
        Robert Kugel's Analyst Perspectives


        Enterprise Risk Management Addresses the Agency Dilemma

        I have written before about enterprise risk management, which is an essential piece of both performance management and corporate governance. Every aspect of business entails risk. Everyone who makes a business decision is – whether consciously or not – making trade-offs between risk and reward. Assessing risk is tricky in business because it means different things to different people depending on where they work and their specific role in an organization. From a broad view, risk management becomes an “enterprise” issue for three reasons. One is to ensure that risk management is harmonized across the company and consistent with the corporation’s risk tolerance. A second purpose is to manage cross-functional risks – things that happen in one part of the company can have negative impacts on other areas. The third is to address the risk elements of what’s called the agency dilemma.

        Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from management. The agency issue exists where the best interests of the principals are either not congruent or in conflict with the interests of the agents (the professional managers running the corporation). Agency issues are rife in any large-scale business, at times to the point of distorting business practices in whole industries. For example, motion-picture distribution companies might be better off if they were to handle a larger number of lower-budget films, but today’s industry is driven by producers and agents whose interests are best served by making blockbusters. For the producers and “above the line” talent, these projects have large potential payoffs while the outsized risks are mainly borne by others.

        Much of the focus in the economics literature has been on the shareholder/senior management version of the principal/agent problem and the various mechanisms used to align their interests, such as stock-based compensation plans (increasingly with vesting provisions to encourage a long-term view) and other incentive-based plans. Indeed, one reason “performance management” has been the focus of so much IT investment is the need to have measurement capabilities and incentive plans that align the strategic interests of the corporation with the objectives of executives, managers and employees.

        Yet the explicit focus of many performance measurement and incentive compensation plans has been on goal achievement with little regard to the risks. In this respect, the risk aspect has been more implicit, leaving it up to the employees to use their judgment or relying on supervisors to police risk-taking and set the tone for risk tolerance. Fortunately, most of the time this works well enough. Unfortunately – as recent disasters have demonstrated – it doesn’t always. And it strikes me that in most of the latter cases, one of the contributing factors has been the lack of attention to the risk aspects of the agency dilemma.

        Just as shareholders’ concerns are not always going to be aligned with senior management’s, middle managers’ objectives may not always be well aligned with those of executives. I think this is especially true when it comes to making decisions about risk. Reputational risk, for example, is usually of greater value to the senior managers (who are more closely identified with the company) than to those running business units or functional areas. For this reason, and because they almost always are evaluated explicitly on some sort of output measure (volume, profits, cash flow and the like), lower-level managers have every reason not to err on the side of caution. Senior executives also may (intentionally or not) court disaster by stressing output without measuring risk. In such a case, a line manager may forgo required maintenance in order to meet some rush order. Ninety-nine times out of 100 this doesn’t matter. But the one time it does, catastrophe ensues.

        Thus when risk is not measured explicitly, midlevel managers are put into a position where they have a strong incentive to ignore or undervalue risks (from the shareholders’ and executives’ perspectives), even if senior executives would support a decision to, say, forgo the rush order or negotiate some alternative. Part of this is human nature – it’s hard to disprove a negative. Without explicitly being able to demonstrate that they made the appropriate trade-off, a middle manager may be penalized for choosing the safer option. Over time, if employees learn that making a sensible trade-off only leads to grief, they stop making sensible decisions.

        Compounding the problem is the difficulty of appropriately defining and measuring risk. One of the factors that inhibit explicit enterprise risk management is that, outside of several already heavily regulated industries, there is limited experience with establishing formal systems for measuring and monitoring business risks. Banks and insurance companies, for example, have centuries of experience developing analytical frameworks for risk management and devote a great deal of management horsepower to compliance. (Despite this, disasters happen with depressing regularity, but that’s another topic.) Consequently, organizations may not collect risk metrics and may not even understand or agree on what those metrics ought to be. The lack of data, in turn, can inhibit the development of formal enterprise risk management systems and processes. Yet despite this lack of experience, I suspect that it’s possible to assemble a sufficient number of risk metrics to make this part of a performance measurement system. For example, in the maintenance example, the appropriate control is to monitor a system that schedules the work and can raise cautionary flags when it is delayed. A built-in audit function also could be added to compare actual to budgeted maintenance spending and flag this if outlays lag expectations.

        Another contributing factor to the neglect of enterprise risk management is the absence of this important factor from purveyors of “balanced scorecards.” This technique emerged as a way to address the unintended negative consequences of simplistic performance measurement systems that focus on one or a few metrics. They are “balanced” because they incorporate metrics that model the kinds of trade-offs that managers want employees to make. If, for example, call centers only measure call times, customer satisfaction will suffer because agents will attempt to get callers off the phone as soon as possible, regardless of whether their questions have been answered or their issues have been addressed. A balanced scorecard would include first-call-resolution percentage as a compensating metric.

        Some companies have developed sophisticated systems that properly balance objectives so employees are rewarded for making the right trade-offs. Still, few include risk explicitly; I think “risk” ought to be a separate category alongside the typical array of “financial,” “internal business processes,” “customer” and “learning and growth.” Incorporating risk explicitly in performance management systems helps manage the agency dilemma. Because managers are explicitly evaluated on risk, they have incentive to apply the proper balance in day-to-day decision-making. Moreover, this approach addresses the agency dilemma since those further up in the hierarchy can be alerted when risk thresholds are exceeded.

        Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.

        Regards,

        Robert Kugel – SVP Research

        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for ISG Software Research. His team covers technology and applications spanning front- and back-office enterprise functions, and he runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).
