Академический Документы
Профессиональный Документы
Культура Документы
Leading risk indicators provide insight to factors that may negatively impact success and complement leading performance indicators to provide a more complete picture supporting the attainment of desired business outcomes.
Key Findings
Companies that use leading indicators outperform their competitors in terms of return on equity and return on assets. Leading risk indicators (LRIs) measure factors the business can control and manage. Risk-adjusted leading performance indicators (LPIs) accommodate both value creation and factors that can negatively impact value creation.
Recommendations
When developing metrics, remember that less is more. Limit the number of metrics to five to nine at any single managerial level. Use the LRI catalog to create organization-specific metrics that can be mapped into LPIs.
Table of Contents
Analysis.................................................................................................................................................. 2 Introduction...................................................................................................................................... 2 Risk-Adjusted Value Management.................................................................................................... 3 The Business Risk Model Overview.................................................................................................. 3 Target Audience and Positioning...................................................................................................... 6 Guiding Principles for LRI Development............................................................................................ 6 Risk-Adjusted Leading Performance Indicators.................................................................................7 Advanced Metrics.............................................................................................................................8
Applying the Business Risk Model.................................................................................................... 8 Leading Risk Indicators Catalog....................................................................................................... 9 Recommended Reading.......................................................................................................................12
List of Figures
Figure 1. Business Risk Model Outcomes...............................................................................................4 Figure 2. The Gartner Business Risk Model............................................................................................ 5 Figure 3. Simple Principles for LRI and LPI Development........................................................................ 7 Figure 4. Full LRI Example: Marketing Failure Index.............................................................................. 10 Figure 5. Full LRI Example: IT Production Availability Loss Index........................................................... 11 Figure 6. Full LRI Example: Poor Online Sentiment Index...................................................................... 12
Analysis
This is an executive summary of the Gartner Business Value Model. It includes the full text of "The Gartner Business Risk Model: A Framework for Integrating Risk and Performance," but only select examples of the leading risk indicator catalog. For a full version of the catalog, see "The Gartner Business Risk Model: A Framework for Integrating Risk and Performance" and "Toolkit: The Gartner Business Risk Model."
Introduction
Good risk management influences business decisions. Executive management teams struggle to make effective use of risk management because they fail to understand the relationship between business processes and the risks. Instead, they focus time and resources on operational data, which is not directly associated with the achievement of desired business outcomes. This disconnect results in wasted risk management efforts that deliver no value and perpetuates the idea that risk management is a waste of time. The Business Risk Model is designed to address this disconnect. Leading indicators extend the value of lagging indicators and provide a mechanism for gaining competitive advantage. LRIs provide insight to factors that may negatively impact success and complement leading performance indicators to provide a more complete picture supporting the attainment of desired business outcomes. Clearly, risk management efforts benefit from business context, but it is also true that business decision making benefits from risk context. This concept is the foundation of Risk-Adjusted Value Management (RVM), a methodology designed to address an even broader disconnect between strategy setting and strategy execution (see "Using Risk-Adjusted Value Management to Close the Strategy Gap and Gain Competitive Advantage"). RVM is a top-level methodology that integrates
Page 2 of 16
the Gartner Business Value Model with the Gartner Business Risk Model to produce a small, but critical, list of risk-adjusted leading indicators of business performance.
How they affect the chosen business strategy How to work collaboratively to effectively execute that strategy
Integrates measurable risk with performance management Can be implemented top-down, bottom-up or anywhere along the value chain Can be fully implemented in four to six weeks
The key components of RVM are the Business Value Model, the Business Risk Model and the financial sensitivity calculations. The Business Value Model is used to select the LPIs, which measure opportunities for the enterprise (see "The Gartner Business Value Model: A Framework for Measuring Business Performance"). The Business Risk Model is used to select LRIs, which measure threats to the enterprise. LRIs are used to adjust LPIs: LPI LRI = risk-adjusted performance indicators. The financial sensitivity calculations are used to monetize changes in risk-adjusted performance indicators. These calculations tie the indicators back to the income statement or balance sheet (see "Toolkit: Monetizing the Outcomes in the Business Value Model").
Page 3 of 16
the various risks. The scope of the Gartner Business Risk Model covers all the controllable activities performed within an organization by three broad categories:
Demand Management. All the actionable activities involved with generating demand for the products and services offered by the organization. Supply Management. All the actionable activities directly involved with supplying the products and services offered by the organization. Support Services. All other actionable activities involved with supporting the organization. These services operate within organizations by providing services to internal clients. They operate on business principles and provide internal services at a cost and quality that are acceptable to their clients when assessed against alternatives.
Each high-level business aspect comprises three business outcomes; for example, in Figure 1, Demand Management is made up of Market Responsiveness, Sales Effectiveness and Product Development Effectiveness.
