
10 / Canadian Government Executive // September 2015

Public sector organizations are challenged by Enterprise Risk Management (ERM) to identify and manage risks at the organizational level. Today, organizations are also asked to develop organizational performance measures (PM) that have a holistic view based on multiple nonfinancial measures. We think the processes can, and should, be integrated.

Key risk indicators (KRIs) focus on mitigating the impact of negative events while key performance indicators (KPIs) focus on ensuring positive things occur as planned. These are often perceived as opposite measures: one defines potential adverse events while the other defines success. In reality, a KPI can also be a KRI. As an example, employee turnover can be seen as an operational risk. The KPI might be “retention rate,” but it’s clear that if retention rates drop below a certain threshold, a number of performance risks ensue.

In the federal government, the PM and ERM processes were developed as separate activities with little formal integration. The Treasury Board Secretariat (TBS) provides guidance on risk management and encourages departments to incorporate integrated risk management in planning and reporting, business case development, and departmental reporting (Departmental Performance Report and Report on Plans and Priorities). The Program Alignment Architecture (PAA) and the policy on Management, Resources and Results Structures (MRRS) serve to ensure that activities are logically linked to strategic outcomes and that resource allocation and re-allocation decisions are supported.

However, departmental risk assessments are typically limited and often do not illuminate how risks will affect the critical success factors of specific strategic goals which are stated in performance management frameworks. In addition, organizations are not always successful at developing and implementing adequate performance measures for strategic initiatives. There is no explicit link between the results of the ongoing assessment of risk and performance management; and the impact of risk on the continued validity of performance measures tied to strategic objectives is not addressed, particularly for emerging risk.

Management

Linking Enterprise Risk Management and Performance Management for Better Performance

Dave Coderre
Gregory Richards

Table 1: HR data-driven risk indicators

Org Entity   Volume   Variability/Change   Complexity
Entity 1   304   5   6   12%   1   12   4   28%
Entity 2   281   13   2   13%   2   16   6   32%
Entity X   463   28   6   21%   4   9   8   14%

Ottawa is not alone. The 2008 IBM CFO Study found that 62 percent of enterprises with revenues over $5 billion (USD) had encountered material risk events in the previous three years. Of those, nearly half (42 percent) admitted to not being well prepared for them. The most frequently mentioned risks were not financial but strategic risks.

ERM, however, can only have meaning if it is tied to performance. By linking risk and performance measures, departments can pursue strategic objectives that are aligned with both current and emerging risks. Public Safety, to cite one case, took specific steps to ensure that performance measures considered changes in risk by anchoring their risk assessment to both the PAA and Performance Measurement Framework (PMF). Risks and opportunities — uncertainties that could affect the achievement of departmental objectives — are identified by the PAA program and are based on the objectives established in the PMF. Performance measures are then used to assess the state of the risk and whether mitigation has been effective. Public Safety, by linking risk management to performance measurement, is more of a results-oriented organization that can quickly and effectively allocate resources based on emerging risks.

Data-driven risk indicators

One of the challenges associated with integrating ERM and PM is that ERM frameworks typically use subjective assessments of risk. This, despite the fact that many departments already have useful data which