Integrating Enterprise Risk Management
with Performance Management Systems
Master Thesis
By
Ralf Bus
Faculty of Economics and Business
MSc BA - Management Accounting & Control
Student number: s2953692
r.a.j.bus@student.rug.nl
2
Abstract
When Enterprise Risk Management (ERM) is embedded within an organization, it is capable of becoming a driving force in creating value. Within the literature, integration of ERM within Performance Management Systems (PMS) is seen as promising. There is however a research gap in how this integration is created and a holistic approach considering both formal and informal PMS mechanisms is lacking. Moreover, the hospital setting stays relatively underexplored whilst the need to study this sector is vivid. Therefore, the goal of this research is to gain insight in how ERM mechanisms are integrated within the PMS in a hospital setting. An exploratory case study is performed in which the COSO ERM framework (2017) and the Ferreira and Otley PMS framework (2009) are used as a basis for describing ERM and PMS mechanisms. Data is gathered through 10 semi-structured interviews, collection of internal documents and observations. The results show that the integration of ERM occur, but that the integration is not very structured. This is in line with how the PMS is organized in the case setting. Informal dynamics and the PMS configuration are seemingly important on how ERM is integrated. In addition, the research shows how ERM has the capability to alter the PMS, such as directing the PMS configuration towards a more future orientation. The research insights contribute to the literature on how ERM could be integrated within PMS mechanisms and show some promising paths for future research.
Keywords: Enterprise Risk management; Performance management Systems; Informal dynamics;
3
Table of content
1. Introduction ... 5
2. Literature Review ... 8
2.1.1 Streams of research in Risk Management ... 8
2.1.2 The relevance of the COSO 2017 Framework ... 10
2.2 Management Control- and Performance Management Systems Framework ... 11
2.3.1 Finding Common Ground: integrating ERM Within Performance Management Systems ... 13
2.3.2 Vision and Mission ... 14
2.3.3 Key Success Factors ... 14
2.3.4 Strategies and Plans ... 15
2.3.5 Key Performance Measures ... 16
2.3.6 Target Setting ... 18
2.3.7 Performance Management System Use ... 18
2.3.8 Summary ... 20 3. Methodology ... 21 3.1 Research design ... 21 3.2 Case Context ... 21 3.3 Data Collection ... 22 3.4 Data Analysis ... 23 4. Findings... 24
4.2.1 Mission and Vision – Corporate level ... 24
4.2.2 Mission and Vision – Departmental level ... 25
4.3 Critical success Factors – Corporate level & Departmental level ... 26
4.4.1 Strategies and objective setting – Corporate ... 26
4.4.2 Strategies and objective setting – Departmental ... 27
4.5.1 Key performance indicators – corporate level ... 29
4.5.2 Key performance indicators – Departmental level ... 31
4.6.1 Target setting – Corporate level ... 33
4.6.2 Target setting – Departmental level ... 34
4.7.1 Performance Management System Use – Corporate level ... 34
4.7.2 Performance Management System Use – Departmental level ... 36
5. Discussion and conclusion ... 40
5.1 Discussion ... 40
4
5.3 Limitations and recommendations for future research ... 45
5. Reference list ... 46
6. Appendixes ... 52
Appendix 1a – COSO 2017 framework (COSO, 2017). ... 52
Appendix 1b – Simons’ Levers of Control 1995. ... 52
Appendix 1c – Otley’s performance management framework. ... 53
Appendix 2 – Holistic PMSs framework of Ferreira & Otley (Ferreira & Otley, 2009, p. 267). ... 54
Appendix 3: Interview protocol PMSs and ERM integration. Adapted from Ferreira & Otley (2009, p. 267 – 276). ... 55
5
1. Introduction
In the wake of multiple corporate scandals, different stakeholders now require more and more transparency, accountability, and manageability. As a reaction, more companies recently begun to introduce a separate Enterprise Risk Management function (Hereafter: ERM)( Meidell & Kaarbøe, 2017; Power, 2007; Woods, 2011). The most widely adopted ERM framework is that of COSO (Hayne and Free, 2014), which defines ERM as follows:
“Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives (COSO, 2004, p2.)” This definition implies that if ERM processes are embedded throughout the organization, ERM is capable of strengthening the possibility of achieving organization- or departmental objectives. However, by not having this embeddedness, adverse consequences might occur. ERM could become an activity that promotes ‘window dressing’. This implies that ERM is merely there to appease stakeholders and to meet regulatory requirements (Meidell & Kaarbøe, 2017). Consequently, integration of ERM within business processes becomes difficult (Arena, Arnaboldi & Azzone, 2010). Impoverished, decoupled ERM has even been identified as a possible trigger for the financial crisis (Power, 2009).
6
achievement, strategy setting, and monitoring capabilities (Arena and Arnaboldi, 2014; COSO, 2017). Moreover, ERM efforts become less compliance-oriented, more proactive, truly embedded, and performance-driven (Rana, Wickramasinghe and Bracci, 2019).
The process of integrating ERM within the control function is however not easily done. The integration of ERM is fueled or obstructed by existing control frameworks and perceived closeness of ERM actions to existing work routines (Arena et al.,2010). Recently, a study tried to find fundamental common ground for the COSO IC-IF (2013; 2017) framework in comparison to Simon’s (1995) Levers of Control (hereafter LOC). The study concluded that there is common ground, and ERM has more use than just a checklist exercise when integration is created (Balakrishnan et al., 2019). The research shows that by integrating ERM within the LOC framework, ERM mechanisms enhance the process of implementing appropriate business strategies. The paper of Balakrishnan et al. (2019) is however conceptual, whereas empirical research is needed to study how actors could create value through ERM (Rana et al., 2019). It provides a picture of commonalities and distinctions (Balakrishnan et al., 2019) but it gives no guidance on how ERM could be integrated within MCS or PMS. Moreover, I argue that the LOC framework is not sufficient for finding points of integration of ERM within the PMSs. The LOC framework neglects the organizational informal dynamics which is important within both ERM and PMS (Ferreira & Otley, 2009; Miller, Kurunmäki and O’Leary, 2008). This will be discussed more in-depth in the theory section.
