Opinion | When It Comes to Enterprise Risk Management, We Need to Measure What Matters

By: | August 17, 2020

Joanna Makomaski is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at [email protected].

I define enterprise risk management as: “A decision-making discipline that addresses possible variations to organizational goal outcomes.”

Goals are an important part of any business’ growth, and many of the organizations I’ve worked with have amazed me with how poorly constructed their goals are. It’s no coincidence their risk management practices are also often inadequate.

The bottom line is that good risk management requires understanding of what it is intended to deliver. One critical objective of risk management is to protect what is most important for an organization — protect their plans, their reason for being, their value.

The way risk management delivers this is by putting close-protection practices in place around organizational goals as part of an early warning system that monitors and anticipates changes so that you can get in front of undesired outcomes and leverage opportunities as they come.

It is mission-critical, therefore, for an organization to set goals and targets that deliver what is truly needed. After all, you will only get what you measure.

But often we see goal metrics that are too blunt and easily misconstrued.

For example, in the health care universe, organizations may want to reduce patient interaction time for cost-efficiency. When blunt goals are set to reduce interaction time, more often than not the patient may feel they were rushed through an assembly line, left with a deeply compromised experience, and possibly misdiagnosed by their doctor.

Metrics do drive outcomes, but they also drive behaviors.

This law of human nature was expressed by social scientist Donald Thomas Campbell. In simple terms, Campbell’s Law states that measuring the wrong things can drive immoral or corrupt behavior, leading sometimes to unintentional negative effects that can make a problem worse.

The late Steve Jobs saw this: “Incentive structures work, but you have to be very careful of what you incentivize people to do, because various incentive structures create all sorts of consequences that you can’t anticipate.”

These behavioral concepts came flooding back to me with recent discussions on the reimagination of police duties, not just in America, but around the world. Certain police behaviors drove me to ask some rudimentary questions. What metrics drive police behavior? What incentivizes the police today? What are their current performance goals?

As with every organization I work with, the first question asked is: What are the goals, metrics and incentives for your organization? This should be no different for our police.

My understanding is that measures of police performance commonly used today are year-over-year crime rates, offense clearance rates, service response time and enforcement productivity (number of arrests and fines issued). Sometimes public satisfaction surveys are used on a regular basis, but from what I understand, most departments still do not make use of this resource.

Key questions to ask ourselves: Are these indicators a sufficient or fair way to measure police performance? Are these metrics fostering unwanted behavior? Are police goals, ambitions and values well understood? Are they attracting suitable employees?

The internal audit world faced a similar situation a few years back, when it was seen only as an “I gotcha organization,” catching corporate “crimes” rather than preventing them. By applying risk management principles, auditors reinvented themselves as those who now aspire to protect corporate value and prevent “crime.”

Could this apply to police? Can we move away from brimming, privately-run prisons to preventing the crime at its source? What gets measured gets improved. So let’s measure what matters to us.
