PWC Risk Performance

8/8/2019 PWC Risk Performance

1/32

Seizing opportunityLinking risk and performance

Thought Leadership Institute


2/32


3/32

July 2009

Table of contents

The heart of the matter 2

Global business volatility seems more extreme than ever.How will your company manage the risks and rewards ofdoing business in unprecedented times?

The time to link risk and corporate performance management is now 3

An in-depth discussion

Uncovering the connections between risk andperformance reveals a fuller view of your companysstrategy and operations.

Business as usual is a riskier proposition 5

Siloed approaches to risk management create dangerous blind spots for business 6

Closer alignment of risk and performance management has become a

business imperative 8

An integrated approach to risk and performance management leads to

smarter risk taking 12Moving toward an integrated approach to risk and performance management 15

What this means for your business 16

Build the foundation for a more stable future:Start with a deeper assessment of risk and rewardacross your organization.

Start at strategy setting 18Doing more with less: Honing your arsenal of business metrics 20

Transforming disparate data into meaningful information 23

Creating accountability and incentives for integrating risk and

performance management 26

A call to action


4/32

2

The heart of the matter

Global business volatilityseems more extreme

than ever. How willyour company managethe risks and rewardsof doing business inunprecedented times?


5/32

3PricewaterhouseCoopers

The time to link risk and corporate performance management is now

The origins of the financial crisis will be debated for some time, but the fallout exposedone clear shortcoming: inadequate risk assessment practices. Too many companies took

on excessive risk with too little regard for reasonable, realistic long-term performanceexpectations. The debacle is focusing minds on more robust approaches to risk management,

with a new imperative to keep pace with financial innovation, performance incentives, andbusiness goals. Reforms will stretch risk management across the organization and involvesystematically linking risk and corporate performance management, leading to an informed

view of reward.

Extreme volatility, even financial crisis, isnt new to US business. Companies that keep theirproverbial eyes on the ballon improving performance, both financially and operationally

will emerge from these trying times better positioned to take advantage of opportunities.

However, conducting business as usual is in itself a risky proposition. Compliance-driven

approaches to managing risk no longer suffice in an increasingly volatile, interconnectedbusiness environment. Approaches to risk management need to provide business leaders

and their boards of directors with an integrated view of risk and performance that defineshow rapidly emerging events will impact operations, quality, and, ultimately, shareholder value.

Recent research shows that many companies fail to connect risk and performance in thecourse of basic performance management. Just 37 percent of nearly a hundred seniorexecutives at US-based multinationals surveyed by PricewaterhouseCoopers in 2008 saidtheir companies link key risk indicators to corporate performance indicators.

External stakeholders are already motivating companies to take a fresh approach to aligning

their risk appetites and performance objectives in a smarter, more systematic way. Companydirectors, credit rating agencies, and institutional investors alike are scrutinizing the risk-

reward relationship and formalizing their own linkages between risk and performance, creatingnew expectations and market demands for businesses. A further inducement is being craftedby the Obama Administration, which has telegraphed its clear intent to more closely tether

compensation in financial services to long-term performance, through either regulatory orlegislative action. The bonus culture has been a hallmark of Wall Street, but its not entirely

unique to the big banks. The reforms to compensation and incentives that emerge on WallStreet will likely have an influence on the wider American business community.

There is no handbook for integrating risk and performance management, but it should beunderstood at the start that this is not merely a defensive response to greater uncertainty in

the business environment and, for some, to pending regulation. Companies are recognizingthat the same drivers of increased volatilitycapital mobility, rapid innovation, and the

development of new business modelsalso offer opportunities that they must exploit toincrease revenue, improve shareholder value, and satisfy evolving customer demands. With

an integrated, principled approach to managing risk and business performance, companiescan seize with greater confidence the opportunities that an interconnected economy presents.

The process of connecting risk and reward starts at strategy setting. When company leaders

understand the greatest sources of value creation and destruction across their organizations,when they assign clear accountability for risk management and performance management,and when they systematically quantify the rewards associated with the risks, they change the

decision-making game for their managers.


6/32

4

An in-depth discussion

Uncovering theconnections between

risk and performancereveals a fuller view ofyour companys strategyand operations.


7/32

5PricewaterhouseCoopers

Business as usual is a riskier proposition

According to the 2008 World Economic Forum Global Risks report, while the financialconditions of the past decade allowed for an exceptional period of economic growth and

stability worldwide, the interconnected global business environment also presents newsources of increased volatility, including systemic financial risk, skyrocketing food prices,

rapidly extending supply chains, and a looming energy crisis.1

From Wall Street to Main Street, and now around the world, the effects of that systemic

financial risk are being harshly realized. Still, financial shocks arent new: A recentPricewaterhouseCoopers analysis revealed that the international mobility of capital has, over

the last two centuries, repeatedly produced financial crises by freeing large amounts of capitalto swell local markets. In todays networked world, such bubbles inflate faster than ever.2

Whether or not one subscribes to the argument that current levels of economic volatility arecyclical, one thing is certain: the pace of change and business innovation over the last decade

has been unprecedented. And it has dramatically increased the frequencyand scaleofeconomic disruptions.

Put into historical perspective, just one financial crisis affected the US in all of the

18th century (perhaps unsurprisingly, as the US was in its infancy), and five financial panics

occurred in the US over the next hundred years. In the course of the 20th century, the USsaw 11 major economic disruptions, and in just the first decade of the new millennium,the US has experienced two financial crises.3

In times of economic instability, the natural tendency among business leaders is oftento batten down the hatches, shy from increased risk, and ride out the storm. In fact,

some 80 percent of 101 senior executives at US-based multinationals surveyed byPricewaterhouseCoopers in 2009 said theyre likely to be more cautious about spending

and investing over the next 12 to 18 months.4 However, the ability to take smart, strategic,frequently large risks is becoming increasingly important not just to business growth butalso to sustainability and continuous operational improvement.