7
I therefore study how ERM is embedded within a hospital and especially how aspects of ERM are integrated within the MCS/PMS systems. In the public sector, the information that flows out of the PMS is often used to give background information on the performance. The PMS provides an overview of how well a certain subject performed, but lacks financial consequences, transparency, and incentives to effectively and efficiently pursue goal attainment (Hood, 2007; Speklé and Verbeeten, 2014). This is also true for hospital settings, where the PMS is used for learning capabilities but with a lack of accountability and misuse of resources (Walshe and Smith, 2016; Silva and Ferreira, 2010). Following this reasoning, the PMSs struggle to induce efficiency-seeking behavior and strengthening a hospital’s resource allocation and deployment. I therefore argue that by integrating ERM within the PMS of a hospital, deficiencies such as misuse of resources could be prevented. By mapping out and prioritizing risks, the most critical activities and accompanying resource needs can be identified on an organizational-wide basis (COSO, 2017). By accompanying this ERM information within the PMS, resource needs, objective prioritization, and transparency might be enhanced. A risk-informed performance management system could then have increased strategic validity through alignment of risk with strategy and resource allocation capabilities (Balakrishnan et al., 2019; COSO, 2017). Thus, I find reasons to believe that ERM integration within PMS/MCS has positive effects on both ERM and PMS/MCS. Following the above discussion, the research question of this study is as follows:
“How can Enterprise Risk Management be integrated within Management Control Systems/Performance Management Systems in a hospital setting?”
8
2. Literature Review
In the literature review the relevant topics on risk management are discussed first. ERM is explicated as a distinct field of research compared to traditional- and strategic risk management (Ch.2.1). The core characteristics of ERM and its implications for organizational performance are explained. Second, the select PMS framework will be discussed based on the literature on MCSs and PMSs (Ch.2.2). Lastly, possible avenues for integrating ERM with MCS/ PMS are elaborated upon (Ch.2.3).
2.1.1 Streams of research in Risk Management
Risk management has been an evolving theme within the literature over the past decades. Risks represent the vulnerability to losses or gains and the probability of the occurrence of the specific instance (Jaafari, 2001). Within risk management, three streams of research have been identified: Traditional Risk Management, Strategic Risk Management, and ERM (hereafter: TRM and SRM). The first two streams are presented in table 1. The latter is explicated more in depth hereafter.
9
reporting objectives. One of the advantages of ERM is that it overcomes the issue of the ‘silo-based’ approach in TRM. The aforementioned TRM focuses on partial processes of an organization, and SRM focusses on supporting top- and business level strategy decisions (Lundqvist, 2015; Verbano and Venturini, 2011). On the contrary, ERM takes into account the firm as a whole, considering all hierarchal levels and looks at risks cross-functionally, creating a more holistic approach (Mikes, 2009; 2011).
Some research uses the term SRM and ERM interchangeable (e.g.: Lundqvist, 2015; Slagmulder and Devoldere, 2018). I contest this view. SRM creates strategic growth and is there to support financial, and operational goals (Verbano and Venturini, 2011). However, ERM can be seen as an even more overarching mechanism, considering strategic, operational, reporting, and compliance objectives (COSO, 2004). Moreover, SRM can be seen as a category or type of risk (Kaplan & Mikes, 2012). SRM thus differs from ERM, since ERM focuses on all aspects of firm management and exceeds the points of focus of SRM and takes into account all types of risks (Verbano and Venturi, 2011). Moreover, due to ERM its holistic approach instead of a ‘silo-based’ approach, the danger of over- or underestimating risks to the entity is minimized (Cohen, Krishnamoorthy and Wright, 2017). Especially within a hospital this holistic approach of ERM is of importance. In a hospital, risks can stem from interdependencies and failures between processes and departments (Da Silva Etges et al., 2018). Many healthcare organizations are fragmented in nature and have little integration of business processes (Porter and Lee, 2013). ERM could however serve to create and expose interlinkages through a shared risk agenda (Meidell and Kaarbøe, 2017). Thus, the collaboration of interlinked processes through the use of ERM could create and preserve value (Da Silva Etges et al., 2018). Therefore, I argue that ERM goes above and beyond using TRM and SRM in a hospital setting.
10
2.1.2 The relevance of the COSO 2017 Framework
In order to study the integration of ERM within PMS/MCS a framework to analyze ERM in practice must be used. The selected framework serves as a structure to find ERM mechanisms that are leveraged within PMS/MCS to obtain additional benefits such as a more strategic and risk driven control system (Balakrishnan et al., 2019; Slagmulder & Devoldere, 2018).
Balakrishnan et al. (2019) used the COSO 2004 framework in searching for commonalities with the MCSs. The 2004 framework however lacks the impact of risks on strategy formulation, and merely focuses on actions that impact the strategies that are already chosen (COSO, 2017; Slagmulder and Devoldere, 2018). Moreover, the 2004 framework received critique for lacking practical relevance due to complexity complaints and only having theoretical relevance (Beasley, Branson and Hanckcock, 2010). Hence, the COSO organization found reasons for updating the framework by linking it more directly to strategy formulation (COSO, 2017). ERM is now seen as assisting in the strategy selection process by assessing strategic alternatives. Consequently, the upside of risk is taken into account and ERM could attain value creation (Fox, 2018; COSO, 2017). Therefore, the updated framework is used to examine how ERM takes shape within the PMS/MCS.
11
2.2 Management Control- and Performance Management Systems
Framework
In this research, I will extend the search of Balakrishnan et al. (2019) to find avenues for possible integration of ERM within MCS and PMSs. In analyzing the commonalities of ERM and MCSs/PMSs, the study of Balakrishnan et al. (2019) used the Levers of Control (hereafter: LOC) created by Simons (1995) as depicted in appendix 1b. In order to study the integration of ERM within MCS/PMS I argue that using the LOC framework is not sufficient to cover the full spectrum of PMS/MCS. The LOC framework is built on the premise that Management Control Systems are ‘the formal, information-based routines and procedures managers use to maintain or alter patterns in organizational activities’ (Simons, 1995, p.5). This subsequently means that informal controls are omitted. This has important implications for the so-called socio-ideological controls or social controls (Collier, 2005). Social controls are espoused in group norms, socialization processes, and within-group culture. These processes are often informal in nature and are able to shift power and influence. Moreover, social controls are able to modify formal controls through individuals who are perceived as powerful and could consequently adapt standards and norms relating to the use of formal controls (Collier, 2005). However, these types of controls are only slightly addressed in the Levers of Control framework through the formal belief systems that guide core values which still omits informal processes (Simons, 1995).
12
of Ferreira and Otley (2009) is used. In their definition PMS1 are viewed ‘as the evolving formal and informal mechanisms, processes, systems, and networks used by organizations for conveying the key objectives and goals elicited by management, for assisting the strategic process and ongoing management through analysis, planning, measurement, control, rewarding, and broadly managing performance, and for supporting and facilitating organizational learning and change’ (p.264). They use PMSs as a more general term since it captures a holistic approach of managing and controlling for organizational performance (Ferreira & Otley, 2009).
