How do you manage risks with the balanced scorecard? How is risk management integrated with the balanced scorecard? I’ve been thinking about this. A little thought brought me to three conclusions about the balanced scorecard and risks.
To get to these conclusions I asked myself the question, “Why would the balanced scorecard not include the management of risk?”
The risk of the strategy not being implemented
The first is about risk of the strategy not being implemented: A balanced scorecard is about implementing strategy and so when we ask the management team what their strategy is, they respond, including how they wish to manage the risks of that strategy not being implemented. They (should have) have already though about the risks and should be articulating a strategy that already has risks considered and mitigated in the way they intend to implement changes, develop capabilities and their choices of objectives, measures, targets, actions, initiatives.
So, one would expect that the risk to the implementation of the strategy is already embedded and operationalised in the strategy map and balanced scorecard. You can make sure by asking in the articulation and design stages about the risks. You can easily add it by asking the question, for each objective, what risks are in here and have you mitigated them.
Having made the strategy implementation risks implicit perhaps does not help, but they should be there if the right questions have been asked, and the management team have a well thought through strategy that you are capturing.
Different risks need to be tackled in different ways
There are lost of different risks that need to be identified. The balanced scorecard is primarily a tool of strategy articulation, communication and implementation. But there are risks for finance, health and safety, fraud, compliance (Regulatory risks), there are operational risks (processes failing) there are market risks (external events) and many others (the Chief Exec gets run over by a bus).
Having spent six months sitting in a compliance team helping them develop reporting for the FSA there are many detailed risks specific to particular activities and aspects of the business that I would not expect a strategy focused balanced scorecard to address in detail. It is not a panacea. It is not the only way the organisation is managed.
I would expect those risks to be identified in objectives by managers at the level at which those risks would be managed (as a part of the management of that objective, at the level at which that needs to be managed). I would expect them to be managed by the risk management processes that sit in different parts of the business.
Given “a strategy map and balanced scorecard is for a management team, and a set of balanced scorecards is for an organisation” the mechanism of exception reporting between layers should escalate those issues about risks that need to be raised upwards to manage the operational detail in addition to the strategic intent.
It is about identifying, exploring and discussing risks
Its about what gets discussed in use. This is about discussing the ongoing and emerging risks that have been identified, monitored and are being mitigated, as the strategy is being implemented and the operation is being managed.
This puts the question, “Are we considering the risks and are we managing them appropriately?” or something similar, firmly in the agenda of the operational and strategic review meetings. It is in the meeting agendas I give my clients
Overall conclusion about balanced scorecards and risks, and risk management
So I think we need to be clear:
- What sort of risks we are addressing and which others we may not address directly.
- How the way that the strategy map and balanced scorecard were designed includes of excludes risks and whether it is dealing with their identification, monitoring or mitigation (or another part of the management of risks).
- The balanced scorecard should not get in the way (and should support) the normal management of risk that a management team are/should be thinking about and acting upon in their review meetings.
I hope this helps (Sorry for long answer, but I was thinking about it too long) ;-)