Integrating BPM and ERM: Reengineering Corporate DNA To Boost Performance

Early in the 20th century, a small general store in east Tennessee began making buggy whips in the back room to boost revenue. Handcrafted from the finest leather, the whips soon became immensely popular. Before long, as professional trainer Ronald D. Moore relates it, the general store had to expand to keep up with the demand, and it eventually turned into a dedicated buggy-whip factory. It shipped its product all over the country and even to England.

As time passed, however, the horseless carriage began to reduce the nation's demand for buggy whips. A young son of the company founder suggested to his dad that they look at expanding their product line or otherwise changing their business. The dad's reply: "Don't worry, son. We have always done it this way, and look how successful we have been." Not long afterward, Henry Ford's assembly-line automobiles made buggies -- and whips -- obsolete, and the wildly successful buggy-whip manufacturer went bankrupt.

This anecdote highlights the dangers of ignoring operational risks in judging an organization's performance and future prospects. The buggy-whip company did just fine as long as the owner needed to do nothing more than manage his business processes efficiently. But in focusing his attention on far too narrow a set of indicators of his company's progress, he overlooked the enormous risks that were emerging in the marketplace. The integration of a view of business risk into a company's overall business performance management (BPM) strategy is absolutely critical.

Comprehensive Risk Management

Over the past couple of years, at the same time the acronym "BPM" has been joining the business lingo at a growing number of corporations, so too has "ERM," short for "enterprise risk management." More and more companies are beginning to recognize that they need to improve their ability to proactively manage risk if they're going to maximize their future operating performance.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as a process initiated by an entity's board of directors, management, and other personnel that is designed to identify potential events that could affect the entity and to manage the risks associated with those events. COSO goes on to specify that ERM practices should be applied in strategy-setting activities, then extended across the enterprise for the purpose of providing reasonable assurance regarding the achievement of the entity's objectives.

Such a comprehensive approach to risk management can strengthen a company's BPM efforts by preparing it for hazards that traditional financial forecasting and planning exercises would miss -- like those ignored by the buggy-whip manufacturer. Business performance management focuses primarily on performance monitoring to ensure that business objectives at various levels of the organization have been achieved with minimal variance from plan, so many of the key performance indicators (KPIs) captured in management reports reflect only historical performance data.

ERM, in contrast, evaluates the risk profile of the company across all of its departments and lines of business. The key risk indicators (KRIs) that ERM processes generate are predictive indicators of future performance. Thus, an organization that uses a combined BPM and ERM system to support management decision-making processes is basing decisions on a more complete picture of its past, present, and future performance. Looking at a company's KPIs without fully understanding the risk environment in which it operates leaves its management team open to being blindsided by impending disasters.

Even in companies that emphasize both BPM and ERM, the two are frequently disconnected, especially at the senior executive and board levels. These two processes need to unite for two compelling reasons. First, managing business risk is integral to managing business performance. Corporations that do not include risk assessments in their financial planning and forecasting cannot develop a realistic expectation of their future performance, nor do they see clearly the environmental factors that are most likely to affect their profitability.

And second, proactive management of performance and creation of shareholder value are possible only when both BPM and ERM are integrated fully with a company's routine management activities and embedded into the company's DNA. To be effective, ERM and BPM must soak into the daily operating standards and procedures of the organization. When it's not integrated with BPM, ERM remains an add-on -- and it usually isn't done very well. Regulatory pressures provide the impetus behind many companies' ERM initiatives, but boards and senior managers must understand that the biggest benefits of embracing ERM come from its use in proactively managing business performance.

Fortunately, joint ERM and BPM projects are appearing more practical to corporate managers today than they ever have before. Executives in all sorts of companies are accepting that they need to integrate the activities, and the enabling technologies are becoming increasingly easy to use and affordable.

