PDCA description of risk and performance management system.
Dynamic changes and increasing competition in global markets have caused changes in the management of small and medium enterprises (SMEs). Due to this fact, many SME companies try to implement different methods for strategy and operation management, quality and improvement management, risk management, etc. But the problem is the efficiency and implementation of these methods in the SME company. One way to achieve higher efficiency is the integration of management methods, meaning the combination of performance management with quality, process and risk management. This approach is also recommended in the ISO standards for quality. It was reflected in a new revision of the ISO 9001 standards in the year 2015. Performance can be described by the financial and non-financial key performance indicators (KPI), covering the cost, quality and time indicators that have been implemented in the balanced scorecard framework (BSC). The aim of this chapter is to present a methodological framework, which leads to the integration of the key performance indicators (KPI) in relation to the key risk indicators (KRI), which may affect the KPIs and overall SME performance. This framework combines a process analysis and modelling with risk and qualitative or quantitative risk assessment techniques. The case study describes its practical implementation and the verification of the designed framework. The results of this research will help to build an effective management system for performance and risk management and quality management for the business processes of SMEs.
- risk management
- performance management
- risk analysis
- risk modelling
1. Introduction and overview of the motivation
Risk and performance management is a very broad and important issue in the business management field. Many companies try to apply and integrate risk management techniques and tools as part of their management processes. Many SME companies try to implement different methods for strategy and operation management, quality and improvement management, risk management, etc. But the efficiency and integration of these methods have a negative or positive impact on the SME company. One way to achieve higher efficiency is through the integration of management methods, meaning the combination of performance management with quality, process and risk management. This approach is also recommended in the ISO standards for quality. It is reflected in a new revision of the ISO 9001 standard (2015). Figure 1 presents the management framework in the SME industry according to the revised ISO standards. The top level presents the goals of companies described by performance indicators. The companies can be used for performance measurement, financial and non-financial key performance indicators (KPI), including cost, quality and time indicators. On the other hand, SMEs should understand the meaning of performance management and measurement.
Consequently, this chapter describes a system of how to integrate the key process indicators (KPI) and key risk indicators (KRI), which are then integrated into a management system for SMEs.
2. Performance and risk management
The integration of management systems is focused on performance and risk, and quality should be based on an effective management system applicable for SMEs. We can adopt common principles for the integration of the above-mentioned management methods.
Risk management means applying a systematic approach to assess and act on risks in order to ensure that the company objectives are achieved. Many papers have dealt with risk management issues in the areas of strategy, operations, finance and information security .
For practical reasons, this term can be defined as the systematic implementation of policies, various methodologies and tools, which help to identify, analyse and manage risks. A systematic review of the implementation of risk management in SMEs was accomplished in the chapter . This chapter demonstrated the importance of a risk management process in SMEs and emphasised the significant impact on their business strategy.
The possible impact of risk management on company performance was mentioned and described in the chapter . The author of this chapter introduced and confirmed that “an effective and integrated risk management system must improve the performance of the company”. It is necessary to describe the role of performance management at present based on a literature review of the previous studies and findings.
Performance management is an important part of management tasks today. The present trends in performance management include these common attributes:
Implementation of a long-term strategic plan and its translation via the key performance indicators
Measurement and execution of the key performance indicators
Forecast of performance
Support of information technology applications for performance management
Integration indicators focusing on cost, quality and time measurement in all organisational levels
Support of data mining and reporting
The core of performance management in SMEs is based on the adoption of the balanced scorecard methodology. This methodology was developed by Kaplan and Norton  to help SME managers to implement a relatively understandable system using four types of measures :
Internal business measures.
Innovation and learning measures.
Finally, if we compare the present principles of risk and performance management, the common attributes are as follows:
Implementation of process management and the plan-do-check-act (PDCA) cycle
Use of measurable indicators
2.1. Implementation of process management and the PDCA cycle
Process management or business process management (BPM) is a contemporary term used in many companies. Many successful companies have applied this management approach based on Hammer’s Business Process Reengineering Concept. Authors have developed Hammer’s and Champy’s ideas in related works today. Managers use the term BPM in many different ways. Some of them use BPM to refer to “Business Process Management” .
Business process management implementation is presented in the book, Business Process Management written by Jeston and Nelis . Weske, in the publication Business Process Management—Concepts, Languages, Architecture, describes the techniques for process modelling and the application of information technologies for BPM and workflow . Schmelzer and Sesselmann  discussed a practical view on process mapping and the organisation of processes in a company. Process mapping helps to identify key process parameters and set up key process indicators and risks. It will be used for the setup of the key risk indicators and the key performance indicators.
