November–December 2009 | Volume 11, Number 6
ON BALANCE
THE STRATEGY EXECUTION SOURCE
SPECIAL RISK MANAGEMENT ISSUE
Risk Management and the Strategy Execution System
By Robert S. Kaplan

Besides rethinking strategy, perhaps nothing has preoccupied business leaders these past months more than their failures in risk management. In this opening gambit, Robert Kaplan explores how risk management can be better integrated into strategy execution. An analysis of risk management—its history and mainstream approaches—and of resulting market failures leads him to conclude that risk management should be viewed as a third leg of shareholder value creation, along with revenue growth and productivity. Here, Kaplan introduces two important concepts: a three-level hierarchy of risk; and the risk indicator scorecard, a parallel to the strategy scorecard that he and David Norton conceived nearly two decades ago.

The financial crisis that erupted in 2007 revealed a major gap in the management systems of companies, especially those in the financial sector. Companies’ management systems were focused on shareholder value, revenue growth, productivity, cost control, and quality. But few explicitly incorporated risk.

At recent speaking events, I have been asked whether using the Balanced Scorecard would have helped the failed companies avoid the catastrophe they inflicted on shareholders, creditors, and the world economy. I usually respond by articulating the hope that adopting the BSC, whose underlying philosophy entails seeking a balance between achieving short- and long-term strategic objectives, would have mitigated some of the excessive risk taking that the failed companies pursued for short-term financial gain. But, candidly, the measurement, mitigation, and management of risk have not been strongly featured in David Norton’s and my work.1 So the events of recent years have forced us to think more deeply about how to incorporate risk management into our strategy execution framework.

Risk management is not new. People have been studying risk and its mitigation for centuries.2 International regulations, such as the Basel I and Basel II rules, have institutionalized risk management for banks.3 Actuarial societies and COSO (the Committee of Sponsoring Organizations of the Treadway Commission) have formalized a new discipline of enterprise risk management (ERM) and promulgated standards for implementing it. Many companies established risk management departments led by a C-level chief risk officer to comply with these and other regulations (such as Sarbanes-Oxley) as well as to help the enterprise manage its risk exposure. Risk professionals have their own organizations (the Global Association of Risk Professionals, the Risk Management Association), certification examinations, and a rich array of sophisticated risk modeling processes at their disposal.

Yet despite risk management’s extensive history, sophisticated models of risk exposure, and a large population of risk management professionals, many companies affected by the crisis failed because of their excessive exposure to risk. Apparently, all were doing their jobs, and yet the system failed. Many interrelated factors contributed to the failures,4 but two in particular stand out:
In the aftermath of the global economic meltdown, risk management has taken on new importance, not only in the financial services sector, but across industries. This first-ever theme issue of Balanced Scorecard Report is devoted exclusively to the nexus of risk management and strategy. BSC cofounder Robert Kaplan presents his opening gambit on the subject (opposite); and we offer three Case Files from organizations as diverse as a NASA agency, a unit of a major bank, and a consumer products giant. These stories are based on presentations delivered at the Palladium Group’s 2009 Strategic Risk Conference, “Turning Risk into Opportunity.”
Executive Insight
What Bad Things Could Happen? Risk Management at Jet Propulsion Laboratory
Following two space shuttle disasters, NASA completely overhauled its risk management process to foster a culture focused on risk. Gentry Lee, chief engineer of JPL’s Planetary Flight Systems Directorate (which oversees all robotic planetary spacecraft), reveals the organization’s approach at every stage of a mission.

Case File
Leadership and Strategic Risk Management: An SFO Approach
No new processes or data required: it’s all about orientation. Here’s how one banking executive has made risk management as day-to-day a process as strategy management. Foster the right mindset with leadership, he advises, and use the SFO principles as a natural framework.

Case Snapshot
Integrating Risk Management into the Strategic Planning Process at Canadian Blood Services
Have a glance at this BSC Hall of Fame organization’s pioneering approach to integrating risk management with strategy management.

Decision Analytics
Managing Operational Risk at Mars, Incorporated
The company known for everything from M&Ms and Uncle Ben’s rice to Pedigree pet food has an impressive and rigorous system for identifying and managing operational and strategic risk. Besides its ERM process, Mars relies on a rich trove of analytic data to anticipate, prioritize, and mitigate risks—and share effective tactics across its business units and segments.
Balanced Scorecard Report
companies’ failure to explicitly account for risk when formulating their strategies, and their failure to monitor and manage the risks they had assumed. Fifteen years ago, Norton and I surveyed managers and learned that 85% of senior executives spent less than one hour per month discussing strategy; 50% reported they spent zero hours per month on strategy. But most senior executives spent even less time managing risk than they did managing strategy. Then, as now, they viewed risk management as a compliance function—something they could delegate to their risk professionals, who in most firms tend to be siloed and subordinate. If companies are to get serious about risk management, it must be embedded into the routines and processes of senior management, much as we have promoted strategy management within the organization through the use of our six-stage strategy execution system.

The Risk Management Framework

Enterprises face many different types of risk. I have found it useful to classify risks into three categories, based on their degree of predictability, controllability, and management, and, most important, on the magnitude of their consequences to the enterprise. Level 3, the lowest category, encompasses routine operational and compliance risks. Level 2 represents strategy risks, and Level 1 captures global enterprise risks.

Level 3: Routine Operational and Compliance Risks

At the bottom of the risk hierarchy, Level 3 risks arise from errors in routine, standardized, and predictable processes that expose the firm to substantial loss. In our work on linking strategy to operations, we distinguish between strategic processes—those that are identified in the process perspective of an entity’s strategy map and scorecard—and vital processes: those vital to conducting business but that do not contribute to the differentiation of the strategy. Examples of Level 3 vital processes are maintaining and updating the financial accounting and tax systems (such as posting entries to the general ledger and the accounts receivables and accounts payables ledgers; and paying and receiving cash), protecting assets and information, and ensuring information security, privacy, backup, and disaster recovery. They also include the internal control processes that protect the firm from fraud, negligence, legal, and other potential regulatory liabilities. Any breakdown in a Level 3 process could expose the company to significant financial and information losses and expensive regulatory and litigation procedures. But even when these processes are performed perfectly, the company could still fail in its strategy execution.

Through the extensive training of personnel and the establishment of standard operating procedures and internal controls, including the segregation of duties and dual authorizations, companies attempt to have zero defects in Level 3 processes. The internal audit department plays a key role in monitoring Level 3 risks by verifying that standard operating procedures are being followed without exception and by highlighting defects and deviations in compliance and routine operating processes. Further, Sarbanes-Oxley audits are performed on Level 3 processes to provide external assurance on the effectiveness of a company’s internal controls. In short, Level 3 risks are known and avoidable. Risk management of these processes strives to achieve 100% compliance and zero defects.
Balanced Scorecard Report

Editorial Advisers
Robert S. Kaplan, Professor, Harvard Business School
David P. Norton, Director and Founder, Palladium Group, Inc.

Publishers
Robert L. Howie Jr., Managing Director, Palladium Group, Inc.
Edward D. Crowley, General Manager, Newsletters, Harvard Business Publishing

Executive Editor
Randall H. Russell, VP/Director of Research, Palladium Group, Inc.

Editor
Janice Koch, Palladium Group, Inc.

Circulation Manager
Bruce Rhodes, Newsletters, Harvard Business Publishing

Design
Robert B. Levers, Levers Advertising & Design

Letters and Reader Feedback
Please send your comments and ideas to [email protected].

Subscription Information
To subscribe to Balanced Scorecard Report, call 800.668.6705. Outside the U.S., call 617.783.7474, or visit bsr.harvardbusinessonline.org. For group subscription rates, call the numbers above.

