A Changing of the Guard

Just as enterprise risk management may be perceived as being on its last legs, in comes risk and performance management. I think of risk and performance management, or RPM, as the correct way in which we should consider risk as it relates to mission accomplishment. I think it is the most natural next step in risk management.

By Christopher E. Mandel

RPM should resonate more with management than enterprise risk management, or ERM, ever did. It aligns more with management's immediate concerns and needed support for decision-making; and it speaks the language of business best. At the end of the day, we are still talking about enterprise-wide risk management, just finally with the proper focus on results versus losses.

Here are some key ways in which these two processes can be distinguished:

Ineffective at Managing Risk (05/01/13)
RIMS Attendees Talk Drones, Product Recall (05/01/13)
Navigating the Fear Farm (03/01/13)
Who is the Real Gambler? (05/01/13)
Abuzz With Energy (04/12/13)

Performance vs. Knowledge. Current ERM standards are designed to help identify, assess and respond to risk. Although the approaches may differ, all ascertain, report and document the "knowledge" gained through their application. Risk knowledge could be viewed as the driving purpose of these programs.

As practitioners advance the application of risk standards, they naturally progress to the next logical step, which is to improve performance. RPM begins where ERM leaves off, linking risk to company performance. Therefore, RPM makes company performance the driving purpose of program design, not risk knowledge.

Aggregate vs. Enterprise-wide view. Consider the Committee of Sponsoring Organizations of the Treadway Commission ERM Framework. ERM's scope as expressed by this standard is found in the definition of ERM itself to be applied in strategy setting and across the enterprise. The need for risk registries and labor-intensive documentation is emphasized. ERM surveys risk within and across silos, where RPM measures from a top-down perspective, the perspective from which most planning culminates. RPM takes an aggregate view of risk, not attempting to count every risk, but to isolate and identify key elements of your risk profile.

Effectiveness vs. Thoroughness. Once the differences in purpose and vantage point are understood, RPM may supplant ERM. Where ERM is committed to a thorough documentation of risk and the responses or controls tied to those risks, RPM's focus is to find where risk management effectiveness breaks down. RPM does not make recording risk a priority, but leverages the most relevant risk knowledge to drive performance.

Quantification vs. Qualitative Scaling. Since ERM is committed to thoroughness, it is important to identify and assess risk in a uniform fashion. Therefore, more subjective qualitative assessments are common, such as uniformly color-coded thresholds. RPM doesn't concern itself with uniformity as much as bottom-line impacts.

Shared core processes. RPM practiced well legitimately advances ERM to the strategic decision-making level of the company. Yet it still relies on the same proven core processes found in popular ERM standards like ISO 31000. The main difference is perspective. Perspective changes the focus and application of these processes, not the processes.

While many ERM practitioners have been focusing on the link between risk and results, the RPM process is an evolution of ERM, and instills more discipline into the practice of risk management.

CHRIS MANDEL is the president of Excellence in Risk Management LLC, and executive vice president of rPM3 Solutions LLC. He is a long-term risk management leader and former president of RIMS.

November 1, 2011

Newsletter Sign-up