If an organisation implements the integrated system based on process management, the management should be included for all processes in the enterprise and should improve and measure all the processes. This idea was described by the Deming cycle (PDCA methodology)—see Table 1. The plan-do-check-act (PDCA) methodology could be a useful tool to define, implement and control corrective actions and improvements.
|“Plan”||Establish policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organisation’s overall policies and objectives|
|“Do”||Implement and operate the policy, controls, process and procedures|
|“Check”||Assess and, where applicable, measure process performance against security policy, objectives and practical experience and report the results to management for review|
|“Act”||Take corrective and preventive actions, based on results of the management review, to achieve continual improvement of the management system|
2.2. Use of measurable indicators
Measurable indicators should be determined and implemented for the execution and measurement of results. These indicators should be defined according to the S.M.A.R.T approach (Specific—Measurable—Attainable—Relevant—Timely). The companies should try to define key risk and performance indicators (KRI—key risk indicators, KPI—key performance indicators) regarding the implementation of the risk and performance management system.
2.2.1. Key risk indicators
Many papers have dealt with KRIs and how they help to detect and reduce risk at an enterprise level. Researchers have elaborated many definitions addressing this issue. A risk indicator provides a forward direction and information about risk, which may or may not exist and is used as a warning system for future actions. With KRI indicators, a specific risk can be monitored. There are numerous definitions of KRIs: “An indicator is a key indicator if it serves a very important statement and does it very well” or “Key risk indicators are statistics or measurements that can provide a perspective into a company’s risk position, tend to be revised periodically (monthly or quarterly) to alert the company about the changes that may indicate risks” . Basically, the KRIs should be part of the metrics used by management to show how risky an activity is. Risk factors are commonly known as KRIs, and they can be classified as descriptive, performative or control indicators . The classification of the KRIs is shown in Table 2.
|Descriptive||Variables related to the expected impact of a risk event; they exhibit a low ability to predict its occurrence|
|Performance||Variables related to the probability of a risk event happening; they exhibit a low ability to address the impact of a risk event|
|Control||Variables related to managerial actions or decisions. Management can predict their evolution and can use them as indicators of how the control environment will be in the immediate future.|
2.2.2. Key performance indicators
Performance measurement is a fundamental principle of management. The measurement of performance is important because it identifies the gaps between current and desired performance and provides an indication of the progress towards closing the gaps. Carefully selected key performance indicators identify precisely where action should be taken to improve performance . The KPIs focus especially on the historical performance of the enterprise or its key operations and are important for successful management.
The main difference between KRIs and KPIs is that KPIs tell us if we will achieve our goals and KRIs help us with understanding changes in the risk profile, impact and likelihood of achieving our goals . Management reviews key performance indicators such as trends in direction and the magnitude of risks, the status of strategic and tactical initiatives, the trends or variances in actual results for the budget or for prior periods, and event triggers .
2.3. Summary of this subchapter
A review of the state of the art and an introduction of the methods for risk and performance management were the aims of the previous part. The next important step is to develop a methodology, which helps companies to implement an integrated system for risk and performance management. The development of a suitable and simple methodological framework is the aim of our research work. We focused on small and medium enterprises because they comprise an important economic sector and whether there are any applicable solutions for this kind of company. On the other hand, it is possible to find solutions in the market, but these solutions are applicable for large companies. This chapter presents our research results from the construction sector.
3. Design of the methodological framework
3.1. Description of the research methodology
The research has been conducted based on the following research question:
“Can the implementation of the selected process management tools help provide an understanding of the risks in SMEs in relation to business performance?”
The literature review, the development of the methodological framework and its verification in the case study were used to confirm or reject the research question. The methodological framework was developed based on the literature review and the analysis of the relevant papers and presented case study. The proposed framework was verified in the case study. We used various techniques to collect the data and to perform the subsequent analysis. The techniques used were as follows:
Personal interviews—this technique was used for the process analysis and the process description.
Brainstorming—this method was used to find problems with the company’s management.
Document analysis—an analysis of the company’s internal documents (financial reports, documentation of quality management system, etc.) was performed.
Interview—this method enabled the collection of information about the management strategy, vision and requirements.
These techniques were able to provide input for the modification of the proposed methodological framework.
