The profile of reward and the risks it runs can hardly be higher. Just in the last few days we have seen media headlines ranging from alleged million-pound-plus salary overpayments in an NHS trust to further issues around votes on remuneration reports, for example the report in the Telegraph of Imperial Tobacco facing an investor revolt over its bonus revamp.
These risks range from operational reward risks (an often overlooked area), such as making sure that payrolls are run accurately with appropriate tax accounting and payments, through to communications between remuneration committees and shareholder advocacy groups such as the ABI in the UK or ISS in the US.
Risk is part of business operations. What is important, if not essential, is to measure and manage those risks in a systematic framework. This allows us, as reward professionals, to discuss risk issues confidently with the business, our colleagues in external and internal audit, and the regulators. A systematic process allows us to define and agree our risk appetite with our organisations and reduces (although will never abolish) surprises from our reward activity. I am a great believer in two philosophic approaches. One is that we always underestimate the frequency and impact of random events. The recent best seller “Thinking, Fast and Slow” by Kahneman is a fascinating book on these issues. Likewise, we will always be subject to “black swans”: the disruptive large scale random event that no one was expecting.
An overall approach to reward risk
Rosario Longo has published a very good blog “Risk and Reward Risk Management” which gives an excellent overview and structure for looking at reward management risk. He identifies the key stages and stakeholders in the analysis of risk – mostly from an operational reward risk perspective but the approach is also applicable to the wider questions of strategy, executive remuneration and so on.
His approach to risk measurement and evaluation is very similar to an approach I developed that allows the use of a relatively simple Microsoft Excel spreadsheet to generate a visualisation of risk scores in an organisation. Rosario makes the excellent point that risk scores and measurements are not absolute numbers but an expression of relativity in relation to the known reward risks that organisations may face.
The visualisation approach
It must be recognised that my approach is essentially a sub-set of the type of systematic approach that Rosario has suggested. Much of the data feeding into my spreadsheet will have been collected by the methods and collaborations suggested by him. I would add that much of the generation of indicators in my approach is a result of the implicit knowledge of the person drawing up the risks and metrics. An experienced reward professional will know where the key choke points in reward operations lie and what issues tend to occur during bonus planning and reward processes.
First step: the listing of reward risks
There are a number of approaches to listing the risks in reward. I like to use a systematic approach by looking at the individual reward processes and then considering the risks attached to each process. When I last carried out a process like this I came out with a list of over 300 risks. Here are some examples of reward risks:
Lack of understanding by senior management of the reward process
Issues with Regulators over reward
Levels of base salary insufficient to recruit
US Benefit structure not appropriate for culture
Vendor costs not being controlled
Communications with employees insufficient
Remco has insufficient market data
Table 1 Examples of reward risks
It would be good practice to collaborate on the list with stakeholders such as Remco, HR business partners, and the Finance and Audit departments to get their views on what they see as reward risks.
The list of reward risks is not static; it will change with time and such issues as changes in legislation, tax, reporting requirements, code changes and so on. A quarterly review of the list would be a good starting point.
Some organisations run risk databases, for example within Operational Risk departments, or may even have access to external risk databases. All of these are good sources of intelligence on risk in reward.
Once we have a list of risks we move on to the next stage: probability.
Second step: listing probabilities
This is the most difficult stage of the process. In the vast majority of cases we look to our (and other) organisational history to see what has “gone wrong” or “needs improvement” in the past. In addition we must also scan events to look for issues that have occurred in other organisations, either in our sector or elsewhere. Again, access to external risk databases is a good way of keeping up with risk issues. Advisors can also be a good source of advice around incipient risks.
At the end of the day risk is largely down to individual judgement. Unless you have risks with a high frequency, which allows mathematical modelling such as Monte Carlo simulations, you have to make an informed judgement call on the probability of risk based on history. However, as investment advisors are keen to point out, “past performance is no predictor for future results”. Also, any risk listing will be specific to the organisation to which it relates – it is all about context.
My model uses a risk weighting of 1 to 10, where a rating of one is highly improbable and ten is certain. Once again, the rating is not static. Risk probabilities change over time, so the probabilities must be reviewed frequently to ensure we are capturing as many of the issues as possible with their shifting probabilities.
I am sure that statisticians or actuaries would have much more sophisticated approaches to this process, but I have designed the approach so that HR and reward professionals have a basic framework to start their risk mapping. If you have access to more sophisticated approaches then do use them.
It is important, from a methodological standpoint, not to read false accuracy into the risk probability approach. At the end of the process we are looking at the relative levels of risk in our organisation to give some focus as to where we should concentrate resources; it is not a forecasting tool.
Third step: listing impact
This is perhaps easier than listing probabilities. Again we use a simple 1-10 scale, where one indicates no impact and ten the end of life as we know it. What we are looking at here is what impact the risk would have on our organisation. For example, would incorrect tax payments on employee remuneration lead to reputational and financial damage? Would not paying our R&D staff sufficiently result in them leaving, with long term damage to our research effort? Again, we are looking at an estimate of impact, ranging from some minor inconvenience to putting the existence of the organisation at risk. As an example of this we have seen some companies run into very serious financial problems in the UK as they had not fully considered the risks they were taking with their final salary pension schemes, and the funding requirements nearly bankrupted them.
Another story around impact and probability. When working in the City I was advised to carry an emergency gas mask. I questioned the advice. It was pointed out to me that the probability of a terrorist gas attack in the City was small (although perhaps higher now than in the past), the probability of being on an overground or underground train catching fire and filling with smoke was considerably higher – but still low. However, the impact of either of these events was a ten. So while I hope I never have to use the mask, it only takes one occurrence of the above and me to have the mask to save my life. We do tend to underestimate low probability, high impact events; as a former scout leader, “be prepared” is a good motto for reward risk as well as scouting.
At this stage we have a list of risks, a listing of probability against each risk and a score for the potential impact of the risk.
Fourth step: Risk correlation multiplier
My initial model of risk in reward did not contain a risk correlation multiplier. However, I have come to the conclusion that, difficult as it is, consideration has to be given to this issue. What is a risk correlation multiplier? Simply put, if a risk occurs, how likely is it that the risk will cause an increase in another risk factor? Take a simple example from payroll. The risk is that we are not paying our employees correctly. There is a correlation (and I am not strictly talking of statistical correlation here) between not paying employees correctly and not paying the correct statutory deductions in the relevant country. What I have done is added a correlation multiplier to the score for the risk of not paying employees correctly to reflect that it will increase risk in other areas. If you pay employees in different countries, perhaps on split contracts, the issue of where payment is made, where and how much tax is due, and the implications of getting it wrong impact on a number of other risks and pose a real operational threat.
Once again we are in the world of estimates. The more statistically aware will see I am multiplying estimates by estimates by estimates; giving a number which arguably has no real meaning. However, as noted above we are not looking for an arithmetical answer but relativities of risk in our organisation to allow us to focus resources in the most effective way possible.
We are nearly at the end of the process…
Fifth step: Generate the risk score
This is simply the product of the probability, impact and risk correlation multiplier. The risk score is a single number that allows us to rank our scores and see where the highest risks in our environment appear to exist.
Final step: mapping the risk
As figure one above shows, it is possible to produce a useful graphic that shows where our key risks are concentrated. This is really beneficial when talking to stakeholders, who may not need the detail of the process, as it allows them to focus in on the key risk factors.
Clearly if you have 300 risks, mapping them like this will not work. In that case it is easy to return to our original process map of reward and use this approach to map risk against each process with an overall map showing a cumulative risk for each process in our reward product stable. Once again individual circumstances and trial and error will lead us to a process that is optimal for us and our organisation.
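Steps one to five and the per-process roll-up described above, as an added example that is not the author's spreadsheet. The process names, the scores given to each risk and the 1.0 floor on the correlation multiplier are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    process: str               # reward process the risk belongs to (assumed names)
    name: str
    probability: int           # 1 = highly improbable .. 10 = certain
    impact: int                # 1 = no impact .. 10 = existential
    correlation: float = 1.0   # assumption: 1.0 means no knock-on to other risks

    def __post_init__(self):
        # Reject scores outside the 1-10 scale instead of silently ranking them.
        for field in ("probability", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field} must be 1-10, got {value}")
        if self.correlation < 1.0:
            raise ValueError(f"{self.name}: correlation multiplier must be >= 1.0")

    @property
    def score(self) -> float:
        # Fifth step: probability x impact x correlation multiplier.
        return self.probability * self.impact * self.correlation


# Constructed register: risk names follow Table 1 and the payroll example,
# every number is invented for the illustration.
REGISTER = [
    Risk("Payroll", "Employees not paid correctly", 4, 7, 1.5),
    Risk("Payroll", "Incorrect statutory deductions", 3, 8),
    Risk("Governance", "Remco has insufficient market data", 5, 6),
    Risk("Governance", "Issues with regulators over reward", 2, 9, 1.5),
    Risk("Vendors", "Vendor costs not being controlled", 6, 3),
]


def ranked(register):
    """Risks ordered from highest to lowest relative score."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def process_map(register):
    """Cumulative score per reward process, highest first."""
    totals = defaultdict(float)
    for risk in register:
        totals[risk.process] += risk.score
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.score:6.1f}  {r.process:<11} {r.name}")
    print(process_map(REGISTER))
```

The numbers are only meaningful relative to each other, so the output is a ranking and a per-process total rather than a forecast.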
Managing the risks
Once we have the information on the likely risks in our reward environment we need to consider how to manage them. In my model I use a column called “mitigation”. That is what we can do to reduce the risk. It may be, for example, that we review the risk with an external advisor or with our Finance department to see how the risk can be reduced. Linked to this is the next column which I have called “Controls”. So, for example, if we are concerned about inappropriate payments being made from payroll we can have four eyes, or even six eyes sign off on non-regular payments. Or, perhaps mandate a random sampling and checking of the payroll. Again, our colleagues in external and internal audit can be of great help in designing controls on our key risk areas.
Having appropriate key performance indicators is one approach to managing risk matrix issues. We need to know and measure before we can attempt to control. It is not possible to attach KPIs to every reward process, but there are many to which we can. For example, we can look at attrition statistics, together with leaver interviews, to deduce whether pay levels are an issue and track this over time. Payroll and pension payment errors are easy to use for KPIs.
Many years ago when I worked for Ford Motor Company, everyone in the business over a certain level or employed in certain key areas was required to undertake a course in statistical process control (SPC). I suspect this may be a little old fashioned these days, but I found it a very useful way to look at error occurrences and decide if they were random issues or there was an underlying systematic problem that needed to be addressed. KPIs and SPC taken together are very powerful tools for spotting issues before they become (or as they become) problems. Every organisation will have its own way of managing risk, but having an organised systematic approach, from the very simple to the very sophisticated, is a very good way to start on the risk management journey.
For me, the final part of the risk management mapping is identifying the risk owner. Who has responsibility for the process in which there are risks? This helps focus our attention on the whom as well as the what of stakeholder risk management.
One of the other important outputs from risk mapping is to agree with management the risk appetite of an organisation. Which risks within the matrix are acceptable and which are unacceptable? Risk is part of business and the costs of mistakes are again part of the cost of business. The question arises as to how much cost (including indirect cost such as reputational damage) an organisation is prepared to “allow”. Which risks are completely unacceptable and need to be removed entirely, if that is possible, and where is there a willingness to spend more or less on mitigation of risk? This is an area where risk mapping in reward can add real value to a business.
The mapping of risk in reward is a key process. It gives some comfort to management, auditors and regulators that we are aware of the risks of our activities and the steps we have taken to measure, control and mitigate as appropriate.
The two frameworks, from Rosario Longo and my spreadsheet-based approach, provide a very useful toolkit for a systematic approach to risk in reward and at least form the basis for a comprehensive risk structure.
Risk mapping adds value to our activities and processes for the business as it both prevents unnecessary costs and contributes in a very positive way to the governance of our organisation.