Figure 1. Business Risk Model Outcomes
Product Development Effectiveness
Demand Management
Market Responsiveness
Sales Effectiveness
Supply Management
Customer Responsiveness
Supplier Effectiveness
Operational Efficiency
Supply Chain
Support Services
Each business outcome has a defined set of risk categories, and within each category, there are suggested LRI metrics and alternative measures that can be considered. The Business Risk Model is applicable to all industries. A high-level overview of the Business Risk Model is presented in Figure 2.
Page 4 of 16
Business Aspect
Outcomes
Market Responsiveness Marketing Customer Loss Aging Products Service Agreement Privacy Sourcing Manufacturing Sustainability Low-Cost Country Sourcing Delivery Human Resources Responsiveness Information Technology Responsiveness Finance and Regulatory Responsiveness Workforce (IT) Availability (IT) Information Security Network Security Ethics Internal Audit (Financial) Transparency Sales Loss R&D Customer Care Returns Supply Chain Planning Facilities Management Risk Management Natural Disaster Capacity Utilization Skills Inventory Internal Audit (IT) Application Security Server Security Environment Health and Safety Legal
Demand Management
Supply Management
Operational Efficiency
Equipment Failure Environmental Compliance Training Applications Data Security IT Investment Insurance Records Management
Single Sourcing Fire Identity and Access Management Change Management Desktop Security
Supply Chain
Support Services
Liquidity Compliance
E-Discovery Policy
Page 5 of 16
Leading indicators Each of these metrics is intended to be a leading indicator impacting a business performance metric. Trailing indicators, such as financial loss or impact, are not appropriate for this methodology. Sources These measures and risk categories are derived from Gartner research spanning every aspect of IT and the business operations that IT influences, which, in effect, is every aspect of business operation. Dozens of Gartner subject matter experts, as well as the experiences of hundreds of our clients, are used to identify and develop entries. Factors within your control The risk categories and LRI metrics are intended to address factors within your control. Risks such as natural disasters are not represented because you do not control the occurrence of hurricanes, but you do control your readiness to handle them if they do happen. Therefore, while natural disasters are not represented, business continuity is represented. Simple metrics For simplicity and consistency, the great majority of the metrics are defined as simple measures, normalized as percentages that reflect more risk as they increase. Conversely, LPIs should be defined as simple measures, normalized as percentages that reflect improved performance as they increase. This relationship simplifies the ability to create riskadjusted LPIs (see Figure 3). More advanced metrics are described below.
Page 6 of 16
LPI
LRI
Good
Bad
Bad Maximized
Source: Gartner (March 2013)
Good Minimized
Page 7 of 16
metric. The adjustment factor can be added to the simple construct above to bound the amount of risk adjustment. Risk-adjusted LPI = LPI - (adjustment factor x LRI) Using this simple calculation, if the LPI and LRI are percentages, then this adjustment factor will create an upper bound for how much the LPI can be discounted by the LRI. Risk adjustment factors are typically negotiated between the risk management leaders and business unit executives to represent just how much risk is represented by the LRI. This process is more fully explained in "Improve Business Decision Making With Risk-Adjusted Value Management: Creating Risk-Adjusted Key Performance Indicators." A practical example of this methodology is presented in "Achieve Desired Business Outcomes Through Risk Management: A Practical Example of Risk-Adjusted Value Management."
Advanced Metrics
Most of the LRI metrics in the catalog have been specifically designed to be simple percentages, but the real world may not be so straightforward. We recommend organizations keep implementations as simple as possible, but there may be cause to use more sophisticated metrics. The goal of this exercise remains to influence business decision makers who are not subject matter experts. If an implementation gets too complicated, then you will lose them. The following are suggested variations on more advanced metrics that may be baked into business reporting:
Trending. These are metrics where the actual value provides little insight, but a trend up or down may be very important. For example, the aftermarket satisfaction index may only be interesting if it shows a continued downward trend. Composites. Many times, a single metric does not tell a story, but a collection of metrics can be combined to provide desired insight. For example, information security may be a rollup of metrics from different aspects, including network security, data security and privacy. Program maturity. Another way to address circumstances where a single metric is not sufficient is to measure the maturity of an entire program as a proxy for the level of risk. For example, the maturity of the business continuity management program can be used as a leading indicator of readiness to address natural disasters.
Develop a risk dashboard for the board of directors Develop a small set of high-value, risk-based metrics Separate strategically relevant metrics from operational metrics Link strategy to execution
Page 8 of 16
Link risk to desired business outcomes Improve the relevance of risk and security-related activities Align risk and security-related activities to business processes
Risk Category: The broad area of risk that may have multiple LRI metrics. Business Outcome: The mapping of the category into the Business Value Model. Risk Description and Impact: A description of the risk category, the expected benefits of effectively managing this risk and the possible impacts if it is not appropriately managed. LRI Description: A description of the LRI metric. LRI Metric: The LRI metric calculation. LRI Example: A fictitious calculation example using the LRI metric. Risk-Adjusted LPI Example: A fictitious example mapping the LRI metric into a LPI from the Business Value Model. Alternative Metrics: The intent of the model is to provide a reference and starting point for organizations to create their own metrics. The alternative metrics section provides suggestions for other metrics aligned with the risk category that may be more applicable to the implementing organization.
