growth opportunities, evaluating and quantifying a company's financial appetite and tolerance for risk, and improving operational effectiveness.
Corporate performance management comprises the processes and systems that link employees and operations to corporate strategy and business goals as well as the metrics used to evaluate success.
An integrated approach to managing risk and performance is about using the right information to achieve a meaningful view of risk across a business and to more accurately anticipate the associated impact on corporate performance. And it's about layering that information into strategy setting and decision making.
10. PricewaterhouseCoopers, 2009: Q1 Management Barometer (2009).
11. California State Teachers' Retirement System, www.calstrs.com.
12. PricewaterhouseCoopers, 2008: Q2 Management Barometer (2008).
Take the example of a US fixed-satellite telecommunications provider. Faced with fierce industry competition, rapid technology innovation, and an economic downturn that's forced many customers to tighten their purse strings, the company is under pressure to improve both operational and financial performance in order to retain existing customers, win new business, and meet shareholder expectations. Managing global satellite risks, from a shortage of domestic engineering talent to trade barriers, political risk, and excess supply of telecommunications capacity (all of which present associated market opportunities), is key to the company's success in achieving its performance objectives.
By integrating risk and performance metrics at the enterprise and business unit levels, business leaders can better assess the risk-reward proposition of these business challenges and their associated opportunities, and more deftly manage volatility. With a comprehensive view of how the linkages between risk and performance play out across the business, leadership can make better decisions regarding how to deploy resources to protect, maintain, and create value.
For example, each business unit might map the probability of change, in a given magnitude, across key risk indicators for customer satisfaction, process efficiency, and competition, against the potential impacts on earnings volatility (see Figure 2).
Figure 2: Sample of potential linkages between risk and performance
[Chart: the probability of a 1% change in eight key risk indicators (KRIs) is mapped against the potential impact of that change on earnings (EBITDA, $ millions). KRI categories shown: customer, process efficiency, sales effectiveness, competition, external factors.]
Such an integrated view can help management decide how resources, such as capital and talent, should be allocated to minimize volatility while achieving the organization's objectives. Perhaps most important, aligning risk and performance information in such a way can help business unit leaders forge a common view of the division's risk tolerance and appetite, which is critical to the company's ability to manage its risk portfolio and overall business performance.
This kind of comprehensive, portfolio view of investment opportunities and their sensitivities to specific strategic, financial, and operational risks empowers businesses to explore the risk-reward relationship in a realistic, informed way and make investment decisions that are in line with reasonable performance expectations.
Consider the example of one global financial services company that operates across the Middle East and North and sub-Saharan Africa. This company ranks the risk level in every country in which it does business on a scale of 1 to 10 (1 being least risky and 10 being most risky). Those ratings reflect a combination of economic, political, and market risk in the sector and in the region, relying on externally available qualitative data (to which the company assigns quantitative ratings) as well as internally developed quantitative evaluations. Based on the country's risk rating, the company determines capital allocation.
According to the organization's vice president of country and counterparty risk, "A certain return-on-capital threshold has to be met. We do business in jurisdictions that are graded a 7 or 8, which inherently have a lot of political and economic risk. But we nevertheless do business there and are profitable." By setting the bar for performance and measuring an opportunity against it in the context of the risks surrounding it, the company can more confidently proceed into less traditional, riskier territory.
An integrated risk and performance management process can help companies:
• More accurately quantify risk appetite and tolerance in the context of business strategy.
• Systematically identify potential risks across the business portfolio and mitigate (or exploit) their impacts on financial and operational performance.
• Explicitly assess specific risks when creating and evaluating performance goals of new projects or investments at the business unit level and in the context of the company's overall business portfolio.
• Channel company resources, financial and operational, to initiatives where the risk-reward proposition is clearly defined and better meets basic conditions for success.
• Better align the financial incentives for risk taking with potential outcomes.
Moving toward an integrated approach to risk and performance management
Integrating risk and performance management for financial and operational improvement may seem like common business sense. But as research bears out, it's easier said than done. The barriers to systematically linking risk and performance measures are real for many companies, but not insurmountable.
An overwhelming majority, 71 percent, of the senior executives surveyed by PricewaterhouseCoopers' Management Barometer said the biggest challenge their organizations face in linking risk and performance indicators is that the information resides in too many places across their companies.[13] Further PricewaterhouseCoopers research found that just 35 percent of more than 200 financial services institutions surveyed agreed that their organizations maintained one set of integrated systems for financial and risk reporting.[14] As management teams know, fragmented information is difficult, if not impossible, to act on.