Berkshire Hathaway CEO Warren Buffetts insights on taking risk in volatile times offer a case

in point. In 2007, Buffett expressed uncertainty about the road ahead for his companys coreinsurance businesses but seemed confident in the organizations ability to effectively manage

risk and performance. In a letter to shareholders, he said the investment vehicle hadnt lostits taste for risk, yet added: We remain prepared to lose $6 billion in a single event, if wehave been paid appropriately for assuming that risk. We are not willing, though, to take on

even very small exposures at prices that dont reflect our evaluation of loss probabilities.Appropriate prices dont guarantee profits in any given year, but inappropriate prices most

certainly guarantee eventual losses.5

In many regards, increased risk is a cost of market entry. Take the case of home furnishingsretailer IKEA, which, out of necessity, maintains a fundamental acceptance of, and appetitefor, the increased risks associated with supporting a global operating model.

1. World Economic Forum, Global Risks 2008: A Global Risk Network Report (January 2008).2. PricewaterhouseCoopers,American Perspectives (October 2008).3. Ibid.4. PricewaterhouseCoopers,2009: Q1 Management Barometer(2009).5. Warren Buffett, Berkshire Hathaway Annual Report 2006 (February 2007).


8/32

6 Seizing opportunity: Linking risk and performance

The company sources its products from1,600 suppliers in 55 countries. Managingthe operational and reputational risks

associated with maintaining such a diversesupply chain could well become a minefield,

but IKEA could not produce its expansiveportfolio of offerings without those 1,600

global suppliers.

To maintain quality, safety, environmental,

forestry, and social standards, the companyhas developed a responsible supply chain

program, which features formal processesto ensure that all their suppliers produce

goods and services in accordance withinternationally recognized conventions

and standards. External auditors regularlymonitor both primary suppliers and largesub-suppliers. While taking on the risk

of sourcing internationally, IKEA smartlymanages that risk by implementing and

closely monitoring operating standardson a global level in order to maintain

corporate performance.

IKEA, however, likely represents more

the exception than the rule. As recentevents have shown, todays corporate risk

management practices have not always

proved up to the task of balancing increasedrisk appetites with the need to maintain bothfinancial and operational stability throughrapid change.

Siloed approaches to risk managementcreate dangerous blind spots forbusiness

Risk is, by definition, forward-looking. It isa measure of probabilityof either loss

or gaindepending on the circumstances

surrounding a given events occurrence.And that probabilityof value destructionor creationdirectly impacts a companys

performance objectives. In fact, studiesof large-cap companies have found that

nearly 60 percent of the time, failureto assess and respond to strategic or

business risks is behind rapid declines inshareholder value.6 Nonetheless, manybusiness leaders continue to view risk

and compliance as two sides of the samecoin, reflecting a common, organizational

focus on managing risk to prevent known,historical business failures rather than to

anticipate likely (or seemingly unlikely)game-changing events.

Compliance with regulatory and reportingrules is a non-negotiable feature of doing

business, but a risk management strategyfocused myopically on prevention is, by

nature, backward-looking and fails toaccount for the likelihood of change or

the possibility of growth. A holistic riskmanagement program, on the other hand,encompasses the tools and processes

used to identify, assess, and quantifybusiness threats and the measures taken

to prioritize, monitor, control, and mitigatethose threats.

In the wake of the high-profile lapses ofthe 1990s that led to increased regulatory

pressures, intensified shareholder activism,and a barrage of compliance requirements,

many companies began to view risk almost

exclusively as a threat to be mitigated.Without a doubt, increased regulatorycomplexityboth in the US and abroadand the layers of compliance processes

and controls associated with managing ithave forced organizations to shoulder new

burdens in terms of cost and productivity.But beyond the costs, a compliance-only

approach to risk management can have thedangerous side effect of distracting from the

principles that belie the requirements aroundthe need to balance risk and reward in awell-reasoned, transparent way.

According to a senior risk management

executive at one multinational energycompany, performance-focused risk

management can enable both complianceand business strategy. We found that if wemanage and design according to risk, we

6. PricewaterhouseCoopers,2008State of the Internal Audit Profession Study(2008).


9/32

An in-depth discussion 7PricewaterhouseCoopers

usually exceed any government requirementsthat anybody can lay on us, just becauserisk is such a logical way to do it. We know

the risk associated with a certain thicknessof pipe on a platform leg. We know the risk

associated with a certain type of valve ora certain type of pump in a refinery. And

we are going to design to a level higherthan most government expectations, hesaid, adding that the primary drivers of his

companys risk management programs aresafety and finance. We are more interested

in protecting an $8 billion book-value refinerythan any government is. Weve got a lot of

hide invested in those assets, and we wantnothing to go wrong.

Focusing too narrowly on regulatorycompliancean important but discrete

element of business riskcan result insilos of risk and performance information

that often hamper an organizations ability

to monitor critical risk interdependencies.Ironically, the same organizational structuresthat arose to manage compliance have now,at many companies, become insufficient for

addressing increasingly complex and oftenoverlapping global regulatory demands.