Evolution of ERM

The financial-services sector has always been on the leading edge of enterprise risk management. Over the decades, financial institutions have become very sophisticated at quantifying credit, market, and trading risks. Until very recently, however, they continued to assess operational and compliance risks more qualitatively than quantitatively. With the release of the Bank for International Settlements' final Basel II guidelines last year, the regulatory impetus emerged for banks to quantify operational risks. For example, financial institutions are now required to determine the probability and potential dollar impact of events such as data-center outages or missed federal clearing deadlines.

Companies in industries other than financial services are also under pressure to ramp up enterprise risk management initiatives and increase these systems' sophistication. In 2002, the Sarbanes-Oxley Act introduced a new slant on the regulation of risk management for all companies listed on U.S. stock exchanges. Now many businesses view ERM as an attractive way to ensure that they're compliant with the law.

Further accelerating the need for risk management to be integrated companywide is the trend toward outsourcing business processes, customer service, call centers, and IT. Whether the outsourcing service provider is local or overseas, turning these functions over to another business requires a company to improve its understanding and monitoring of risk across the entire process chain. For that reason, management teams are increasingly acknowledging that ERM is crucial for running their organization.

At the same time, technological advances are assisting companies with connecting the disciplines of managing business performance and managing enterprise risks. One of the biggest obstacles to combining these activities has been the need to consolidate all the necessary information from disparate software platforms, locations, and business units. However, in the past three to four years, as the Internet and the XML data markup language have become ubiquitous, they have begun to serve as a gateway for information exchange. Some software vendors now provide extract, transform, and load (ETL) and data-management capabilities through XML protocols, which facilitate user-friendly data management and eliminate the need for costly interfaces to pull information from multiple platforms into a single software system. In addition, sophisticated new data-management applications can bring information together from a variety of databases and multiple technology platforms to give end users a single view of the enterprise. Some enterprise resource planning (ERP) software providers have even begun building functionality and placeholders into their database mechanisms that help financial institutions identify and monitor risks such as loan losses and operating losses from a Basel II perspective.

Fortunately for businesses that feel they need to implement ERM, COSO issued a report in September 2004 entitled "Enterprise Risk Management -- Integrated Framework." Its 1992 predecessor, "Internal Control -- Integrated Framework," became the U.S. standard for internal controls. Likewise, the new report purports to become the U.S. standard for ERM. Companies now, for the first time, have an authoritative framework and road map for implementing enterprise risk management.

Through the combination of the regulatory impetus of Basel II and Sarbanes-Oxley, the development of COSO's authoritative framework for ERM, the management challenges posed by companies' increased reliance on outsourcing, and the availability of technology tools that facilitate easier merger of data from various sources, investment in BPM and ERM integration is beginning to seem to a growing number of organizations to offer a good value proposition. Several international banks, including ABN AMRO, already have plans to combine BPM and enterprise risk management activities as an integral part of their reporting practices.

Quantifying the Unknown

Employing ERM, and then merging it with BPM, is all about understanding the impact of risk on performance and developing strategies to manage that risk. But quantifying the impact of risks isn't easy. How can a company calculate the benefit of preventing a harmful event from occurring? How can it prove the financial value of its risk management efforts? Anecdotal evidence and some early work in academic circles are beginning to furnish ammunition for convincing skeptics that companies which are well-managed from a risk perspective tend to have fewer blowups -- and better market capitalization. Expect to hear more in the business press in the near future about the correlation between share price growth and how well an enterprise manages its risks.

Still, because it's a relatively new field, the growth in popularity of ERM has triggered anxiety among management teams and boards, an anxiety that is amplified by Sarbanes-Oxley and Basel II. They're concerned that their information needs now extend well beyond the performance metrics that historically fall under the business performance management umbrella. But they're not clear on what kinds of reports -- providing what specific data -- they need access to in order to fulfill their risk-management obligations to shareholders. What key risk indicators are necessary in addition to the KPIs that have always been included in BPM? What else should their enterprise be measuring? And how can these new metrics combine elements of history plus predictive-risk-management indices? These are tough questions to answer.

