Why benchmark? And how?

Being successful in business relies on taking full advantage of resources and aiming to constantly make progress and improve. Consequently, managers and leaders at all levels are becoming increasingly accountable to their stakeholders for the delivery of key outcomes in the most competent and diligent manner. Frameworks such as ISO 31000:2009 provide generic guidelines for the design, implementation, and maintenance of risk management processes throughout an organization, but the snag is, they don’t tell us how to generate performance scorecards or develop Key Performance Indicators (KPIs) which are indispensable tools in the quest to establish, measure, and achieve the best possible performances within the business.

At last our book on How to Performance Benchmark Your Risk Management is out. It is designed to offer a practical guide to help you analyze the effectiveness of your risk management program. Applicable to all areas of management, university level study, or technical disciplines, it addresses the following:

• What is benchmarking?
• Why should we benchmark?
• What are Key Performance Indicators (KPIs), Critical Success Factors (CSFs), Key Result Areas (KRAs), etc?
• What is the causal path between Risk–>Risk Treatment–>CSF–>KRA–>KPI–>Organizational objectives
• The difference between lag and lead indicators
• How to measure performance using a variety of tools (e.g.: Kirkpatrick’s four levels of training evaluations)
• Methods for developing custom KPIs
• Linking existing frameworks such as Balanced ScoreCards that an organization may have in place already to risk benchmarking
• Using word pictures to define performance

Between us, we have built risk performance tools for dozens of organizations including resources companies in Africa, the aviation sector in Asia, and the $30 billion Australian Department of Defence. We have worked together on a range of client projects at Jakeman Business Solutions and are also lead authors of Security Risk Management Body of Knowledge, which details the security risk management process in a format that can easily be applied by executive managers and security risk management practitioners. We can be contacted via www.jakeman.com.au will also find some useful templates and short guides, which can be downloaded for free.

How to link risks, KPIs and objectives...

Before measuring performance, it is necessary to identify and develop KPIs that accurately reflect desired performance. Otherwise, monitoring and assessing KPIs can be more of a hindrance than a help in achieving goals. Indeed, the HB80  Benchmarking Handbook suggests a number of reasons why organizations might need to monitor and assess their performance, including to:

• Set performance goals 
• Develop measures of productivity
• Improve competitive advantage
• Improve products, processes, service, or all of these 
• Confirm performance against strategic plans
• Identify new business opportunities

Some equally important objectives might include to:

• Reduce costs
• Increase value for money
• Reduce volatility of outcomes
• Limit risk to as low as reasonably practicable (ALARP)
• Monitor performance against contracted or internal requirements 

Ideally, the senior management team should select organizational KPIs as an aid to shaping and encouraging behaviors that support achievement of organizational objectives. One of the key challenges with performance measures, however, is to show a causal link between initiatives and performance. One way to think of KPIs is as follows:

• Organizational objective: What results do we want to achieve?
• Risk: What could adversely or positively impact the achievement of this objective?
• Risk treatment: What do we propose to do to manage this risk?
• Critical success factors (CSF): What has to occur for the risk treatment to be successful?
• Key result area (KRA): Which areas will have the most significant impact on our risk treatment turning into organizational outcomes that we desire?
• Key performance indicator (KPI): What data, statistics, or indicators will tell us if we are achieving or about to achieve our objective?

In practice, this might look something like this:

• Corporate Objective #2: Maintain shareholder returns
• Risk: Failure to protect sales margins because of an increase in raw materials prices as a result of global financial markets adversely affecting currency exchange rates
• Treatment: Provide financial-analysis training to sales team regarding interpretation of the effect of currency fluctuations on cost of sales
• CSF #5: Gross sales margins sustained
• KRA #5: Profitability and margins
• KPI #2: New contracts maintain 25 percent or greater gross margin

Different business units will inevitably have different KPIs that reflect their focus; however, KPIs at all levels should support organizational KPIs and objectives. Equally, we cannot overstate the interconnectedness of KPIs, KRAs, risks, and objectives, but applying the Pareto principle (the 80:20 rule) should allow us to track only the more significant indicators.

Figure 1: Example of linking Risks, KPIs and Objectives

As you can see from Figure 1, even the aforementioned examples are incredibly simplistic. Life is much more complex than it seems, so although we can draw a causal link between a risk, treatment, CSFs, KRAs, KPIs, and organizational performance, the elements that affect this organizational objective can be infinitely complex and interactive.

=====================

If you'd like to find out more about measuring the performance of your risk management, you might find our book on this topic helpful.


'How to Performance Benchmark Your Risk Management: A practical guide to help you tell if your risk management is effective' by Julian Talbot and Miles Jakeman PhD.