PROFESSIONAL CHAT: Beyond regulatory compliance - linking risk and performance

In the world’s larger economies, the issue of management and staff incentives has been heavily debated recently. While the origins of the global financial crisis will be debated for some time, the factor of many financial institutions taking on excessive risk with little regard for reasonable, realistic long-term performance expectations will dominate the debate. Shareholders, regulators, and even taxpayers in these economies are demanding changes to prevailing practices and want to see incentive plans that are more closely linked to risk-adjusted performance. A clear lesson from this is that bonus schemes and other staff benefits plans should recognize long-term value rather than short-term gains. While this may sound like common business sense, PwC surveys in Africa and around the world indicate that many companies fail to connect risk and performance in the course of basic performance management, with only 37 per cent of those surveyed saying their companies link key risk indicators to corporate performance indicators. The process of integrating risk and performance management starts at strategy setting. When company leaders understand the key sources of value creation and loss across their organisations, they assign clear accountability for risk and performance management and systematically quantify the rewards associated with the risks; they change the decision-making game for their managers. Risk is, by definition, forward looking. It is a measure of probability, of either loss or gain, depending on the circumstances surrounding a given event’s occurrence. That probability of value destruction or value creation directly impacts a company’s performance objectives. PwC studies of large companies show that failure to assess and respond to strategic or business risks is behind the rapid declines in shareholder value. Here in Rwanda, we can easily relate to this finding since one of the risks identified by financial services players from PwC’s recent risk survey is competition arising from new entrants. Many business leaders continue to view risk and compliance as two sides of the same coin, reflecting a common organisational focus on managing risk to prevent known, historical business failures rather than to anticipate likely or seemingly unlikely game-changing events. While compliance with regulatory and reporting rules is a non-negotiable feature of doing business, a risk management strategy focused primarily on prevention is, by its nature, backward-looking and fails to account for the likelihood of change or the possibility of growth. A holistic risk management program, on the other hand, encompasses the tools and processes used to identify, assess, and quantify business threats and the measures taken to prioritise, monitor, control, and mitigate those threats. The effect of increased regulatory pressures here in Rwanda as elsewhere in the region is that many financial institutions tend to view risk almost exclusively as a threat to be mitigated. Without a doubt, increased regulatory complexity and the layers of compliance processes and controls associated with managing it forces organisations to shoulder new burdens in terms of cost and productivity. However, beyond the costs, a compliance-only approach to risk management can have the dangerous side effect of distracting from the principles that underpin the requirements around the need to balance risk and reward in a well-reasoned, transparent way. Performance-focused risk management can enable both compliance and business strategy. When risk management is linked to business performance, any regulatory requirements will naturally be exceeded. In any case, the individual company is more interested in protecting its financial position than the regulator would be. Focusing too narrowly on regulatory compliance, even though it is an important but discrete element of business risk, can result in silos of risk and performance information that often hamper an organisation’s ability to monitor critical risk interdependencies. The author is a Manager with PwC Rwanda samuel.g.kariuki@rw.pwc.com