ERM and Strategy

The Convergence of Enterprise Performance Management and Risk Management

This article, published by Protiviti, describes a Performance/Risk Integration Management Model (PRIM2), a framework that allows companies to integrate strategy, risk management, and performance management in a changing operating environment in order to better create and protect shareholder value.  PRIM2 places risk and performance management in a broader strategic context for the organization in several ways:

  • It creates real-time transparency into the entity’s operations, facilitating continuous alignment of strategy, risk management capabilities, and performance management
  • It allows for proactively identifying, sourcing, and mitigating a strategy’s inherent risks
  • It provides for consistent communication and deployment of strategies across the entity
  • It ensures a strategy’s execution integrates strategic plans with risk and performance management

While a PRIM2 process and infrastructure will vary across organizations, there are several core elements that should be included in any PRIM2 framework.

Governance

One key element in the PRIM2 framework is governance: establishing and maintaining a flexible corporate structure that optimally balances an entity’s value creation objectives and performance goals (Aspire) with the policies, processes, and controls needed to preserve enterprise value (Protect).  This balance can be achieved by placing a high priority on preserving reputation and brand image in an entity’s enterprise management and monitoring capabilities.  The governance process can provide oversight for strategy formation, positioning the entity for strategy execution, balancing the entity’s aspirational goals with its risk appetite, and providing a means to monitor a strategy’s progress through operational guidelines and policies.

Aspire

Aspire is another key PRIM2 element involving an entity’s articulation of its strategy, capabilities, and infrastructure.  An entity’s strategy sets its aspirational direction, and strategy selection depends on an entity’s desired destination, its clarity of purpose in developing and communicating clear strategy objectives, a clear linkage from objectives at the corporate level to those in lower levels of the organization, and the capabilities and infrastructure needed to successfully execute the strategy.

One way for a company to implement this portion of the framework is by using a strategy articulation process, where the major components of a strategy are depicted in a format that can easily and effectively be communicated through the organization.  A strategy articulation map is often the primary means of communicating strategy.  Strategy visualization is another method, in which technology is used to visualize strategic priorities, interdependencies, and critical risks.

Protect

Protect is another key element of PRIM2 in which an entity identifies and sources risks inherent in a strategy, establishes its risk appetite, and identifies capabilities to preserve shareholder value.  Corporate strategy requires thoughtful risk-taking and consideration of plausible scenarios over various time horizons.  In managing risks, an entity should take on only the risks that are manageable within its risk appetite and should minimize exposure to other risks.

To effectively protect an entity, risk management planning should be incorporated with strategy development.  Risks and risk tolerances can be addressed by creating an effective risk model so the entity can identify the most relevant risks to achieving any strategic objectives.  This helps establish a common language for discussing business risks and can make risk evaluation and tracking more effective and efficient.  The risk model can then be used to design an enterprise risk assessment process to identify and source the entity’s most relevant risks.  Tolerances consistent with the entity’s overall risk appetite can also be set for high-priority risks, providing assurance that the organization is remaining within its risk appetite.  Key risks can then be linked clearly to the entity’s strategic objectives using the strategy articulation map.

Aim

Aim is the component of the PRIM2 framework that defines key metrics and sets targets to translate strategy and risk appetite into performance expectations for the entity to reach its risk-adjusted aspirations.  First, an organization must identify the value drivers that affect its ability to execute its strategy and create economic value.  This can be accomplished through “value decomposition,” a strategic linking process identifying the entity’s major predictive or output performance drivers.  Then, metrics reflecting these value drivers can be selected, enabling the entity to track progress towards achievement of strategy objectives, risk mitigation, and compliance with internal policies and external regulations. 

Metrics should include key performance indicators and key risk indicators.  Key performance indicators are performance measurements that monitor progress towards achievement of strategy objectives and value creation and are the primary means of communicating business results across an organization.  Key risk indicators provide leading and lagging indicators for critical risk scenarios.  Selected metrics should meet several key indicator criteria: linked to strategic objectives, key risks, and value drivers; controllable or influenceable; actionable; simple; credible; integrated; and measurable.

Once metrics are established, targets should be set for each key indicator.  Target-setting should include several critical inputs: past performance, internal benchmarks, external benchmarks, strategic alignment, and risk tolerance.  Targets should be set on an enterprise-wide basis, and both long-term and short-term targets should be set.  Once targets are set, metrics can be communicated throughout the organization, a process often accomplished using a performance dashboard.  The quality, source, and latency of data used are important to whether the metrics used are truly key indicators and to whether the targets are viable.

Plan

Integrated business planning is a PRIM2 framework component that involves linking strategic planning with risk mitigation planning, budgeting, forecasting, and resource allocation.  The planning process details steps necessary to achieve strategic objectives and articulates performance plans with specific policies, procedures, and integrated key metrics.  Budgets are then linked to these performance plans to establish accountability for results and ensure integration with intended performance expectations.  The goal of allocating resources in this manner is to achieve corporate strategy and manage risks to be within the entity’s risk appetite.

Measure

Another PRIM2 element is measure, where performance results are consistently and continuously measured against targets, allowing an entity to measure its progress towards strategic objectives and its mitigation of critical risks.  Monitoring also allows for gathering information on exceptions and performance variations.  This requires real-time analytics to create a proactive organization that can respond quickly with any necessary actions when an event occurs.  A balanced scorecard or dashboard is often used to create a common language for monitoring.

Achieve

Achieve is the PRIM2 element calling for an organization to realign its strategy or tactics when needed to meet or exceed performance expectations.  Realignment allows an entity to quickly take corrective action if there are areas of sub-performance, whether by adjusting budgets, redirecting resources, remediating controls, making process improvements, or ceasing certain activities.  Corrective actions should be taken when results are outside of tolerance ranges for targets.  Plans should also be reviewed periodically to see if environmental changes have impacted their relevance.

Enable

The final key element of a PRIM2 framework is enable, which describes the need for a robust technology platform to enable effective and timely capture of operating results and their reconciliation to targets.  To avoid introducing decision-making risk due to poor-quality data, there are two key considerations in incorporating metrics in a technology platform: the correctness of data sources and the validity and timeliness of data.  Information sourcing is important because many key metrics require forward-looking information from third parties with data integrity that is less assured.  Data quality is also important, but only needs to be sufficient to meet the requirements of the business function.  If data quality issues arise, there are several appropriate actions that can be taken: identify and analyze, correct, delete, ignore, or prevent.

Original Article Source: “Performance/Risk Integration Management Model”, Protiviti, 2008