Ferreira and Otley (2009) combine the LOC framework and Otley’s (1999) performance management framework, and take the best of both worlds. Otley’s (1999) framework (see appendix 1c) addresses five central issues which are useful for studying and developing MCS (Ferreira and Otley, 2009). By using these five key issues and the LOC framework, Ferreira & Otley (2009) pose ten what questions and two how questions. These questions aid in analyzing a PMS within its organizational context by being a descriptive tool. It overcomes the limitations of existing frameworks that are not comprehensive enough and it aids in obtaining a holistic overview of PMS by integrating both formal and informal mechanisms (Chenhall, 2003; Ferreira & Otley, 2009). The twelve questions and the holistic framework are found in appendix 2.
1
13
2.3.1 Finding Common Ground: integrating ERM Within Performance
Management Systems
14
2.3.2 Vision and Mission
Setting an organization its vision and mission are considered as the ‘raison d’etre’ of an organization (Ferreira and Otley, 2009). It is a prerequisite for control, in order to evaluate performance upon it (Otley and Berry, 1980). A mission is explicated as the ‘overriding purpose of the organization in line with the values or expectations of stakeholders’ whereas the vision articulates a ‘desired future state: the aspiration of the organization’ (Johnson et al., 2005, p. 13). Both mission and vision are seen as the embodiment of the values and purpose of a particular organization and could guide organizations in which activities and strategies to pursue and which to avoid (Collins and Porras, 1996).
I argue that the selection of mission and vision occurs in separation and prior to implementing ERM mechanisms, since mission and vision is seen as a prerequisite to the existence of an organization (Kopaneva and Sias, 2015). However, as argued in the COSO framework: ‘Enterprise Risk Management can be used by organizations of any size. If an organization has a mission, a strategy, and objectives—and the need to make decisions that fully consider risk—then Enterprise Risk Management can be applied’ (COSO, 2017, p.3). ERM can thus aid in whether a strategy is aligned with mission and vision statements (COSO, 2017). However, when the vision and mission are not clear, risk mechanisms cannot uncover whether the strategy is aligned and which risks are faced concerning the mission and vision. Following the above, PMSs must convey the vision and mission statements as clear as possible in order for ERM to achieve added value and assess risks and strategy alignment (Ferreira and Otley, 2009; Collins and Porras, 1996).
2.3.3 Key Success Factors
15
ERM mechanisms might have important implications for the identification and monitoring of KSFs. An example of a KSF is revenue growth in foreign markets. Ultimately this could satisfy a vision that stands for becoming global market leader. However, the critical point of KSFs is that it is not a preset goal or factor but something that is perceived as important by the managers concerned (Ferreira and Otley, 2009). Thus, managers could have also identified a KSF accompanying this vision statement differently. The importance of ERM in this process is that it could guide the process of selecting and monitoring KSFs. ERM could guide the management dialogue by adding perspectives of changing environmental conditions (COSO, 2017). So, following the example, by assessing risks concerning revenue growth in foreign markets, feasibility might be tested. Risks that concern the KSFs might be discussed. ERM can add to this discussion by facilitating information through for instance scenario analysis and improve explanations about future effects on the KSFs to make risk-informed decisions (Meidell and Kaarbøe, 2017). By integrating ERM in the PMS processes, predictability, and the selection of the KSFs is strengthened, adding to the control and reporting function of the PMS (Ferreira and Otley, 2009).
2.3.4 Strategies and Plans
Strategy and plans set the direction of the organization in order to achieve organizational objectives (Ferreira and Otley, 2009). Means towards ends are defined in terms of strategic planning that are important for successful proliferation of an organization (Ferreira and Otley, 2009). One important aspect of this planning is the translation of strategic to operational goals and subsequent setting of standards toward achieving the desired goals (Chenhall, 2003; Malmi and Brown, 2008).
ERM could have a noticeable role within strategic planning, communication and execution mechanisms. First, the described means-end relationship of strategy setting aims to identify which actions are necessary for the successful development of an organization in order to achieve organizational vision statements (Ferreira and Otley, 2009). By integrating ERM within PMS mechanisms the strategic fit can be assessed. When selecting or assessing a strategy, decisions and trade-offs must be made. These trade-offs cover risks and uncertainty surrounding a future outcome which can be identified and increase the possibility of strategic fit (COSO, 2017; Balakrishnan, 2019).
16
structures (Currie et al., 2014; Allard & Bleakly, 2016) which impedes the attainment of strategic and operational consensus between the corporate level and the clinical departments (Inamdar, Kaplan and Reynolds, 2002). As a consequence, top-down strategic plans could be hampered at the clinical level by their great autonomy derived from their professionalism (Chreim, Williams and Coller, 2012). However, top-down strategies are still needed in the inherent complex environments to maintain control over performance and preserve organization-wide strategic direction (Zuckerman, 2006; Weigand et al., 2014; Rakich, 2000).
This tension might be partially resolved by integrating ERM mechanisms within PMSs. By implementing ERM in strategy and objective setting, the business context can be analyzed, organizational risk appetite can be set and alternative strategies can be evaluated in order to formulate business objectives (COSO, 2017, p. 7). Especially risk appetite could be an important mechanism for integration with PMSs. Risk appetite is at the heart of risk management and determines how much risk an organization is willing to bear and prescribes triggers for risks (Power, 2009). Hence, risk appetite and strategy setting should work ‘in tandem’ and consequently help setting objectives and accompanying resource allocation throughout the organization (COSO, 2017, p. 5). This enables ERM to create a shared organizational syntax considering what is deemed as acceptable and what not to ultimately assess strategic fit on all organizational levels (Arena et al., 2017; COSO, 2017). I therefore, refute the argument that ERM is not integrated with strategic planning (e.g.: Beasley, Branson and Hancock, 2017).
2.3.5 Key Performance Measures
Key Performance Measures are metrics that are derived from the KSFs, strategies, and plans, in order to assess actual performance (Ferreira and Otley, 2009). Simons (1995) directly links it to the success of an organization and the interactive use of PMS. The latter conveys the direction of senior managers’ attention and the subsequent consequence on driving employee behavior. As Ittner and Larcker (2001) mention, “The choice of performance measures is a function of the organization’s competitive environment, strategy, and organizational design (p. 379)”.
17
Smith, 2016). This implies that the measures must be selected with great care. If performance measures are selected wrongly, it is hard to gain insight into causality between critical success factors, performance indicators, and actual actions that affect performance (Ittner, Larcker and Meyer, 2003).