Consider, for example, a global

pharmaceutical company that mustcomply with federal financial reportingrequirements and drug safety standards;

international trade and labor regulation;and global intellectual property

management provisions. Each category ofcompliance is rife with risk that permeates

every level of the organizationfromproduct lines to functional business units,

geographies, and the enterprise as awhole. But the knowledge about thesehighly interdependent risks resides in

information silos designed to simplifyand facilitate reporting and compliance.

Leadership is unable to get an integrated

view of the key connection points atwhich new risksand new opportunities

for business growth and operationalimprovementmight arise.

Without an integrated view of risk and

performance across the whole business,companies are doomed to repeat the failuresof the recent pastfrom high-profile supply

chain disruptions to extreme financialbreakdownsin which they took on

excessive risk without a fully informedview of reward.

Leading companies are already deploying

fresh, integrated approaches that shed lighton the path forward.

One global automotive manufacturer, for

instance, was experiencing significantlosses due to a key risk in its supply chain:supplier bankruptcies. In addition to the

direct costs of those failures, the companyfaced the indirect costs derived from thepoor product quality, unreliable supply, and

management distraction that resulted fromthe disruptions. The companys goals in

addressing the challenges were twofold:to enhance predictability across its supply

chain operations and to lower the costsof managing supplier risk. Only by takingan integrated view of interconnected,

global risks and their impacts on bothoperational and financial performance

would the company be able to achievethese very clear objectives. By analyzing its

suppliers business environments, identifyingleading risk indicators, and conductingrisk-adjusted evaluations of its suppliers

We found that if we manage and design according to risk, we usually exceed any governmentrequirements that anybody can lay on us, just because risk is such a logical way to do it.


10/32


pricing proposals, the automaker is now ablenot only to make more informed supplierselection decisions but also to quickly

identify troubled suppliers and take earlycorrective action.7

Looking at risk interdependencies across

the supply chain can undoubtedly yieldperformance improvements. Taking thatintegrated view to the next level and

considering risk and performance intandem, across a whole organization,

can further improve performance andreduce operating costs.

A British oil company, for example, had set

up various operating units as independentprofit centers, each hedging currency riskindependently. When senior managers

looked at foreign exchange transactions

across the business, they realized they

were creating unnecessarily expensivehedges that could be avoided. By viewingrisk across the company rather than insilos of risk and reporting information,

management was able to reduce coststhat accrued to the bottom line. Risk is

really a potential cost on capital, saysNeil Doherty, chairman of the Insurance

and Risk Management Department atthe Wharton School. So you can thinkof managing risk as really the other side

of the coin from managing capital.Doherty contends that a sophisticated

and comprehensive approach to riskmanagement (such as the one taken at

the British oil company), by which riskis viewed as an integral part of financial

management, can increase a companysvalue 3 to 5 percent.8

Closer alignment of risk andperformance management hasbecome a business imperative

The market is recognizing, now more thanever, the natural linkages between risk

and corporate performance, motivatingcompanies to integrate the management

of both in a more focused way.

According to a PricewaterhouseCoopersanalysis of 52 North American, European,and Japanese financial institutions, the

market tends to assign a higher price-to-book multiple to firms with more effective,

sophisticated risk management programs,

as measured by earnings volatility, capitaladequacy, and capital optimization(see Figure 1). These organizations

integrated risk and return at granular levelsacross the business; continually analyzed

the risk-reward relationship on new initiativesfrom inception; balanced qualitative and

quantitative views of risk in managementdecision making with statistical metrics,

stress testing, and business judgment; andemployed metrics that rigorously accountedfor market, liquidity, and operational risks but

that were flexible enough to reflect changingmarket conditions.

The linkages between risk and performance

management have historically been mademost apparent among financial servicescompanies, but they certainly extend

to other industries. In any industry, acomprehensive risk profile, aligned with

key financial metrics, can allow seniormanagement to compare the impact of

risk management activities on the marketvaluation of the business.

More than half of 101 senior executives surveyed by PricewaterhouseCoopers believe thecapital markets reward companies with a strong track record for risk management.

7. PricewaterhouseCoopers, From Vulnerable to Valuable: How Integrity can Transform a Supply Chain (November 2008).

8. Wharton School, Leveraging Risk Management,Knowledge@Wharton (March 1, 2006).


11/32


Credit rating agencies, under scrutinythemselves for their risk assessment

practices in light of the mortgage-backedsecurities market implosion, are now taking

up the charge of formalizing the linkage

between risk and performance. Since2005, the agencies have incorporated riskmanagement evaluations into ratings forfinancial services institutions, but for most

other companies across industries, thelinkages between risk management and

corporate performance remained implicit.A leading exception to that rule was

Canadian utility Hydro One, whichafter afive-year implementation of rigorous, holistic

risk management practicesreceived afavorable credit rating by both Moodys andStandard & Poors, resulting in a lower cost

of capital.9

That economic connection is poised to bemore clearly spelled out across the businessworld. Standard & Poors, in its central task

of determining creditworthiness, has begun

to take the enterprise risk management(ERM) analysis used for financial services

into sectors like industrial products, retailand consumer, technology, automotive, and

entertainment and media. The ERM analysis

will take into account an organizations riskmanagement culture and governance, riskcontrols, emerging-risk preparation, andstrategic management. Based on these

components, a company will receive oneof four ratings: weak, adequate, strong,

or excellent. As a result, a companys riskmanagement practices will be more formally

tied to its cost of capital.

If the experience of the insurance sectorover the past few years is an indicator, thisnew approach could result in credit-rating

changes for some companies, potentiallyimpacting their shareholder value and cost

of capitaleven their very access to capital.Capital may begin to dry up for those

companies with poor or inadequate riskmanagement practices relative to their peers.

