Do you feel like starting a risk identification conversation is similar to opening a can of worms? Or opening Pandora’s box?
Do you cringe at the thought of trying to herd the cats (or senior leaders) during the upcoming risk assessment workshop?
I get it.
Why?
I’ve had these same feelings – dreading the unknown of the conversation that could lead to nowhere and everywhere at the same time. Having to spend half of the workshop constantly reminding people of the scope of the workshop, however it was defined. You as the facilitator leave mentally and physically exhausted, while participants are dizzy and mildly frustrated or lost when they leave.
This is what it feels like to lead a risk-centric risk identification or risk assessment workshop.
Not fun.
And ERM (done well) should be fun. (But maybe that is just me being a nerd. If so, oh well.)
So how can you avoid these icky feelings and instead feel confident as you walk into the conversation?
Risk is defined in ISO 31000 as the “effect of uncertainty on the achievement of objectives.” As we point out on a regular basis, ERM is not just about managing a list of risks to prevent failure but about ensuring success, or as Hans Læssøe says:
“It is NOT about managing risks, it IS about optimizing performance.”
For ERM to do this and avoid those icky feelings, the specific objective of the inquiry must be clearly established before identifying risks.
In risk management parlance, specifically the ISO 31000 standard, this is known as establishing the context, because as the standard explains:
“Risk management takes place in the context of the objectives and activities of the organization…The context of the risk management process should be established from the understanding of the external and internal environment in which the organization operates and should reflect the specific environment of the activity to which the risk management process is to be applied.” [emphasis added]
I have spoken about establishing the context, or setting the scope, in the past, but it’s always been more topic driven and broader picture.
You can identify risks all day long, but if you do not establish the context, or the objective you are identifying risks to, you will most certainly experience those dreaded feelings.
However, simply declaring something an objective isn’t good enough. And to be clear, I’m not saying the ‘objective of this workshop’ or a similar generic phrase.
What I mean by objective can be boiled down to one simple question – “what are we as an organization meant to do?”
When examined through this lens, there are essentially two types of objectives: strategic and business.
Strategic Objective
If your company is setting strategic goals, which it should hopefully be doing, there will be different levers that can be pulled for achieving them. These levels, or objectives, would be value creation objectives.
The goal can be anything – increasing market share, hitting a certain amount of revenue, or something else.
To achieve strategic goal(s) like this, your company will need to work on X – that X is your objective.
If the goal is to increase market share, an objective could be to broaden the expanse of customers using existing products. For another goal, like increasing revenue, objectives (or levers) could consist of diversifying the target market, geographic expansion, roll out new products, and more.
Please note this does not get down to the project or initiative level. The objective is simply the lever the company is going to pull to achieve the goal and not necessarily ‘the how’ that will apply at the project/initiative level.
Business Objective
Every function within the company should have an objective, but instead of it being connected with a strategic goal, objectives that fall into this bucket will link back to the company’s mission statement.
How do the activities of a particular business function support the company’s mission? These types of objectives are considered value preservation objectives.
Take HR for example…how does this function support the company’s mission? Ensuring the timely recruitment and retention of quality employees that enable Company A to do X.
Before discussing risks within a business function, the objectives have to be clearly understood by everyone. After all, employee retention may be a risk, but absent a clear understanding of objectives, what is it a risk to?
Understanding the Business Objective
One thing you don’t want to do as a risk practitioner is to use valuable time during a risk identification workshop to figure out what the objective is. This is where the commonly overlooked importance of relationships comes in.
Before any risk identification conversations or related activities take place, you as the ERM practitioner can reach out to executives and business leaders ahead of time and explain how objective(s) will be the foundation of the conversation.
While you can ask about strategic and business objectives directly in an open-ended way, that may be a little intimidating.
Instead, you can explain to the executive or business leader – “Here is my understanding of your function’s contribution to our mission. How does this sound to you? Am I on target?
Having this information on hand before the workshop helps ensure conversations during risk identification will be tied to a specific objective.
Also having this information and buy-in will be tremendously valuable for boosting ERM’s reputation among executives and the company at-large.
When you start having conversations around this or that risk, the first question that should come to mind is – ‘How will this risk keep us from achieving the ______ objective?’
Skipping preparatory steps like establishing the context is one of several commonly made mistakes in the risk identification process.
Taking the time beforehand to have all your ducks in a row will ensure you’re not playing whack-a-mole ERM style, but instead, are providing valuable insights to decision-makers.
Does your company identify risks to strategic or business objectives or does it just create a list of risks?
Please join the conversation on LinkedIn to share your thoughts.
If your company is struggling to make your identified risks meaningful to leaders, please contact us today to schedule a call to figure out how to move ERM from risk-centric to objective-centric and increase confidence in the achievement of your company’s objectives.
