Aligning risk to objectives – using Key Performance Indicators

How often are we advised that we should “identify and manage risk against objectives”? Sounds easy, but how many of us are doing this effectively, especially at the strategic level?

Understanding your objectives
At the tactical level, objectives are often defined as deliverables. For example, release a product on time, increase new sales by x%, cut costs by £Xm. But as you move further up the organisation, objectives are often composite or intangible: deliver a world class transport system; improve safety; increase customer satisfaction. While it is relatively straightforward to identify risks to deliverables, it is often more difficult at the higher level. Therefore, we need a way to make these higher level objectives more tangible.

Using Key Performance Indicators
A major step is to identify Key Performance Indicators (KPIs) for each objective, which can be measured at regular intervals to track progress and achievement.

Generally these KPIs are already in place within the organisation and are linked to objectives. For example, improving safety will be the responsibility of the Health and Safety Executive, who will have KPI targets for increasing public, employee and contractor safety. They will be collecting and analysing hazard information and introducing new measures to reduce incidents. The customer service department will have goals to improve the quality of response, reduce waiting times, and provide better methods of communication. They will have commissioned surveys and gathered statistics on customer feedback to measure effectiveness of the various initiatives.

Figure 1: identifying risks (threats and opportunities) against KPIs

However, too often, analysis of these performance measures is too late to influence outcomes. For example, efforts made to improve customer response and communications might be negated by the failure of a new IT system. Therefore, we need to find a more proactive approach to ensure these KPIs (and the resulting objectives) are achieved, by proactively identifying risks against them and managing those risks.

Managing risks against Key Performance Indicators

You might start by doing a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. However, you then need to follow this through by recording the risks (threats and opportunities) in a risk register, where they can be tracked and ownership clearly identified. Even more important, you need to initiate response actions, to ensure you do something about them i.e. mitigate the threats and exploit the opportunities.Another technique for ensuring KPIs are met is to identify and manage systemic risk, drawn from across the organisation. Smaller repetitive risks can easily combine to create a major impact, but often go unnoticed because the information is not recognised or readily accessible at a higher level. For example, staff turnover or inadequate training may be an underlying problem; in which case, customer services may have to work together with the Human Resources team to find a solution. The root cause of risk may lie within (lack of staff training) and/or outside the organisation (failure of a major contractor). In either case, proactive action must be taken to address the risks.

However, it’s never possible to manage all identified risks, so you will need to prioritise and focus on the most important ones. You may need to do some form of cost benefit analysis to make sure you get a return on the investment you spend on managing the risks.The end result

During the early stage of setting objectives, the discipline of establishing KPIs, identifying risks and agreeing response actions are a major part of the iterative process of ensuring the objectives are realistic and achievable. Once progress is underway, ongoing management of existing and emergent risk is essential to stay on track.