Figure 1: The market values good risk management

Source: PricewaterhouseCoopers analysis, based on Bloomberg data, 2007

Risk management score

1.00.9

1.5

2.0

2.5

3.0

3.3

5 10 15 20 25 30 35 40 45 50

Price-to-book ratio (P/B)

1st QuartileAvg. P/B = 2.6

2nd QuartileAvg. P/B = 1.7

3rd QuartileAvg. P/B = 1.5

4th QuartileAvg. P/B = 1.3

Better Worse

9. Tom Aabo, John Fraser, and Betty Simkins, The Rise and Evolution of the Chief Risk Officer,Journal of Applied CorporateFinance (Summer 2005).


12/32

Projects title


13/32

Aligned with key financialmetrics, a comprehensiverisk profile allows senior

management to assess theimpact of risk managementactivities on the marketvaluation of the business.


14/32


Other stakeholders are homing in on thelinkages between risk and performance,driving management to provide more

transparency on both at an operational level.In fact, more than half of 101 senior executives

surveyed by PricewaterhouseCoopersbelieve the capital markets reward

companies with a strong track record forrisk management.10 Institutional investorsare already using comprehensive analyses

of risk, operations, and performance toassess a companys investment potential.

The California State Teachers RetirementSystem, the second-largest public pension

fund in the US with assets of $158 billion,has, for example, identified 20 risk factors

ranging from monetary transparency andcorporate governance to workers rightsand environmental complianceaffecting

its evaluation of current and potentialinvestments.11 Boards of directors

stakeholders in many ways allied withinstitutional investor motivationsare likely

to follow suit in seeking a more holisticview of risk and long-term performance,as well as of the corresponding data against

which to assess and monitor investment andstrategic decisions.

An integrated approach to risk andperformance management leads tosmarter risk taking

A principles-based approach to riskmanagement integrates risk with

performance across the entire organizationto help companies eliminate redundancies,

reduce costs, clarify roles, and designateaccountabilities. By its nature, such anapproach further leads to an understanding

across the organization not only of risk

appetitethe amount of risk an organizationis willing to accept in pursuit of valuebutalso of risk tolerance: the level of variation

an organization is willing to accept relative tothe achievement of a specific objective.

Companies are awakening to the meritsof assessing the risk-reward relationshipby more closely aligning risk and

performance management. But the gapbetween awareness and action remains

to be closed.

According to a PricewaterhouseCoopersManagement Barometer survey of 96

senior executives in 2008 at US-basedmultinational companies, just 37 percent ofrespondents said their companies linked key

risk indicators (KRIs) with key performanceindicators (KPIs). Of those companies,

roughly two-thirds said their organizationslinked key risk indicators to the management

of earnings volatility, capital optimization,and capital adequacy; and just over half saidtheir companies employed risk-adjusted

performance metrics to set businessobjectives and monitor progress

against them.12

Yet 45 percent of survey respondentssaid their organizations do not link riskand performance indicators at all, and

15 percent were uncertain whether theircompanies do so.

At its core, an integrated approach tomanaging risk and performance involvesassessing growth opportunities, evaluatingand quantifying a companys financial

appetite and tolerance for risk, andimproving operational effectiveness.

Corporate performance managementcomprises the processes and systems that

link employees and operations to corporatestrategy and business goals as well asthe metrics used to evaluate success.

An integrated approach to managing riskand performance is about using the right

information to achieve a meaningful viewof risk across a business and to more

accurately anticipate the associated impacton corporate performance. And its aboutlayering that information into strategy setting

and decision making.

10. PricewaterhouseCoopers,2009: Q1 Management Barometer(2009).

11. California State Teachers Retirement System, www.calstrs.com.



15/32


Take the example of a US fixed-satellitetelecommunications provider. Faced withfierce industry competition, rapid technology

innovation, and an economic downturnthats forced many customers to tighten

their purse strings, the company is underpressure to improve both operational and

financial performance in order to retainexisting customers, win new business, andmeet shareholder expectations. Managing

global satellite risksfrom a shortageof domestic engineering talent to trade

barriers, political risk, and excess supply oftelecommunications capacity (all of which

present associated market opportunities)is key to the companys success in achieving

its performance objectives.

By integrating risk and performance

metrics at the enterprise and businessunit levels, business leaders can better

assess the risk-reward proposition of

these business challenges and theirassociated opportunities, and more deftly

manage volatility. With a comprehensive

view of how the linkages between risk andperformance play out across the business,

leadership can make better decisionsregarding how to deploy resources to

protect, maintain, and create value.

For example, each business unit mightmap the probability of change, in a givenmagnitude, across key risk indicators for

customer satisfaction, process efficiency,and competition, against the potential

impacts on earnings volatility (see Figure 2).

Such an integrated view can helpmanagement decide how resourcessuchas capital and talentshould be allocated

to minimize volatility while achieving theorganizations objectives. Perhaps most

important, aligning risk and performance

Figure 2: Sample of potential linkages between risk and performance

Processefficiency

Saleseffectiveness

Competition

Externalfactors

Key risk indicators KRIs

Customer

Probability of 1%change in KRIs

1,000

100

10

1

0

0% 25% 50% 75% 100%

Impact of 1%change in KRIson EBITDA($ millions)

The probability of a1% change in eight

key risk indicatorsis mapped againstthe potential impactof that change onearnings (EBITDA).