This executive summary of the catalog does not present all the detail available in the full catalog. Figures 4, 5, and 6 present examples of full entries with all the detail in the catalog. The full catalog is available in "Toolkit: The Gartner Business Risk Model." See Note 1 for a full list of the entries in the catalog.
Page 9 of 16
Risk Description
Marketing establishes the image of an enterprise. It sets the expectation for prospects, customers or constituents regarding how the enterprise can address their needs. If done poorly, marketing can inhibit or even prohibit the enterprise from meeting its mission.
Risk Impact
Poor marketing can set unachievable expectations among enterprise prospects, customers or constituents. It can also exacerbate unexpected problems by not effectively communicating what the enterprise is doing to address the problems. The effects of poor marketing can be long lasting and devastating to an enterprise.
LRI Description
The Marketing Failure Index reflects the inability to communicate desired enterprise attributes. Using surveys or focus group sessions, organizations can test how many of the primary desired attributes are identified by their customers and prospects. Marketing Failure Index = the number of desired attributes that fail to be identified by constituents* / the number of desired attributes being communicated * Using surveys or focus group sessions. XYZ Company has been communicating five key attributes about the enterprise to the marketplace. Using a statistically significant sample size, XYZ Company analyzed the results of a recent survey in which prospects, customers or constituents identified only three of those attributes when asked about the company. Marketing Failure Index = 2 / 5 = 0.40 = 40% The XYZ Company board of directors recognizes a causal relationship between failed marketing and market share. XYZ Company has a market share of 30%, and it has chosen an adjustment factor of 20%. With a Marketing Failure Index of 40%: Risk-Adjusted Market Share = 0.30 - (0.2 x 0.4) = 0.22 or 22% Market sentiment analysis
LRI Metric
LRI Example
Page 10 of 16
Risk Description
IT availability is the time that IT is delivering service through applications, databases, desktops, control systems and more to every business process dependent on IT services.
Risk Impact
IT failure impacts every business process dependent on IT services. In many businesses, without manual processes to compensate for IT failure, it means that dependent business processes must stop until service is restored.
The IT Production Availability Loss Index is a measure of lost production due to IT failure. IT Production Availability Loss Index = number of production hours lost / total number of production hours The ABC Company has 160 production hours each month. Last month, IT availability issues stopped the line for eight hours. IT Production Availability Index = 8 / 160 = 5% ABC is an automobile manufacturer. A new car rolls off the assembly line every 90 seconds. Every hour that IT is down costs ABC 40 units in lost inventory. The executives use a Risk-Adjusted Order Fill Rate as a leading indicator of line performance. ABC has an Order Fill Rate of 97%, and it has chosen an adjustment factor of 30%. With an IT Production Availability Loss Index of 5%: Risk-Adjusted Order Fill Rate = 0.97 - (0.3 x 0.05) = 0.955 or 95.5% Mean time between failure (MTBF), maintenance records
Alternate Measures
Source: Gartner (March 2013)
Page 11 of 16
Risk Description
Reputation is a social quality factor. It is the collected belief about the relative benefit or risk of interacting with an organization. Organizations must know what is being said online about them. They also must know what can be acted on, acting on it where possible and even controlling what is being said. They should understand reputation equity.
Risk Impact
Reputation is complex because organizations don't have direct control over it, but they can't ignore it. If an organization's reputation fails, then it can result in loss of brand equity, fewer sales, legal liability, denial of reputation (when a criminal creates false information and causes it to show up first in the search engine), and market capitalization lost over leaked information to social media sites.
LRI Description LRI Metric LRI Example Risk-Adjusted LPI Example Alternate Measures
The Poor Online Sentiment Index is a reflection of a poor online reputation. Poor Online Sentiment Index = negative comments / total comments* * Measured through auditable social listening platform in the past 12 months. ABC Computers tracks its online reputation through a social listening platform. In the past 12 months, it has been mentioned 1,200 times, and 300 of those comments were classified as negative. Poor Online Sentiment Index = 300 / 1,200 = 25% ABC has a Sales Opportunity Index of 88%, and it has chosen an adjustment factor of 20%. With a Poor Online Sentiment Index of 25%: Risk-Adjusted Sales Opportunity Index = 0.88 - (0.25 x 0.20) = 0.83 = 83% Employee training around online engagement, the first page of search engine results for your company name, influence analysis (trending up or down based on impact of controls), effectiveness of crises response when there is a reputation incident (12 hours or less).