Services, Permissions, and Back Issues
Balanced Scorecard Report (ISSN 1526-145X) is published bimonthly. To resolve subscription service problems, please call 800.668.6705. Outside the U.S., call 617.783.7474. Email: [email protected]

Copyright © 2009 by Harvard Business School Publishing Corporation. Quotation is not permitted. Material may not be reproduced in whole or in part in any form whatsoever without permission from the publisher. To order back issues or reprints of articles, please call 800.668.6705. Outside the U.S., call 617.783.7474.

Harvard Business Publishing is a not-for-profit, wholly owned subsidiary of Harvard University. The mission of Harvard Business Publishing is to improve the practice of management and its impact on a changing world. We collaborate to create products and services in the media that best serve our customers—individuals and organizations that believe in the power of ideas.

Palladium Group, Inc., is the global leader in helping organizations execute their strategies by making better decisions. Our expertise in strategy, risk, corporate performance management, and business intelligence helps our clients achieve an execution premium. Our services include consulting, conferences, communities, training, and technology. The Palladium Balanced Scorecard Hall of Fame for Executing Strategy™ recognizes organizations that have achieved an outstanding execution premium. For more information, visit www.thepalladiumgroup.com or call 781-259-3737.
Level 2: Strategy Risks

Companies select strategies that they hope will create and sustain a competitive advantage that leads to superior financial returns. But earning superior returns requires companies to accept some risk. Companies wanting a risk-free strategy would have to invest all their capital in default-free and inflation-protected government bonds, an action that any of their shareholders could do individually just as well, and probably more cheaply. Strategy risk can be straightforward and easily quantifiable, as when a company accepts the risk of default when extending credit to customers; or it can be more speculative, as when a company invests in developing an entirely new product line or entering a new geographic market. To manage its various Level 2 risks, a company should identify the major plausible risks inherent in the strategy, attempt to mitigate and manage those risks, and then continually monitor the risk exposure it has accepted to earn superior returns.

The risk management literature identifies a long laundry list of possible strategy risks, such as financial risk; customer, brand, and reputation risk; supply chain risk; innovation risk; environmental risk; human resources risk; and information technology risk. Such a list implies a complex risk management process perhaps specific to each type of risk. Recall, however, that the strategy map and Balanced Scorecard already contain all of an entity’s strategic objectives and the interrelationships among them: the learning and growth perspective contains objectives for people and technology; the internal process perspective has objectives for managing operations, customers, innovation, and environmental, regulatory, and social processes; the customer perspective shows those linked to the customer value proposition and customer outcomes; and the financial perspective depicts those related to revenue, price, and margin objectives. The strategy map thus provides a natural framework for identifying, mitigating, and systematically managing the risks to a company’s strategic objectives in an integrated and comprehensive manner.

Some companies, particularly those in financial services such as Bank of Tokyo-Mitsubishi UFJ and SwissRe, already incorporate a risk management strategic theme into their strategy maps. (This theme is in addition to traditional strategic themes relating to operational excellence, customer management, and innovation.) Defining a risk management strategic theme highlights risk management as a key component of the company’s strategy and makes it visible for resource allocation, monitoring, and discussion at strategy review meetings.

I have tentatively concluded, however, that measuring and managing risk differs so substantially from measuring and managing strategy that it may be preferable to develop a completely separate risk scorecard. Strategy is about moving the company forward toward achieving breakthrough performance. The strategy map and scorecard provide the road map to guide this strategic journey. Risk management, in contrast, is about identifying, avoiding, and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination. The metrics for a risk scorecard and associated initiatives for preventing or mitigating risks seem fundamentally different from the BSC metrics and initiatives used to move a strategy forward.

At this time, the development of a risk scorecard is more conjecture and concept than actual fact. So I cannot present a working example of a complete, actual risk scorecard. But it would not be premature to consider some general principles for developing a risk scorecard and its associated initiatives.

What Would a Risk Scorecard Look Like?

Let’s start with the entity’s strategy map of linked strategic objectives. In building the BSC for the strategy map, we would, of course, formulate metrics for every strategy map objective, followed by targets for each metric and, finally, strategic initiatives designed to close the gap between targeted and current performance. Working from the same strategy map, we could build a risk scorecard by first identifying for each strategic objective the primary risk events that would prevent the objective from being achieved. For each risk event, we would select metrics that would be early warning or leading indicators of when the risk event might be occurring.

Take, for example, the common learning and growth objective “Achieve strategic job readiness,” in which all employees in strategic job families have the skills, experience, and knowledge to perform their processes at a high level of excellence. This objective would typically have a BSC metric “percentage of employees in strategic job families rated as ‘very good’ or ‘excellent’ for relevant skills, experience, and knowledge”; a target of 90% or higher; and strategic initiatives involving in-class and on-the-job training, a pay-for-knowledge incentive plan, and planned job rotations. What risk events would threaten this strategic objective? They could be high turnover or retirements of experienced employees
in strategic job families, ineffective training programs, or lack of mobility. Risk metrics would thus reflect each of these potential problems—current turnover rates, number of actual or anticipated retirements, evaluations of training program relevance and effectiveness, and gaps between the demand and supply of fully qualified employees (such as when some locations have an excess supply of employees, while others, perhaps in different countries or continents, have serious shortages). For an innovation objective at a pharmaceutical company, the risks could be failed or delayed clinical trials. Supply chain risks could be disruptions in a supplier’s plant or bottlenecks at a distribution center.

Following this approach, each strategic objective on the strategy map would have one or more risk metrics that would provide an early warning signal about when performance along that strategic objective is in jeopardy. A rising trend in a risk metric, or even a single observation above a pre-set control limit, would generate a management alert requiring immediate attention.

Risk management should be anticipatory and preventive, not reactive. Therefore, rather than wait for risk metrics to signal an adverse condition, management needs to estimate which risk events are the most likely to occur and will have the most adverse consequences to the strategy. Certainly this is easier to advocate than implement.

In some circumstances, companies have sufficient historic data to estimate the likelihood of many types of risk events. Insurance companies can estimate the probabilities of events they insure against, including mortality, natural disasters, sickness, and car accidents. Financial firms have extensive historical data on the prices and correlations of financial instruments such as stocks, bonds, and derivatives, which give them the apparent ability to forecast the likelihood of losses of a given magnitude and to summarize their risk exposure with an aggregate metric known as “value at risk” (VaR).5 Unfortunately, the risks of some of the newer and more complex financial instruments, particularly mortgage-backed securities and their derivatives, were estimated from historic time periods that did not include a decline in U.S. housing prices. When housing prices began a nationwide decline in 2006 and 2007, the default rate and correlations among mortgage securities
Figure 1. Calculating a Risk Score

Likelihood of the Event

Score   Rating              Probability event will occur in the next 36 months
5       Virtually certain   95%
4       Likely              75%
3       Even odds           50%
2       Unlikely            25%
1       Remote              5%

Magnitude of the Event’s Consequences

Score   Consequence
5       Highly adverse
4       Adverse
3       Moderate impact
2       Some impact
1       Little impact

For each identified risk, managers estimate the likelihood of an event’s occurrence and the magnitude of its consequences, usually on a 1-to-5 scale.
and their derivatives turned out to be far higher than had been assumed in the VaR models, leading to the collapse of many financial institutions such as Bear Stearns, Lehman Brothers, Wachovia Bank, and Washington Mutual.