16/32


information in such a way can help businessunit leaders forge a common view of thedivisions risk tolerance and appetite,

which is critical to the companys ability tomanage its risk portfolio and overall business

performance.

This kind of comprehensive, portfolioview of investment opportunities and theirsensitivities to specific strategic, financial,

and operational risks empowers businessesto explore the risk-reward relationship in a

realistic, informed way and make investmentdecisions that are in line with reasonable

performance expectations.

Consider the example of one global financialservices company that operates across theMiddle East and North and sub-Saharan

Africa. This company ranks the risk level inevery country in which it does business on

a scale of 1 to 10 (1 being least risky and10 being most risky). Those ratings reflect

a combination of economic, political, andmarket risk in the sector and in the region,relying on externally available qualitative

datato which the company assignsquantitative ratingsas well as internally

developed quantitative evaluations. Based

on the countrys risk rating, the companydetermines capital allocation.

According to the organizations vice

president of country and counterparty risk,A certain return-on-capital threshold has to

be met. We do business in jurisdictions thatare graded a 7 or 8, which inherently have a

lot of political and economic risk. But wenevertheless do business there and areprofitable. By setting the bar for

performance and measuring an opportunityagainst it in the context of the risks

surrounding it, the company can moreconfidently proceed into less traditional,

riskier territory.

An integrated risk and performancemanagement process can help

companies:

More accurately quantify risk appetite

and tolerance in the context of businessstrategy.

Systematically identify potential risks

across the business portfolio andmitigate (or exploit) their impacts onfinancial and operational performance.

Explicitly assess specific risks when

creating and evaluating performancegoals of new projects or investments

at the business unit level and in thecontext of the companys overall businessportfolio.

Channel company resourcesfinancial

and operationalto initiatives where therisk-reward proposition is clearly defined and

better meets basic conditions for success.

Better align the financial incentives forrisk taking with potential outcomes.

Moving toward an integrated approachto risk and performance management

Integrating risk and performance managementfor financial and operational improvement

may seem like common business sense. Butas research bears out, its easier said than

done. The barriers to systematically linking riskand performance measures are real for many

companies, but not insurmountable.

An overwhelming majority71 percent

of the senior executives surveyed by

PricewaterhouseCoopers ManagementBarometer said the biggest challengetheir organizations face in linking risk

and performance indicators is that the


17/32


information resides in too many placesacross their companies.13 FurtherPricewaterhouseCoopers research found that

just 35 percent of more than 200 financialservices institutions surveyed agreed that

their organizations maintained one set ofintegrated systems for financial and risk

reporting.14 As management teams know,fragmented information is difficultif not impossibleto act on.

Accountability is often also an obstacle:

43 percent of respondents toPricewaterhouseCoopers Management

Barometer survey noted that their companiesdid not have a single executive who was

accountable for systematically linking riskand performance. Further, 40 percent of

respondents to that poll also noted that thebusiness case for linking risk and performance

management remained unclear; the benefits

of taking such an approach werent readilyapparent at their companies.

Information is at the heart of many of

the challenges that companies facein integrating risk and performance

management into strategic planning,forecasting, and even compensation

decisions. Without an integrated visionof risk and performancebased on real,accessible information and an accountability

structure that supports itthe risk-rewardrelationship, and the incentives supporting

it, can easily remain misaligned.

Having accurate, timely, company-widerisk and performance information at the

ready for deeper analysis enables senior

management to evaluate how risk playsout across a businesss operations and

impacts financial performance in both theshort and long terms. But the pressure

to deliver on those near horizons drivesmany business strategies today and poses

another significant challenge to taking alonger view of risk and reward. Accordingto 85 percent of respondents to a 2009

PricewaterhouseCoopers survey of 101senior executives at US-based multinationals,

the focus on short-term risk was amongthe factors that contributed to the current

financial crisis.15

According to the finance director at onemultinational home appliance maker, the

urge to maintain or improve short-term

share price performance often eclipsesthe principles driving a longer view ofrisk and reward: If you are looking atmaking a major acquisition, managing risk

is obviously important. But if executiveleadership is worried about what the market

is going to say about this move in the nextfew weeks or the next quarter, then it could

get derailed.

If the current financial crisis is any indicator,

it is clear that a narrow focus on the nextquarter can easily sabotage the principles

of solid risk and performance management,especially when the two are viewed as

discrete functions within an organization.

According to a 2009 PricewaterhouseCoopers survey of US-based multinationals, thefocus on short-term risk was among the factors contributing to the current financial crisis.

13. PricewaterhouseCoopers,2008:Q2 Management Barometer(2008).

14. PricewaterhouseCoopers, Leveraging Compliance: Standardization and Simplification of Risk Adjusted Performance Reporting (2006).



18/32

16

Build the foundation for amore stable future: Start

with a deeper assessmentof risk and reward acrossyour organization.

What this means for your business


19/32

17PricewaterhouseCoopersPricewaterhouseCoopers

Leading an organization to think aboutand act onrisk and performance in an integrated

way will face its roadblocks. But by focusing first on a few key areas for integration andimprovement, companies can make great strides toward implementing a fresh approach that

meets the challenges of an interconnected world.

There is no step-by-step handbook for designing a risk-based performance management

program. But the underlying principles and the questions business leaders must ask of theirorganizations before setting out are universal. Business leaders should consider the following:

What are the greatest sources of value creationand destructionacross my business?

Where or when has my company most clearly failed to realize or deliver value to keystakeholders? Where have we been most successful?

Where does accountability for risk and performance management currently reside within

my organization? Does that accountability structure facilitate the integration of businessinformation around potentially risky opportunities?

