The Challenge of Integrating Risk into Performance

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


If you do a search on this topic, you will find a variety of research reports, including:

They all agree on a couple of things: (a) that the integration of risk considerations into the setting of strategy and optimization of performance is a key to long-term success, and (b) few are doing it effectively, with any degree of formality, in practice.

A summary of the Vlerick report by Slagmulder in Financial Director makes some key points (the highlights are mine):

“The biggest challenge in performance management today is the increased attention that needs to be paid to the risk-reward trade-off. Companies have been ignoring the risk side of performance management for too long – a lot of attention has traditionally been paid to performance measurement and monitoring (i.e., the reward side of the equation), but all performance is essentially linked to risk. Risk is intrinsic to doing business.

“The recent financial and economic crisis has shown that a failure to integrate performance and risk management can leave businesses struggling in the face of uncertainty. For example, at some banks the group risk management function was alerted to potential subprime losses long before the senior management appreciated the severity of the problem. Often, it was not until a presentation was made to the Chairman that included both performance and risk aspects that the size of the problems became known to the board.”

Other key points in the Vlerick report include:

  • It is no longer sufficient to provide reporting that solely focuses on performance, while ignoring the risks that may affect the company’s results.

  • Boards generally seem to be very aware of the importance of considering risks in their decisions and in their performance evaluations. Board members tend to perform their own implicit assessment of strategic risks when they discuss new strategic initiatives. Such board risk assessments are usually not formalised, but are part of the regular discussions on long-term strategy and potential uncertainties related to that strategy.

  • With respect to integration of risk and performance in strategic decision making, it is common practice by management to identify and report risks to the board as a part of M&A proposals, business development plans, or strategic reviews. Such integrated reporting typically comes on top of the specialised reporting that focuses specifically on (operational) risks.

  • Risk-enhanced performance management must evolve from an ad-hoc event under pressure of the economic downturn, to a continuous process that must be embedded within the company’s governance processes. Unfortunately, many companies’ efforts in the area of performance and risk management seem to focus too much on meeting regulatory requirements (“ticking the boxes”) and not enough on how to integrate performance and risk management for more effective strategic decision making.

But, the authors make this damning observation:

“In our research we did not detect a single best practice of integrating risk and performance reporting.”

The EIU report concurs with the pessimistic view of current practice.

  • Successfully integrating the management of risk and performance requires strong processes that reach deep into the organization…. It’s even more vital than the involvement of senior executives.

  • The economic turmoil of the past two years has taught executives of the need to anticipate risks and plan for alternative scenarios. But learning a lesson and acting on it are two different things. Many organisations lack the right processes to create the kind of robust and flexible business plans suited to a fast-changing environment. The most adaptable plans are informed by data from everywhere in the organization — from the salesperson who meets a competitor leaving a customer’s office to the accountant who notices a buildup in a particular product’s deferred expenses. These clues usually remain buried deep in the organisation. Plans fail to incorporate the full range of risks. Individuals may be forewarned, but the organisation is not forearmed. Like the Titanic, the corporation is a big boat with a small rudder, speeding into the future with a limited ability to turn.

  • Unfortunately, among many managers, performance targets fail to match up to the reality they face every day. In the survey, these respondents — who tend to be VPs or business-line heads – say that pressure from above forces them to accept performance objectives that they consider too optimistic.

These respondents are also likely to say that:

  • The leaders of their organisations show little enthusiasm for considering risk when setting performance objectives (82%).
  • There is little perceived need in their organisations for the integration of risk and performance management (86%).
  • There is insufficient focus on risk in their organisations, i.e. the balance between risk and opportunity is skewed towards opportunity (73%).

The LSE report adds only a little to the discussion: it reflects an outdated (IMHO) view of risk management and the research is based upon a study of a single energy company. However, it does repeat and thereby reinforce some of the main points:

The recent economic crisis has focused attention on risk management, but managing risk is all about achieving objectives (Woods et al. 2008; Cotter, 2009; Van der Stede, 2009). Senior managers in particular, are expected to build sustainable performances: create value at acceptable risk levels over time (Calandro and Lane, 2006). To this end, they should be clearly aware of the multiple sources and types of risks (CIMA, 2007).

A stronger focus on risk in performance reports addressed to senior managers can address such expectation. Incorporating risk into performance management processes can foster a better understanding of the overall organisational risk exposure and improve business results.

The report also points to the value of a tool that enables integrated risk and performance reporting to the board and executive management — but the tool is not sufficient by itself.

In conclusion, integrating risk and performance management is not a matter of implementing a single management tool. It can be more important to focus attention to a set of organizational elements: some can constitute obstacles (barriers), some can facilitate incorporating risk into management processes (facilitators, levers). In the end, risk is often implicitly related [to] performance management: performance management tools, if used in particular ways, can provide risk information with minor efforts.

Personally, I like that last point — that the best approach may be to require that all performance reports include information about related risks.

