Think of climbing into an aircraft that doesn’t have an aircraft control system and the Air Traffic Control rooms don’t function properly. Would you be willing to go for a free ride in the plane?
If I say risk management functions play the role of Air Traffic Control rooms and provide the relevant feedback to the business, you would mostly agree. But what are the systems in place to see whether the risk management functions are fulfilling the role of Air Traffic Control rooms properly. If Air Traffic Control rooms fail, the planes crash and the same happens in business. Isn’t then performance appraisal of risk management functions critical?
Generally, I have seen risk management functions do an appraisal within the team and sometimes take feedback from senior management. This is despite the fact that in most surveys conducted, the business teams respond that they face challenges with risk management functions and highlight quite a few shortcomings. As the year is ending, the functions would be busy preparing annual budgets and strategies. This would be the right time to obtain feedback and do a proper evaluation.
Let us take an example of the fraud department and study the process of performance appraisal for the department.
1. Senior Management
Get uncensored honest feedback from the senior management. Not the form filling one, where meets expectations means haven’t committed a big blunder till date. Check whether senior managers are ticking the appropriate boxes to keep the risk management function out of their hair for another year or is it genuine support for improvement. Ask the probing and difficult questions to the audit committee and CXO level:
a) Does the risk management function help you to perform better?
b) Did the risk management function add value to the business during the year?
c) Where you worried during the year that some unpleasant risks will appear that have not been identified before?
d) Does the risk management function makes you feel confident that the business is running on course?
That will give out a message to senior managers that the function is geared to take up a bigger role in business and partner with them for success.
2. Business Teams
Though the risk management functions issue reports relating to operation risks, the feedback of business teams is restricted to obtaining their replies to the observations made in the reports. Risk management functions rarely go back to business teams for an evaluation. One way is to conduct a yearly survey to obtain business teams assessment on performance. The other way is to incorporate a value scorecard system. This ensures that after every assignment, the business teams’ feedback is obtained in the value scorecard. This enables the function to take corrective measures promptly to provide better service in the next assignment. Some of the questions to ask are:
a) Did the risk management assignment offer value to your business operations?
b) Did the risk management teams partner with you to solve your concerns? For instance, in a fraud investigation, did the report help them identify the suspect, and give a solution to prevent future frauds?
c) Did the risk management team give you a practical solution or recommendation to mitigate the risks?
d) Do you get prompt replies to your request for help or advice?
Build a value scorecard with 10-15 questions. A periodic assimilation of the responses will highlight the strengths and weakness in performance of the risk management functions.
3. Other Risk Management Functions
If one wishes to breakdown the silo approach to risk management, then each risk management team should be evaluating and giving feedback to the other teams. For instance, a fraud department should get feedback from compliance and business ethics function.
This is the most beneficial of feedback, because other risk management teams actually understand the nature of work, issues and challenges. Obtaining feedback opens doors for sharing best practices and aligning the work. With numerous functions managing business risks, there are some un-addressed risks as each department assumes that the other is fulfilling the responsibility. Hence, some relevant questions need to be asked. Here are a few examples:
a) Do you believe we are complimenting your work or are working at cross purposes?
b) Do you get information on our work to tie up and give a joint strategy to address related risks?
c) Do our teams collaborate well together on joint projects?
d) Do we share our methodologies, knowledge and best practices to benefit each other?
Working in isolation isn’t going to help the function, other teams or the business. Hence, taking feedback from other functions is really important.
4. Risk Management Team
Doing a fair and honest evaluation of team performance is of paramount importance. If possible, implement a 360 degree performance evaluation system. A top down evaluation system will not work for risk management function, as most of the interaction with business teams is done by middle and junior managers. They are aware of business team attitude towards risk management. Even the office rumour mill gives some useful information of acceptance and popularity of the risk management function. Some of the questions the team should be asking are:
a) Are we viewed as business partners by operation teams and do they think we add value to their business?
b) Are we doing the best possible work to mitigate the risks?
c) Are we using standard tools, methodologies and knowledge to give the best possible service to business teams?
d) Do we have a good talent pool that understands the business and associated risks?
Unless the risk management function does an honest self-evaluation, it is unlikely to find the gaps and improve. Hence, a good deal of time should be spent on it.
A good performance appraisal is possible after assimilating the information from all four sources and asking a lot of probing questions. Rather than shy away and get defensive it is best to take the feedback in positive light. Without feedback the function is directionless. Here is a small video pf HCL on performance appraisal. It brings the point home.