How does my organization currently measure the potential impacts of riskand quantifythe associated reward? Do we do that in a systematic way, on a continuous basis?

Where is such risk and performance information currently housed in my company?Does it reside at the business unit or functional level, and if so, is it readily accessiblefor consideration at the corporate level?

Is my companys information structure facilitating the natural connections between risk,operational improvement, and business performance or prohibiting those connections from

being made?

What events has the market rewarded in the past? What events have they punished?Is the markets perception of my companys risk profile consistent with my own view of it?

Are the incentives for taking a principles-based, integrated approach to managing risk and

performance aligned at every level of my organization? Does leadership promote a culture of

risk-based performance management?


20/32


21/32

What this means for your business 19PricewaterhouseCoopers

Company leadership recognized that these

performance objectives and operating goalswould not be achieved without consideringthe impacts of the risks surrounding them.

Hydro One implemented an ongoing,three-phase risk management program

starting from a collaboratively developed,company-wide risk profile accounting for

specific sources, levels, and likelihoodsof risk; moving into individual discussionsabout the companys risk profile with the top

30 or 40 executives; and ultimately drivingtoward risk-based investment appraisal

and planning sessions, at which the riskmanagement and investment planning teams

would jointly develop a risk-based approachto allocating company resources.

In one instance, the company recognizedthe ostensibly conflicting operational

and financial interests it held in helping

consumers reduce their energy consumption.Dramatically increased demand on thecompanys aging assets, however, posed asignificant risk to many of Hydro Ones core

business objectives: customer satisfaction,distribution reliability, and operating

efficiency. Acting on this alignment of riskand performance information, Hydro One

launched an energy conservation initiativethat made it the first electricity company in

the world to provide customers with freePowerCost Monitors. The companys2006 pilot study showed that real-time

electricity monitors helped customers reduceelectricity consumption by up to 15 percent,

thereby alleviating some of the burden onHydro Ones assets and helping it achieve

both corporate and residential customersatisfaction ratings above 80 percent.17

Figure 3: Sample of potential linkages between risk and performance

High

Med

Low

Decreasing Stable Increasing

Risklevel

Risk momentum

Business and strategic risksRisk factors affecting the ability of eachbusiness unit to meet earnings targets;typically managed at the business unitlevel

Operational risksRisk factors involved in operationalfailures and resulting in potential loss;typically managed by central corporatesupport

Financial risksRisks resulting from volatility inunderlying market factors and arisingfrom uncertainty around the ability ofcounterparties, suppliers, or customersto meet financial obligations

Business strategy

External factors

Commodity price

Process efficiency

IT systems

Suppliers

Technology & innovation

Regulatory

People

Environmental

Interest rates

Equity

Foreign exchange

Pension risk

Receivables

Counterparty

Customer

Competition

Reputation

Legal

Fraud

17. Anette Mikes, Enterprise Risk Management at Hydro One, Harvard Business Publishing, July 3, 2008.


22/32


Hydro Ones integrated risk and performancemanagement program clearly illustratesan approach that links potential risks to a

companys long-term business strategy tothe very real results of near-term operational

execution, creating a continuous feedbackcycle between planning and performance.

Such a cycle (see Figure 4) necessarilybegins with a clear articulation of business

objectives, derived from the overarchingcompany strategy. Once a leadership team

has identified the risks that directly threatenor serve business objectives, it can assess

and quantify their potential performanceimpacts (financial and operational) in

order to make risk-informed decisionsabout investment opportunities, resourceallocation, and management accountability.

With risk-informed performance measures

in place and accountability aligned to reflectan integrated, cross-functional approach

to risk and performance management,company leadership can continually monitorexisting and emerging risks, and identify

areas for both financial and operationalperformance improvement.

Doing more with less: Honing yourarsenal of business metrics

When it comes to measuring the links

between strategy and execution, less mayactually be more. A few essential, risk-

informed performance indicators, tiedto the processes that offer the greatest

opportunities for value creation or valuedestruction, will serve a leadership teambetter than a cumbersome laundry list of

metrics will. This sharpened arsenal of risk-

based performance indicatorsoperationaland financialcan become an early warningsystem for likely threats, a means of

realistically linking risk and reward basedon the organizations risk appetite, and a

tool for identifying areas for improvement.

Among the financial measures mentionedearlier (earnings volatility, capitaloptimization, and capital adequacy), a

few additional metrics are involved instrategy setting and decision making. The

following two questionsand the measuresassociated with their answersmight feature

prominently in an integrated approach to riskand performance management.

What have I reallygot to lose?All toooften, companies assess the anticipated

rewards of a risky transaction withoutevaluatingand actually quantifyingjust

how much they are willing to lose if anopportunity sours. Often referred to as value

at risk, the answer to this basic but difficultquestion represents the amount a companyis willing to lose, over a given amount of

time, if an initiative fails. Assessing thismetric, and understanding if and how it can

change, enables leadership to realisticallyassess downside risksand exit or close

down an initiative if circumstances warrant.

How much shock can my balance sheet

endure? Surprising as it may sound, manycompanies dont have a firm handle on

how much money would be required for

the business to survive in the event a riskyopportunity turns into a worst-case scenario.Referred to as economic capital in the financial

services sector, this is a key metric fordecision making around any potentially riskybusiness initiative. Unfortunately, according to

PricewaterhouseCoopers survey of more than200 financial institutions, few respondents

believed that this strategic measurementconcept was well understood outside the

risk function: Only 9 percent of respondentsbelieved their board of directors was veryknowledgeable about economic capital,

while 22 percent considered their board notknowledgeable at all. As such, respondents

agreed that downside risk was not beingextensively used in measuring business unit

performance and was used even less indetermining compensation.18 But as market,

18. PricewaterhouseCoopers, Leveraging Compliance: Standardization and Simplification of Risk Adjusted Performance Reporting (2006).


