When I was first learning about ERM some years ago, it seemed that following the best practices set forth in standards like ISO 31000 or COSO was sufficient.
However, as my career has progressed, so too has the scope of ERM. No longer is it just about avoiding loss and reassuring regulators, but as Norman Marks clearly states in his book Risk Management in Plain English: A Guide for Executives:
Risk management is not about avoiding harms. It is about increasing the likelihood of success. It is about understanding what might happen and acting to increase the extent and likelihood of success.
As time went on, it became clear to me that “risk management” best practices were doing more harm than good toward this end. It also became clear that if ERM was going to move beyond a mundane regulatory exercise and deliver real value to the organization, practitioners were going to have to start thinking outside the box lest they be rendered obsolete through automation, AI, and other emerging technologies.
Rather than strictly relying on resources with the risk management or ERM label, practitioners will need to see how concepts from seemingly unrelated places can be re-purposed or “re-tooled.” (This is something I’m always on the lookout for as a risk and strategy consultant.)
One area where many organizations struggle is how to best assign a risk owner…and understand how a risk owner differs from a mitigation owner or an action plan owner.
Like so many things related to ERM, business, and even life, it may sound like a simple thing to do, but it’s not easy.
You wouldn’t think finding the right person to handle this important task would be challenging, but it can be. For example, it may make sense to assign ownership to the department that identified the risk, but that isn’t always the best idea. The department that spotted the risk may have done so because they can see what’s going on throughout the organization, but that doesn’t mean that they should own the risk.
So what can be done to address this dilemma about risk ownership?
While not explicitly a resource for risk management, Pip Decks is a product that can be a valuable tool. (NOTE: I am only a user of this product and am in no way being offered any compensation for recommending it.)
These “business recipe cards” invented by Chris Burdett are like traditional recipe cards your grandmother would have used for apple pie, meatloaf, and other dishes but are for business processes instead.
Have a big presentation coming up? There’s a Pip Deck for that!!
Running a workshop? Find the relevant card to organize and execute a successful meeting.
Which brings me to the “Sphere of Influence” (or “Circle of Influence”) Pip Deck card that you can “re-tool” to drive your company’s risk ownership processes. This specific card was designed to help “focus your energy and attention where it counts.”
I think everyone will agree – time is finite, and it’s impossible to focus on everything. Anyone who attempts to do so will easily become burned out.
This is where the “Sphere of Influence” deck comes in. As you can see, this particular recipe consists of three concentric circles – Control, Influence, and Concern.
Continue reading for a quick breakdown of each of these…
Control – in the context of risk ownership, the control circle consists of worries or “risks” that can be directly controlled and/or addressed. What this means is the department or individual has direct control over the budget and/or people involved in any mitigation activities. It’s the most logical step to assign full risk ownership in this situation.
Influence – this particular circle consists of risks or worries that a department or individual can do something about either directly or indirectly. They won’t have “control” of the budget or people, so they can’t “own” the risk outright, but they will have the expertise to take the action(s) needed to address the risk. Since they can influence how the risk is handled, they can be noted as an impacted stakeholder and potentially be a mitigation owner, without being responsible for all aspects of risk ownership. Owning a mitigation and owning the full risk are two different things.
Concern – the outermost circle in the Sphere of Influence pictured above is where those risks you absolutely can’t do anything about (yet) should go. An owner will not be assigned per se to these items. Risks falling into this category should really be considered the organization’s emerging risks and therefore be placed into a monitoring status.
The Sphere of Influence method or technique seems quite straightforward and can be applied in other areas like project management, or even mitigation exercises.
The important thing to remember is to try it out on one supportive department before rolling it out company-wide. It’s likely your company-specific process using this technique will have to undergo a few iterations, whether in how it is described to the participants, how you have differentiated between risk owner and mitigation owner, etc.
Processes like assigning a risk owner can seem intimidating at first, especially if your only point of reference is the well-known risk management standards. However, being creative and branching out to different tools that aren’t labeled for such purposes can help ERM bridge the gap and deliver the value company leaders need and expect.
What other non-risk tools or processes have you modified for your company’s ERM needs?
I’m always interested in learning about creative solutions others have used to help improve their company’s ERM practices. To share your experience, please leave a comment below or join the conversation on LinkedIn.
Also, if you’re struggling with risk ownership or some other aspect of ERM, and it seems like nothing you try ever works out, reach out to me to discuss your specific situation and potential solutions.