Accountability is often also an obstacle:
43 percent of respondents toPricewaterhouseCoopers Management
Barometer survey noted that their companiesdid not have a single executive who was
accountable for systematically linking riskand performance. Further, 40 percent of
respondents to that poll also noted that thebusiness case for linking risk and performance
management remained unclear; the benefits
of taking such an approach werent readilyapparent at their companies.
Information is at the heart of many of the challenges that companies face in integrating risk and performance management into strategic planning, forecasting, and even compensation decisions. Without an integrated vision of risk and performance (based on real, accessible information and an accountability structure that supports it), the risk-reward relationship, and the incentives supporting it, can easily remain misaligned.
Having accurate, timely, company-wide risk and performance information at the ready for deeper analysis enables senior management to evaluate how risk plays out across a business's operations and impacts financial performance in both the short and long terms. But the pressure to deliver on those near horizons drives many business strategies today and poses another significant challenge to taking a longer view of risk and reward. According to 85 percent of respondents to a 2009 PricewaterhouseCoopers survey of 101 senior executives at US-based multinationals, the focus on short-term risk was among the factors that contributed to the current financial crisis.15
According to the finance director at one multinational home appliance maker, the urge to maintain or improve short-term share price performance often eclipses the principles driving a longer view of risk and reward: "If you are looking at making a major acquisition, managing risk is obviously important. But if executive leadership is worried about what the market is going to say about this move in the next few weeks or the next quarter, then it could get derailed."
If the current financial crisis is any indicator, it is clear that a narrow focus on the next quarter can easily sabotage the principles of solid risk and performance management, especially when the two are viewed as discrete functions within an organization.
According to a 2009 PricewaterhouseCoopers survey of US-based multinationals, the focus on short-term risk was among the factors contributing to the current financial crisis.
13. PricewaterhouseCoopers, 2008: Q2 Management Barometer (2008).
14. PricewaterhouseCoopers, Leveraging Compliance: Standardization and Simplification of Risk Adjusted Performance Reporting (2006).
15. PricewaterhouseCoopers, 2009: Q1 Management Barometer (2009).
Build the foundation for a more stable future: Start with a deeper assessment of risk and reward across your organization.
What this means for your business
Leading an organization to think about, and act on, risk and performance in an integrated way will face its roadblocks. But by focusing first on a few key areas for integration and improvement, companies can make great strides toward implementing a fresh approach that meets the challenges of an interconnected world.
There is no step-by-step handbook for designing a risk-based performance management program. But the underlying principles and the questions business leaders must ask of their organizations before setting out are universal. Business leaders should consider the following:
What are the greatest sources of value creation, and destruction, across my business?
Where or when has my company most clearly failed to realize or deliver value to key stakeholders? Where have we been most successful?
Where does accountability for risk and performance management currently reside within my organization? Does that accountability structure facilitate the integration of business information around potentially risky opportunities?
How does my organization currently measure the potential impacts of risk, and quantify the associated reward? Do we do that in a systematic way, on a continuous basis?
Where is such risk and performance information currently housed in my company? Does it reside at the business unit or functional level, and if so, is it readily accessible for consideration at the corporate level?
Is my company's information structure facilitating the natural connections between risk, operational improvement, and business performance or prohibiting those connections from being made?
What events has the market rewarded in the past? What events have they punished? Is the market's perception of my company's risk profile consistent with my own view of it?
Are the incentives for taking a principles-based, integrated approach to managing risk and performance aligned at every level of my organization? Does leadership promote a culture of risk-based performance management?
Company leadership recognized that these performance objectives and operating goals would not be achieved without considering the impacts of the risks surrounding them. Hydro One implemented an ongoing, three-phase risk management program starting from a collaboratively developed, company-wide risk profile accounting for specific sources, levels, and likelihoods of risk; moving into individual discussions about the company's risk profile with the top 30 or 40 executives; and ultimately driving toward risk-based investment appraisal and planning sessions, at which the risk management and investment planning teams would jointly develop a risk-based approach to allocating company resources.
In one instance, the company recognized the ostensibly conflicting operational and financial interests it held in helping consumers reduce their energy consumption. Dramatically increased demand on the company's aging assets, however, posed a significant risk to many of Hydro One's core business objectives: customer satisfaction, distribution reliability, and operating efficiency. Acting on this alignment of risk and performance information, Hydro One launched an energy conservation initiative that made it the first electricity company in the world to provide customers with free PowerCost Monitors. The company's 2006 pilot study showed that real-time electricity monitors helped customers reduce electricity consumption by up to 15 percent, thereby alleviating some of the burden on Hydro One's assets and helping it achieve both corporate and residential customer satisfaction ratings above 80 percent.17
Figure 3: Sample of potential linkages between risk and performance
[Figure: individual risks plotted by risk level (Low, Med, High) against risk momentum (Decreasing, Stable, Increasing), grouped into three categories.]