23/32


Figure 4: Integrating risk and performance management

Managementinformation& businessintelligence

Riskprofile

Riskassessment

Integratedaccountability& information

structures

Risk-informedperformance

indicators

Identify risks to businessobjectives across key risk

categories, developing acompany-wide risk profile

Using risk profile, assesslikelihood and potentialimpact of identified risksto establish risk tolerancelevels across organization

Using risk-informedperformance indicators,monitor progress andemerging risks to businessobjectives to identify areasfor performance improvement

Based on risk assessment,

align resources andaccountability structure withinitiatives that fall withincompany risk tolerance

Execute on strategy,identifying key risk-informed performanceindicators to gauge financialand operational progress

Determine key business objectives based oncompany strategy, establishing risk appetiteacross the organization

identifym

onito

r

imp

l

emen

t

align

asse

ss


24/32


25/32


subcontracting to a metal fabricator, an A&Dcompany might consider timely delivery acore risk to business objectives and mightwork with the subcontractor to assess itscurrent and proposed levels of resourceallocations to anticipate or mitigate anyrisks to the delivery timeline. Whatever theresponse, companies can continually monitortheir key risk indicators, aware that operatingconditionsand the required responsesare in constant flux.21

In establishing an integrated view of riskand performance, every company willdevelop its own tailored tool kit of risk-informed performance indicators. Butwhatever metrics a company determinesto be most informative and actionable, thedata underlying those measures must beconsistent across the whole business foran integrated approach to risk andperformance to stick.

Transforming disparate datainto meaningful information

Moving toward an integrated view ofbusiness risk and performance doesntnecessarily require an IT overhaul. For many

companies, the information required to linkup risk and performance data, and layer itinto strategic planning and decision making,already exists. But its often buried in datasilos and systems across business andfunctional units that never sync up. In fact,almost 80 percent of 101 senior executivesat US-based multinationals surveyedby PricewaterhouseCoopers in 2009 sayquality and timeliness of information areamong the top challenges for improvingrisk management in the next two to threeyears.22 However, when the information is

consistentand accessibleacross theorganization, leadership has access towell-integrated insights into target areasthat represent risks to, and opportunitiesfor, operational improvement.

For example, one multinational food andbeverage company faced the challenge ofproviding meaningful information to its boardabout the frequency and significance ofbusiness conduct incidents. Data about suchincidents resided in systems tied to customerand employee hotlines, employee surveys,certification processes, and ad hoc reporting.With a team of PricewaterhouseCoopersdata management specialists, the companywas able to standardize its incidentmanagement and reporting processesto provide the board of directors withsynthesized, meaningful enterprise-wideinformation that could also be broken downby division, location, and incident type,offering insight into the current situation and

forward-looking trends. With this incrementalbut important step toward improved datamanagement, the company was able toidentify key risk areas in its operationsandto facilitate better decision making aboutfuture investments in ethics and compliance.

While companies may maintain troves ofdata in various operating systems, thatdata does not always constitute meaningfulinformation. It is the ability to transformdata, wherever it resides, into actionablemanagement information that facilitates

the integration of risk and performancemanagement.

Japanese pharmaceutical company Takeda,for example, integrates internal informationwith external data obtained from a third-party service provider. Because everyone[in the pharmaceutical industry] has thisinformation, the competitive advantagederives from the measures you take out andhow quickly you react to the information outthere, says Axel Mau, chief financial officer(CFO) for Takedas German subsidiary.

Armed with this type of market-orientedinformation, Takeda can drill down intoperformance issues. For example, if thecompany hears that a competitor is planningto launch a product in a particular region,Takeda will crunch numbers in real time inthe new system and right away, the sales

21. PricewaterhouseCoopers, How to Fortify Your Supply Chain through Collaborative Risk Management (January 2009).



26/32


27/32

In an increasinglyinterconnected world,a more collaborative

accountability structuremay help companiesbetter manage riskalongside performance.


28/32


force can put efforts in that region to hold themarket share or increase it. If you haveto wait a month before we have an analysis

as we sometimes have had to in the pastthen its rather difficult.23

Creating accountability and incentivesfor integrating risk and performancemanagement

When it comes to managing risk andperformance, companies appear to besplit in their approach to oversight. While51 percent of the executives surveyed byPricewaterhouseCoopers 2008 ManagementBarometer said that one person (mostfrequently the CFO) or group is responsiblefor both risk management and performancemanagement, 49 percent reported thatoversight resides with a combination ofexecutives.24

In some sectors, such as financial servicesand energy, chief risk officers are mostoften accountable for risk management andmitigation. But in many other industries,accountability for risk typically falls to theCFO, with input from the chief operatingofficer. A centralized, top-down approach

to risk may work for some companies,but as recent events have shown, a morecollaborative, integrated accountabil itystructure that provides appropriateincentives at every level of the organizationmay be better suited to managing riskalongside performance in an increasinglyinterconnected business world.

