The Bottom Line

Award-winning Risk (and Performance) Management

The Open Compliance and Ethics Group (OCEG) presented its GRC Achievement Awards to six leading companies last week.   Among the winners was Carnival Corporation, which was highlighted in Eric Krell's case study Inside Carnival Corp: A GRC Case Study last year for Business Finance Magazine.  Carnival's approach is worth considering because they have clearly integrated governance, risk and compliance (GRC) into their overall performance management framework.   Like the company I referred to in my blog post, How Well Do You Manage Your Risk?, Carnival has applied GRC management at every applicable level within the organization, essentially making risk "everyone's job."  There are a lot of similarities between leading companies' approaches to performance management and GRC management.  Let's take a look at how Carnival tackled the problem.

Carnival is a highly decentralized company whose individual cruise line businesses operate with a great deal of autonomy. They adopted a holistic approach to GRC management across all of these businesses so that best practices and results can be shared among them. Along the way they identified some key enablers for their GRC objectives that will sound very familiar:

  • Executive and board support for a proactive (internal) audit function - this program went beyond just reviewing financial controls by focusing on operational controls and ways to facilitate business improvements
  • A process approach to managing the business - they analyzed their companies in terms of their business processes and, using the COSO risk classification framework, identified the risks associated with each process, which allowed them to better evaluate the financial reporting, operational and compliance risks of each one
  • A process approach to Sarbanes-Oxley compliance - they used their process classification model to link processes, risks and financial accounts, identifying which financial reporting risks existed within the company and what controls existed to mitigate them
  • Strategic risk questions from the board - the board pushed the company to consider its exposure to external and strategic risks, which in turn led them to examine the business processes associated with those risks; ultimately, this led them to implement an enterprise risk management (ERM) system

This same operational and process focus is also a key enabler of successful corporate performance management (CPM).

Carnival's approach is not unlike the approach I wrote about in one of my white papers, Sarbanes-Oxley Act Compliance: Reconciling Transactional Data with Financial Reports.  At the time I wrote it the SEC had not yet adopted its compliance rules and, while the SEC has yet to extend the compliance requirements into the broader area of effectiveness and operational efficiency (as recommended by the COSO framework), Carnival's success as well as that of many of our customers shows that this is an approach worth considering.  I identified three key ways profitability modeling and optimization (PMO) solutions can benefit Sarbanes-Oxley compliance:

  • Documentation - the process-based approach for PMO is one of the key enablers identified by Carnival's award winning implementation of GRC
  • Internal Controls - the 3-way validation process that's a key part of any leading PMO implementation acts as a natural monitoring system for the effectiveness of internal controls and can help eliminate exposure to compliance risks
  • Material event analysis - I show how a business activity monitoring solution can be extended to perform automated material event analysis using the KPIs already monitored

In addition, a customer pro forma analysis process and external/strategic scenario modeling (see How Well Do You Manage Your Risk?) are other examples of how a PMO solution might benefit ERM.

I'm not the only one to make this connection. In his recent article The Future: Enterprise risk-based performance management, Gary Cokins elaborates on how companies can use many of the same principles of performance management to systematically manage their risks, using operational risk as a key lever to link their risk exposure to their risk appetite through a series of key risk indicators (KRIs). Robert Kaplan also highlights the need to use predictive analysis to model the potential impact of key operational and strategic risks as part of the strategy execution system in his recent article, Risk Management and the Strategy Execution System.

Like GRC, performance management needs to be everyone's job. Both share a common enabler: a process-based approach. Successful companies implement powerful measurement systems that link their processes to their results so that they can manage them more effectively. Proactive companies extend these capabilities with predictive modeling so that they can better manage even the most unthinkable situations that might occur. Volatility is the new normal. How well are you equipped to adapt and flourish? Spreadsheets are probably not the answer.
