Today, in most companies the responsibilities for risk management and performance management are separated: Performance management is the discipline of identifying critical success factors and goals of the company and breaking down these targets into operational activities. Risk management is focused on identifying and evaluating risks regarding probability and financial impact. I believe that an integrated management approach has to reconnect and balance these views:
Obviously, both disciplines use similar instruments and methodologies: Measuring relevant indicators is essential for performance management, e.g. financial indicators (turnover, profit, …) are used to measure the success of a company; but to provide assistance and actionable information to the operational business, these lagging indicators are connected with leading indicators (e.g. order processing cycle time, error rate, delivery reliability, etc.) to reflect the well-known correlation between process efficiency, customer satisfaction, and increase in sales. On the other hand, capturing and measuring risks and risk indicators is the precondition for a disciplined process of enterprise risk management.
Business processes are the glue between both perspectives as they provide the classification system for performance and risk indicators: the key business processes are to be designed to increase quality and speed, to reduce cost and to mitigate the risks. The knowledge about the critical success factors of a company or a business segment (“Why is a customer going to buy from you?”) is to be used to resolve the goal conflict between these four directions. From a management perspective, the main goal is to define the optimal balance between a performance-driven (“speed”, “quality”, “agility”, “chances”) and a risk-aware organization (“risk”, “loss”, “compliance”).
How can the company’s management be enabled to put that into practice? The key is to make the business operations transparent, i.e. management has to see and analyze what happens in reality. This is a point where a traditional performance management system (focused on financial indicators and regular reporting) has to be connected with operational monitoring capabilities (“Process Intelligence”, “GRC Analytics”) that allow dramatically reduced decision making timelines as the tolerance for latency is decreasing with the increased speed and agility of the business. In the medium term, looking at Continuous Controls Monitoring and the increased maturity of GRC solutions, we’ll see a lot of synergies between Business Analytics, Process Monitoring and Risk & Compliance Management.
For more information, please see www.grc-lounge.com
Contradiction = no / Agility between both = yes
...because both topics are never static. You can build toward objectives of improved control, but unless those objectives remain dynamic - you will always find yourself behind the pace of threat evolution. This is true whether those threats are internal, external or a combination of both.
So if we speak of 2 sides of the same coin, the question is how to connect them in the smoothest way in terms of information management discipline... :)