3.2. Design of the methodological framework
The results of the literature review and the study of relevant case studies were used for the design of the methodological framework. The integration of the KPIs and KRIs via a process and risk management system is the aim of this methodological framework. This framework combines process analysis and process modelling with risk, as well as qualitative or quantitative risk assessment techniques. The process management and process modelling techniques were chosen because this approach is at the core of performance management. Process analysis helps to identify the key risks in business processes and to link the KRIs with the KPIs. The proposed framework is presented in Table 3; for its application in the case study, see the next section.
|No. 1: process analysis and mapping||Process mapping|
Process attributes description
|Processes are analysed and mapped|
|No. 2: process modelling||Implementation of process modelling methodology|
|Processes are described and modelled|
|No. 3: identification of key risk indicators (KRIs) and key performance indicators (KPIs) from the perspectives of BSC and risk modelling||Identification of KPI and KRI based on process analysis|
|KRI and KPI are defined|
|No. 4: implementation of management performance system||Setup of KPI and testing of relationship between KRI and KPI|
Design of system for planning, measurement and execution, auditing of KPI and KRI
|Performance management system is implemented|
On the other hand, this methodological framework was used for the verification of our research question, because the methodology combines the principles of process management with performance and risk management. This framework was developed for implementation in small and medium enterprises (SMEs).
These companies play a key role in the global economy. They represent 99% of all businesses in the EU. In the past 5 years, they have created approximately 85% of the new jobs and provided two-thirds of the total private sector employment in the EU. The European Commission considers SMEs and entrepreneurship as the key to ensuring economic growth, innovation, job creation and social integration in the EU .
The management of SMEs needs to implement a management system, which is compatible with international standards for risk and quality management based on “best practices” and without special requirements on human, finance and infrastructure resources. The proposed framework attempts to achieve the requirements discussed above.
4. Case study
The designed framework has been applied in a construction SME company. The case study describes the practical implementation and verification of the designed concept according to the steps presented in Table 3.
The construction company is a traditional Italian small company providing building services in the local construction sector. The company has implemented a quality management system according to ISO 9000 standards, has 43 employees and has total assets of 3 mil EUR. The company invests money in innovation activities for new materials and technologies in the construction sector.
4.1. Step 1: process analysis and mapping
Process analysis helps to identify the risks in business processes. Based on this analysis, it is possible to develop a process model and to link the risk with the activities in a process. The designed concept tries to integrate a process of objective modelling with risk and qualitative and quantitative risk assessment techniques. Two approaches based on different process modelling methods (EPC and BPMN) can be used effectively for process modelling. Process models help to link the risk with the activities in a process. The risk is a process attribute in this concept (see Figure 2), and the model can be used for risk factor calculation.
The process mapping collected all the process attributes and the relationships between them. The aim is to identify and describe all the process attributes and activities in the SME company. This means that the process analysis and mapping should include these particular processes:
Study of the internal documents and organisational structure of the company
Identification and description of all the processes in the company
Determination of controllable and measurable parameters
Definition of all the attributes
The results of this step can be summarised in a table. In this case study, Table 4 presents an example of how to describe the processes, sub-processes, process type, input, output, key process-measured parameters and key process risks.
|Processes||Subprocesses||Process type||Input||Output||Key process measured parameters||Key process risks|
|Offer/tender||x||x||Client requirements or tender call||Offer or tender documentation||Process time||Quality of project and relevant documentation|
|Preparing of offer or tender|
|Negotiation with client|
|Review of offer|
|Contract acceptance||Preparation of agreement||x||x||Accepted contract||Started construction works||Process time||No complete information, technical risks|
|Preparing of folder|
|Distribution of information|
|Takeover building site|
4.2. Process modelling
The ARIS (Architecture of Integrated Information Systems) methodology was used for the process modelling. The ARIS methodology allows the description of reality from another point of view. It offers methods for process analysis and takes a holistic view of the process design, management, workflow, and application processing. The ARIS approach provides not only a generic methodological framework but also a business process modelling tool. The other tools, such as the QPR Process Designer, provide a powerful solution, which enables us to describe, analyse, communicate and improve enterprise processes. The processes were modelled by two kinds of modelling software. The EPC methodology was chosen for ARIS, and BMPN notation version 2.0 was chosen for the QPR. Examples of the process mapping are shown in Figures 3 and 4.
The EPC diagram allows us to display and connect risk to an activity. The same process can be used with a documentation or IT interface. The disadvantage of the EPC diagram is that it is impossible to clearly separate the process through an organisation chart. A possible solution is to connect a “role” or organisational unit to each activity. However, this solution means that the EPC diagram is difficult for potential users from the evaluated company to read. The BPMN diagram allows organisational units to be split into separate blocks (in Figure 5—“Enterprise”), and each organisational unit into separated lines (swim lines), which are addressed to the roles in the organisation (in Figure 5—“Role 1” and “Role 2”) based on an organisational diagram of the company.