When historic data are not available or adequate to quantify risk exposure, risk managers use another tool, the heat map, as a framework for stimulating discussion and, they hope, for gaining consensus on their subjective estimates of risk events. For each identified risk event—e.g., high turnover in a given strategic job family, an ineffective training program, unexpected retirements—managers estimate, usually on a 1-to-5 scale, two parameters: the likelihood of the event and the magnitude of the event’s consequences (see Figure 1). They multiply the two ratings to produce a heat map score of between 1 and 25. (See Figure 2.) Managers use the heat map score to set priorities for selecting and funding risk prevention and mitigation initiatives. Risk events that score 15 or higher on the heat map are the most likely and consequential; they get priority for the limited funds available for initiatives to prevent or mitigate risk.

Thus the planning for coping with Level 2 strategic risks requires that managers identify the major risks to the strategy, establish an early warning risk scorecard to signal when adverse conditions are occurring, and set priorities for funding initiatives that will prevent or mitigate the most likely and consequential of the strategic risk events. Because of the comprehensive nature of the strategy map, which includes the processes most critical for successful strategy execution, the firm will be anticipating and planning for its most significant operational as well as strategic risks.
Figure 2. A Heat Map

Rows: Likelihood of the Event. Columns: Magnitude of the Event’s Consequences.

Likelihood   Low   Medium   High
High         5     15       25
Medium       3     9        15
Low          1     3        5

By multiplying the “likelihood” rating by the “magnitude” rating, managers arrive at a heat map score of between 1 and 25. A score of 15 or higher represents a risk event that is most likely to occur and most consequential and should get funding priority for mitigation and prevention initiatives.

To be effective, risk management cannot be done in a siloed fashion by risk professionals only nor delegated to middle management functions and departments. Senior managers, during their monthly strategy review meetings (Stage five in the strategy execution system, Monitor and Learn), should allocate time to discuss critical operational and strategy risks. Risk professionals can lead or facilitate discussions of risk indicators and risk initiatives at these senior management meetings. Such periodic reviews would ensure that executives regularly discuss the company’s risk exposure and assess how well they are mitigating these known risks to the strategy.

Level 1: Global Enterprise Risks

Level 2 risk management addresses the “known unknowns.” But the failures of many companies are triggered by the “unknown unknowns”: the unpredictable, unprecedented occurrences that create existential risk. Such events are often referred to as “black swan” events, based on the title of a highly popular book by Nassim Taleb that mocks attempts by companies to use quantitative models to measure and manage risk.6

Consider the VaR models used by many financial institutions (and the risk models used by credit rating agencies). These were based on data going back several decades during which there was no nationwide decline in housing prices. Senior managers at many financial institutions apparently believed that such an across-the-board decline was an extremely unlikely event, outside the 99% confidence interval of their VaR models. As a result, they had no alternative or complementary process for assessing or mitigating their exposure to rare events. Referring to the heat map tool, one can interpret a black swan event as having a probability ranking of less than 1 (highly unlikely) and a consequences ranking of higher than 5 (highly adverse).

Myopia to existential risk was not confined to financial firms. The black swan event for General Motors and Chrysler was the doubling or tripling of oil prices, which made their profitable product lines of large, fuel-inefficient vehicles essentially unsalable to U.S. consumers, causing massive losses and tipping the already financially strapped and highly leveraged companies into bankruptcy. Neither company had planned or implemented a strategy that could generate positive cash flows in a world of high gasoline prices. Companies need to consider what unlikely event or combination of events could lead to their demise.

As much as David Norton and I have preached for 20 years that you cannot manage what you don’t measure, Level 1 enterprise risks have humbled and chastened me. I now agree with Taleb that quantitative models may have limited applicability in predicting the likelihood of Level 1 risks, especially within a given time period. But I disagree with Taleb that managers cannot plan for or mitigate them. Using a physical
metaphor, a Level 1 risk to California is a severe earthquake along the San Andreas fault. Scientists believe that such an event is plausible within the next several decades, but they cannot predict either the year it will occur or its magnitude. Nevertheless, citizens can mitigate in advance the consequences of such an earthquake by constructing buildings that are earthquake resistant and by formulating emergency and disaster relief plans.

Some companies do their Level 1 risk planning by conducting active discussions of unlikely events and their consequences. Goldman Sachs and JP Morgan Chase hold regular tail-risk meetings of senior management where they discuss the consequences of unlikely external events. (They are called tail-risk meetings because the likelihood of the events is in the “tail” of the probability distribution.) Such events could include a tripling of energy prices, a devaluation of the U.S. dollar, civil insurrection in China, a devastating earthquake or hurricane in a sensitive region, or war in the Middle East. The group assesses the ramifications of the event, the
impact on the company’s strategy, and what might be done to avoid or mitigate the adverse consequences should it occur. As the chief risk officer of JP Morgan Chase told me, “Most of the events we discuss at these meetings never occur, thank God; but a few of them have happened, and we have either already mitigated their consequences or, because of our prior contingency planning, acted rapidly to minimize the damage.”

Scenario planning provides a systematic process to help managers consider the correlated consequences of future events. The scenarios are often triggered by natural acts (earthquakes, hurricanes, tsunamis), global economic phenomena (dramatic changes in energy prices, currency exchange rates, interest rates, economic growth rates, or regulation), or competitors’ actions. LG Display, the Korean producer of large LCD displays, conducts two-day war games three times a year in which four management teams (one representing LG Display; the others, its three largest competitors) assess how the company’s current strategy would perform against those that its competitors might deploy or counteract with.

Following the Kaplan/Norton Strategy Execution model, managers can address these Level 1 enterprise risks during their deliberations in Stage six of the strategy execution system, Test and Adapt the Strategy. The CEO could lead a discussion around “the three things that would cause our strategy to fail.”7 The leadership team could engage in scenario planning, war-gaming, and tail-risk stress-testing to learn the sensitivity of the company’s strategy to events that occur outside normal business operations that they cannot control. From evolutionary biology, we learn that species that have become too specialized in a particular environment will
not have the requisite variety to survive changes in that environment. The discussions around Level 1 risks help the leadership team determine whether the company’s strategy is sufficiently robust to survive the disruptions that might occur from black swan events in its physical, economic, and competitive environments.

Mitigate, Plan, Lead

“Prediction is very hard, especially about the future.”8 Risk management requires predicting events, particularly unlikely ones that have never occurred. But despite the difficulty of risk management, senior executives who avoid, deemphasize, or delegate it do so at their peril. Risk comes in many forms and combinations. Some risks—Level 3 risks—are known and avoidable. We attempt to minimize their incidence through standard operating procedures, internal controls, and internal audits. Other risks, which we classify as Level 2 risks, are inherent in the firm’s strategy. The firm accepts them as necessary in its pursuit of superior returns but attempts to reduce their likelihood of occurrence or mitigate them. The strategy map provides a powerful framework for identifying strategic and key operational risks, which can then be monitored with a separate risk indicator scorecard. Heat maps display the likelihood and impact of risk events, helping managers set priorities and fund risk mitigation initiatives.

Finally, some risks, from uncontrollable, external events, can threaten the firm’s existence. These Level 1 risks are especially difficult to predict but can be the most devastating should they occur. We advocate the regular use of tools such as scenario planning, tail-risk meetings, and war-gaming to make executives aware of such potential Level 1 risks—hoping that these tools encourage managers to adopt strategies that can survive these risks and to develop countermeasures they can deploy should they occur.

Ultimately, risk management requires leadership, especially when times are good and no clouds are visible on the horizon. CEOs must have the courage to turn down apparently profitable opportunities that expose the company to excessive risk. As M.D. Ranganath, chief risk officer of Infosys (a BSC Hall of Fame company), observed at the 2008 Harvard Business School Global Summit:

“Everyone does risk management in bad times. The strong test of risk management is whether it works in good times. Will top management stand behind the risk managers, avoiding temptation and saying no to things that put the enterprise at risk?”