Business and strategic risks: Risk factors affecting the ability of each business unit to meet earnings targets; typically managed at the business unit level
Operational risks: Risk factors involved in operational failures and resulting in potential loss; typically managed by central corporate support
Financial risks: Risks resulting from volatility in underlying market factors and arising from uncertainty around the ability of counterparties, suppliers, or customers to meet financial obligations
Risks shown: Business strategy, External factors, Commodity price, Process efficiency, IT systems, Suppliers, Technology & innovation, Regulatory, People, Environmental, Interest rates, Equity, Foreign exchange, Pension risk, Receivables, Counterparty, Customer, Competition, Reputation, Legal, Fraud
17. Anette Mikes, Enterprise Risk Management at Hydro One, Harvard Business Publishing, July 3, 2008.
Hydro One's integrated risk and performance management program clearly illustrates an approach that links potential risks to a company's long-term business strategy to the very real results of near-term operational execution, creating a continuous feedback cycle between planning and performance.
Such a cycle (see Figure 4) necessarily begins with a clear articulation of business objectives, derived from the overarching company strategy. Once a leadership team has identified the risks that directly threaten or serve business objectives, it can assess and quantify their potential performance impacts (financial and operational) in order to make risk-informed decisions about investment opportunities, resource allocation, and management accountability.
With risk-informed performance measures in place and accountability aligned to reflect an integrated, cross-functional approach to risk and performance management, company leadership can continually monitor existing and emerging risks, and identify areas for both financial and operational performance improvement.
Doing more with less: Honing your arsenal of business metrics
When it comes to measuring the links between strategy and execution, less may actually be more. A few essential, risk-informed performance indicators, tied to the processes that offer the greatest opportunities for value creation or value destruction, will serve a leadership team better than a cumbersome laundry list of metrics will. This sharpened arsenal of risk-based performance indicators, operational and financial, can become an early warning system for likely threats, a means of realistically linking risk and reward based on the organization's risk appetite, and a tool for identifying areas for improvement.
Among the financial measures mentioned earlier (earnings volatility, capital optimization, and capital adequacy), a few additional metrics are involved in strategy setting and decision making. The following two questions, and the measures associated with their answers, might feature prominently in an integrated approach to risk and performance management.
What have I really got to lose? All too often, companies assess the anticipated rewards of a risky transaction without evaluating, and actually quantifying, just how much they are willing to lose if an opportunity sours. Often referred to as value at risk, the answer to this basic but difficult question represents the amount a company is willing to lose, over a given amount of time, if an initiative fails. Assessing this metric, and understanding if and how it can change, enables leadership to realistically assess downside risks, and exit or close down an initiative if circumstances warrant.
How much shock can my balance sheet endure? Surprising as it may sound, many companies don't have a firm handle on how much money would be required for the business to survive in the event a risky opportunity turns into a worst-case scenario. Referred to as economic capital in the financial services sector, this is a key metric for decision making around any potentially risky business initiative. Unfortunately, according to PricewaterhouseCoopers' survey of more than 200 financial institutions, few respondents believed that this strategic measurement concept was well understood outside the risk function: Only 9 percent of respondents believed their board of directors was very knowledgeable about economic capital, while 22 percent considered their board not knowledgeable at all. As such, respondents agreed that downside risk was not being extensively used in measuring business unit performance and was used even less in determining compensation.18 But as market,
18. PricewaterhouseCoopers, Leveraging Compliance: Standardization and Simplification of Risk Adjusted Performance Reporting (2006).
Figure 4: Integrating risk and performance management
[Figure: a continuous cycle with the stages identify, assess, align, implement, and monitor.]
Starting point: Determine key business objectives based on company strategy, establishing risk appetite across the organization
Identify risks to business objectives across key risk categories, developing a company-wide risk profile
Using risk profile, assess likelihood and potential impact of identified risks to establish risk tolerance levels across organization
Based on risk assessment, align resources and accountability structure with initiatives that fall within company risk tolerance
Execute on strategy, identifying key risk-informed performance indicators to gauge financial and operational progress
Using risk-informed performance indicators, monitor progress and emerging risks to business objectives to identify areas for performance improvement
Elements labeled in the figure: Risk profile; Risk assessment; Integrated accountability & information structures; Risk-informed performance indicators; Management information & business intelligence
subcontracting to a metal fabricator, an A&D company might consider timely delivery a core risk to business objectives and might work with the subcontractor to assess its current and proposed levels of resource allocations to anticipate or mitigate any risks to the delivery timeline. Whatever the response, companies can continually monitor their key risk indicators, aware that operating conditions, and the required responses, are in constant flux.21
In establishing an integrated view of risk and performance, every company will develop its own tailored tool kit of risk-informed performance indicators. But whatever metrics a company determines to be most informative and actionable, the data underlying those measures must be consistent across the whole business for an integrated approach to risk and performance to stick.