18
2.3.6 Target Setting
Target setting covers the setting of performance targets and using these desired targets for evaluation of performance on the predefined performance measures. Target setting is critical to performance management and covers the tension between desired and feasible results of performance (Ferreira and Otley, 2009). The link with ERM and performance might help in target setting. An ex-ante risk inventory could give insight in possible future outcomes. The prediction of future events aid in setting action paths and anticipate possible future outcomes (Aureli and Salvatori, 2012). A performance target can be set towards a particular ‘risk threshold’. This means that to prevent a specific type of risk, a minimum level of performance should be attained to divert the impact of the risk (Woods, 2008). Consequently, future events are more predictable and ERM then helps in the setting of performance targets (Cohen et al., 2017; Aureli and Salvatori, 2012 ).
2.3.7 Performance Management System Use
Ferreira and Otley (2009) state that ‘the use made of information and controls is a cornerstone of the PMSs (p. 274).’ PMS use implies that although the mechanisms are formally set into policies, the effective use might diverge (Ferreira, 2002). Consequently, the type of use of control information can have a more significant impact on the functioning of the PMSs rather than the design of the system itself (Ferreira, 2002). In a hospital setting, the PMS use might be prone to several contingencies. A hospital setting often encounters multi-dimensional pressures, is driven by professional experience, and inhibits complex social structures (Currie et al., 2014; Allard & Bleakly, 2016). As a consequence, attaining strategic and operational consensus of the board of directors and lower levels of the hospitals seems hard and time consuming (Inamdar, Kaplan and Reynolds, 2002). Radical changes within healthcare are often opposed by professional groups, and managerial plans could be circumvented at the clinical level (Chreim, Williams and Coller,2012). Thus, PMS use instigated by top management with strict monitoring and oppression might induce resistance.
19
more adaptive to changing demands in their operating environment. Ideally, ERM aims to improve organizational ends through the creation of value and achieving targets with the inclusion of a wide range of activities (Arena et al., 2017). As a consequence, the performance of the organization as a whole is increased. This increase is because of a shared risk agenda, creating a holistic approach to interpret risks that endanger organizational goal attainment (COSO, 2017; Spekle and Verbeeten, 2014). Thus, when ERM is integrated, an ‘intelligence system’ is still capable of exploiting its learning capabilities but now embodies guidance and enhanced transparency leading to increased predictability and a shared syntax (COSO, 2017). Performance is then measured concerning a certain risk the company is facing as a whole and thereby increasing a fixed interpretation and ‘risk language’ across the organization (Meidell and Kaarbøe, 2017).
20
2.3.8 Summary
21
3. Methodology
3.1 Research design
The research question is aimed at understanding how ERM could be integrated within the PMSs in order to gain more insight into this issue (Rana et al., 2019). Following the logic in the theory section, both ERM and PMSs are dynamic and complex concepts that are hard to grasp in a few variables. Much of the risk- and performance management practices happen beyond the formalized structures and are by nature informally and implicitly espoused (Miller et al., 2008). Moreover, the theory on the integration of ERM and PMS is rather scarce and anecdotal. Contemporary studies lack empirical evidence and only discuss the importance of ERM integration with PMSs (Balakrishnan et al., 2019; Rana et al., 2019; Soin and Collier, 2013). And to the best of our knowledge, the how question of integration remains unanswered. Hence, exploratory qualitative case study research is conducted. Due to the complex and socially construed nature of ERM and PMSs, the fit between the research question and the research approach is justified (Eisenhardt and Graebner, 2007). Case study research is characterized by being a method ‘which focuses on understanding the dynamics present within single settings.’ (Eisenhardt, 1989, p.534). Thus, it allows us to study the phenomenon of ERM integration within PMSs in-depth within a specific context and consequently grasp the emergence of theory development (Eisenhardt, 1989). Its strength lies in the fact that there is the possibility to gather multiple and various sources of data. The multiple sources give us the opportunity for a close examination of the ERM and PMS mechanisms in action and how they interact (Yin, 2014).
3.2 Case Context
22
3.3 Data Collection
To improve the possibility to provide strong, reliable evidence and support the findings, data triangulation is performed (Eisenhardt, 1989). Multiple sources of data are used to enable a better understanding and theorization of how ERM mechanisms could integrate with PMSs (Eisenhardt, 1989; Yin, 2014). The primary sources of data are semi-structured interviews. The interviews will be conducted following the interview protocol in appendix 3. This interview protocol enables us to cover all relevant topics and to increase the reliability and comparability of the interviews (Yin, 2014). The framework of Ferreira & Otley (2009) and the COSO ERM principles (2017) are used as the basis of the interview protocol. The Ferreira & Otley framework is suitable as a descriptive tool and useful for an extensive MCS analysis (Ferreira & Otley, 2009), and will be used as the main guideline of the interview. The COSO framework is used to describe and analyze the ERM mechanisms and how they are integrated within the PMSs in the case setting. The interviews will be held with directors, business managers, controllers, and regular staff. This is necessary since ERM should be a mechanism that is supported throughout all layers of an organization (COSO, 2017). Moreover, it circumvents data bias, by having interviewees who view the focal phenomena from diverse perspectives (Eisenhardt and Graebner, 2007).
23
Note: due to confidentiality reasons the names of the interviewees are randomized throughout the results.
3.4 Data Analysis
In this study, a within-case analysis is used through the use of transcribed interviews (Eisenhardt, 1989). During the observations, notes will be taken. This is essential for knowledge abstraction when dealing with a lot of data (Gerscik, 1988; Pettigrew, 1988).
Data analysis will be performed through a deductive and inductive approach. To test whether prior theoretical assumptions are feasible, the deductive approach is used in analyzing the data (Fereday and Muir-Cochrane, 2006). This approach will help in mapping out the PMS at the case site, and in finding relevant avenues of ERM integration within PMSs which are identified in the literature section. The Ferreira and Otley (2009) components form the basis for the further analysis and description of the ERM and PMS mechanisms in situ. Data deduction is performed by grouping the data into categories of Ferreira & Otley’s (2009) six components of MCS and assessing this in comparison to the COSO (2017) framework.