Recommended Reading
Some documents may not be available as part of your current Gartner subscription. "The Gartner Business Risk Model: A Framework for Integrating Risk and Performance" "Toolkit: The Gartner Business Risk Model" "The Gartner Business Value Model: A Framework for Measuring Business Performance" "Toolkit: The Gartner Business Value Model" "Toolkit: Monetizing the Outcomes in the Business Value Model" "Definition: Risk-Adjusted Value Management" "Improve Business Decision Making With Risk-Adjusted Value Management: Creating RiskAdjusted Key Performance Indicators"
Page 12 of 16
Gartner, Inc. | G00247514
"Achieve Desired Business Outcomes Through Risk Management: A Practical Example of RiskAdjusted Value Management" "Using Risk-Adjusted Value Management to Close the Strategy Gap and Gain Competitive Advantage" "The Gartner Supply Chain Risk Model: Integrating Supply Chain Risk and Performance" "Toolkit: The Gartner Supply Chain Risk Model" Note 1 Risks and Metrics Available in the Full Catalog The following is a list of the risks and metrics available in the full catalog:
Marketing Risk: Marketing Failure Index Transparency Risk: Inadequate Transparency Index Online Reputation Risk: Poor Online Sentiment Index Channel Cost Risk: Channel Cost Index Customer Loss: Customer Loss Index Sales Loss Risk: Sales Loss Index Forecast Inaccuracy Risk: Forecast Inaccuracy Index Aging Products Risk: Aging Products Index R&D Risk: R&D Failure Index Product Management Risk: Product Management Failure Index Service Agreement Risk: Agreement Ineffectiveness Index Customer Care Risk: Customer Care Failure Index Delivery Risk: Late Delivery Index Material Quality Risk: Material Quality Failure Index Order Fill Risk: Order Fill Failure Index Privacy Risk: Privacy Failure Index Returns Risk: Aftermarket Dissatisfaction Index Service Accuracy Risk: Service Inaccuracy Index Service Performance Risk: Service Performance Failure Index Sourcing Risk: Sourcing Management Failure Index
Page 13 of 16
Supply Chain Planning Risk: Supply Chain Planning Failure Index Vendor Risk Management (IT) Risk: Poor Vendor Management Index Supplier Agreement Risk: Supplier Agreement Ineffectiveness Index Supplier Care Performance Risk: Supplier Care Failure Index Manufacturing Risk: Poor Manufacturing Index Facilities Management Risk: Facilities Planning Failure Index Facilities Security Risk: Facilities Security Incident Index Enterprise Asset Management Risk: Unplanned Asset Cost Index Business Continuity Management Risk: BCM Readiness Index Sustainability Risk: Excessive Energy Cost Index Risk Management: Risk Assessment Failure Index Workforce (IT) Risk: IT Workforce Planning Index Skills Inventory Risk: Skills Risk Index Training Risk: Inadequate Training Index Identity and Access Management Risk: Role Inefficiency Index Availability (IT) Risk: IT Production Availability Loss Index Internal Audit (IT) Risk: Audit Inefficiency Index Application Risk: Application Failure Index Change Management Risk: IT Change Variance Public Cloud Risk: Cloud Rogue Index Information Security: Infosec Program Maturity Index Application Security Risk: AppDev Noncompliance Index Data Security Risk: Competitive Intelligence Loss Index Desktop Security Risk: Desktop Security Failure Index Infosec Governance Risk: Security Governance Decision Index Network Security Risk: Incident Management Maturity Index Server Security Risk: Patch Failure Index IT Investment Risk: IT Investment Waste Index Ethics Risk: Unethical Behavior Index
Page 14 of 16
Environment Health and Safety Risk: EHS Regulatory Actions Index Insurance Risk: Mismanaged Insurance Index Liquidity Risk: Excessive Cost of Capital Index E-Discovery Risk: E-Discovery Delay Index Internal Audit (Financial) Risk: Ineffective Internal Financial Audit Index Legal Risk: Legal Awareness Index Records Management Risk: Storage Growth Index Compliance Risk: Audit Exception Index Policy Risk: Policy Management Risk Index Low-Cost Country Sourcing (LCCS) Risk: LCCS Index Natural Disaster Risk: Natural Disaster Index Equipment Failure Risk: Equipment Failure Index Single Sourcing Risk: Single Sourcing Index Emerging Market Risk: Emerging Market Expansion Index Delivery Risk: Late Delivery Index Capacity Utilization Risk: Maximum Capacity Utilization Index Environmental Compliance Risk: Environmental Noncompliance Index Fire Risk: Fire Readiness Failure Index Human Error Risk: Human Error Index
Page 15 of 16
GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 USA +1 203 964 0096 Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM
2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartners prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartners research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartners Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.
Page 16 of 16