Risikostyring – Integrated Performance and Risk Management

Torbjørn Undeland, Senior Manager

Oslo, 3. juni 2009

- 1 -

Table of Contents

Why integrate the management of performance and risk?

Key principles of IPRM

How can we integrate the management of performance and risk?

Why integrate the management of performance and risk?

The financial crisis has shaken the confidence of companies’ to identify and

manage fundamental risks to business performance…

During the credit boom companies

focused overwhelmingly on driving

performance with little thought for risk

Increasingly complex regulation has led

to an overwhelming focus on formal

compliance with too little attention on the

more fundamental risks to the business

The major challenge today is the

continued turbulence and volatility in

global financial markets

The challenge tomorrow will be to

manage through economic cycles,

volatility, and risks more effectively

- 3 -

Challenges of the current economy

Drop in customer

and consumer

demand

Loss of public trust in

business and increasing

pressure from stakeholders

Political uncertainty

and new regulations

Increase in the cost of

capital in tightening

credit markets

Missed opportunities

through (over-)

emphasising costs

Deteriorating payment

behaviour of clients /

conditions of suppliers

Exposure of security

weaknesses and fraud

Declining asset valuesCompany

Performance and risk are treated as two distinct disciplines in most industries,

without meaningful linkages or an integrated management approach

- 4 -

When companies fail to achieve their strategic goals it is usually not due to a lack of planning but,

rather, because of plans that don’t consider the possibility of unforeseen events occurring

Performance Management Risk Management

ApproachesFor example, Balanced Scorecard, Value Based

Management, Activity Based Costing, Beyond BudgetingCompliance, Governance, Enterprise Risk Management

AchievementsStrong focus on value creation, KPIs, planning and

reporting, efficient technology support

A systematic approach to the identification,

measurement and response to risk

ShortcomingsFailure to adequately consider risk as an aspect of

performance management

Risk management often has not gone beyond

regulatory box-ticking and has established itself in a

silo

Despite the fact that most companies continue to manage performance and risk separately,

risk and reward are the two sides of the same coin

The roll-out of risk management is ongoing, but does it reach the business?

Frameworks are built for risk management – at

least formally – but there is still substantial room

for improvement

The connection with the business and those who

execute upon performance targets need enforcing,

especially in a difficult economic climate

- 5 -

FERMA Sept. 2008 (Federation of European Risk Management Associations)

“The one thing

CFOs shouldn’t do

in their quest to

smarten up risk

management

procedures is let the

pendulum swing so

that it “take s a life

of it’s own”

John Howard, CEO of Independent Auditors

(CFO Europe , February 2009)

Risk identification is the first step towards risk mitigation and counter action

Good planning must include “Plan B” as well

Main challenges experienced in

operational, commercial and financial

risks - consciousness is growing around

sustainability

The question is, how this awareness of

risk is built into performance

management cycles and mitigations

- 6 -

Risk Identification

* FERMA, Sept. 2008 (Federation of European Risk Management Associations)

Operational risks: production,

quality, disruption of quality,

costs and deadlines

Today

Tomorrow

Commercial risks: competition,

client partnerships, market

strategy

Financial risks: interest rates

and foreign exchanges, debt,

cash flow, financial markets

Environment risks, sustainable

development

68%

50%

50%

46%

33%

30%

17%

30%

Most important categories of risk faced by the companies according to

Europe´s risk and insurance managers

In wich area(s) are risk assessment and mapping linked to decision-

making?

*

*

42%

39%

54%

42%

6%

18%

54% of organisations link risk analysis

with strategic planning and 42% to long-

term decision making like acquisitions

and investments

This is good news, but what to do when

– without warning – the economic

situation changes negatively during the

planned periods? Think about the worst

case scenario.

