Liew Nam Soon, Ernst & Young

The recent turmoil in the financial sector has highlighted the lack of sufficiently effective risk management among banks and other financial institutions. All too often, efforts in risk management are dispersed, isolated and unrelated to the wider organization strategy. Financial institutions should be adopting a more comprehensive and integrated risk management approach that not only takes into account strategic, operational, financial and compliance risks, but one that is also intimately linked to performance management.

Moving towards a risk-enhanced scorecard
One of the most effective ways to link performance and risk management is the integration of risk factors into an organization's performance management tool of choice. Currently, the balanced scorecard (BSC) is by far, the most popular tool for this.

In using the BSC, an organization typically defines its goals and the related key performance indicators (KPIs) for each of the four main perspectives of the classic BSC – financial, clients and stakeholders, internal business process, and learning and innovation. These KPIs enable the organization to measure and monitor its performance. However, in an increasingly globalized and complex business environment, financial institutions should go a step further to enhance the BSC with key risk indicators (KRIs) so as to effectively align performance with risk management.

New rules such as the Sarbanes-Oxley (SOX) Act in the US tend to deal primarily with only one aspect of risk management, that is, to ensure the reliability of financial reporting. Without denying the fundamental importance of this, it is perfectly possible for a financial institution to be fully SOX- and Basel II-compliant and yet suffer from inadequate risk management. In fact, more shareholder value could be destroyed as a result of strategic mis-management and poor execution than financial mis-reporting. A BSC enhanced with KRIs will enable management to plan, measure and monitor risks at each level of the organization as well as be able to frequently gauge if and when it is appropriate to modify strategy, objectives and operating procedures.

As with KPIs, great care should be taken when defining KRIs for a BSC. What are the risks and who owns them? What communication channels should be used to promptly inform the owner of risks associated with new events? Is a KRI really measuring what we want it to measure? If so, are we measuring it correctly? Incorporating suitable KRIs into the BSC helps to ensure that risks are detected and taken into account before they show up in the financial figures of an organization. A "risk-enhanced" BSC is therefore a systematic tool that helps organizations achieve integrated risk and performance management.