24
4. Findings
The Findings section is presented in line with the structure of the literature section. First, some general findings will be presented to give a clear understanding of how the PMS takes shape in the case setting. Second, the relevant results concerning the different questions of Ferreira and Otley (2009) are discussed. The findings are structured around departmental and corporate outcomes in order to exhibit how corporate policy is translated into departmental policy. Within the case setting there is a tension found in how the PMS is organized. On a corporate level, processes, policy, and mechanisms are created which cascade down into the departments of the organization. In executing these procedures, the departments receive a lot of freedom. As a result, corporate policy and procedures not always flow logically into departmental PMS mechanisms. In order to exhibit this tension, the results are separated in a corporate management and departmental management paragraph of each Fereira and Otley (2009) framework question. Four of the respondents represent the corporate level and five of the respondents represented departmental level management. One interview covered a combination of corporate level staff member and a departmental level staff member.2
4.2.1 Mission and Vision – Corporate level
On the corporate level, a mission and vision statement is made with the purpose of cascading down into the organizational departments. Momentarily, a new vision and mission are under development. In setting the vision, the external environment is taken into account. However, whether risks affect mission and vision statements remains inconclusive. What comes to the fore is that risk management aims to support the mission and vision and the consecutive steps taken. Moreover, interviewee central management 1 stresses that risks are mostly taken into account in the consecutive steps after setting vision and mission statements:
Interviewee central management 1: “Yes but you frame it differently (Risks). That’s why I say indirectly. I think if you ask my colleague’s that they would say: no we have a SWOT and we think about developments. But you could say that return and risk are two sides of the same medal. (...) But where this takes place in mission and vision statements is a good question. Is that the end product or a refinement on lower levels? I think it is the second. Because the first is your positioning. But if you
truly want to direct you have to take the second step.”
2
Corporate level: board member, policy director, head of Business control and Head of group control, head of BI.
25
4.2.2 Mission and Vision – Departmental level
As a main translation in guiding the organization components, the mission and vision translates into the A3 annual plans that separate departments compose. However, they can be very different and might diverge from the corporate mission and vision statement. Some have smaller iterations whereas others have large iterations and set their mission and vision in isolation of the central mission and vision:
Interviewee decentralized management 1: “Well if you look at the UMCG statements, every department can identify with it. But it is not as concrete in every department. Within department X it
is. But department Y has its own mission and vision statement. So how are you going to bring that together. That’s difficult.”
In general, the mission and vision is seen as a construct which is relatively stable over time. In setting the mission and vision statement, the respondents do not think that ERM has had any impact. One of the department managers explicate that the mission and vision is set in collaboration with the department. Year on year the A3 plan is adapted. When asking one of the respondents if risks potentially impact vision and mission setting, the respondent mentions that risks are a separate subject and that risks are assessed after choosing a direction:
Interviewee decentralized management 2: “What we do now is... Year on year we make an annual A3 plan. That covers all kinds of goals. So that are no risks. The risks we cover in our T-reports. But they
will not be used anymore in the near future. But that is specifically aimed at risks. So then I assess subjects whether it will be fine or not. This is a risk. If we want to go here, than the barrier could be X
or Y.”
Moreover, the respondents confirm the relative stability of mission and vision statements. Mission and vision are chosen by the departmental management, and risks do not influence the setting of mission and vision but come in to focus when the mission and vision statements are set:
Interviewee decentralized management 1: “Well no. I think you have your mission and vision. So you choose a certain direction. And in these directions you have some risks. But it is not the other way around. If we have risks in a certain direction it does not say we cannot have a mission or vision in that direction. But you need to control these risks. Then the question is how. If the risks are to big you
26
4.3 Critical success Factors – Corporate level & Departmental level
Formally, the critical success factors are explicated in the A3 annual plan. These factors stress the corporate critical success factors. Aside from anecdotal evidence and the formal anchoring of critical success factors in the A3 annual plans, there is no linkage found between critical success factors and ERM in the case setting. There was confusion about critical success factors and KPIs, in which the interviews were often distracted towards a conversation about KPIs. This was true for both the departmental and corporate level interviews.
4.4.1 Strategies and objective setting – Corporate
The strategy and objective setting process starts out top-down. Each 5 years, a mission and vision with underlying strategies are set. Subsequently, annual A3 plans are composed by analyzing three separate documents: the validity of the previous A3 plan, a strategic KPI dashboard as input for the KPIs on of the A3 annual plan, and the strategic risk analysis. The strategic risk analysis is an inventory of all the strategic risks the hospital is facing. This comparative exercise aims to identify whether strategic risks are taken into account in the strategic plans as explicated in the A3 annual plan. If not, a new strategic goal is formulated:
Interviewee decentralized management 3: “So in principle the risk analysis has been scanned in a sense that we looked what was not present in the A3. So things should be added or in the analysis we
noticed that it is not a strategic risk at all. If you look at it from the total strategy that is not a huge issue at all.”
On a corporate level, the external environment and strengths and weaknesses are analyzed and taken into consideration. However, some coin that in the initial strategic planning process, risks are implicitly taken into account in directing strategic focus. For instance, the choice of complex care is linked to budgetary constraints and developments in the sector. When choosing between strategic plans, alternatives are not taken into account, but there is a discussion about priorities:
Interviewee central management 3: “Well you use your strategic risk analysis in the sense of where we are now. If you want to focus on in a specific market where you have defined a huge risk of a
shortage in human capital, then it would be stupid to choose that market. (..) there has been a discussion about priorities. That is also a form of choosing between alternatives.”
27
consequences. However, there is no clear formulation of risk appetite aiding in these decisions. Moreover, some of the respondents do mention that control efforts and a correct risk mitigation response is sometimes too late. Therefore, it is argued that the risk processes should receive more attention to become more specific and proactive:
Interviewee central management 4: “Yes but it could also have happened much earlier. Sometimes the process is a bit reactive. Whereas you rather want to be more proactive.”
In the future the hospital wants to make the strategic planning process more concrete by increasing predictability and strategy alignment of the departments. Consequently, budgeting and policy activities are combined. Within this revised planning process, risks inform corporate management decisions in budget allocation and policy dissemination as communicated towards the departments:
Interviewee central management 1: “So what we said is we want to make the spring meeting more concrete. And on that basis we could evaluate what would come out of it. Can we tell how it helps in
where we want to be in 2025? And then as board of directors could make choices in things we want to facilitate or not. Before the budgeting cycle we would already tell it to the departments in order to
circumvent surprises in the budgeting cycle. (…) Well look, I think that the risks are there to aid in deciding what our guidelines are.”
4.4.2 Strategies and objective setting – Departmental
Due to a high amount of freedom, the strategic planning processes of the departments vary. This degree of freedom stems from the fact that strategy is set from two different processes: the medical policy and the corporate A3 annual plan. The first is an internal process within a department that is guided by the medical professionals who enjoy freedom in the medical policy. This is incorporated within the departmental strategic A3 annual plan. The latter is perceived as being very multi-interpretable and hard to adopt due to complexity issues. One of the respondents mentioned that the specific department did not even have an A3 annual plan. A consequence of the strategic freedom and diverging strategy processes results in strategies that might diverge from the corporate strategies:
28
integrate that into the department of internal medicine for example. That (department) is quite a complex whole. (…) And then not every department has a very clear A3 annual plan. They all have
annual plans, but not all in accordance with this method.”
