Risk Management Best Practice 5 – Ongoing Risk Monitoring
Every organization is challenged by risks manifest through its many different day-to-day operations. To help monitor and manage these risks, most organizations employ groups providing performance and compliance risk assurance so that significantly adverse consequences are avoided. These groups typically carry out their function through the conduct of periodic, in-depth assessments of those areas representing the highest risk to the company. Such assessments are both costly and time consuming; their accuracy rapidly diminishing with the passage of time since the assessment’s performance.[wcm_restrict plans=”49027, 25542, 25653″]
How then can an organization economically monitor performance and compliance risk on a more continuous basis in such a way as to enable a timely, preemptive response should an elevated risk condition be detected?
Well-conceived risk management dashboards aid oversight organizations including internal audit, management oversight, and compliance groups, in monitoring the organization’s overall risk profile and risk-based operational performance. Such dashboards focus on the organization’s key risk processes and include drill-down measures monitoring for diminished risk margins. (See StrategyDriven article, Organizational Performance Measures Best Practice – Vertical Cascading) The system contains both organizational and oversight action thresholds prompting action to ensure continued, effective risk mitigation. (See StrategyDriven articles, Organizational Performance Measures Best Practices – Predefined Action Thresholds and Multiple Action Thresholds) Furthermore, the risk management dashboards should inform the development of annual oversight assessment plans as well as where oversight resources should be applied for preemptive assessments based on situational and conditional performance. (See the StrategyDriven Self Assessment Program Forum)
Construction and Use of Risk-based Performance Metrics Dashboards
Internal oversight groups gain access to all of the organization’s performance measures. But while these measures should collectively represent the entirety of organizational performance, they go well beyond that which is necessary to monitor organizational risk. Consequently, those numerous measures not directly contributing to risk monitoring become distracting to the executives and managers leading the oversight groups; making it necessary to develop specific risk-based performance metrics dashboards. (See StrategyDriven article, Organizational Performance Measures Best Practice – Eliminate Low-Value Metrics)
Identifying the high value risk-based performance metrics needed to monitor organizational risk begins with the risk assurance map. (See StrategyDriven article, Risk Management Best Practice – Map Corporate Risks to Operational Processes) Such maps collate organizational risks to the processes and programs through which these risks would be manifest. Once the high-risk program areas are identified, key performance measures for these areas can be easily identified and appropriately grouped into risk-indexed dashboards with cascading support measures residing underneath.
Note that unlike functional area dashboards, some metrics will be present in the dashboards of several risk areas. This is consistent with the relationship of multiple risks with one process and several processes with one risk.
The dashboard’s performance measures should be updated at a frequency consistent with the rate of change in performance itself. (See StrategyDriven whitepaper, Organizational Performance Measures – Construction) and at a minimum updated on a monthly basis. These dashboards should be formally reviewed as prompted by a threshold alert and at a periodicity consistent with the metrics update frequency in order to identify those areas warranting immediate attention and in preparation for the annual audit planning.
Final Thought…
Organizational risks change over time necessitating risk management dashboard updating. These revisions should be performed when the organization’s risk profile and assurance map is updated and when a new or significant change in risk occurs such as that accompanying an acute event (e.g. launch of a new, major construction project or occurrence of a significant industrial accident).[/wcm_restrict][wcm_nonmember plans=”49027, 25542, 25653″]
Hi there! Gain access to this article with a StrategyDriven Insights Library – Total Access subscription or buy access to the article itself.
Subscribe to the StrategyDriven Insights Library
Sign-up now for your StrategyDriven Insights Library – Total Access subscription for as low as $15 / month (paid annually). Not sure? Click here to learn more. |
Buy the Article
Don’t need a subscription? Buy access to Risk Management Best Practice 5 – Ongoing Risk Monitoring for just $2! |
[/wcm_nonmember]
About the Author
Nathan Ives is a StrategyDriven Principal and Host of the StrategyDriven Podcast. For over twenty years, he has served as trusted advisor to executives and managers at dozens of Fortune 500 and smaller companies in the areas of management effectiveness, organizational development, and process improvement. To read Nathan’s complete biography, click here.
Leave a Reply
Want to join the discussion?Feel free to contribute!