The main advantage is that the process is clearly separated into the organisation’s units, roles, risk distribution and responsibility. It is possible to see which role can be responsible for some risk because this risk is placed in a specific line. The second advantage is that the risk is connected to a specific activity. Thus, it can provide distinct help in conducting a quantitative risk assessment, because in that case, the owner of the process knows all the process attributes (see Figure 2).
4.3. Step 2: identification of the key risk indicators (KRIs) and key performance indicators (KPIs) from the perspectives of BSC and risk modelling
The company first had to determine the measurable strategic goals. The method used was the balanced scorecard. This method supports linking the goals between all the perspectives; Figure 5 shows examples of the goals and metrics (indicators). The important aspect of the BSC, as a process measurement method, is the definition of the number of metrics/indicators and the period of measurement in relation to total production costs.
The company must define strategic goals from four perspectives. The most important global indicators in the balanced scorecard in the construction sector are focused on:
Cost of the process
Skills and knowledge operators
These global indicators were identified based on personal interviews with the owners and managers of construction companies. The relationship of the aforementioned indicators with the BSC perspective is presented in Figure 5.
|BSC perspective||KPI 1||KPI 2||KPI 3||KPI 4|
|Financial||Cash flow||Net profit||Stock turnover||Turnover claim|
|Customers||Client satisfaction||New clients||Client loyalty||x|
|Business processes||Service quality||Number of errors||Percentage of projects delivered on time||Average of labour hourly cost|
|Learning and growth||Resource consumption for training||Workers satisfaction||Number of prestigious projects||Resource consumption for research|
The specification of the KPIs was done through interviews with the owner and the project manager from the case study company based on the previous step, and the important KPIs and risk indicators were identified based on process analysis and mapping. The determined KPIs from the BSC perspective are shown in Table 5.
An evaluation of the list of risk factors, which were established as important factors in the construction project during the case study, was conducted after the identification of the KPIs. This means that each risk factor from the list was evaluated for all the KPIs (if a KPI is influenced by that factor).
Table 6 presents how many risk factors could have an impact on a KPI (there is a number for each KPI; it is also expressed by a percentage). An evaluation of the relationship between the risk groups and the KPIs was also performed. This allows us to find the most significant risk groups for a company’s performance. It was found that the most significant risk groups are Financial (31 connections) and Contractors (32 connections). These two were followed by Subcontractors (26), Clients (24), Equipment (20), Legal (20), Political (19), Consultants (19), etc. We analysed all the risk factor groups for each perspective to find the significance of each risk group. We performed that analysis by conducting interviews, and part of the output table sheet is shown in Table 7.
|BSC perspective||KPI 1||KPI 2||KPI 3||KPI 4|
|Financial||Cash flow||26/33%||Net profit||60/77%||Stock turnover||24/31%||Turnover claim||15/19%|
|Customers||Client satisfaction||27/35%||New clients||13/17%||Client loyalty||8/10%||x|
|Business processes||Service quality||31/40%||Number of errors||18/23%||Percentage of projects delivered on time||32/41%||Average of labour hourly cost||7/9%|
|Learning and growth||Resource consumption for training||6/8%||Workers satisfaction||2/3%||Number of prestigious projects||4/5%||Resource consumption for research||3/4%|
|KRI => CREDIT RISK|
|Risk factor||Profit||Stock turnover||Turnover claim|
|1. Inflation and sudden changes in prices||1|
|2. Exchange rate fluctuation||1||1|
|3. Incomplete and inaccurate cost estimates||1|
|4. High competition in bids||1||1|
|5. Unmanaged cash flow||1||1|
|6. Delayed payment in contracts||1||1|
The identified risks were recorded in a risk model. This model shows the important groups of identified risks and helps to classify the risks into categories. The different colours used in Figure 6 (for a better illustration of the process) divide the risks into operational (red) and strategic (yellow) risks. Each risk group may also have a different colour (see Figure 6), for example, for categorisation, priority or responsibility. As shown in Figure 6, each risk group can be broken down into individual risks.
As mentioned above, each risk can be monitored by the KRI(s), which influenced the KPI(s) in connection with enterprise performance. This idea is presented in Figure 7. We also demonstrate an idea for systematic measurement, assessment and evaluation through the risk management system (RMS) for SMEs, which is one of the research results. There is also an assumption that each risk is connected with a responsible person (persons), and the RMS provides an online report about the condition of the project risks and the enterprise KPIs.