Whether risks are taken into account in strategic planning varies in the perception of the respondents. What stands out is that there is no formal procedure for incorporating risks. Similar to the corporate procedures there is no risk appetite defined on departmental level. When risks are taken into account it is mostly implicit, not mentioned as risks and is seen as a kill or go decision in a specific choosing of a strategic direction. Then, departments check whether the plan is feasible and if there is enough budget or resources. If not, the plan won’t be executed:
Interviewee decentralized management 4: “Well risks…. Then it is the feasibility of the plan succeeding. (…) so the risk of a project is if you do it, you must also succeed in it. But before you start
you need to take care whether you have the people. Otherwise you won’t start.”
In the strategy execution there is a more explicit role for risk management. First, the hospital organizes monitoring activities upon risks, and makes an inventory on which risks are faced in a department. Up until now, departments had to deliver the T-reports. These T-reports incorporated progression of strategies and plans are monitored through these reports and every department has to report on their top five risks that are a threat to the performance of the department. Risks concerning the A3 annual plans are then discussed and alleviated:
Interviewee decentralized management 2: “Well i am thinking if it is steering. You set a goal with each other. So once you set the goal with each other you also want to achieve it. And subsequently, there are risks or barriers that hinder you form attaining the goal. And you always want to alleviate
these risks. Or at least make them negotiable.”
However, despite mentioning these risks, some of the respondents recognize that the monitoring and inventorying of risks is too reflective and misses the point of being forward looking, especially concerning the old planning method through the T-reports:
Interviewee decentralized management 5: “You have a report for the first four months of the year up to April. You will discuss this at the end of May or early June. Then at the beginning of June you will
say what you saw as a risk in the first four months and what you could do about it. So it lags too much.”
29
4.5.1 Key performance indicators – corporate level
The UMCG uses multiple KPIs. The indicators cover for instance service quality, personnel issues and financial performance. The KPIs are assessed in the autumn and spring meetings. Recently, a strategic dashboard is created to gather information about strategic performance indicators and this dashboard is a replacement for the T-reports. This is explicated in the strategic dashboard. The KPIs are used to retrieve information from the departments on their performance and their implications for progression on multiple corporate strategic domains. Consequently, the results are discussed and strategic performance is assessed on a corporate level. Moreover, the frequency of evaluation is increased. The board of directors will evaluate the strategic KPIs on a monthly basis. The evaluation is used as an early warning system and to assess whether a department is performing as anticipated:
Interviewee central management 1 :“If you have good information provision it says whether you are on the right track. In the A3 model you don’t talk about the KPIs but about what you are doing. (…) The KPIs give confirmation about whether you are doing the right thing. And the second thing is: The KPIs will show you where you might encounter risks. Especially with what I call cross referencing. For
instance when you see absenteeism and staff turnover grow. That is a truism. When a certain department is worse off than others. Then something is wrong, for instance the management style.
So it is a trigger. An early warning system.”
In the case company, visible efforts are made to integrate risk informed thinking within the use of KPIs. Not only are KPIs used to discuss and monitor performance, but they can also reflect a certain risk. On a corporate level the surgery room scarcity is seen as an issue. The underlying risk is not filling agreements with insurance companies about turnover. Therefore, the KPI of surgery room capacity is closely monitored:
Interviewee central management 4: “Well, OR hours is one that is measured. OR hours is important because there is scarcity in capacity. That is a big issue, so we want to follow how it develops. The risk
in it is that we cannot retrieve our turnover as discussed with the insurers. So we look at the departments at what the turnover level is (…) you can very neatly follow what happens. And if there is
30
The KPIs are used to monitor risks on an aggregate level and whether these risks affect corporate goals. If there is a negative development in a strategic KPI, the organization can act upon these negative developments when signaled. In the new planning and control processes there will be a more constant monitoring of these risks. Ultimately, this monitoring leads to better organizational control:
Interviewee central management 5 : “Well that is under construction. But what we want to do is give everyone access to the dashboard where the KPIs are measured. The intention is to incorporate it in the PDCA cycle. So if there are any diversions or risks we discuss them together. Then, on a corporate
level we have an overview of which risks are present and how it could affect attaining our goals.” Risks also influence the selection of KPIs. The business intelligence center composed the strategic dashboard in collaboration with the different departments of the organization. One source of information that influences the content of the strategic dashboard is the strategic risk analysis. Eventually, new risks or developing risks might influence the future content of the strategic dashboard:
Interviewee central management 4: “Yes, that is what we intent. I think that at the moment we encounter new risks, we will change the strategic dashboard. It could very well be that we will control
on different indicators. We want it to be more interconnected. More dynamic.”
One respondent stressed that this process is still in its infancy but that risks will become more visible through the use of a strategic dashboard:
Interviewee central management 2: “Not yet. We are in early development. But it depends on whether you want to name it risks or if you say you control a certain indicator in which you also mitigate a risk. But the fact that you can control the development of your risks better is the whole
purpose of the dashboard. It is meant for directing your strategy.
31
4.5.2 Key performance indicators – Departmental level
Apart from reporting obligations on corporate KPIs, departmental KPIs are more diverse and dependent on characteristics of the department. For instance, a department that performs surgeries has different KPIs than a department that does not perform surgeries. The KPIs are used to report about performance. Up until now they were incorporated in the T-reports. The board of directors would evaluate the outcomes on the KPIs with the vocal department that were under scrutiny. Positive or negative results would be assessed and follow up actions are identified:
Interviewee decentralized management 4: “Yes but sometimes they select things. So where you diverge from the A3. Now we don’t have an issue with it but back then we had it. Then they ask: How
many (activity X) were reported? Compared to last year, is it an increase? Do you diverge from the national average? Do you diverge from the national average length of stay? What is the cause of
that? These kinds of things.”
The meetings are used to reflect on the outcome of a KPI, why the KPI is underperforming and what the underlying risks might be. Moreover, departments report on risks that flow from a specific score on a KPI. When performance is lagging behind, underlying risks are uncovered and follow up actions would be identified:
Interviewee decentralized management 6: “Until now we had evaluation in the T-reports. Then all these items would come to the fore (personnel, production and financial issues). Accompanied with
quality parameters. And in addition risk descriptions would be added.”