A good place to start is to look at what could go wrong with a business process or program and then develop metrics that would provide early warning if things started going south. For example, suppose a telecom company is running a telemarketing campaign to sign up customers for long-distance service, and it wants to comprehensively evaluate the performance of this campaign. From a standard BPM perspective, it might focus on metrics such as total number of calls made, percentage of calls in which the householder was contacted, percentage of calls converted to sales, and average length of call. However, when the evaluation includes a risk perspective, managers' attention may turn to the gifts and short-term rate rebate the call center is offering anyone who signs up. Because of these incentives, the campaign may be at risk of cannibalizing the company's established customers, encouraging them to terminate their existing service and sign up again through the campaign. In addition, some new customers may stay only through the end of the rebate promotion, then return to their previous service provider. If the telecom integrates ERM and BPM, it may add to its measures of campaign performance the retention rate of new customers and the proportion of campaign respondents who were already using a different long-distance plan from the company. A set of combined ERM and BPM metrics would provide better information than BPM data alone in support of decisions such as whether to continue the campaign. (See "9 Steps To Jointly Develop BPM and ERM" below for additional guidance.)

Although Basel II provides extra motivation for financial services institutions to combine risk management with performance management, an organization's industry doesn't matter much in the establishment of joint ERM and BPM processes. Nor does its size. Good risk management is, simply, good business performance management. A large institution may think through the process in a more comprehensive way than a smaller company, and it might have more extensive technology resources. But company culture can be a significant roadblock, and it's especially problematic within very large organizations. Some of their managers traditionally are sensitive to sharing information like risk profiles across lines of business -- the typical silo mentality.

Conceptually, the integrated framework applies to any organization. What's critical is for everyone in the company to understand that the enterprise needs to bring transparency to everything it does. That runs counter to the way corporations traditionally were managed, so the CEO and other senior executives must emphasize the transparency message. Indeed, the Sarbanes-Oxley Act requires them to do so. An organization's risk profile impacts its future operating performance, so reviewing performance outside of the context of the entity's risk profile can render the company blind to impending problems. This blindness can't be corrected through easy, surface-level first aid. Instead, it must be dealt with at a deep process level. Understanding the benefits of integrating ERM and BPM comes down to understanding that embedding risk management into routine management activities ingrains it into a company's lifeblood -- its DNA.

To get a copy of the COSO report "Enterprise Risk Management -- Integrated Framework," contact the American Institute of Certified Public Accountants (AICPA). Call 888-777-7077 or visit www.cpa2biz.com.

9 Steps To Jointly Develop BPM and ERM

So, what should an organization do once it decides to take a proactive and preemptive approach to managing its risks and integrating enterprise risk management (ERM) with management of its performance? Here are nine basic steps to follow:

  1. If you don't have one, establish an enterprisewide risk-management infrastructure, including an ERM framework, organizational structure, tools, techniques, and methodology.
  2. Develop a risk-management reporting system that covers all levels of your organization, from the department and business-unit level to the entire enterprise.
  3. Determine which types of reports the executive committee and board need and which should stay at the department and business-unit level.
  4. Decide which information you'll need on the risk side. Determine whether this data is all available in existing databases; if not, figure out how to capture it.
  5. Examine BPM metrics and databases to see whether there is any duplication between them and the new ERM metrics.
  6. Develop a conceptual report design on an integrated BPM-ERM reporting system that covers all levels.
  7. Determine whether your organization has the skill sets and bandwidth to develop such an integrated reporting system in-house or if you will need outside assistance. Since the process often fundamentally alters a company's culture, it may be helpful to retain outside advisers to serve as catalysts for change.
  8. Ensure that appropriate measurement processes (be they individual, divisional, or at the line-of-business level) are in place to embed the joint BPM-ERM approach into the corporate culture.
  9. Engage your senior executives -- especially your CEO -- and directors, since their sponsorship is essential to success.

Jay Singh is practice director, governance and risk management, in the New York office of Parson Consulting, a Chicago-based financial-management consultancy.

Sridhar Kadaba is Parson Consulting's practice director for global financial services. He is based in the New York office.