Transforming disparate data into meaningful information
Moving toward an integrated view of business risk and performance doesn't necessarily require an IT overhaul. For many companies, the information required to link up risk and performance data, and layer it into strategic planning and decision making, already exists. But it's often buried in data silos and systems across business and functional units that never sync up. In fact, almost 80 percent of 101 senior executives at US-based multinationals surveyed by PricewaterhouseCoopers in 2009 say quality and timeliness of information are among the top challenges for improving risk management in the next two to three years.22 However, when the information is consistent, and accessible, across the organization, leadership has access to well-integrated insights into target areas that represent risks to, and opportunities for, operational improvement.
For example, one multinational food and beverage company faced the challenge of providing meaningful information to its board about the frequency and significance of business conduct incidents. Data about such incidents resided in systems tied to customer and employee hotlines, employee surveys, certification processes, and ad hoc reporting. With a team of PricewaterhouseCoopers data management specialists, the company was able to standardize its incident management and reporting processes to provide the board of directors with synthesized, meaningful enterprise-wide information that could also be broken down by division, location, and incident type, offering insight into the current situation and forward-looking trends. With this incremental but important step toward improved data management, the company was able to identify key risk areas in its operations, and to facilitate better decision making about future investments in ethics and compliance.
While companies may maintain troves of data in various operating systems, that data does not always constitute meaningful information. It is the ability to transform data, wherever it resides, into actionable management information that facilitates the integration of risk and performance management.
Japanese pharmaceutical company Takeda, for example, integrates internal information with external data obtained from a third-party service provider. "Because everyone [in the pharmaceutical industry] has this information, the competitive advantage derives from the measures you take out and how quickly you react to the information out there," says Axel Mau, chief financial officer (CFO) for Takeda's German subsidiary.
Armed with this type of market-oriented information, Takeda can drill down into performance issues. For example, if the company hears that a competitor is planning to launch a product in a particular region, Takeda will crunch numbers in real time in the new system and right away, the sales
21. PricewaterhouseCoopers, How to Fortify Your Supply Chain through Collaborative Risk Management (January 2009).
22. PricewaterhouseCoopers, 2009: Q1 Management Barometer (2009).
In an increasingly interconnected world, a more collaborative accountability structure may help companies better manage risk alongside performance.
force can put efforts in that region to hold the market share or increase it. "If you have to wait a month before we have an analysis, as we sometimes have had to in the past, then it's rather difficult."23
Creating accountability and incentives for integrating risk and performance management
When it comes to managing risk and performance, companies appear to be split in their approach to oversight. While 51 percent of the executives surveyed by PricewaterhouseCoopers' 2008 Management Barometer said that one person (most frequently the CFO) or group is responsible for both risk management and performance management, 49 percent reported that oversight resides with a combination of executives.24
In some sectors, such as financial services and energy, chief risk officers are most often accountable for risk management and mitigation. But in many other industries, accountability for risk typically falls to the CFO, with input from the chief operating officer. A centralized, top-down approach to risk may work for some companies, but as recent events have shown, a more collaborative, integrated accountability structure that provides appropriate incentives at every level of the organization may be better suited to managing risk alongside performance in an increasingly interconnected business world.
At one major multinational energy company, for example, accountability for managing both risk and performance is shared by managers (who are close to project execution) and company leadership (who maintain oversight of the risks to the company's full portfolio of initiatives). The project manager or business unit manager is responsible for evaluating the operational risks to execution and near-term business performance, such as volatility in the pricing of materials and contracts, and risks to labor and productivity. However, the company's response to macro risks, such as labor strikes, natural disasters, or political instability, and their associated performance impacts, is considered outside the project manager's or business unit manager's scope and resides with a leadership team at a higher level in the organization.
Fostering the right behaviors around smart, performance-driven risk taking at the operating level of a company is also critical to the success of an integrated risk and performance management strategy.