Also, a decrease or increase in a specific KPI could be a trigger for identifying a risk. In one of the critical processes of a department, there was scarcity in capacity. At the time of the interview, there was a latent risk of too little capacity of surgery rooms and personnel. An underlying risk is not serving enough patients, which leads to turnover loss. Moreover, surgeons could lose their qualification due to too little performed surgeries per year. Consequently, this could also affect other services and could mean that other services might also not be performed anymore due to a loss of license. In this example, the monitoring of the specific KPIs serves to control the risk and trigger a response:
Interviewee decentralized management 6: “What we specifically see in the production of service Y. We do not produce what we want, which leads to capacity risks. And that risk you see in your production figures. That has an explainable loop. So that’s how we use the data: can we do this? Or what can we influence? Or are we dependent on others? So you try to make connections. And that is
32
The other respondents confirm that KPIs could trigger an underlying risk. The outcome is a reflection of something going wrong and might be a dormant risk:
Interviewee decentralized management 4: “Well more in the sense that if you need to achieve a KPI but you don’t. Then what is the underlying reason? Then that are your risks of course. (…) Well the
biggest risk is financially. Do you manage to stay in the budget? Another risk is whether there is patient flow or not. (…) What is the absenteeism rate? That are KPIs in which you can see if your
personnel are satisfied. All these things are measurable numbers.”
Next to the formal methods of using KPIs and reflecting on risks, KPIs are used within a department in several ways. Most of the respondents mention the usage of KPIs in regular work meetings within a department to discuss and analyze (extraordinary) trends:
Interviewee decentralized management 1: “Formally it is translated into our sector report (Risks). Informally it is our bi-weekly meeting with the department manager. So it’s a bit. Well your risk-indicators are your KPI’s actually. You have a budget of 100 and you cannot exceed it. We report about that. But having to few personnel is a risk indicator. That’s your risk when you deliver care. That’s why you won’t achieve your turnover. (…) It (Risks) could have a relationship with one of your
KPIs.”
Nonetheless, the respondents mention that most of the initiatives on risks within its KPIs is rather implicit. The respondents do think it is hard to discover a pattern of risks across departments and it might be difficult to implement a policy that spans over all departments. Consequently, strict risk monitoring is seen as a challenge:
Interviewee decentralized management 6:”Well, signals from the dashboard. but… risks that are monitored… well it is not that structured at the moment. We supposed to mention risks in the T-reports. And what you see is that risks stay the same. Personnel or capacity. But I think it is a huge challenge: How will we conduct risk-oriented management? And how will I monitor it? But when you
look at capacity, that is a huge issue. You cannot fix that in one department. It is a collaboration between multiple disciplines and units. But how will you tackle such a risk? That is going to be a huge
challenge.”
33
Interviewee decentralized management 1:“We are working on a dashboard that will help in matters concerning the UMCG annual plan. To translate them to the departmental plans. Not every department has a very clear A3 annual plan. They do have one, but not conform the A3 method. And now we are in the process of translating that (corporate policy) into dashboards. To put your norms in
there and test on outcomes or process metric steering. That is taking shape now. (…)Because there is a consistent definition(of metrics in the dashboard) and a consistent calculation you could potentially steer on outcomes. For instance, if you measure in the same way, you can compare with each other.
Then you can add it up. In the past, this was not the case.”
4.6.1 Target setting – Corporate level
Within the UMCG there is no formal procedure for setting targets. Corporate targets are devised towards divisions by taking into account agreements with insurers. The hospital makes agreements with insurers about the amount of service delivery based on supply and demand. In general, risks are not seen as intervening in the target setting process. A role might be controlling the ambitions of a certain department its plans and check whether their targets are feasible. Nevertheless, the respondent also points to the fact that it is not set in a predefined process and the target setting process is not that structured. One of the respondents mentions that the potential value of risk management in target setting is up until now only hypothetical:
Interviewee central management 5: “Well, now it doesn’t. Well in principle it should influence ehh. It should influence your goals. So if you have a certain target it should be linked with each other. So if you say: as a department I want to grow in a certain care service with 10 million. That is my goal. But
I know that I do not have enough people. Well than it influences each other because it is not realizable. So in that sense the risks influence the goal. Well at least you need to make visible which
34
4.6.2 Target setting – Departmental level
On the departmental level the target setting occurs similar to the process on the corporate level. All the respondents mention that most targets are given from the corporate frameworks that are diffused throughout the organization. These are mostly KPIs that focus on the business operations. Risks do not inform the target setting process on the departmental level. It is seen as two separate worlds. The ambitions for a certain goal are set, and a department does everything in their power to achieve those goals. As a result, risks and ambition levels are in tension with each other. A risk can threat the achievement of a certain target. Despite this threat, the target stays the same:
Interviewee decentralized management 6: “Well that gives tension sometimes. For instance with the 1000 surgeries of service X while you know the organization can only handle 900 or 950. The ambition remains achieving 1000 surgeries. There will always be this type of tension. You could say: let’s just do
900. But that does not match with this department.”
4.7.1 Performance Management System Use – Corporate level
The planning and control cycle offers boundaries in which the departments need to operate. The type of control of the hospital is characterized by a large amount of freedom. Many control and performance management issues occur in conversations between the board of directors and departmental management. The input for the conversations is data gathered at the departmental level. This data is used to inform the board of directors. However, it is dependent on the person or the organizational department whether the outcome of the conversations has an effect on the performance level and whether follow-up actions are taken. The conversations are mostly used to discuss performance, aid in the adjustment of planning and control and retrieve background information of performance:
Interviewee central management 5: “Well, to have a feeling of departmental plans and the direction they wish to choose. Whether it is realizable. (…) So it is more like retrieving background information
35
The high amount of freedom in strategy formulation and strategy execution of departments origins from their power through professional know-how. Moreover, respondents say that the corporate policy is multi-interpretable. When arrangements are made on a corporate level, there is still room for departments to alter the plans and give alternative interpretations towards it. As a consequence, the hospital finds difficulty in dividing resources. Moreover, quality improvements are seen as cumbersome. Money is being spent, but it is not fully clear whether it is invested in the right manner. There is no money left to invest in additional projects:
Interviewee central management 5: “If you know better what goals we have such as we want to innovate. And we know how much money we have. Then it should be more in line. Eh .. but then you
touch upon our internal control issue. So in which things are we going to invest and in what not? At the moment that does not work very well. Ehh. I wouldn’t say we have not thought about it but. But
our financial resources are split and there is no money left.”
