Integrating Risk Into Your Balanced Scorecard Prepared for: StratexSystems Webinar Series 27 September October 2012

Page  2 Content  Recapping on the Balanced Scorecard  Recapping on Risk Management  Integrating Risk into your Balanced Scorecard  Use of Business Drivers to define levels of Appetite & Exposure  Use of Risk taxonomy to identify Risks per Objective

Page  3 The Balanced Scorecard was introduced in 1992 “What you measure is what you get” Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements.

Page  4 The Balanced Scorecard was followed by the Strategy Map in 2000 Strategy Map is a powerful tool for visualising Strategy, showing the cause & effect relationships and tensions within the strategy.

Page  5 Over the last 20 years, the Balanced Scorecard has continued to evolve… Raison d'être for Balanced Scorecard was to provide a ‘balanced’ set of performance measurements. “What you measure is what you get” - Kaplan & Norton, 1992 Performance Measurement With adoption, the Balanced Scorecard evolved to become more focused on strategy. Introduced the 5 principles 1.Translate the Strategy into operational terms 2.Mobilise change through executive leadership 3.Make Strategy a continual process 4.Make Strategy everyone’s everyday job 5.Align the organisation to the Strategy Performance Management The Balanced Scorecard is now positioned as a framework for enhancing strategic execution. A closed loop system of strategic execution 1.Develop the Strategy 2.Plan the Strategy 3.Align the organisation 4.Plan operations 5.Monitor and Learn 6.Test and Adapt the Strategy Strategy Execution

Page  6 The credit crunch and subsequent fall-out is rewriting the rules on strategy execution (and risk management)

Page  7 Kaplan & Norton on Risk and the Balanced Scorecard HBR June 2012  Three categories of Risk  Preventable Risks  Strategy Risks  External Risks Managing Risk is very different from managing Strategy

Page  8 Kaplan & Norton on Risk and the Balanced Scorecard - What we think…  The 3 categories are just a relatively simple risk taxonomy  Managing Risk is not different to, but a fundamental part of, managing strategy From the father of BSC, no direction on how to integrate Risk in the BSC.

Page  9 So what do we mean when we say “Risk”? The possibility that an event will occur and adversely affect the achievement of objectives. COSO Integrated Risk Management Framework the effect of uncertainty on objectives, whether positive or negative. ISO31000 The uncertainty of future events that will impact on the achievement of objectives, either positively (opportunities) or negatively (threats). Andrew Smart The uncertainty of future events, incorporating both lost opportunities as well as threats materialising, which will impact our ability to achieve business objectives. Client No organisation can create value without taking risk. “ You have to speculate to accumulate”

Page  10 What is Risk Management As much about exploiting opportunities as preventing potential problems. Risk Management is an essential part of good management “coordinated activities to direct and control and organization with regard to risk” risk management framework; “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization” risk management process; “systematic application of management policies, procedures and practices to the tasks of communication, consultation, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk” ISO31000

Page  11 There are two major risk management standards which have influenced our thinking… COSO 1994 & 2004 ISO The Risk Standard 2002 AS/NZS BS

Page  12 Over the last 20 or so years Strategy & Risk Management frameworks have evolved largely in isolation Balanced Scorecard 1992 ISO COSO Internal Controls Framework 1994 Strategy Maps 2000

Page  13 So to the question…. How to integrate Risk into the Balanced Scorecard? 1.Use Business Drivers to define levels of risk appetite and risk-taking  Links risk management in the strategic process  Shapes the conversation about risk  Enables the monitoring of the alignment of risk-taking to strategy  Enables us to answer the question: Are we operating within Appetite? 2.Use your Risk taxonomy to enable the Risk Identification process per objective

Page  14 Risk Appetite has a central role to play in the integration of strategy and risk management  The COSO definition provides ‘What, Who, When and Why’ of risk appetite  What: the amount and type of risk  Who: an organisational entity  When: over a defined time horizon  Why: to achieve the objectives of the entity Risk appetite is the amount and type of risk that is acceptable to be taken by an organisational entity over a defined time period, to achieve the objectives of that entity – COSO Enterprise Risk Management Risk appetite sets the boundaries within which strategy is executed – StratexSystems Risk appetite sets the boundaries within which strategy is executed – StratexSystems