At Westinghouse Electric, a subsidiary of Toshiba that builds and maintains nuclear power plants, the company's nuclear engineers had not been conditioned to take business risks; in fact, quite the contrary. But as it started facing pressure to grow through new business ventures, new markets, and new technologies, Westinghouse leadership decided to align incentives around smart, performance-based risk taking.
Freeing up a core group of senior managers to pursue new business ideas and innovations, the company teamed them with efficiency experts who focused the potentially risky propositions with metrics that rigorously accounted for a project's upside, and downside, potential. From the ground up, all managers are now evaluated on criteria aligned with Westinghouse's risk and performance management strategy, such as the number of customer calls and sales proposals they make. To date, the program has helped Westinghouse move into two new growth areas.25
Of course, from the C-suite to the factory floor, incenting the behavior that creates a culture of risk-based performance management often requires the teeth of compensation to drive accountability.
23. PricewaterhouseCoopers, Management Information and Performance: CFOs Face New Demands for High-Quality Data That Drives Decisions (June 2007).
24. PricewaterhouseCoopers, 2008: Q2 Management Barometer (2008).
25. Brian Hindo, Rewiring Westinghouse, BusinessWeek (May 19, 2008).
Revising incentive strategies to align risk and performance requires considerable organizational change, and many companies will find it a difficult road to travel. In fact, according to PricewaterhouseCoopers' survey of more than 200 financial institutions, a minority of responding companies, 29 percent, said that the KPIs on which senior management are graded, and the incentive schemes derived from them, were based on risk-adjusted performance.30 Even in the aftermath of the financial crisis, less than half of 101 senior executives responding to PricewaterhouseCoopers' Management Barometer survey in early 2009 considered aligning compensation with prudent risk taking a top priority.31
Ensuring the alignment of risk, performance, and compensation is no easy task. Wall Street banks, where the pressure is most acute to tie compensation to long-term performance, are resisting pay curbs, fearing a drain of top talent to less-regulated industries. Harking back to Warren Buffett's 2006 letter to Berkshire Hathaway shareholders, the self-proclaimed Typhoid Mary of compensation committees presciently argued that true compensation reform could happen only if the world's largest institutional investors demanded a fresh look at the whole system.
At Berkshire Hathaway, however, Buffett claims to keep incentive structures simple and fair, to ensure that executives are compensated for their performance and incented to take the smartest business risks possible.
"When we use incentives, and these can be large, they are always tied to the operating results for which a given CEO has authority. We issue no lottery tickets that carry payoffs unrelated to business performance," wrote Buffett. "If a CEO bats .300, he gets paid for being a .300 hitter, even if circumstances outside of his control cause Berkshire to perform poorly. And if he bats .150, he doesn't get a payoff just because the successes of others have enabled Berkshire to prosper mightily."32
A call to action
The effects of misaligned risk and performance management strategies are now reverberating throughout the financial services sector, across industries, and around the world. While the effort to address the systemic risk permeating the financial markets will require global collaboration among public- and private-sector stakeholders, companies can tackle change from the inside out by taking smarter risks to improve that which is squarely in their control: operational performance. Integrating risk and performance management for operational improvement (and, ultimately, improved financial performance and shareholder value) not only makes sense; it also is a business imperative.
The benefits of taking such an integrated approach, founded on the principles of solid risk and performance management, are difficult to quantify in places, but the costs of hesitating are daunting. A recent PricewaterhouseCoopers analysis of 600 companies affected by supply chain disruptions caused by convergent risk factors found that, following the disruptions, average shareholder value at these companies plummeted, their stock prices experienced greater volatility, and they suffered sharp declines in return on sales and return on assets relative to their industry peers. More intimidating even, the effects of the disruptions on the companies' stock prices were still apparent at least one year after the disruptions were announced.
The time to consider a fresh approach to managing risk and performance across an organization is now. The world is watching. Consumers, investors, and regulators are all looking to businesses for the kind of change that will help restore confidence in the global markets. And, as we've discussed here, that change can start with a few relatively simple steps toward a systematic, more effective linking of risk with reward in every business decision.
30. PricewaterhouseCoopers, Effective Capital Management: Economic Capital as Industry Standard? (2005).
31. PricewaterhouseCoopers, 2009: Q1 Management Barometer (2009).
32. Warren Buffett, Berkshire Hathaway Annual Report 2006 (February 2007).
www.pwc.com/us/managing risk
To have a deeper discussion about how this subject may affect your business, please contact:
Joe Atkinson, US Advisory Risk Leader, 215.704.0372
Gary Apanaschik, US Advisory Corporate Performance Management [email protected]
Dave Pittman, US Advisory Operations [email protected]