1. As an exception, see the discussion of risk management as an internal process in pp. 73–77 of R. S. Kaplan and D. P. Norton, Strategy Maps (Harvard Business Publishing, 2004).
2. An excellent reference is Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk (Wiley, 1996).
3. Basel I, supplanted by Basel II, focuses on credit risk, establishing minimum capital requirements for banks.
4. Among them: using the wrong measures or not fully understanding the properties of the risk measures being used, using incorrect data for estimating risk measures, failing to understand correlations between risk measures, and taking big bets that unlikely events would not occur.
5. Value-at-risk is an estimate of the amount that can be lost at a specified probability of occurrence during a specified time interval. For example, a securities trader with a five-day, 99% VaR of $50 million has estimated that the current trading position has less than a 1% chance of a loss exceeding $50 million over the next trading week.
6. Nassim N. Taleb, The Black Swan: The Impact of the Highly Improbable (New York: Random House, 2007).
7. R. Simons identified three such occurrences in “How Risky Is Your Company?” Harvard Business Review (May 1999).
8. This quote has been attributed to people as diverse as Niels Bohr and Yogi Berra.
TO LEARN MORE
A pioneering approach is highlighted in “Aligning Enterprise Risk Management with Strategy Through the BSC: The Bank of Tokyo-Mitsubishi Approach,” in BSR September–October 2005 (Reprint #B0509D).

Reprint #B0911A
EXECUTIVE INSIGHT
What Bad Things Could Happen? Risk Management at Jet Propulsion Laboratory
By Gentry Lee, Chief Engineer, Planetary Flight Systems Directorate, Jet Propulsion Laboratory
Adapted by Lauren Keller Johnson, from Lee’s presentation at the Palladium Group’s Strategic Risk Conference, April 2009, in New York

It’s one thing to understand that all organizations must manage risk strategically. It’s quite another to know how, precisely, to make strategic risk management a disciplined practice in your own company. In the aerospace industry—where high-stake risks lurk everywhere—executives have honed risk management to a fine point. Jet Propulsion Laboratory (JPL) is no exception. Drawing from JPL’s long and sometimes painful experience, Gentry Lee lays out his organization’s systematic approach to managing risk. His account offers valuable lessons for executives in any industry.

In the aerospace industry, the possibility of failure lurks at every turn. I often say, “You have to be properly paranoid.” The Columbia disaster (along with several other mission failures) was a wake-up call for the industry to establish stricter risk management discipline.1 We set out to build a culture around this.

With every project we work on at JPL, we invest a huge amount of time and attention in identifying, weighing, and mitigating risks. These are immense, one-of-a-kind projects—everything from trying to blast apart a comet and analyze its contents to landing a rover on Mars to assessing atmospheric chemistry on Venus. In some missions, people’s lives are at stake. In all of them, large amounts of taxpayers’ money are at risk. We can’t remove risk entirely from anything we do, but we can manage it. And we’ve developed a systematic approach for doing that. I like to present this approach as the “what, how, when, and who” of risk management as practiced at JPL.

“What”: Identifying the Risks
The instant a project is confirmed and a budget established for it, we identify the risks—all the bad things that could happen with the project. Bad things can take three forms: (1) performance (the project doesn’t meet the desired objectives), (2) cost (it eats up more money than you budgeted), and (3) schedule (it takes longer to complete than you wanted).

Take the Phoenix mission to Mars. Phoenix was a robotic spacecraft on a space-exploration mission to Mars under the Mars Scout program. The Phoenix lander descended on Mars on May 25, 2008. Mission scientists used instruments aboard the lander to search for environments suitable for microbial life on Mars and to research the history of water there. This mission was cost-capped; we had only so much money we could spend. We needed to figure out how to get the job done with the money we had. One technology system required for the spacecraft was radar, but existing systems had been flown only in airplanes, not spacecraft. Because we had no money to develop a new radar system for the Phoenix, we broke down the existing available system into risk pieces, asking, “In what ways could this system go wrong under each situation it will encounter during the mission?”

“How”: Ranking the Risks
There are a lot of bad things that can happen with any project, but you have to identify the most important ones. We use two criteria to do this prioritization: bad things that are (1) most likely to happen and (2) would have the worst consequences if they did happen. Think of it as an equation:

Risk ranking = likelihood of happening × severity of consequences

The project team for each mission creates a 5-by-5 matrix, where one axis represents likelihood from 1 to 5, and the other represents severity of consequences from 1 to 5. (A 1 on the likelihood axis might mean a 1-in-1,000 chance of happening; a 1 on the consequences axis might represent a minor nuisance. A 5 on the likelihood axis represents relatively high likelihood; a 5 on the consequences axis represents a catastrophic outcome.) Each team calibrates the probabilities as appropriate to their project. Using their knowledge and experience, team members position each risk to the mission in the matrix based on its likelihood and consequences. For example, a risk that has a 1-in-10 chance of materializing (a relatively high degree of likelihood) and that would seriously compromise the mission (a severe consequence) if it did happen would go in the upper-right portion of the matrix and be shaded red, indicating that it counted among the worst risks. All reds must be mitigated. Yellow indicates less serious risks that still need mitigation, and green indicates minor risks that we can live with.

“Newness” criteria help us rank risks in the categories of performance, cost, and schedule. For example, if an engineering component has never been used in the environment of a mission we’re planning, the risks are much higher than if the component has been flown once in the same environment—which, in turn, is riskier than if it’s been flown multiple times in that environment.

We then assign cost and schedule reserves (extra money and time) to the mission based on the risk ratings. The Mars Reconnaissance Orbiter, a spacecraft designed to investigate the history of water on Mars, is a good example. The Orbiter contained spacecraft systems that had been flown five times before, so JPL assigned the craft itself a 15% cost and schedule reserve. On the other hand, the science instruments were very new, so we assigned reserves of up to 40% for those. (Even that margin wasn’t enough: the cost of one of the science instruments exceeded the reserve.)

Once you’ve established cost and schedule reserves, you have to create a burn-down plan: How will those reserves be used up as the project progresses? Then you have to track use of the reserves carefully. If the burn-down plan is violated (for example, you start running out of the extra money or time you budgeted for the project), you need to stop and figure out what’s going on.

“When”: Making Risk Management an Ongoing Discipline
JPL practices risk management constantly, through every phase of a project. We analyze the risks associated with a project’s design and development and the risks that could surface during testing and launch. As each project advances, some risks disappear and new ones emerge. The project team reviews the risks once each quarter as the project advances, prioritizing them using the likelihood-and-consequences weighting model.

Each project is also reviewed by an outside review team, with the frequency of external review accelerating as the launch date approaches. At the outset, this team weighs in once a year; as we get closer to launch, the team reviews the risks three times within six months. Reviews can be added on an ad hoc basis, too, if at any juncture the project team and the outside review team disagree.

The risk assessment process isn’t always scientific. You have to use judgment sometimes. It’s easy to identify the most salient risks; they’re the ones most likely to happen and carrying the worst consequences. What do you do about the more subtle ones—the bad things that, if they happened, wouldn’t necessarily cause catastrophe but might create constant annoyances? In some cases, you might decide that constant annoyance is bad enough that you want to mitigate that risk.