Page  15 Risk Appetite should be integrated into your organisational strategic framework Business Goals Business Model Business Drivers Internal AnalysisExternal Analysis Business Objectives Strategy Appetite Appetite Alignment Risk Management Performance Management Appetite Identify strengths & weaknesses Identify threats & opportunities Is our business model fit for purpose? Are we operating within appetite? Manage threats & opportunities Are we on-track to deliver? Manage strengths & weaknesses Appetite Setting Execution Formulation Setting  From high-level strategies to specific business objectives  Define specific business objectives and appetite for specific entity’s  Allocation of scarce resources by entity, risk category, product lines Setting  From high-level strategies to specific business objectives  Define specific business objectives and appetite for specific entity’s  Allocation of scarce resources by entity, risk category, product lines Execution  Are we on-track to achieve our business objectives  Are we operating within appetite (are we taking too much, or not enough risk?)  Do we have the right level of controls in place to meet internal and external compliance drivers?  Are we aligning our change agenda to our strategic agenda? Execution  Are we on-track to achieve our business objectives  Are we operating within appetite (are we taking too much, or not enough risk?)  Do we have the right level of controls in place to meet internal and external compliance drivers?  Are we aligning our change agenda to our strategic agenda? Formulation  Development of high-level strategies and allocation of scarce resources, including capital  Given our business context, what is our appetite for risk?  Given our appetite, have we got the right business model?  Are we comfortable with the assumptions we have made? Formulation  Development of high-level strategies and allocation of scarce resources, including capital  Given our business context, what is our appetite for risk?  Given our appetite, have we got the right business model?  Are we comfortable with the assumptions we have made?

Page  16 Risk Appetite is the ‘glue’ that brings together Strategy & Risk Performance Management Risk Management Strategy Management Appetite What are we trying to achieve? Are we on track? What is our Risk Appetite? Are we operating within appetite? Governance & Communications Culture

Page  17 We use ‘key’ Drivers to define levels of risk appetite and shape the conversation around risk (and strategy) Business drivers Capital Income Reputation Shareholder value Share price Economic value add Profit Strategy Align Risk-taking to Strategy Manage Risk Manage Performance Appetite Governance Communication Culture

Page  18 Using drivers to frame appetite setting enables the Board to set clear operating boundaries Business Drivers Low Moderate High Extreme Capacity Limit Income X% X% X% X% Capital Up to X £M X £M to Y £M X £M to Y £M X £M to Y £M Above X £M Reputation Up to X vol. Bad coverage

Page  19 Appetite Alignment Matrix is a key tool for monitoring the alignment of Risk-taking to Strategy  Enabling monitoring of risks which are outside of Appetite  Shows where we are taking to much and not enough risk  Changes the risk conversation  Answers the question: Are we operating with in Appetite?

Page  20 So to the question…. How to integrate Risk into the Balanced Scorecard? 1.Use Business Drivers to define levels of risk appetite and risk-taking  Links risk management in the strategic process  Shapes the conversation about risk  Enables the monitoring of the alignment of risk-taking to strategy  Enables us to answer the question: Are we operating within Appetite? 2.Use your Risk taxonomy to enable the Risk Identification process per objective

Page  21 Common categorisation of risk Strategic Risk uncertainty related to strategic choices Execution Risk uncertainty related to execution of the chosen strategy Operational Risk uncertainty related to processes, people, technology, change etc Credit Risk uncertainty related to a counterparty's ability to meet their obligations Market Credit uncertainty related to the market value of a portfolio Risk uncertainty of future events that will impact on the achievement of objectives

Page  22 The Strategy Map articulates how an organisation creates value Financial Customer Internal Process Learning & Growth Increase Investment Returns by 25% Sustainable Growth Increase Retention of competent staff by 10% Increase Shareholder value ObjectiveKPIsInitiativesTargets Increase Investment Returns by 25% YTD % Increase in investment returns 25%  Implement new portfolio mgt system Objective Statement of what strategy must achieve and what’s critical to its success KPIs How success in achieving the strategy will be measured and tracked Targets The level of performance or rate of improvement needed Initiatives Key action programs required to achieve Priorities

Page  23 However, to create value, risk-taking must be aligned to strategy… Financial Customer Internal Process Learning & Growth Increase Investment Returns by 25% Sustainable Growth Increase Retention of competent staff by 10% Increase Shareholder value ObjectiveAppetiteAlignmentExposure Increase Investment Returns by 25% Objective Statement of what strategy must achieve and what’s critical to its success Appetite How much risk are we willing to run to achieve the objective? Exposure How much risk are we currently running? Alignment Is our current risk-taking aligned to appetite? ModerateHighOver-exposed

