For those of you who are new to the acronym, let’s begin by introducing Risk & Performance Management or “RPM”. RPM is the fusion of both risk and performance management as a single management process.
In my opinion, RPM is the natural next step for Enterprise Risk Management (or ERM). RPM will probably resonate more quickly with Management than ERM ever did. It aligns more with management’s immediate concerns and needed support for decision-making; and it uses terms that speak their language. At the end of the day, we are still talking about risk management for the enterprise. However, as new innovation emerges the enterprise risk management discipline must adapt with it.
So, how do RPM and ERM relate and/or differ? Here are some of my observations and perspectives. By no means is this a complete list or even the final authority on the matter, but hopefully, this list will help you gain a better understanding of what may be happening with this latest evolutionary cycle. (For the purposes of this column, I will refer to ERM standards in the context of the COSO ERM Framework and ISO 31000.)
- Performance vs. Risk Knowledge – Current ERM standards are basically designed to help you better identify, assess and respond to risk (better manage risk). Although the approaches may differ, they are all structured to ascertain, report and document the “knowledge” gained through their application. In effect, “risk knowledge” could be viewed as the driving purpose of these programs, and the view is: increased risk knowledge leads to better risk management and control. This perspective is well outlined in ISO 31000. As practitioners advance the application of these standards, they naturally progress to the next logical step, which is: improved risk management leads to improved performance. RPM begins where ERM left off, irrefutably linking risk to company performance. Therefore, RPM makes company “performance” the driving purpose of program design, not necessarily “risk knowledge”.
- Satellite view vs. enterprise-wide view – Take a look at COSO’s ERM Framework. The scope for ERM as expressed by this standard is found directly in the definition of ERM itself – to be applied in “strategy setting and across the enterprise”; basically everywhere. It is in this perspective that the need for “risk registries” and complete documentation is born. It is also why ERM is often viewed as a labor- and resource-intensive exercise. I like to simplify the concept this way. If I want to know the size of a piece of property, I have two choices: 1) I can go onsite and survey the land at ground level; or 2) I can acquire an aerial photograph taken from an orbiting satellite and measure it in the comfort of my office. Both will get the same result, but the aerial photo method will save me a whole lot of time and money. Similarly, ERM surveys risk using the onsite method; RPM does it off of a photograph taken from a satellite. RPM takes an aggregate view of risk in your company, not to count every risk, but to isolate features in your risk profile that can be affected to create value.
- Effectiveness vs. Thoroughness – Once the differences in purpose and vantage point are understood, it is obvious that RPM is an evolutionary change in ERM. Where ERM is committed to a thorough record of risk and the knowledge of the responses (controls) in place, RPM seeks to find where risk management effectiveness may be breaking down and to ascertain how well the ERM processes are contributing to company performance. RPM does not make the creation of a complete record of risk a priority; leveraging risk knowledge to drive performance is the priority.
- Dollar-terms vs. Scaling – Since ERM is committed to thoroughness, it is important to identify and assess risk in a uniform fashion “across the enterprise”. Therefore, scaled assessment methods are preferred, such as the “stoplight” method, to assure this uniformity. RPM doesn’t concern itself with uniformity as much as bottom-line results. Consequently, quantification in dollar terms becomes important and applied whenever possible.
- Shared core process – Although, in my opinion, RPM is making all of the right steps to legitimately advance ERM to the strategic decision-making levels of the company, it still relies on the same proven core processes found in popular ERM standards. The main difference, in a nutshell, is “perspective”. Perspective changes the application of these processes, not the processes themselves.
In closing, when you see the acronym RPM or the phrase risk and performance management emerging more and more, don’t be alarmed. ERM is advancing and evolving rapidly every day on exciting new innovations, such as my firm’s patented ARQ™ risk accounting and performance measure. Embrace it, ride the wave. It might just be a “game changer”.
About the author: Gary Bierc is the founder and CEO of rPM3 Solutions, LLC, and the inventor of its patented ARQ™ risk accounting and performance measure. Gary is a respected innovator and published thought leader in the enterprise risk management space for over 14 years.
Copyright © 2011, rPM3 Solutions, LLC. All rights reserved.