Sometimes, even if the risks are huge, you may decide to go ahead anyway. JPL’s Deep Impact program is a good example. The goal of the program was to have a spacecraft smash into a comet and have another spacecraft observe the impact for scientific research. We launched in spite of identifying several red risks related to systems engineering. Why? There would be no other comet accessible for at least three and a half years, so we decided to take a chance. Soon after we launched Deep Impact, we realized that its attitude control system was not properly designed from a systems engineering point of view. During the spacecraft’s six-month flight to impact with the comet, we fixed a half-dozen problems, any one of which could have caused the spacecraft to miss the comet altogether. So the mission ended up being a success, in part because we were mitigating risks during flight.

When conditions have permitted, we’ve also delayed some launches because of the risks. The Mars Science Laboratory (MSL) is an example. Known as Curiosity, this NASA rover will perform the first-ever precision landing on Mars. The rover will carry more advanced scientific instruments than any other mission to Mars to date. It’ll include instruments for the analysis of samples scooped up from the soil and drilled powders from rocks. It will also investigate whether Mars may have supported microbial life in the past or is supporting such life now. The MSL can be launched only during a one-month period that comes around every 26 months. If you miss that window, you have to wait another 26 months. It was a $400 million decision to hold off launching, but we decided to do it because we hadn’t achieved key milestones. The risk of catastrophe with a premature launch was too great, and we realized we were trying to do too many new things at once with the project. It’s very hard to make this kind of judgment call. But sometimes you just have to do it.

You also have to learn from the risk management process. Ours has a feedback mechanism that helps us compare predicted risks against the actual problems that emerge during a project and use the differences to assess risks on subsequent projects.

“Who”: Putting the Right People on the Right Risk Management Tasks
Each JPL project has a risk review team, made up of a handful of engineers who have long and broad experience. They’ve worked on dozens of projects and have seen how risks manifest themselves. They can smell trouble. And they know how to interrogate the very smart members of the project team (people who are supremely confident in their own judgment)—without belittling them. The risk review team members ask challenging questions about the project team’s assessment of the risks, and if they’re not comfortable with the answers, they keep challenging. These are confrontational exchanges, and there are huge egos involved. The tension is good. It’s valuable to have smart people confronting each other. But the project managers have to ultimately address the risk reviewers’ concerns. If they don’t, a confrontation between the project manager and the risk manager could end up costing the project manager her job.

Most risk review team members are from JPL, and some come from NASA. Occasionally (as in the Phoenix radar problem), they come from the Department of Defense or private industry. The key is to find team members who have the specialized knowledge (of areas such as motion dynamics, radar, and electronics) needed to analyze and mitigate particular risks. So, the composition of a risk review team might change as the risks evolve during a project’s journey through the design, testing, and launch phases. In addition, for especially risk-intensive projects, we may establish a tiger team2 to focus on a particular risk.

Each project has a risk manager whose job is to oversee the project, ask the hard questions, and move people around if necessary to manage cost- and schedule-related risk. He understands that the biggest sources of cost and scheduling risk are (1) too much work, (2) an inability to accurately estimate how much time or money a task will take, and (3) a lack of understanding of the steps needed to accomplish the work. The risk manager actively manages these sources of risk. For example, at JPL, we break down project milestones by people—who’s doing what for each milestone. Then we ask them how much time they think it will take to get their part of the job done. We measure people’s optimism, looking for signs that particular team members might be underestimating the time they’ll need to complete their part of the job. We try to get an accurate sense of anticipated costs and schedules, and we move people around if necessary to tasks they can manage more effectively.

Risk management isn’t easy. You have to get beyond the theory and find a way to put it into practice in a disciplined way. Understanding the what, how, when, and who can help.

1. In 2003, the space shuttle Columbia disintegrated over Texas during reentry, killing all seven crew members. Damage to the shuttle’s thermal protection system occurred at launch, but NASA managers limited the investigation into the damage during flight because they felt little could be done. The disaster prompted significant changes in risk assessment and management at the agency.
2. A tiger team is a specialized group assembled to test the effectiveness of an organization’s ability to protect assets by attempting to circumvent, defeat, or otherwise thwart the organization’s security. (Source: Wikipedia)

About Jet Propulsion Laboratory
Jet Propulsion Laboratory (JPL) is a federally funded research and development center and NASA field center located in the San Gabriel Valley, north of Los Angeles. JPL focuses on constructing and operating robotic planetary spacecraft, although it also conducts Earth-orbit and astronomy missions. In addition, JPL is responsible for operating NASA’s Deep Space Network. JPL’s current projects include the Cassini-Huygens mission to Saturn, the Mars Exploration Rovers (Spirit and Opportunity), the Mars Reconnaissance Orbiter, and the Spitzer Space Telescope.

Gentry Lee is responsible for the engineering integrity of all of JPL’s robotic planetary missions. Previously he oversaw the engineering aspects of the twin rover missions to Mars (2004) and the Deep Impact and Stardust missions. He was chief engineer for the Galileo project (involving Jupiter exploration) and served in a variety of positions on the Viking project (the first successful landing on another planet). Lee is also a novelist, television producer, and computer game designer. He coauthored four best-selling novels with Arthur C. Clarke and collaborated with Carl Sagan on the award-winning Cosmos documentary series.
Reprint #B0911B
CASE FILE
Leadership and Strategic Risk Management: An SFO Approach
Based on a presentation by Jack Klinck, Executive Vice President and Global Head of State Street Alternative Investment Solutions, at the Palladium Group’s April 2009 Strategic Risk Conference

How can risk management be fixed? Banking executive Jack Klinck (and former chairman of BSC Hall of Fame company Mellon Europe) offers two solutions, neither requiring a new framework or process. First, since risk management is both a strategic and a defensive discipline, it must be unsiloed and integrated with strategy management. Second, it must be directly linked to leadership—and leaders must foster a culture of risk-mindedness. The five principles of the Strategy-Focused Organization provide an excellent model for helping embed risk management into the corporate DNA.

The global financial crisis has prompted financial services firms to reevaluate their assumptions about the way they manage risk and the internal discussions they hold about risk, both at the board and management-team levels, noted Jack Klinck. Klinck heads State Street Corporation’s Alternative Investment Solutions (AIS) unit, which provides fund accounting, fund administration, and risk services for approximately $400 billion in alternative assets, including hedge funds, private equity funds, and offshore funds.

With the flood of analysis (and the benefit of hindsight), many causes of the financial crisis are familiar by now. From a risk perspective, said Klinck, there were five basic triggers. First, financial services firms were confident they could contain product risk by slicing it and packaging the pieces as securitized investments. As the packages became more mixed, the underlying risks became obscured. Second, because risk management was siloed by type of risk (credit, operational, market, counterparty), managers misunderstood risk correlations among assets. Third, the industry ignored the potential for systemic risk—defaults and other risk events occurring simultaneously. Fourth, the fragmented regulatory environment reinforced the notion of risk as solely a compliance issue. Finally, the push for high profits in the short term became so extreme that many players looked past the risks they were taking.

The crisis, Klinck noted, caused managers across his bank’s business units to look with fresh eyes at how they were managing their businesses. They realized management was vertically oriented, with not enough consideration of the horizontal interrelationships and of the ways each business affected the others.

Making Risk Management Part of the Corporate DNA
Risk management is both a strategic and a defensive discipline, as it touches every type of external and internal threat, known and unknown—from financial risk to competitive threats, and from reputational risk to event risk. Because risk permeates every area and aspect of business, a siloed approach to managing risk makes no sense. Companies not only need to adopt a holistic view of risk, but they must also integrate risk management into their overall management system so that it is part of their corporate DNA.