“Plan B”

Many organisations do not adequately consider the risk associated with performance management

Key principles of IPRM

- 8 -

Four principles of Integrated Performance and Risk Management

Focus should be on improving an

organization’s ability to manage

performance, achieve desired

results, illuminate and balance the

tradeoffs between performance

and risk

Performance-driven

IPRM demands the formulation of

a risk intelligent strategy that is

executed through an approach that

balances pursuit of performance

objectives with the management of

risk within a defined tolerance level

Risk Intelligent

The assessment of value and risk

drivers across the value chain is a

necessary to institutionalize IPRM

into management an execution of

core business activities

Value Chain Focus

The IPRM model is comprised of

an integrated cycle of closed-loop

processes, shared definitions, and

a common foundation that aligns

an organisation around a balanced

approach to performance and risk

Common Foundation

The four key principles of IPRM are key to realising value from a risk intelligent business strategy

- 9 -

Performance-driven, Risk Intelligent

Unrewarded Risk:

Nothing is gained from

taking the risk

Relates to risk areas such

as regulatory compliance

Rewarded Risk:

Provides a premium if

managed well

Relates to strategy and

business decisions, where

value is created

Integrating risk into performance management is about rewarded risk

Risk

Develop insights into what is a

rewarded risk and what is not

Make sure the leadership team

understands the company’s risk

/ reward profile

Focus the organisation’s

activities on its key risks and

rewards and how to best

manage themNeglect compliance and you are

out of business!

Avoid all risks and you will forego

the reward!

Focus of IPRM

Product & Services

ChannelsCustomers

Regions

SuppliersSales and

deliveryMarketingProduction

Product

mgmt. & development

Supply

Support functions

Financial and Operational Risks to Value

Value Creation and ProtectionRewards

Inherent

Risks

Ris

k In

tellig

en

t

Bu

sin

es

sS

tra

teg

y

Ris

k In

tellig

en

t

Ex

ec

uti

on

Rewards

Residual

Risks

Strategy Business Model Operational Execution

Value Chain Focused strategy, assessment, and execution

- 10 -

2. Execution of a risk intelligent strategy entails

identifying and linking value drivers and risks to

the building blocks of an organisation’s extended

value chain, including underlying assets and

human capital

1. A risk intelligent business strategy not only defines

strategic direction and return levels for the business, but

also the risk appetite associated with it (risk-reward profile)

3. Day-to-day execution of targets and risk mitigation action

throughout the value chain

- 11 -

Risk Management integrated into the Performance Management cycle…

Risk management is integrated into the activities of the performance management cycle

Run the business

and monitor

performance

understanding

changes in the risk

profile

Active intervention

to realign and

improve the

business

PLANand Target

MEASUREand Evaluate

INTERVENEand Realign

Align the business

to deliver on

strategy and

understand

exposure

StrategyStrategy

Planning

Budgeting

Operational ReportingManagement

Reporting

External Reporting

Analysis

Intervention

Forecasting

ValueCreation andPreservation

Ongoing risk

assessment and

management

To deliver most value this cycle must be effective (deliver high performance), manage exposure to

uncertainty (integrate risk management) with a maximum efficiency (with minimum resource).

Integrated Performance and Risk Management demands a Common Foundation

- 12 -

Common Foundation

Information OrganisationGovernance,

Policy & ProcessesSystems & Technology People

Shared understanding ofvalue creation across the organisation

Shared understanding of key risks to value creation and preservation

Appropriate set of KPIs and KRIs, reflecting key value and risk drivers

Clear governance, accountability and co-ownership

Appropriate transparency for governing bodies

KPI and KRI targets cascaded throughout the organisation

Initiatives and project portfolio linked to value and risk drivers

Finance, risk and business line managers work together in a partnership

Planning, measuring and intervention processes interlinked

The board and management are aligned with the risk intelligent strategy

Comprehensive information strategy and supporting technology

Promote commitment to targets and associated risk (tone at the top)

Establish performance and risk-related management incentives

Deploy and develop talent

Focus Alignment Integration Behaviour

"Only doing what matters“ "Pulling in the same

direction“"Talking the same language“ "With everybody on board“

How can we integrate the management of performance and risk?