Therefore, corporate management wants to be in control more on specific corporate goals. The renewed planning and control cycle instigates initiatives that align corporate policy more with departmental policy. Departments still enjoy high degrees of power and freedom in their strategies and plans. However, the strategic dashboard (as a replacement of the t-reports) aims to direct departments to specific corporate strategic goals. These strategic themes must be incorporated into the departmental policy. As the respondents mention, this will potentially enable the organization to divide resources in a manner that supports the hospital in its goal attainment and giving focus in corporate strategy allocation. Within this process there is a role set for risk management mechanisms. The selected strategic fields are informed by risks that the organization is facing:
Interviewee central management 5: “So if you want to invest something, then this money needs to be extracted from another department. But that is not possible at the moment. So our internal control mechanism hinders us. When our goals are more specific, and you adjust your risks towards them and
you know where you want to put control efforts. Then you also know where to put your money. So that will have an effect.”
36
Interviewee central management 4: “Well, the goal is to steer more. (…) And what we want do no now is look whether there is a deviation in the information and then sharpen control measures. So we
want to sharpen the steering of a department. (…) so yes, we want to use it to adjust and intervene quicker. We typify it now as steering information.”
This new planning and control cycle can be characterized by a shift from informing top management towards a more directing role of the top management. PMS use shifts towards management by exception by means of the strategic dashboard. Extensive reporting is abandoned and the dashboard is more frequently and strictly monitored. Monitoring aims to inform the corporate management about the development of strategic execution. If performance is lagging behind, corporate management might take the opportunity to discuss this with the specific department and impose strict control requirements. The management by exception is aided by risk information, since this is one of the building blocks of the themes that are under management by exception principles:
Interviewee decentralized management 3: “Well if you look at the KPI. Once you see a risk in a KPI then you start to analyze or take action. That’s what we do: analyze by exception.”
4.7.2 Performance Management System Use – Departmental level
Within a department there is a dichotomy on how performance management information is used. Processes that concern patient safety are very well articulated. The information that supports patient safety is pervasively used to guarantee patient safety. The departments do not take any risk in patient safety. Therefore, a lot of monitoring, control and priority is given to issues and risks concerning patient safety:
Interviewee decentralized management 2:”The primary goal is to get patient safety in control. (…) But then again, patient safety is always first. I would rather have a loss of 200.000 euro’s then a patient
that dies because we did not have a nurse in on that specific moment.”
37
are useful for their department performance. As a consequence, they do report over these KPIs but do not use them to inform and steer departmental performance. All in all, there is much freedom in how PMSs are used within departments. Some even mention that departmental policy can diverge from corporate policy:
Interviewee decentralized management 5: “The mission and vision is eventually formed by the Board of Directors. And if these are not aligned or clash you need to do something about that (Departmental
and corporate mission and vision). But I don’t think that is happening.”
This departmental freedom also translates into how performance is assessed by corporate management. On the departmental level, some of the respondents experience difficulties in how ill performance is handled. When a certain department delivers bad work, the respondents feel that they are not judged by it and repercussions will not follow. One of the respondents mentioned that qualitative results or the personal title of the departmental head may be a more important factor that transcends other performance metrics. Consequently, repercussions of ill performance are omitted:
Interviewee decentralized management 5: “With a side note that some things are measured differently. No one likes to have bad financial numbers year on year. Neither does the person that has the bad financial numbers. However, if he publishes the journal nature or science, everyone is happy. I even reckon that when you have good financial figures but never have a high-profile success like A
Veni Vidi Vici grant or prizes like that…. If that is allocated to a person or department, that has heavier weight than having budgetary shortcomings. Because that is the luxury we have as a hospital.
It’s not like we run out of money so we need to fire people. There is still leeway for making these choices. (…) There is still (financial) space. That’s what makes we don’t experience repercussions. We
are not judged in a strict way on our financial results.”
Other respondents air their grievance about the fact that there is no repercussion and that there is no strict control on financial performance:
Interviewee decentralized management 1:”We give accountability. There is no culture of blame here. We do discuss things with each other but we do not judge. That’s the idea. In some cases we can be more strict. Because the notorious big spender always gets away with it. And departments that want
to do more stay nicely within budget. And then there are also departments that do not care because they get away with it every time. That can be organized more strictly.” (…) “It is more like diagnostic
38
On a departmental level there is the hope that risk management can become more integral and standardize performance through steering on specific issues and solve the performance evaluation issues as mentioned above. During a meeting on this theme there were many business controllers and departmental managers. The attendees expressed their support for the plans but were questioning how implementation should take place. One of boundary is that the diversity in the hospital is big, which makes it difficult to create one standardized process of risk management and risk informed steering:
Interviewee decentralized management 1:“Because the diversity is too big. You cannot make it one whole piece here. If person E will sit here, and does the Risk management for the whole UMCG, it
would look very different from the departmental level. So I think it will be difficult to make it a consistent and integral whole. But you can make a derivate. The departments know where their risks
are. And of course some of them are equal. They are in parallel. But the question is. On the departmental level it is more operationally focused. And here (central level) it is more strategic
minded. I think that is the big difference.”
Nonetheless, risks do influence the use of performance information in the hospital. Risk thinking is informally incorporated in how performance management is used. Moreover, centralized steering on strategy might be possible through the use of dashboards and management by exception on these dashboard outcomes. This is also supported by the management of the departments who hope that the dashboard helps in aligning strategy and the execution of strategy. Consequently, control over organizational strategy is facilitated. Whenever a department experiences a deviation, they can put in place more strict control. By using risk informed dashboard, the bureaucratic burden of the departments can be loosened and the control on strategic issues can be strengthened whenever it is needed.
Interviewee decentralized management 2: “For me it means: steer on risks. So less control. Less sharing of everything. In that sense I think: it should help me in being more efficient. Bring in scope risks. And partly we do that already automatically. Otherwise it is not doable from my position. It is too much. I hardly have support. And everything comes your way. I have 250 employees. So you cannot be everywhere. So I steer on risks. And from a central point of view, the UMCG level. I say it
like that since I feel I am a decentralized department. I participated in a project called ZIRE. You should look that up (reporting efficiency project). But in principle you are going to look. You are not
39
Some of the respondents believe that the developments concerning the planning and control cycle, risk informed thinking and the strategic dashboard will shift PMS use to a more centralized focus instead of decentralized. One of the business controllers mentioned that this will even potentially change the role of the business controller:
Interviewee decentralized management 6:“What is going to give tension is that we used to be working for the department only. So we stood up for our own department. But now we have to evaluate as well. Not only say everything is possible but also represent the corporate concern. We did