Numerous tools are available to help companies identify risk factors and assess risks. But risk management is as much—if not more—a matter of sound leadership and governance than it is about creating new analytics and metrics. Risk management is about building a new approach into an existing process (strategy management). It involves a shift in orientation—looking at performance from the flip side—whether to understand the implications of skyrocketing sales (suggesting not only marketing success but also, say, a slip in client acquisition standards) or the impact of staff cuts on client servicing.

How can an organization bring risk to the forefront of its management process? One way is by trying to better understand how the risks in one business unit or line affect another. An enterprise may have dozens of relationships with one client. What does that mean in terms of its overall risk exposure—and that of any individual unit? During the peak of the financial crisis, said Klinck, “we realized we weren’t evaluating the product overlap with many of our clients and counterparties.” Today, he added, it’s important to ask your management teams, “Are you having the right conversations across the business to identify and manage strategic risk?” “Are your people paying attention to what the performance indicators are telling them—and about the indicators’ impacts on other performance areas?” And perhaps most important, “Are you listening to your people?” Ultimately, an organization’s people are its best leading indicators.

State Street AIS already had in place several management tools and techniques—notably, strategy maps and Balanced Scorecards (BSCs). As a self-professed fan of the Kaplan/Norton Strategy Management system for several years, Klinck felt it was only natural to mirror this approach for building strategic risk management into the organizational DNA. He saw no need to invent a new framework or process for managing risk. “By tying risk management to our existing strategic framework, we’ve been able to implement what we consider a sound, sensible, eminently feasible approach to risk management.” The strategy map and BSC provided a flexible framework for clarifying priorities, adjusting the emphasis of specific themes as needed, recalibrating targets, and reprioritizing initiatives—while maintaining the underlying strategy.

The Five Principles of Managing Risk
State Street AIS’s approach to risk management roughly follows Kaplan and Norton’s foundational principles for strategy management: the five principles of the Strategy-Focused Organization. (See Figure 1, next page.)

1. Executive leadership. First and foremost, senior management, and not only the chief risk officer (CRO) or the risk management group, should be responsible for risk management. (The converse is also important; AIS’s head of risk, for instance, as part of the senior management team, participates in all strategy review meetings and key decisions.) A leader’s enlarged role in risk management, by the way, does not mean that the CRO’s role is reduced. In fact, the CRO must work with the businesses and manage the “escalation procedures”—all the steps involved in a risk mitigation effort. The CRO’s independence ensures that senior managers aren’t tempted to unduly influence or compromise any standards and that they balance responsibility with authority.

As organization leader, Klinck sets the appetite for and approach to risk, clarifying the strategic direction and path to getting there. For example, the leading private equity administration business that State Street AIS acquired in 2007 had been growing at a rate of 35% a year. Establishing a risk management infrastructure and culture from the start was critical. “We aligned the private equity unit’s strategic objectives to AIS priorities and collaborated on devising client acquisition criteria.” The leadership team, Klinck added, also provides the model for values and behavior. That includes cultivating not only risk-mindedness but also team members’ willingness to be candid in assessing performance, rather than sugarcoating the picture for the boss.

Because State Street AIS grew through a number of acquisitions, it was particularly important that the unit understand the way each of its three groups affects the others. Besides recognizing the need to create a coordinated approach to marketing and client service (to minimize client confusion) and the need for an integrated approach to technology (to ensure seamless client servicing), senior management saw the need to develop coherent standards for risk management among the acquired units. For example, the leadership team strenuously debated managing client acquisition risk: How can the company achieve business growth targets while avoiding clients that don’t match the organization’s strategic risk profile? Few organizations allow such debate, Klinck noted. But, he added, “we’re convinced that when the financial crisis hit, AIS was in a much stronger position than many of our competitors.”

2. Measurement. The same BSC measures that provide an early indication of strategic performance success or failure also serve as key risk indicators when analyzed from a 360-degree perspective. The red/amber/green “traffic light” assessment on the strategic objectives, measures, and initiatives shows—in the context of the whole strategy map—how subpar performance puts other goals at risk. Thus, this assessment gives managers the ability to respond rapidly with corrective action. The color-coding provides in effect a “heat map” of key strategic issues, showing their connection with other indicators and helping the organization identify trends and gain insights. For example, an amber rating on a sales win/loss analysis metric would suggest not only that sales losses are in line with projections but also that wins may be declining—a risk that would need to be investigated.

3. Alignment. The strategy map and strategic themes provide the structure for aligning businesses, teams, and individuals to the organization’s common goals. Alignment also encompasses risk. Said Klinck, “We look at our themes and objectives to ask, ‘Will they promote the right behaviors—or create conflicts?’ For example, ‘Are our incentives to grow promoting undue risk taking? Are we investing in the right places in product development to meet the latest marketplace requirements for transparency?’” The strategy map thus serves equally as a “shared risk agenda.”

4. Engagement. An organization’s staff is probably the most effective leading risk indicator. “We try to engage staff as much as possible” and to listen carefully to people throughout the organization, noted Klinck. Well before the financial crisis, State Street AIS already had in place a culture that encouraged employee dissent and candor in discussing strategic issues. Developing the business unit strategy maps generated awareness and ownership of AIS’s strategic priorities and of the role each business has in contributing to them. Its theme teams bring together a broader group of people involved in strategy implementation. Yet another group is developing initiative teams. Every quarter, the executive team holds a town hall meeting at a key location to provide a forum for open discussion with local leaders.

5. Governance. Traditionally, governance in financial services firms occurs mainly through the business units, resulting in a siloed approach to managing risk and strategy. A solid governance structure can help emphasize the mutual impacts of different groups or performance drivers, at the same time ensuring that dialogue occurs horizontally and at multiple levels. Strategy review meetings are as critical to risk management as they are to strategy review itself. At AIS’s monthly strategy review meetings, the strategy map is assessed as a whole. Klinck and his team review the heat map of red/amber/green ratings of performance against objectives, examining the ratings’ implications and ramifications. Then they explore a given strategic theme in detail. Each strategic theme owner leads a discussion on the assessment results, looking at their impact on strategic outcomes, both negative and positive. “We actively debate the risks and implications—focusing on the horizon, not the past,” said Klinck. “This approach allows us to manage strategic risk even in the absence of perfect measures.”

To be robust, a strategic risk management approach must embed risk management into the organization in good times as well as bad. It must treat risk holistically, as an integral part of strategy and performance management. In this way, organizations can adapt to change—even rapid change—with speed and agility. “We hope,” said Klinck, that “by recognizing the importance of a proactive, holistic approach, the entire financial services industry will emerge from this crisis stronger.”

Figure 1. The Five Principles of Strategic Risk Management: 1. Executive Leadership; 2. Measurement; 3. Alignment; 4. Engagement; 5. Governance (arranged around “Strategic Risk Management”). Strategic risk management parallels the approach to strategy management embodied in Kaplan and Norton’s five principles of the Strategy-Focused Organization.

The Role of the Theme Team in Risk Management
Although their focus is strategy, strategic theme teams are an invaluable mechanism for risk management as well. When the financial crisis struck, State Street AIS’s theme teams provided a natural forum for discussing key issues across its businesses. Management quickly got valuable insights about the changing markets, and the teams highlighted emerging risks that could affect many areas of the business. Theme teams assemble and circulate Balanced Scorecard performance reports before every strategy review meeting. As frontline analysts, they help ensure that discussion is driven deep into the organization and that response takes place at the right level. Theme teams discuss the strategic implications of the subpar objectives along with those in the green, objectively noting the biggest risks to the strategy and the business. They can perform in-depth analysis to uncover the drivers of a potential risk, to conduct scenario planning, and simply to generate creative new ideas. They can bring together management from different areas of the organization—and of the entire enterprise—to explore issues and find holistic solutions. During the crisis, AIS’s theme teams met more frequently, to facilitate rapid response and organizational learning.