Page  24 Effective risk management supports value creation and protection... Financial Customer Internal Process Learning & Growth Increase Investment Returns by 25% Sustainable Growth Increase Retention of competent staff by 10% Increase Shareholder value ObjectiveRisksMitigationThresholds Increase Investment Returns by 25%  Unexpected changes in interest rates  Unexpected Equity movements  Appetite  Tolerances  Controls  Initiatives  Policy & procedures  Processes Objective Statement of what strategy must achieve and what’s critical to its success Risks The threats and opportunities (risks) exist which may impact achievement of objectives Thresholds The appetite and tolerance thresholds used to monitor risk Mitigation The activities undertaken to manage risk

Page  25 Many different types of risks make up the organisational risk universe Financial Customer Internal Process Learning & Growth Increase Investment Returns by 25% Sustainable Growth Increase Retention of competent staff by 10% Increase Shareholder value Increase Investment Returns by 25% Strategic Risk Operational Risk Insurance Risk Finance Risk Hazard Risk

Page  26 Many different types of risks make up the organisational risk universe Financial Customer Internal Process Learning & Growth Increase Investment Returns by 25% Sustainable Growth Increase Retention of competent staff by 10% Increase Shareholder value Increase Investment Returns by 25% Strategic Risk Operational Risk Insurance Risk Finance Risk Hazard Risk Unexpected changes in interest rates Unexpected Equity movements

Page  27 Risk categorises can be used to support risk identification and integration of risk in the Balanced Scorecard Increase Investment Returns by 25% Insurance Risk Underwriting Risk Operational Risk Strategic Risk Hazard Risk Financial Risk Business Risk Reputation Risk Process Risk Market Risk Credit Risk Liquidity Risk People Risk System Risk External Events Legal Risk Claims Mgt Risk Reinsurance Risk Product Risk Premium Risk Civil disruption Health & Safety Accidents Natural

Page  28 How do we define a risk? The risk of (what, where, when)….. caused by (how) ……resulting in..…(impact/consequences) Examples  The risk of financial deficit at end of year caused by decreased in-patient activity and revenue, resulting in rationalisation of service offerings.  The risk of exceeding A&E waiting times, caused by increased demand and staff vacancies, resulting in not meeting community expectations and adverse patient outcomes

Page  29 Where do we define Risks? Objectives Key Risks Key Controls

Page  30 The Objectives, Risks and Controls structure is central to Stratex solutions 30 Objectives KPIsActions Key Risks KRIsActionsAssessmentKey Controls KCIsActionsAssessment Events Certification Risk Appetite ProcessesInitiativesSystems People & Roles Assets Operational enablers are aligned to strategy Governance Commentary Workflows Audit Trails Build a strategy focused, risk aware culture

Page  31 So to the question…. How to integrate Risk into the Balanced Scorecard? 1.Use Business Drivers to define levels of risk appetite and risk-taking  Links risk management in the strategic process  Shapes the conversation about risk  Enables the monitoring of the alignment of risk-taking to strategy  Enables us to answer the question: Are we operating within Appetite? 2.Use your Risk taxonomy to enable the Risk Identification process per objective

Page  32 Q&A

Page  33 About StratexSystems “StratexPoint enabled us to reduce the value of our operational losses by 94%, the volume by 63% and our economic capital provision by 23%” - Head of Operational Risk, HML - Skipton group “StratexPoint enabled us to reduce the value of our operational losses by 94%, the volume by 63% and our economic capital provision by 23%” - Head of Operational Risk, HML - Skipton group Our mission To provide an integrated strategy and risk management solutions which enhances strategy execution, enhance capital efficiency by 15% and reduce operational losses 25% while providing 100% confidence that your business is operating within appetite.

Page  34 Post credit crunch, Financial Services clients face challenges beyond traditional ‘Risk Management’ Lack of an integrated, enterprise-wide solution Too many spreadsheets Systems reinforce silo processes Compliance focused risk tools Intensive and intrusive FSA oversight Board and Senior Management pressure Political pressure to reform and do things differently Basel 3, Solvency 2, S166 Confidence in our approach Proven partners Low Risk Keep us out of the newspaper Cost effective Confidence in our approach Proven partners Low Risk Keep us out of the newspaper Cost effective Deliver strategy Reduce capital provision Reduce operational losses Reduce / eliminate fines Enable the right culture Deliver strategy Reduce capital provision Reduce operational losses Reduce / eliminate fines Enable the right culture “Operate within Appetite”

Page  35 Examples of where our solution has added real and tangible business value 60% 23% 182 Op losses HML seen a 60% reduction in operational losses within 18 months Regulatory capital HML also seen a 23% reduction in regulatory capital Initiatives Consolidated global portfolio of major initiatives to enable single view of status & risk

Page  36 Demonstration

Page  37 Free trial of StratexLive Stratex Bootcamp  30 day free use of StratexLive  Regular ‘coaching’ session online  Load your own data  Add your own users  START NOW