The development of a methodology for risk assessment and a simulation based on a sustainable enterprise risk management (SERM) approach for SMEs was the next aim of this research. A diagram developed for the concept is shown in Figure 8.
4.4. Step 3: implementation of the management performance system
The implementation model was developed based on the previous research for the development and the application of the framework. This model describes the interaction and procedures between the risk and performance management and can be used for the design of software—Figure 8.
For the software model application, there is an expectation that users will be divided by knowledge level. The model anticipates different levels of knowledge in the users. This is the reason that the inputs are strictly dependent on the users’ experiences, and there is a logical recommendation for some evaluation of the skills of new users. There is an assumption that the software should have a Learning and Growth Ability for the users’ support and improvements in the risk simulations.
There is a strong need to determine and understand the dependencies between the KPIs and the KRIs for the implementation of risk management to function properly. An understanding of the paths and the dependencies of the linkages between risk and performance can distinctly enhance, among other things, the profitability, quality and competitiveness of a company.
The setup of the KPIs and the testing of the relationship between the KRIs and KPIs are important goals to address that issue. The most important KPIs were identified for the SME construction company—see the previous chapters.
The next important step is to identify the areas of dependence between the KRIs and the KPIs. The design of experiment (DOE) methodology was applied in this research. A factor analysis was also applied to provide an evaluation of the results and better understanding and support for decision-making . This analysis can help in identifying the influence of input factors on the values of output. This method is often used to detect more and less significant factors. Therefore, it should answer the questions in the defined hypothesis. This means that it is able to provide a clear view of the dependencies between the different KRIs which affected a KPI.
Based on this graphical output, it is possible to determine which KRIs from specific KRI groups have the main influence on specific KPIs. An example of a DOE application is shown in Figure 9. The case of the KPI “on time delivery” from the database is demonstrated there. Many potential risks influence this KPI.
The number of subcontractors, the materials used and changes in the project database was used for this experiment. For these risks, the possible KRIs, which have a dominant character, were chosen. Next, the experiment with all the possible combinations of the individual KRIs was processed, and the results of the analysis show how these combinations affect the output. The results were obtained via MS Excel based on the SMEs owners’ experiences and from the project databases.
The final step was to design the experiment based on the DOE methodology and to present the results through the arranged charts (see Figure 9). As shown in Figure 9, the DOE allows the dependencies between the KRIs and the KPI to be clearly displayed, in order of each KRI within the possible risk (Risks 1, 2 and 3). This statistical tool allows us to identify the important KRIs, which influence the KPI, and to focus on them effectively for the KPI.
This chapter deals with the relationship between risk and performance management. The idea was to create a general methodological framework for the implementation of risk and performance management in SMEs according to any requirements defined by the revised ISO quality management system or by the owners. The designed framework tries to combine objective process modelling with risk management and qualitative or quantitative risk assessment techniques. The designed framework was evaluated based on the results of the process analysis and interviews with the managers of the case study company.
The proposed solution integrates process management and performance and risk management according to one methodological framework. The definition of how to integrate the key performance indicators (KPIs) in relation to the key risk indicators (KRIs) was an important step in the implementation.
The next task was to describe the relationships between the risks, the key risk indicators and the key performance indicators in connection with the risk management software for SMEs. Part of the designed model and the results is shown in the case study. It was verified that the KRIs influence the organisations and the KPIs based on different dependencies between them. It is possible to break the dependencies down into a transparent graphical model, for example, with an implementation of the statistical tool (in this case study, the DOE).
The case study describes an example of the implementation of the proposed framework in a real SME construction company from an EU country (Italy). Our first experience with the proposed concept in this case study shows the benefits of this solution—the relationship between the KPIs and the KRIs. Finally, we conclude that the research hypothesis formulated in the introduction was confirmed by the results of the case study. The implementation of the selected process management tools helped provide an understanding of the risks in the SME in relation to its business performance.
The application of mathematical methods for risk simulation, such as the Monte Carlo simulation, for more complex analysis and its verification, may be one possible direction for further research work. However, a barrier for robust mathematical methods is the quantity and quality of storage data for SMEs.
This research has been supported by the Ministry of Education, Youth and Sports of the Czech Republic under the RICE—New Technologies and Concepts for Smart Industrial Systems, project No. LO1607, by the European Commission under Marie Curie action FP7, project Risk Management Software System for SMEs in the Construction Industry (RiMaCon), project No. FP7-2012-IAPP-324387 and by the Student Grant Agency of the University of West Bohemia in Pilsen, Grant No. SGS-2015-020 “Technology and Materials Systems in Electrical Engineering“.