Prior to joining State Street AIS, Jack Klinck was vice chairman of Mellon Financial Corporation and president of the Investment Management Solutions Group. Previously he was chairman of Mellon Europe. Early in his tenure there, he introduced the Balanced Scorecard management system; in 2004, Mellon Europe was inducted into the Balanced Scorecard Hall of Fame for Executing Strategy.

TO LEARN MORE
See “Mellon Europe: Mobilizing Change Through Executive Leadership,” in BSR January–February 2005 (Reprint #B0501F). Also see Mellon Europe’s write-up in the Balanced Scorecard Hall of Fame Report 2005 (Product #9157). Both are available at www.harvardbusiness.org.
Reprint #B0911C
C A S E
S N A P S H O T
November–December 2009
Integrating Risk Management into the Strategic Planning Process at Canadian Blood Services By Dodge Bingham, Manager, Palladium Group, Inc. In the aftermath of the global financial crisis, organizations all over the world are beginning to manage risk in earnest—by moving it from a siloed to a central business activity. Experienced users of the strategy map and Balanced Scorecard are ahead of the game: they realize that the BSC management system represents not only an appropriate tool for risk management but also one that allows integration of risk management with strategy and performance management—the ideal. Consider this summary example from veteran BSC user Canadian Blood Services. At Canadian Blood Services (CBS), managing risk is literally a matter of life or death. CBS, the blood supply system provider for Canada (except Quebec), was created in 1998 in the wake of a national health crisis, when HIV and Hepatitis C tainted the nation’s blood supply (then managed by the Canadian Red Cross). Since its inception, CBS has transformed itself into a model of management excellence. Its use of 1.
the BSC management system and its pioneering work in building its Office of Strategy Management earned it a place in the BSC Hall of Fame for Executing Strategy in 2007. CBS’s transformation has taken it from strategy management to enterprise risk management (ERM). In recent months, CBS began evolving its ERM into a process that is integrated with strategy management. Figures 1 through 3 illustrate the steps involved in identifying and synthesizing risks, the first two steps in CBS’s risk methodology. Figure 1 shows where risk management enters the process—in the Translate the Strategy stage. Figure 2 shows the key questions CBS asks in the first two steps. Subsequent steps involve analyzing the risks (e.g., vulnerability and magnitudes, mitigation actions) and creating a risk profile (e.g., devising a risk heat map and creating an escalation plan). Figure 3 shows how CBS identifies critical measures —not merely measures of performance against key objectives, but measures that will help CBS track and manage the risks to those objectives. CBS decomposes each objective to arrive at key drivers and ultimately the most critical measures. For illustrative purposes, only one strategic objective is shown. I
[Figure 1. Process: Define destination (1. Quantify the vision and gap; 2. Define the change agenda; 3. Define issues). Develop the strategy (1. Construct strategic analysis; 2. Formulate the strategy). Translate the strategy (1. Strategic objectives; 2. Performance measures; 3. Strategic risks). Develop the plan (1. Identify strategic initiatives; 2. Select initiatives; 3. Assess risks; 4. Develop business plan). Labels: A. Risk identified; B. Risk synthesized.]

[Figure 2. Process and major question. A. Identify risks (1. Identify the objective; 2. Select the drivers; 3. Identify the gaps and risks): What risks will prevent us from achieving our objectives? B. Synthesize the risks (1. Review risk across objectives; 2. Create synthesis of key risks): What are the top risks for analysis and monitoring? C. Analyze risks. D. Create risk profile.]

[Figure 3. Objective: Partner with customers and stakeholders. Primary drivers: 1. Alignment of offerings to physician needs. Secondary drivers: 1a. Verify demand for new services; 1b. Physician use of new services. Measures: 1a. Acceptance rate among physicians; 1b. Usage rate among physicians. Risk: Loss of service to hospital; trend to consolidate services.]
Reprint #B0911D
DECISION ANALYTICS
Managing Operational Risk at Mars, Incorporated
By Lauren Keller Johnson, Contributing Writer
Adapted from a presentation by Larry Warner, Staff Officer of Risk Management, Mars, Incorporated, at the Palladium Group’s Strategic Risk Conference, April 2009, in New York
A diversified consumer products giant with global operations can’t afford to ignore risks to the strategic initiatives launched by its business units. At Mars, Incorporated, executives set out to foster a culture in which managers aren’t afraid to talk about, wrestle with, and vanquish the perils that can prevent crucial initiatives from generating desired business results.

AT A GLANCE
Mars, Incorporated
McLean, Virginia
Founded: 1911
Ownership: Family-owned, privately held
Annual revenues: $30 billion-plus
Workforce: 65,000-plus employees
Business segments: Chocolate, Pet Care, Wrigley Gum and Confections, Food, Drinks, Symbioscience
Operations: More than 230 sites, including 135 factories, in 68 countries
Major global brands: M&Ms, Snickers, and Dove; Pedigree, Whiskas, and Sheba; Doublemint and Orbit; Uncle Ben’s and Dolmio; Klix and Flavia; and Wisdom Panel and Cocoapro

Sumptuous chocolate. Savory coffee drinks. Minty chewing gum. Premium pet food. It’s all so delicious that the notion that Mars, Incorporated (maker of these and other delights), worries about risk might never cross a happy consumer’s mind. But like any company, especially a global, diversified consumer products firm, Mars faces risks to its strategy, whether to growing one of its chocolate brands in China, constructing a new manufacturing plant, or introducing a new line of dog food. An array of perils threatens every initiative. These risks cover the gamut: lack of sufficient capacity to meet demand, unexpected moves from competitors, a spike in commodity prices, new regulations.

To manage these and other risks, Mars has established a rigorous process that makes savvy use of decision analytics and information technology (IT). It all began in 2003, when senior management sought to promote a culture of risk-mindedness, to allow business units to determine what was achievable in the context of their annually defined goals and objectives. The management team developed a formal enterprise risk management (ERM) approach to provide Mars with a proven, sustainable framework for anticipating and mitigating complex business risks—tangible and intangible, existing and emerging—across the entire organization.

After pilot-testing its ERM process in 2003 and 2004, Mars refined it and rolled it out to most of its business units between 2005 and 2007. Starting in 2007, it purchased a technology solution to fit its ERM process needs, including automating the reporting of risk analytics. Today, approximately 40 of the company’s business units and its six product segments (such as chocolate, pet care, and drinks) conduct annual ERM (or risk assessment) workshops and quarterly reviews, and provide quarterly dashboard updates to company leaders.

The company’s ERM process aims to manage two classes of risk.
Operational: risks to the short-term initiatives developed by the business units to execute the company’s annual operating plan
Strategic: risks associated with the long-term execution of a unit’s strategy, such as long-range manufacturing capacity needs.

The two risk classes are dealt with differently through the company’s ERM process. In this article, we focus on the process Mars has developed for managing operational risks. This process is strongly driven by unit managers, revealing an organizational culture that values engagement from the bottom up. The steps in the process are as follows:
1. Defining and prioritizing initiatives
2. Anticipating the risks to those initiatives and developing risk “treatments”
3. Rating the probability of successfully executing the initiatives, given the risks and treatments at hand
4. Analyzing risk data to make business decisions

Defining and Prioritizing Initiatives
During each unit’s annual planning process, unit managers meet to review the company’s operating plan and develop a list of initiatives that their units must carry out to help execute the annual plan. Managers define their initiatives according to strict rules that require specificity and measurability. For example, instead of describing an initiative as “Drive core brands in chocolate,” they would define it as “Achieve chocolate’s growth target of 5% by focusing on building the core brands.”
At the beginning of an ERM workshop, managers rank their initiatives in order of importance for the next operating year. For instance, if a business unit manager listed 15 initiatives, she would then rank them from 1 (most important) to 15 (least important). During the workshop, managers discuss and debate the initiative definitions and rankings, ultimately arriving at agreement on both. This process establishes alignment with and accountability for the initiatives.