I don’t know about you, but I believe it is important to know not only that you have achieved the desired speed of 100 kph (performance data, or KPI) but that you are not 100 metres from a brick wall (risk data, or KRI).

So why is it that organizations are unable to integrate risk and performance? Reading these reports gave me some ideas, which I shared today on my other blog.


Posted on Nov 26, 2012 by Norman Marks

  1. Mr. Marks, I have a question for you:

    I am dealing with a corporate security manager who does not believe in a risk-based IT/Information Security control approach. The person states that his company implements IT/information Security controls without identifying the risks. Hence, his company's GRC tool contains only the policy, control standards, and control procedures in the policy mgmt. Do you have any thoughts on this?

    Thank you for your opinion. 


  1. Norman:

    Thanks for raising this issue. It has major implications and applications to the internal audit profession. My belief is that the way a large number of internal auditors complete audits has played a significant role in creating the perception that there is little or no relationship between control and risk management and performance. At Risk Oversight we have been promoting the core premise that shifting assessments away from "process centric", "risk centric", "control centric" approaches to "objective centric" assessment is a key part of what is needed to strongly communicate that the central purpose of risk management is to increase certainty that objectives will be achieved at a tolerable level of residual risk status.

    The irony is that it is the way internal auditors and ERM practitioners have approached their task that is a central reason why so few organizations have integrated risk and performance. This needs to change. It is fair to say that traditional risk management and internal audit practices that focus on forming subjective views on "control effectiveness" represent one of the biggest risks to better governance.

    My newest article, "Board Oversight of Management's Risk Appetite and Tolerance", scheduled to appear in Conference Board Director Notes on December 19, 2012, discusses the three main handicaps they face. Traditional internal audit and ERM are two of the three handicaps.

  1. Tim:

    Rather than blaming the CRO and the CAO, I would ask the question: does management not get what they deserve? When management has a lack of vision and does not install an integrated management system linked with the strategic and operational objectives of the organisation, then you cannot expect the CRO and CAO to audit the effectiveness and efficiency of such a management system, which should indeed be their prime responsibility.

    In most organizations I see a lack of a clear vision and design of an integrated management system and a lack of culture to work horizontally (or cross-functionally) towards the execution of the strategic and operational objectives. In particular, the lack of the right cross-functional holistic team culture is what worries me the most, given the high increase in legal, technical and social complexities an organization has to cope with (as a result, too many vertical experts who do not work holistically).

    When you read the book on Steve Jobs and how all the medical experts handled his cancer treatment, then you get a good flavor of why it's so difficult to get a holistic, balanced, coordinated approach in today's organisations. That does not mean that the CRO and CAO should not indeed be more holistically/horizontally focussed rather than what you call vertically focussed ("process centric", "risk centric", "control centric").

  1. Jan:

    To clarify, I am not "blaming" CROs and CAEs as much as lamenting a missed opportunity for auditors and the IIA to clearly communicate that the real purpose of risk and control management should be to increase certainty that objectives will be achieved. I believe that doing that requires clarity on the objective(s) being assessed, and visible linkage to the current risks, risk treatments/controls, residual risk status information and current performance levels.

    Unfortunately COSO 92 and the draft COSO 2013 put limited emphasis on the importance of what I call "measurement controls". Measurement controls are the mechanisms that measure how well specific objectives are, or are not, being achieved; in essence, performance measurement controls. If they had, auditors would be better equipped today to examine this element of their organizations' risk treatment/controls frameworks. The fact that COSO has announced that they plan on refusing multiple requests to integrate what COSO calls an "integrated control framework" and ERM is a real tragedy.

    COSO's view of what constitutes an integrated control framework includes sticking to their 1992 position that setting and communicating objectives is not part of a control framework; measurement controls are not a key element of an integrated control framework; and ERM and control frameworks are best kept separate. I have great difficulty accepting all of these conclusions. Those conclusions, if left unchanged in the final 2013 COSO framework, are not in the best interest of stakeholders generally, and customers of IA functions in particular.

  1. Tim's commentaries are right on the mark and furthermore are the primary reason why COSO should have been buried many moons ago. The way to get this problem resolved, consistent with what he is saying, is to spend less time talking to those organizations that have caused this problem and more time talking with the key decision makers out there, such as the Boards, the regulatory agencies, etc., to re-educate them. The fact of the matter is that not only are the internal auditors not equipped to handle what it is he is saying, but the external auditors are not either.

    We have a white paper published on the future role of internal audit in ERM, but it ties in performance as well. The point is that whereas this is the future role, internal auditors should have been doing this all along. It is important to understand why they have not been doing this, because if we do not, then we will keep on supporting those organizations that are not helping. And why would we want to do that?


  1. Tim, I understand your point. A good article on the future role of internal audit in enterprise risk management you can find on

  1. I completely agree with Marks. There needs to be more of an integration of risk management with the performance strategies of the organization. It seems like there is very little reward when the outlook is completely limited to a C.Y.A. mentality. A compartmentalized approach may ensure regulatory compliance, but yields little benefit concerning the actual performance of the organization.
