Appendix I: The Business Risk Model
The business risk model emphasizes meeting the goals and objectives of a mission-driven institution. For many research institutions, business risk is synonymous with the risk of failing to execute a program efficiently or effectively. A business risk model is suitable, therefore, for managing the cultural assets of nonprofit organizations. It offers a way to accord library collections their proper value as assets, not just costs; to assess the factors that might put the collections at risk of not serving their full function in mission work; and to determine how best to mitigate those risks in a cost-effective manner.
Determining Business Risk: Developing the Business Risk Model
It is important for an organization to identify the business risks that exist in the environment in which it operates. To identify those risks, organizations must review their external environments. External business risks stem from economic, political, social, environmental, technological, and other external conditions. For example, many research institutions face risks with respect to technology and customer demand. The electronic media in which research materials can be made available are creating a demand for faster search tools and for remote access to research materials. A library's ability to meet this demand and remain a well-respected institution is a business risk.
An organization cannot fully understand its business risks unless it also understands its business objectives, strategies, and processes. Figure 2 illustrates these interrelationships.
Fig. 2. Interrelationships between business objectives, strategies, processes, and business risk
As can be seen in the figure, the business objectives of an organization are continually threatened by risks. To respond to these risks, management develops strategies that enable the organization to meet its objectives. Strategies determine which business processes are necessary to meet management's objectives and which processes require controls to mitigate business risk.
No organization is immune to risk. Moreover, each organization's business risks change constantly. The nature and consequences of business risks facing organizations are becoming more complex and substantial. The speed of change, higher customer expectations, increased competition, rapid changes in technology, and countless other factors affect organizations in ways that managers are often unprepared to handle.
Risk is inherent in operating a business or running a program; an organization cannot eliminate business risks. Management has to decide how much risk is acceptable and to create a control structure to keep those risks within appropriate limits. The key to business risk management is achieving a proper balance of risk and control. An organization must expose itself to a certain level of risk to satisfy the expectations of its customers and stakeholders. A balance is achieved when the risk and reward expectations of stakeholders are understood and a system of controls that appropriately responds to the organization's risk exposure is in place. Therefore, a research institution's strategic management process should be designed to reduce business risk and attain its goals and objectives by implementing an appropriate and effective control environment.
If management fails to identify a significant risk or does not adequately consider business risks, the organization is unlikely to have in place control activities to manage those risks. Alternatively, if management does not consider environmental changes carefully, its existing control activities may no longer be adequate or appropriate. However, if an organization has a strong risk-management process, including an effective control environment, management can be reasonably sure that it has identified the significant business risks and responded to them appropriately. Figure 3 illustrates the typical flow of business risk-management activities.
Fig. 3. Flow of business risk-management activities in an organization
The aim of risk management is to create an environment in which managers feel comfortable making decisions that entail risk. It is vital that risk management be linked to business strategies, so that decisions reflect both the desired risk tolerances of the organization and its strategic objectives. For instance, a library or research institution's mission may focus on providing timely and effective service to its researchers. To fulfill this mission, the organization must acquire the right kinds of materials and have them available when they are needed. If risks exist that threaten the organization's ability to acquire the right materials and make them available, controls must be established to minimize these risks.
Managing Business Risk
After identifying and analyzing business risks, management decides how these risks should be managed. This requires comparing the costs of reducing business risks against the costs of potential loss from risks. There are four categories of possible responses to business risks—accept, transfer, avoid, and reduce. The first three are passive responses to risk while the last response is active. The four categories may be defined as follows:
- Accept: Accepting a business risk means doing nothing to avoid it. This response is based on a conscious decision that the costs of other responses outweigh the potential benefits or that the risk is acceptable.
- Transfer: Transferring the business risk to another party alleviates management's responsibility for managing it. Examples of this response are buying insurance and outsourcing.
- Avoid: Avoiding the business risk is a decision to change a business objective because no other response can reduce the business risks to an acceptable level in a cost-effective manner.
- Reduce: Reducing the business risk means reducing either the likelihood of its occurrence or the magnitude of its impact. Management usually establishes an effective control environment to reduce business risks.
If management decides to actively reduce risk, it must develop an effective multilevel control environment. The control environment sets the tone of the organization. It provides (or fails to provide) the discipline and structural foundation for all components of control. The control environment also has a pervasive influence on how an organization sets objectives and structures its business activities.
A multilevel control environment consists of three elements: strategic, management, and process controls.
- Strategic controls refer to those activities within the strategic management process that help management to understand the effect of external and internal factors on the business and strategy. Strategic controls define the environment of risk and control behavior and align the organization with these strategies.
- Management controls are those activities and elements that must be present in the control system throughout the organization if it is to effectively identify, assess, and react to business risks and attain its objectives. These controls develop from the results of environmental review performed during the strategic planning process.
- Process controls are the control activities performed at the process, or function, level. They are normally the responsibilities of process, or functional, owners who ensure that the control activities are in place and meet their objectives. In the process of managing or serving collections, for example, the process owner would be a collection custodian, a librarian, or a library technician. The specific controls designed to safeguard research materials would be defined as process controls.
Strategic controls and management controls are implemented at the organization level, while process controls must be implemented for each business process. The acquisition, maintenance, and service of research collections are business processes. Management controls represent the link between the strategic level and process level, as well as among the processes themselves. Effective management control drives effective business risk and control management throughout the organization.
Most organizations do not establish a one-to-one relationship between business risks and mitigating controls. Therefore, it is important to understand the impact of a number of controls at different levels when assessing the strength of the control structure. Taken individually, single controls may not provide significant defense against a business risk. However, when reviewed as a whole, the interrelationship between differing types of controls can provide an effective armor of protection for the organization. Figure 4 shows the sources of business risks and the control elements at different levels of the organization.
Fig. 4. Business risks and control elements at different levels of the organization
There are two important control messages in strategic analysis:
- Monitoring, assessing, and adapting to changes in the external environment are important aspects of managing business risk, particularly in the long term.
- The tone set by management for the overall control environment and management's level of commitment to functional efficiency and effectiveness have a significant impact on an organization's ability to execute its strategies and achieve its business objectives.
Because external environmental factors and management's tone affect the organization's ability to meet its objectives, it is important that management understand the importance of these elements. In a research institution, for example, the increased demand for online research capabilities is an external environmental change. Management's ability to recognize that change and react responsibly to it, considering all risk factors involved in meeting that demand, is an example of strategic control.
Monitoring and Feedback
A good management system and control environment must have two important elements. First, the system should encourage clear and frequent communication of vision, strategies, and implementation in a way that allows all employees to recognize their roles and their importance in achieving business objectives. Second, the system should provide relevant and balanced feedback regarding performance against objectives. "Relevant" means the feedback connects clearly to what is important for the business to achieve; "balanced" means it combines quantitative and qualitative, and financial and nonfinancial, metrics to give management perspectives from both outside and inside the organization.
For example, if a research institution's mission is to provide timely and effective service to its researchers, a relevant goal is to make materials available within a certain time after they are requested. The feedback on performance of this objective is balanced if management measures a quantitative metric of "minutes researcher waited to receive requested materials" and a qualitative metric of "degree of satisfaction researcher expressed in service provided." These measurements assure management that it is focusing on both aspects of service: speed of performance and quality of service.
Identifying Business Processes, Process Owners, and Measures of Performance
Organizations consciously identify the business processes that help them fulfill their objectives. Organizations divide their business processes into two categories: core business processes and internal service processes. Core business processes are those that an entity uses to develop, produce, sell, and distribute its products and services. Internal service processes provide appropriate resources to the other business processes. One of the core business processes of libraries and research institutions is the acquisition and management of research collection items.
A core process must have proper management controls to reduce those risks that threaten the institution's ability to meet its objectives. Two risks that threaten these objectives are not acquiring the right materials and not properly maintaining those materials. For each business process that is critical to the execution of business strategies, management controls should provide assurance that the best people are selected to own processes and control process risks. In a research institution, the process owners are usually researchers or librarians who hold management positions.
Management must establish clear objectives against which the process owners can measure their performance. Process owners are encouraged to assess their business risks continuously and to build cost-effective controls into the process to ensure that business risks are held to an acceptable level. Finally, process owners are held accountable for process performance, process risks, and the quality of the process controls. Therefore, monitoring business risks and controls is often an additional process-owner responsibility.
Fig. 5. Activities performed continuously by the process owner
In Step 1, the process owner defines the process control objectives. An organization's control objectives can be related to its operations, its financial reporting, or its compliance with laws and regulations. The control objectives that are relevant in this report are the operation objectives. Operation objectives relate to achievement of the organization's mission—the fundamental reason for its existence. A clear set of operational objectives and strategies provides the focal point toward which the organization will commit substantial resources.
In Step 2, the process owner assesses business risk at the process level. After an organization has defined the objectives its process-level controls should achieve, the process owner must determine what controls are needed to achieve those objectives. This determination is based largely on anticipated business risk. Business risk is determined by understanding the internal and external factors that may affect the achievement of the process objectives. For example, if one of the objectives of a research institution's operational process is to negotiate acceptable prices for collection items, external factors such as inflation, supply and demand for the product, and competitors' actions may affect the degree of risk in achieving the objective. The mechanisms an institution builds into its procurement process to alert it to these events and enable it to respond favorably to them are examples of internal factors that affect business risk.
In determining the magnitude of business risk, management must estimate both the significance of the risk and the likelihood of its occurrence. For example, a potential risk that would not have a significant effect on the operations of the process and that has a low likelihood of occurrence generally does not warrant considerable attention. Management should recognize that some degree of risk will always exist, because resources are always limited and all internal control systems possess inherent limitations.
In Step 3, the process owner designs and implements appropriate and effective controls for the process on the basis of the risk-assessment results in Step 2. Controls usually involve two elements: a policy to establish what should be done and procedures to carry out the policy. Controls serve as mechanisms for reducing business risk.
Because every organization has its own objectives and strategies, there will be differences in process controls among organizations. Even when organizations have similar objectives, process controls are likely to differ, because each organization has its own managerial style and culture. These differences influence the degree and type of business risks that similar institutions may face. The process owner should consider these differences when designing and implementing controls.
In Step 4, the process owner measures the performance of his or her processes. Each process owner should design quantifiable measures that can be used to assess whether the process is operating effectively. These measures, which are commonly referred to as key performance indicators, detect weaknesses in controls and changes in external conditions that process controls do not mitigate. The process owner should investigate unexpected results or unusual trends that may indicate that the organization's objectives are not being achieved. In the procurement process example, where the objective was to negotiate acceptable prices for collection acquisitions, the process owner might establish acceptable ranges of prices for certain types of collections on the basis of the average of prices for those items over a period of time. The process owner would be alerted to a possible control failure if the price of an item fell outside these ranges.
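The price-range indicator described in Step 4 can be implemented as a small monitoring routine. The following Python block is an added example written for this appendix; it is not code from the report or from the Library of Congress or KPMG. It assumes that an acceptable range is the historical average plus or minus a fixed tolerance (15 percent here, a chosen value) and that at least five historical prices are needed before a range is trusted (also a chosen value); the price history and the new acquisitions are constructed sample data. Prices below the range are flagged as well as prices above it, since an unexpectedly low price can indicate a mis-keyed amount or the wrong item just as readily as a bargain, and items with no baseline are reported so the process owner knows the control did not cover them.

```python
"""Acquisition-price KPI monitor (added example, not from the report).

Derives an acceptable price range per collection type from the average of
historical prices and flags new acquisitions that fall outside it, so the
process owner can investigate a possible control failure. All data is constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed historical unit prices per collection type (hypothetical values).
PRICE_HISTORY: Dict[str, List[float]] = {
    "monograph": [40.0, 42.0, 44.0, 46.0, 48.0],
    "serial": [210.0, 190.0, 200.0, 205.0, 195.0],
    "map": [1200.0, 1300.0, 1250.0],  # too few observations for a baseline
}

# Constructed new acquisitions to check: (item id, collection type, unit price).
NEW_ACQUISITIONS: List[Tuple[str, str, float]] = [
    ("A-1001", "monograph", 45.00),  # inside the range, no alert expected
    ("A-1002", "monograph", 61.00),  # well above the range
    ("A-1003", "serial", 150.00),    # well below the range
    ("A-1004", "map", 1275.00),      # no baseline available for this type
]


@dataclass(frozen=True)
class PriceRange:
    collection_type: str
    baseline: float  # historical average price
    low: float
    high: float


@dataclass(frozen=True)
class PriceAlert:
    item_id: str
    collection_type: str
    price: float
    reason: str  # "above_range", "below_range" or "no_baseline"
    deviation_pct: Optional[float]  # signed deviation from the baseline, if one exists


def build_ranges(history: Dict[str, Sequence[float]],
                 tolerance: float = 0.15,
                 min_samples: int = 5) -> Dict[str, PriceRange]:
    """Return {collection_type: PriceRange} built as average +/- tolerance.

    Types with fewer than min_samples observations get no range: a range
    derived from two or three prices would be an unreliable control.
    """
    ranges: Dict[str, PriceRange] = {}
    for ctype, prices in history.items():
        if len(prices) < min_samples:
            continue
        avg = mean(prices)
        ranges[ctype] = PriceRange(ctype, avg, avg * (1 - tolerance), avg * (1 + tolerance))
    return ranges


def check_acquisitions(acquisitions: Sequence[Tuple[str, str, float]],
                       ranges: Dict[str, PriceRange]) -> List[PriceAlert]:
    """Compare each acquisition with the range for its type and return alerts only."""
    alerts: List[PriceAlert] = []
    for item_id, ctype, price in acquisitions:
        rng = ranges.get(ctype)
        if rng is None:
            # The control cannot evaluate this item; report that rather than stay silent.
            alerts.append(PriceAlert(item_id, ctype, price, "no_baseline", None))
            continue
        deviation = (price - rng.baseline) / rng.baseline * 100
        if price > rng.high:
            alerts.append(PriceAlert(item_id, ctype, price, "above_range", deviation))
        elif price < rng.low:
            alerts.append(PriceAlert(item_id, ctype, price, "below_range", deviation))
    return alerts


def run_monitor(history: Dict[str, Sequence[float]] = PRICE_HISTORY,
                acquisitions: Sequence[Tuple[str, str, float]] = NEW_ACQUISITIONS) -> Dict[str, str]:
    """Build the ranges and return {item_id: reason} for every flagged acquisition."""
    alerts = check_acquisitions(acquisitions, build_ranges(history))
    return {a.item_id: a.reason for a in alerts}


if __name__ == "__main__":
    for alert in check_acquisitions(NEW_ACQUISITIONS, build_ranges(PRICE_HISTORY)):
        dev = "n/a" if alert.deviation_pct is None else f"{alert.deviation_pct:+.1f}%"
        print(f"{alert.item_id} {alert.collection_type:<10} {alert.price:>9.2f} {alert.reason:<12} {dev}")
```

Running the block prints one line per flagged item; the in-range monograph produces no output, which is the point of a key performance indicator: it should draw attention only to results the process owner needs to investigate.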
Step 5 requires the implementation of a process to monitor process control activities. This is an ongoing activity because internal control systems and the control environment change over time. New management may step in, information systems may be upgraded, or new personnel may need to be trained in the control policies and procedures. Monitoring ensures that internal control continues to operate effectively through all these changes.
Examples of ongoing monitoring activities include the following:
- Communications from external parties either corroborate internally generated information or indicate problems. For example, customers implicitly corroborate billing data by paying their invoices. Customer complaints, by contrast, may signal billing system deficiencies.
- Supervisory activities provide oversight of control functions and identification of deficiencies. For example, review activities serving as a control over the accuracy and completeness of cataloging record entries are routinely supervised. Alternatively, duties of individuals are segregated so that employees serve as checks on each other. This deters fraud because it inhibits the ability of a staff member to conceal suspect activities.
- Data recorded by information systems are compared with physical assets. Inventories of research materials are examined and counted periodically. The counts are compared with accounting records, and differences are investigated.
- Operations personnel are requested to state whether certain control procedures, such as reconciling specified physical amounts to recorded amounts of items in their process, are regularly performed. Management or internal audit personnel may verify such statements.
The Library Manager as Process Owner
In a library or research institution, the five process-owner activities just described might be performed in the following manner:
Step 1. Define process-control objectives. The institution's mid-level management receives the organizational objectives from upper management. The organizational objectives include an objective related to the mission of the library or research institution such as "to serve the research community by consistently providing timely and effective service." The management of the library identifies those processes that directly address this mission and further identifies the objective of those processes. For instance, acquiring and replacing research collection items is a process designed to maintain the collection so that it is an effective research tool.
Step 2. Assess business risks at the process level. The library manager determines what business risks might prevent the institution from providing timely and effective service. Each risk is then ranked based on the likelihood of its occurrence and the expected magnitude of impact, should the risk occur. For instance, the institution may lack the technology necessary to provide quick searches for research materials by subject. The library manager assesses the likelihood that timely and effective service will not be provided, as well as how many researchers this might affect and to what extent. The manager makes a judgment about the degree of this risk and determines what controls should be instituted to mitigate it.
Step 3. Design and implement appropriate and effective controls. The library manager identifies what controls are necessary to reduce the risks of not meeting the process objectives. For example, to provide timely service, the institution may have instituted a priority service for its most frequent customers or its most recognized scholars. Alternatively, it may have measured and quantified its service requests over a period of time and developed librarian and technician schedules based upon when demand is expected to peak and recede.
Steps 4 and 5. Measure process performance and monitor process control objectives. The library manager should measure process performance and monitor process control activities. He or she can measure performance in providing timely and effective service by using customer satisfaction surveys and by periodically measuring the volume of customers served. These measurements should be reviewed and tracked to determine whether performance is improving or deteriorating. This monitoring function alerts management that controls are either not operating properly or are ineffective; on the basis of this information, management can determine what action needs to be taken.
The management controls that reduce the business risks associated with serving researchers include controls to safeguard research materials. These controls can take various forms, depending upon their purpose and the type of assets they are controlling. By looking at these safeguarding controls from a business perspective and linking them to the organization's mission, managers gain the insight necessary to protect and preserve their collections.
Step 2 of the process just described (i.e., "Assess business risks at the process level") was the basis for the collection risk assessments that were performed by the Library of Congress, with assistance from KPMG LLP, from 1997 through 1999. The risk-assessment process conducted by the Library is described in the main body of this report.