Anticipating Risks and Developing Treatments
During each workshop, facilitators also have business unit managers draw on their knowledge and expertise to list the risks that could hamper their ability to achieve the initiative’s objectives. This information is entered into a template for the workshop. For example, leaders in a particular food unit might define the following initiative: “Aggressively grow and build the ready-to-heat rice business by expanding the product line to generate 5% net sales growth and maintain share above 25%, while increasing product availability to 50% distribution.” The risks to this initiative could include possible aggressive countermoves from competitors and potential spikes in commodity prices.

Managers next develop risk “treatments”—activities designed to mitigate or leverage the specific risks they’ve identified. These, too, are entered into the workshop template. For instance, to combat the risk of competitor countermoves, the management team may define treatments centering on accelerating product innovation and conducting a competitor analysis. Again, managers discuss and debate, achieving consensus on both the risks and their treatments—further strengthening alignment and accountability.

Rating Initiatives’ Probability of Success
For each initiative, unit managers highlight the three to four most critical risks and risk treatments in the template. Using anonymous voting technology, the management team votes on the probability of successfully achieving the initiative during the upcoming year, given the risks and risk treatments listed in the template. They use a scale from 1 to 9 to indicate the probability of successfully achieving the initiative’s objectives. A 9 indicates a 90% or greater probability of success; a 1 represents a 10% or less probability.

The initial votes often show some type of distribution. To build alignment, team members discuss the range of scores, challenge one another’s assumptions, and reconsider their scores based on their peers’ positions. For example, if one manager believes (based on his experience) that a proposed risk treatment won’t be effective, he might argue for a score of 5 instead of the 7 advocated by his peers. The debate is open, honest, and collegial. That’s because everyone involved knows that the goal is to understand one another’s positions and arrive at the best-informed assessments possible. Managers then rate each initiative from 1 to 9 again; usually, a smaller distribution results. The final vote results in a risk profile for the initiative that gets color-coded: below 5.0 is red; 5.0–5.9, orange; 6.0–6.9, yellow; 7.0–7.4, blue; and 7.5 or greater, green. If consensus is still lacking after the second vote, managers gather additional information outside the workshop and reconvene to share it and get aligned.

The risk assessment ranking can reveal important information. In Figure 1, the ranking for a cat food initiative (8.5) may actually suggest that too many resources are being applied to the initiative, or that managers are underestimating their capabilities. It may even imply that sales generated as a result may be beyond the company’s capacity to produce. The product relaunch initiative, with a priority ranking of 3 and a risk score of 4.5, may need to be postponed so that its resources are redeployed more effectively.

Figure 1: Hypothetical Example of Initiative Risk Assessment
[Chart. Vertical axis: Probability of Success (0 to 9). Horizontal axis: Initiative (Rank). Values shown: Cat food (2), 8.5; Bar chocolate (1), 6.6; Product relaunch (3), 4.5.]
Initiatives are ranked by the probability of success in achieving objectives, given their risks and mitigation activities. The numeric ranking in parentheses reflects the initiative’s importance.

Finally, business unit heads submit a summary report to their segment leaders and to corporate headquarters showing the final agreed-upon risk profile for each operating plan initiative. Senior executives have access to the templates the unit managers have filled out, so they can drill down into greater detail.

Analyzing Risk Data and Making Decisions
After initiatives are put into action, unit leaders review each initiative’s progress on a quarterly basis—reassessing the risks and treatments and deciding whether to change an initiative’s risk profile score. They update a one-page dashboard depicting execution performance for all initiatives and documenting any changes in risk profiles, adding comments on why specific changes were made. The updates are submitted to both the segment and corporate headquarters.

For example, suppose the profile for the initiative “Relaunch Pedigree brand to achieve a 10% growth target” improved from yellow to green over the past two quarters of the year. The initiative owner’s dashboard comments may be something along these lines: “Shipments started in period 2 to meet advertising schedule. Advertising on air. Massive presentation to all customers was executed during period 1, with excellent customer participation.”

These dashboards are a potent communication and decision-making tool. If an initiative shows a decreasing probability of success, managers discuss the situation and decide how to address the problem—for example, by redirecting marketing or other resources toward the troubled initiative. The dashboards are so simple and concise that they’ve eliminated a lot of reporting that managers used to do. And they create transparency for each unit.

Since automating its ERM process, Mars has compiled enormous volumes of risk-related data. To date, the system contains 500 operating-plan initiatives with risk profiles, 3,800 risks coded by type (e.g., legal, financial, and sales and marketing), and 4,200 risk treatments—all generated by the company’s business units in multiple geographies. It also contains three operating-plan cycles’ worth of data. Thanks to these volumes of data and the system’s power, Mars can now slice the data in various ways and customize how they are presented—gaining valuable insights for business decisions. For example, executives can examine pie charts showing how risks are distributed across categories for a particular business unit, the entire company, a product line, or a geography; and how risks are changing over time for each area of interest. Consider these hypothetical examples.

Product insights. Suppose a large percentage of the risks documented for a particular product fell within the sales and marketing category. By getting a global view of common risks, the company can identify common risk treatments for that product across a region or the world—for example, increasing the number of salespeople for that product.

Segment insights. The system allows segment management teams to compare units or regions to identify common problems. The analysis might show, for example, that one business unit’s risks were clustering increasingly within manufacturing/distribution. It also enables teams to spot trends early.

Geography insights. The system allows for identification of common issues across regions or problems within a given region. (See Figure 2 for a hypothetical example.)

Figure 2. Comparing Risks by Region: Hypothetical Example (dummy data)
[Chart. Segments shown: Asia-Pacific Segment, Western Europe Segment, CIS* Segment, North America Segment. Key: Organization/HR, Sales/Marketing, Finance, Manufacturing/Distribution, Commercial.]
* CIS = Commonwealth of Independent States—the confederation of former Soviet Republics
Mars can break down risk into corporate function categories by region. In this hypothetical illustration, the biggest risk to the CIS segment is commercial. Sales and marketing risk is the biggest risk category for the Asia-Pacific and Western Europe segments. The latter two might confer with peers in the North America and CIS segments for solutions.

Finally, managers can use ERM software to review other units’ initiatives—and gain insights into how to address common challenges. This creates a learning environment within the business, enabling one unit to learn from and build on the success of others.

Managing risks to a company’s strategy is never easy. But by establishing a disciplined ERM process, companies can make risk management as routine as other business responsibilities. A rigorous process can also help managers adopt the mindset needed to openly discuss and mitigate the dangers to their business strategy. Mars, Incorporated, has excelled at ERM—not only encouraging bottom-up engagement in risk management among unit heads, but also using IT to support the gathering and analysis of risk-related data. Whether unit heads are seeking to introduce new products, expand into new geographies, or beef up manufacturing capacity, the process Mars has developed positions them to anticipate, prioritize, and mitigate the risks, as well as share effective risk management tactics across units. Result? The company has sweetened the odds that each strategic initiative will produce the business results everyone’s looking for.

Reprint #B0911E
To subscribe to Balanced Scorecard Report, call 800.668.6705. Outside the U.S., call 617.783.7474. bsr.harvardbusinessonline.org
Product #B09110