In the last post, “Reasons for failure to prepare a risk management strategy”, I discussed that just 40-50% of organizations have a risk management strategy. While it gives a measure of confidence to know this, the question arises: are these strategies effective? How do we measure the effectiveness and suitability of a risk management strategy? I went through various frameworks to find out which metrics to use for it. I did not find a clear-cut list, hence I derived the following dozen metrics from them to conduct an annual assessment of the effectiveness of a risk management strategy.
1. Percent of business strategy objectives mapped to the enterprise risk management strategy.
2. Percent of business value drivers mapped to risk management value drivers.
3. Number of times the audit committee reviews the risk management strategy.
4. Number of times the board discusses the risk management strategy in board meetings.
5. Number of times the board reviews the risk appetite of the organization.
6. Number of times the CEO invites risk management teams to participate in business strategy formation and proactively identify business risks. On the negative side, check the number of times risk functions were not invited to business strategy discussions.
7. Number of times business strategy implementation failed due to improper risk mitigation. Compare this with the number of times timely intervention by risk managers resulted in faster implementation.
8. Number of times improper risk mitigation delayed business strategy implementation. Judge this against the number of times timely intervention by risk managers resulted in faster implementation.
9. Number of times the organization received negative media coverage due to improper risk mitigation. Evaluate this against the number of times a timely risk mitigation strategy prevented a media disaster.
10. Number of times the organization faced legal problems due to improper risk mitigation. Compare this with the number of times risk departments prevented legal problems.
11. Number of times the actual risk level of the organization exceeded the risk appetite of the organization. Analyze this against the number of times risk departments kept risks from exceeding the risk appetite of the organization.
12. Amount of financial losses incurred due to ineffective risk management. Balance this with the amount of financial losses prevented due to effective risk management.
Although this is not an exhaustive list, it does give a starting point. In my opinion, heads of risk management must conduct an annual review of the risk management strategy and initiatives in line with these metrics. It will show whether the risk management strategies are effective or ineffective. Then share the results of the review with the CEO, board and audit committee. It will give senior management a clear indication of the value added by risk management functions during the year. In Churchill’s words:
“However beautiful the strategy, you should occasionally look at the results.” -Winston Churchill