At one major multinational energy company,for example, accountability for managing bothrisk and performance is shared by managers(who are close to project execution) and

company leadership (who maintain oversightof the risks to the companys full portfolio ofinitiatives). The project manager or businessunit manager is responsible for evaluating theoperational risks to execution and near-termbusiness performancesuch as volatility in

the pricing of materials and contracts, andrisks to labor and productivity. However,the companys response to macro risks, suchas labor strikes, natural disasters, or politicalinstabilityand their associated performanceimpactsis considered outside the projectmanagers or business unit managers scopeand resides with a leadership team at ahigher level in the organization.

Fostering the right behaviors aroundsmart, performance-driven risk taking atthe operating level of a company is alsocritical to the success of an integrated riskand performance management strategy.

At Westinghouse Electric, a subsidiary ofToshiba that builds and maintains nuclear

power plants, the companys nuclearengineers had not been conditioned totake business risksin fact, quite thecontrary. But as it started facing pressureto grow through new business ventures,new markets, and new technologies,Westinghouse leadership decided to alignincentives around smart, performance-basedrisk taking.

Freeing up a core group of senior managersto pursue new business ideas andinnovations, the company teamed them

with efficiency experts who focused thepotentially risky propositions with metricsthat rigorously accounted for a projectsupsideand downsidepotential. From theground up, all managers are now evaluatedon criteria aligned with Westinghouses riskand performance management strategy, suchas the number of customer calls and salesproposals they make. To date, the programhas helped Westinghouse move into two newgrowth areas.25

Of course, from the C-suite to the factory

floor, incenting the behavior that createsa culture of risk-based performance

management often requires the teeth ofcompensation to drive accountability.

23. PricewaterhouseCoopers, Management Information and Performance: CFOs Face New Demands for High-Quality DataThat Drives Decisions (June 2007).


25. Brian Hindo, Rewiring Westinghouse,BusinessWeek(May 19, 2008).


29/32


30/32


Revising incentive strategies to align riskand performance requires considerableorganizational change, and many companieswill find it a difficult road to travel. In fact,according to PricewaterhouseCooperssurvey of more than 200 financial institutions,a minority of responding companies29percentsaid that the KPIs on which seniormanagement are graded, and the incentiveschemes derived from them, were basedon risk-adjusted performance.30 Even in theaftermath of the financial crisis, less thanhalf of 101 senior executives respondingto PricewaterhouseCoopers ManagementBarometer survey in early 2009 consideredaligning compensation with prudent risktaking a top priority.31

Ensuring the alignment of risk, performance,and compensation is no easy task. Wall Streetbanks, where the pressure is most acute totie compensation to long-term performance,are resisting pay curbs, fearing a drain of toptalent to less-regulated industries. Harkingback to Warren Buffetts 2006 letter toBerkshire Hathaway shareholders, the self-proclaimed Typhoid Mary of compensationcommittees presciently argued that truecompensation reform could happen onlyif the worlds largest institutional investorsdemanded a fresh look at the whole system.

At Berkshire Hathaway, however, Buffettclaims to keep incentive structures simpleand fair, to ensure that executives arecompensated for their performance andincented to take the smartest businessrisks possible.

When we use incentivesand these can belargethey are always tied to the operatingresults for which a given CEO has authority.We issue no lottery tickets that carry payoffsunrelated to business performance, wroteBuffett. If a CEO bats .300, he gets paid for

being a .300 hitter, even if circumstancesoutside of his control cause Berkshireto perform poorly. And if he bats .150,he doesnt get a payoff just because thesuccesses of others have enabled Berkshireto prosper mightily.32

A call to action

The effects of misaligned risk and

performance management strategies arenow reverberating throughout the financialservices sector, across industries, andaround the world. While the effort to addressthe systemic risk permeating the financialmarkets will require global collaborationamong public- and private-sectorstakeholders, companies can tackle changefrom the inside out by taking smarter risksto improve that which is squarely in theircontrol: operational performance. Integratingrisk and performance management foroperational improvement (and, ultimately,improved financial performance and

shareholder value) not only makessense; it also is a business imperative.

The benefits of taking such an integratedapproach, founded on the principles ofsolid risk and performance management,are difficult to quantify in places, but thecosts of hesitating are daunting. A recentPricewaterhouseCoopers analysis of600 companies affected by supply chaindisruptions caused by convergent riskfactors found that, following the disruptions,average shareholder value at these

companies plummeted, their stock pricesexperienced greater volatility, and theysuffered sharp declines in return on salesand return on assets relative to their industrypeers. More intimidating even, the effectsof the disruptions on the companies stockprices were still apparent at least one yearafter the disruptions were announced.

The time to consider a fresh approach tomanaging risk and performance across anorganization is now. The world is watching.Consumers, investors, and regulators are alllooking to businesses for the kind of change

that will help restore confidence in the globalmarkets. And, as weve discussed here, thatchange can start with a few relatively simplesteps toward a systematic, more effectivelinking of risk with reward in every businessdecision.

30. PricewaterhouseCoopers, Effective Capital Management: Economic Capital as Industry Standard? (2005).


32. Warren Buffett, Berkshire Hathaway Annual Report 2006 (February 2007).


31/32


32/32

30% total recycled fiber

This publication is printed on Finch Premium Blend Recycled.It is a Sustainable Forestry Initiative (SFI) certified stock using30% post-consumer waste (PCW) fiber and manufacturedin a way that supports the long-term health and sustainabilityof our forests.

www.pwc.com/us/managing risk

To have a deeper discussion about how this subjectmay affect your business, please contact:

Joe AtkinsonUS Advisory Risk Leader215.704.0372

[email protected]

Gary ApanaschikUS Advisory Corporate PerformanceManagement [email protected]

Dave PittmanUS Advisory Operations [email protected]

Documents

PWC Risk Performance