Objective-Centric Risk Monitoring: Providing Actionable Information


Monitoring Area #2: Risks and Objectives Based on Pre-Established Metrics

 

Whether they are formally documented or not, every company is going to have objectives.

In the end, (business) objectives state why your company exists and what its leaders care about, which is why each and every ERM activity, including monitoring, must be focused on objectives.

Simply monitoring a stand-alone risk without any connection to an objective won’t give you the full picture and could end up being worse than doing nothing.

Proper ‘objective-centric’ monitoring is more targeted and consists of monitoring risks and objectives based on pre-established metrics.

Please note the emphasis on pre-established.

Similar to the risk assessment phase, there are preparatory or pre-work steps that must be taken to monitor risks and objectives effectively.

It’s kind of like a barbecue – you don’t just throw some meat on the grill, flip it a few times, and call it done. You’ll want to prepare the meat with some sort of marinade or spice rub, prepare your cooking area beforehand, etc.

In the case of monitoring, this prep work really begins when objectives are documented and subsequently prioritized based on whether they’re mission critical or not. With this final list in hand, a risk appetite statement for each mission critical objective can be drafted, which (as we explain more in-depth here) describes the level and type of risk the company is willing to accept or not accept without any further actions or mitigations.

Once risk appetite has been set for a particular objective, you’re ready to begin developing a metric that will be used to monitor progress towards achieving the objective – called a ‘success’ metric, which is almost always an internal company measurement. Example metrics can include revenue, sales, employee turnover, and more.

A key risk to the objective will also have its own metric (key risk indicator) and can either be an internal or external measurement. Examples can include inflation rate, supply chain disruptions, or voluntary or regrettable turnover, to name a few. (Identifying or otherwise developing metrics for the purposes of monitoring is too extensive of a subject to include here, which is why we’ll be exploring this topic more in-depth in a future article.)

As an example, let’s say you have an objective around being “the best place to work.”

A ‘success metric’ for this objective, or KPI, could be employee engagement. A potential risk to this objective was identified as the culture driving valuable employees to resign, with the KRI being regrettable turnover rate.

Both the KPI and KRI could be set up very similarly, but they are each their own distinct metric.

With the risk appetite statement and metrics in hand, the last step before any actual monitoring is to identify:

  • Target for each metric – where you want it to be
  • Thresholds – the point where you and the business start to get concerned
  • Limits – the absolute breaking point where a risk could make the objective unachievable or even put the whole company in more extreme circumstances.

Establishing these parameters will help you zero in on what you should be looking for as you receive regular updates on the metric data. Simply reviewing metrics without these guardrails will be meaningless, as management will have no idea if they’re treading in unsafe waters.

The actual monitoring takes place when you receive updates to the metrics at the agreed-upon frequency for each metric. Some metrics may get weekly updates, some monthly, some quarterly.

While updating the data for these metrics, if you and/or the business realize a risk is trending towards or approaching an established threshold, the business should conduct some analysis to understand what is driving it and what can be done about it.

ERM is likely to be asked to facilitate the analysis process, especially since it will typically consist of using root cause analysis, a bow-tie diagram, or some other method to determine the reason a threshold has been or is about to be breached.

Once you know the driver(s) and potential actions that can be taken, develop a brief action plan. Don’t make the action plan development bureaucratic and keep the action plan itself as simple and straightforward as possible.

One point I’ve waited to make – metrics, thresholds, and limits are not identified by ERM in a vacuum.

This important task should be done through collaboration between ERM and the objective owner (for the success metric) and the risk owner for the KRI. Otherwise, there is no buy-in from the business on the outcome, and the whole effort was wasted. For some objectives or risks, it may be appropriate to get executive leader feedback and buy-in on targets, thresholds, and limits.

The key thing to remember is that the company must avoid reaching the limit established for each metric. I consider the limit as “no man’s land” – reaching this metric level is detrimental to the organization’s mission or vision.

Communications around your monitoring results should be handled in alignment with the urgency of the outcome. I talk about that topic more in this article.

Check back soon as we explore the third and final trigger – changes in context, or the internal and external operating environment.

Until then…

What type of metrics, if any, are used by your company to monitor risks and objectives?

Share your thoughts with other practitioners by joining the conversation on LinkedIn.

If you’re struggling to develop metrics, much less monitor them, to understand the health of your company’s objectives and risks, please reach out to me to discuss your company-specific situation and more.

Featured image courtesy of Burak K via Pexels.com


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
