With the Risk-Based Performance Management methodology there are three ‘scorecards’ which we use to visualise strategy and risk management data and inform the management conversation and decision-making. The three scorecards are:
- Performance Scorecard
- Risk Scorecard
- Control Scorecard
Each of the Scorecards has a similar structure but different content. The basic structure of the scorecards shows the main item, the accountability for the item and related indicators. This means that for the Performance Scorecard we would present the Organisation's (or Business Unit's) Objectives, the Accountable person for each Objective, Appetite Alignment status, Aggregated Objective Score (based on the underlying KPIs), Key Performance Indicators (KPIs), and KPI score.
The Performance Scorecard is designed to enable a management team to focus on the performance of the Organisation, with each of the Accountable people speaking to their Objectives. Typically, the Performance Scorecard is used in conjunction with the Strategy Map, providing an additional level of detail.
An example of a Performance Scorecard from StratexSystems.
The Risk Scorecard would include the Organisation's Key Risks, the Accountable person for each Risk, Appetite Alignment status, Aggregated Risk Score (based on underlying KRIs), Key Risk Assessment data, Current Risk Exposure (in currency value), Key Risk Indicators (KRIs) and KRI score. The Risk Scorecard is designed to enable a management team to focus on the organisation’s risk profile. It enables the management team to review the Risk Appetite Alignment: are we operating within appetite or are we outside? It provides risk assessment data and exposure values alongside KRI status data, so current risk taking can be discussed, as can any emerging trends shown by the indicators. It also highlights any mixed messages that might be coming from the risk assessment results and the indicator data. Naturally, they should be giving the same message, but often, particularly in less mature risk management environments, they differ, which can highlight the need for further work to embed the process and develop the knowledge, skills and culture. Again, each of the Accountable people should be in the room and around the table to speak to, and lead the discussion around, their risks.
An example of a Risk Scorecard from StratexSystems.
The Control Scorecard would include the Organisation's Key Controls, the Accountable person for each Control, Aggregated Control Score (based on the underlying KCIs), Key Control Assessment data, Key Control Indicator data and KCI score. Like the previous two scorecards, the Control Scorecard brings focus to, and informs, the management conversation and decision-making, in this case around the controls environment and effectiveness within the organisation. Again, each Accountable person should lead the discussion about their controls.
An example of a Control Scorecard from StratexSystems.
Each of the three scorecards above has an important role in informing the management conversation and decision-making around strategy execution and risk management. Individually, they ‘speak’ to and align each of the three lines of defence. The Performance Scorecard would be the primary tool for the First line, the Risk Scorecard would be the primary tool for the Second line and the Control Scorecard would be the primary tool for the Third line. However, each of the three lines is going to draw information and insights from each of the Scorecards, and they will help reduce the silos that can be so problematic between the lines.
A key benefit of the Risk-Based Performance Management methodology is that it provides an overarching framework to bring together and align the organisation so that the strategy is delivered, sustainably and within appetite.