Risk and performance – two sides of the one coin

June 20, 2015

Managing risk and performance have always been key elements of governance. In Australia, both are now being given an enhanced importance through the Public Governance, Performance and Accountability Act. Although risk management and performance management are normally considered quite distinct, there are some key similarities, and comparison can throw light on both disciplines.

The conventional meaning of risk indicates issues or factors to avoid. Performance management (which in this context means identifying performance indicators and then managing to achieve success as defined by those indicators) is based on setting targets to achieve. These may be considered as two faces of the same coin. They are both concerned with management principles designed to assess and then improve performance.

Risk management

A structured approach is undertaken to identify adverse events, and means of dealing with these so as to achieve business success. This includes:

  • Setting the context
  • Identifying risks
  • Assessing the likelihood and criticality of each risk
  • Overall assessment and ranking of risks
  • Selection of treatments to apply to risks
  • Allocation of management controls to ensure treatments are applied
  • Continuous review of risks to delete irrelevant ones and consider new risks.

Performance management

A structured approach is undertaken to identify ways of measuring and achieving business success. This includes:

  • Defining the overall business goals and vision
  • Identifying specific short-term targets
  • Selecting a feasible number of targets that, together, will span the business activity and therefore represent overall performance
  • Determining, where possible, the level of achievement against those targets to aim for
  • Allocate responsibility for achieving the targets, or at least monitoring performance
  • Assess performance against targets regularly, and adjust management policies where appropriate
  • Reconsider regularly the relevance and appropriateness of the performance indicators

While there is not a strict one-to-one correspondence between the two activities, there are nevertheless considerable similarities. Indeed, one may consider risk management and performance management to be negative and positive aspects, the valleys and the peaks, of the same performance measurement issue.

Some other similar attributes of risk management and performance management are described below:

  • The desire for quantification allied to the difficulty of doing so.
  • The need to integrate with general management approaches
  • The problem of identifying intermediate and final outcomes
  • The problem of setting levels to achieve or avoid

Risk management is therefore better structured to assess likelihoods and consequences of the outcome, while performance measurement is better at setting target levels and considering the chain of causality leading to achievement of that performance. Both facets of understanding are relevant to both forms of management information and control, and therefore there are opportunities for the disciplines of risk management and performance measurement to learn from each other.

The issue of whether risk management and performance measurement can be fully integrated is more problematical. One approach is to take seriously the definition of risk in ISO 31000, which refers to risk management covering not only adverse events, but also opportunities. The outcomes and goals to which performance management is directed can then be considered as ‘opportunities’ in a risk management context. For these events, we can use a risk management structure to define the probabilities and consequences of not achieving them.

Alternatively, the risk levels can all be set out in terms of performance targets. For example, there may be a lateness risk defined as a program being delivered more than seven days late. Instead, we could have a performance indicator of timeliness, with the measure being the proportion of programs delivered within seven days of the due date.

Neither of the above is totally satisfactory. Part of this is the different management emphasis that is understandably placed on avoiding disasters or achieving performance. Perhaps the best solution is an organisational one, to ensure that those parts of the organisation charged with coordinating risk management, and with collecting and managing performance information have close communication, or perhaps are the same group.

© Numerical Advantage 2015

