Performance Risk Management - the practical approach

Charles Schrock's Profile

Performance Risk Management is my new and immensely practical approach to integrating performance management and risk management. This is the breakthrough that finally allows the “good ideas” behind enterprise risk management to shine through.

I have written about many aspects of risk management in the past. I find the topic fascinating because it offers such great promise to help organizations of all types accomplish their goals better, faster, and more completely. Unfortunately, for years, I was frustrated by all of the static surrounding risk management. This static has made it virtually impossible to convey a clear picture of the benefits of risk management.

The static

I have spent many years thinking this through. I have always known that the core message of risk management is profound. It just seemed that there was so much static surrounding risk management that the message was always hidden in irrelevancies. I needed to understand which pieces of risk management theory were creating this static. What did I need to strip away for this message to come through loud and clear? I have come to the realization that much of this static resulted from two fallacies:

  • An improper primary focus on the risks themselves
  • Useless attempts to categorize risks; focusing on the artificial differences between risks rather than finding the universal similarities

As I started recognizing these two ‘static generators’, I was able to develop an approach to risk management that suddenly accomplished two things.

First, risk management could be intuitively aligned with an organization’s performance objectives. More than that – risk management works only if it is aligned with performance objectives. It suddenly started making obvious, practical sense to executive leadership. It’s not just a “nice theory”; it can help achieve bottom line results in a real and practical way.

Second, it became clearer why so many organizations have prematurely abandoned their risk management implementation projects. I understood that the mind-numbing real-world complications that these organizations experienced were actually irrelevant.

Eliminating the static

The first clear realization was that risk management starts with objectives, not risks. It’s always about accomplishing objectives. Managing associated risks is simply an additional technique to help accomplish your goals. Everyone knows this intuitively. The problem was that risk management theory made, at most, a passing reference to objectives. That’s why risk management never felt right. It never actually aligned with what we knew to be true. An organization doesn’t want to expend efforts to “manage risks”. It will, however, expend effort on better techniques that help it accomplish its objectives better, faster, and more completely.

The second clear realization came to me when I recognized the waste in categorizing risks among “Strategic Risk”, “Compliance Risk”, “Legal Risk”, “Financial Reporting Risk”, etc., etc., etc. Risk management theory loves to focus on these categories. This disguises a lack of deeper understanding – the similarity among all risks. This similarity flowed from the first clear realization – a focus on objectives, not risks. While there may be many types of objectives, there is only one type of risk – an inability to effectively execute.

When you logically extend these two clear realizations, the results are profound. Once you do away with the process of classifying risks, you can focus on actually identifying the risks. Not only that, you actually have a practical framework to identify those risks – real world things that could go wrong relative to a specific objective. Useless theory melts away and practical understanding takes its place. It has allowed me to better communicate how an organization benefits from risk management, and it has also allowed me to develop a practical way to (i) initially implement risk management within an organization, and (ii) enhance management processes to deliver results better, faster, and more completely.

These are the two basic components of Performance Risk Management. Many benefits flow as a result, which I will continue to address in subsequent posts.


Member's Profile

Thank you for this post on risk management. I fully agree that the focus needs to change from risk to objectives. I haven't been able to put my finger on the frustration I've felt in the risk management process until now.

As I look back on the Sarbanes-Oxley legislation and the significant spend that companies have incurred, it seems that if the focus was on the objectives and not the controls or the 'risk', these projects could be much more efficient. Too much time was spent categorizing risk as financial reporting, compliance, etc. and not on the multitude of objectives that arose from SOx.

I'm interested in what other readers think of changing perspective for risk management from risk to objectives. Or maybe people are content with the risk management approaches their organizations have taken?

Member's Profile

Thanks for your comments, Dan. Risk Leader is a new web site that is developing cloud-based risk management tools based on Performance Risk Management. If you get a chance to take a look, I would be interested in your thoughts on the direction that they're heading.

Member's Profile

I see a lot of benefit to linking risk management to performance management, a process that already exists in organizations. Risk management has been treated as a new and separate process that works for consultants selling a project that requires them for the maintenance, but doesn't work well when the consultants leave.

Member's Profile

The basis for PRM is, as you say, extending what organizations are mostly already doing -- managing performance. Adding the related element of "risk" to performance management helps bring a lot of performance-related concepts more clearly into focus. Organizations that embrace PRM are going to have as much of an edge going forward as those organizations that embraced MBO when Peter Drucker introduced it nearly 60 years ago.