Opportunities and risks to strategy execution are evaluated across the value chain

and should be reflected in KPIs and KRIs

- 14 -

Strategy Increase market share by improving customer satisfaction

Key value driver

Risk driver

KRI

Value driver

KPI

Fast delivery

Loss of a key logistics

partnerEfficient distribution

Average

shipping cost

per unit

Percentage on-

time deliveries

Logistics

partner credit

rating

Mix of orders

to logistic

partners

Product & Services

ChannelsCustomers

Regions

SuppliersSales and

deliveryMarketingProduction

Product

mgmt. & development

Supply

Support functions

Revenue Growth

Customer Satisfaction

Shareholder Value

KPI

KPI

Design and build the IPRM Model

- 15 -

StrategyStrategy

Planning

Budgeting

Operational

ReportingManagement

Reporting

External

Reporting

Analysis

Intervention

Forecasting

Strategic risk

assessment, risk reward

profile

Risk sensitivity

analysis, simulation

Risk & opportunity report, KRIs

Risk & information

measurements

Risk update analysis

Response to risk,

counter action

Forecasts on risk drivers,

intervention projects, scenario

development and simulation

Earnings guidance,

projections

Key Risk Indicators (KRIs),

Scenario Development

A dashboard reflecting relevant rewards and risks will focus operational

management's attention on decision making and counter action

- 16 -

Strategy

“Increase market share by improving customer satisfaction”

Key Performance Indicators Status Target

Revenue Growth > 5%

Customer satisfaction > 95%

Percentage of on-time deliveries > 89%

Average shipping cost per unit < €40

Key Risk Indicators Status Target

Logistics partner credit rating > 90

Mix of orders to logistic partners < 1/4

Lagging indicator

Lagging indicator

Leading indicator

Leading indicator

Leading indicator

Leading indicator

Lagging indicators are

backward looking reflecting

a historic result, while

leading indicators are

forward looking reflecting a

future state

Risk

Loss of a key logistics partner

Management attention and accountability has to be focused on performance and

the associated risks based on the delivery of strategically relevant information

- 17 -

Business plan (year)

3% 9%7%

The targeted revenue growth of the upcoming

year's budget is 7%

The identified risks and opportunities result in a

range of revenue growth between 3% and 9%

Commentary on key risks and opportunities focuses

management attention on the right things to monitor

& decide

Revenue growth

Loss of key logistic partner

Launch of the new products in Asia

Successful new product launch from main competitor

Key risks

Updated forecast (year) in Q2

3% 7%5%

During Q2 a key logistic partners falls bankrupt

Major problems in the distribution and unsatisfied customers

occur as per prior risk assessment

The updated forecast shows a smaller spread in estimated

revenue because the 9% target now cannot be achieved

anymore, growth forecast for the year is reduced

Launch of the new products in Asia well underway

New product launch from main competitor still

successful

Key risks

Better knowledge of the inherent uncertainties in plans enables better decision making and communication to the

market and stakeholders

Copyright © 2009 Deloitte AS. All rights reserved.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss

Verein, its member firms and their respective subsidiaries and

affiliates. Deloitte Touche Tohmatsu is an organization of member

firms around the world devoted to excellence in providing

professional services and advice, focused on client service through

a global strategy executed locally in nearly 140 countries. With

access to the deep intellectual capital of approximately 165,000

people worldwide, Deloitte delivers services in four professional

areas, audit, tax, consulting and financial advisory services, and

serves more than 80 percent of the world’s largest companies, as

well as large national enterprises, public institutions, locally

important clients, and successful, fast-growing global growth

companies. Services are not provided by the Deloitte Touche

Tohmatsu Verein and, for regulatory and other reasons, certain

member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu

nor any of its member firms has any liability for each other’s acts or

omissions. Each of the member firms is a separate and independent

legal entity operating under the names “Deloitte”, “Deloitte &

Touche”, “Deloitte Touche Tohmatsu” or other related names.

Deloitte & Touche DA is the Norwegian member firm of Deloitte

Touche Tohmatsu. In Norway, services are provided by the

subsidiaries and affiliates of Deloitte & Touche DA (Deloitte AS,

Deloitte Advokatfirma DA and its subsidiaries), and not by Deloitte &

Touche DA.