How do you justify investment in more risk resources when the results are hard to measure?

Many years ago, I recall posing the question to an experienced HR executive during a workshop on SMART objectives, “if I’ve done my job well, how do I as a risk manager, measure the value of something that didn’t happen?”. He didn’t have an answer and I was left with the challenge of measuring the seemingly unmeasurable.

This is the paradox of measuring the value of risk management: those of us charged with managing uncertain outcomes have to demonstrate the outcomes of our work – with certainty.

Yet, it’s an inescapable fact that business cases require the realisation of benefits and those benefits need to be measurable and measured. Financial measures, such as ROI, require a direct impact on revenue and expenses and while they’re increasingly used for risk management investment, they ignore important non-financial benefits.

So, what is the best way to justify increased investment and how can the results be measured?

According to the Deloitte Extended Enterprise Risk Management Global Survey 2018, an increased focus on opportunity management to create value is helping to drive up investment in risk management, “with EERM now having a more balanced outlook of addressing the downside of risk as well as capturing the upside opportunity, the related annual spend seems to have significantly increased”.

While 48% of respondents cited cost reduction and 20% increased revenue as a key factor in business cases for investment in risk management, other key factors cited in exploiting upside risk: greater flexibility to address market uncertainty (26%); unlocking access to technology (19%); and improving confidence in the brand (18%) would only have a tenuous link to ROI.

Unsurprisingly, a large proportion of respondents still based their business cases on managing downside risk with no direct financial impact: 43% citing reduced regulatory exposure; 41% internal compliance requirements; and 34% citing fewer third-party related incidents.

What is abundantly clear from the Deloitte survey results is that non-financial measures, like KRIs, remain most appropriate for measuring risk management and justifying additional investment.

To be effective, KRIs must be comprehensive, relevant, contextualised and visible to key decision makers.

The first step to establishing a comprehensive and relevant set of KRIs is to start with the organisation’s key risks and develop a wish list of leading and lagging KRIs with input from key stakeholders. Think broadly about policy breaches, audit results, near misses, minor incidents and external events that could serve as good leading indicators. Higher probability risks tend to be better suited to lagging indicators, however, catastrophe risks can also be measured in simple binary terms.

Next, perform a discovery process to find out what risk-related metrics are already being reported throughout your organisation. I’m usually pleasantly surprised at the amount of risk-related data already available in departmental reports. Address gaps in your wish list by talking to your IT department about data your systems could, or do collect, but isn’t being reported.

Once you understand what data is available from individual systems, consider what relationships and patterns could be highlighted across multiple data sets using data mining and analytics. One company I worked with obtained powerful insights when, for the first time, it was able to analyse data across all of its finance and HR systems in one location with business intelligence. This connected the dots to enable risk profiling for fraud, corruption and conflicts of interest amongst others, which in turn drove decisions regarding resource investment and deployment. New technologies, like cognitive computing, take this even further by introducing deep learning capabilities.

Risk appetite and risk tolerance are essential to giving context to KRIs and to determine when action needs to be taken. When limits and targets are agreed upfront with key decision makers and approved by the board, much of the subjectivity and bias is removed from decision making. KRIs that exceed limits create a mandate for action. When root causes and other contributing factors are identified, business cases become simplified.

KRIs also play a critical role in good corporate governance and while many risk management functions have developed KRIs, a lot will admit they are not having the desired impact. Speaking to directors often reveals that risk management reports don’t appear to be adding value to discussions about strategy and performance.

All too frequently, KRIs are reported in stand-alone risk reports and discussed in isolation from strategy and performance, but when integrated into the balanced scorecard (or equivalent) risk and performance can be considered in tandem. This also improves line management accountability and helps ensure risk doesn’t fall to the bottom of the agenda.

While the ultimate value of risk management will always be in the management, not the measurement of risk, as Peter Drucker famously put it, “if you can’t measure it, you can’t improve it”. Well-implemented KRIs, delivered to the right audience and tracked over time are of great benefit in ensuring risk management is measured, improved, supported and valued.