Odds are you have more risks to manage this year, but not enough resources to do it sufficiently. In fact, here are a few startling statistics from NC State’s 2017 report, The State of Risk Oversight: An Overview of Enterprise Risk Management Processes:
- 70% of large organizations interviewed believe the volume and complexity of risks has increased substantially over the past five years
- Nearly 80% of large organizations interviewed reported experiencing “operational surprises” on the level of “somewhat” to “extensively” in the last five years.
- 44% of all responding organizations state “insufficient resources” is a barrier to strengthening their ERM processes. This is second only to the barrier of “competing priorities,” which came in at 45%.
In the report’s summary, the authors noted, “We observe that the largest organizations, public companies, and financial services firms are more advanced in their risk oversight processes than the full sample of organizations, but there remain noticeable gaps in a number of key risk management processes.” The authors then suggest that organizations “evaluate existing risk management processes.”
Maturity Assessments
You can hire a consultant to assess your ERM program’s maturity in relation to others in the same industry. These formal assessments can be very useful, especially if you’re trying to determine next steps.
However, the results of these assessments are focused on the maturity of the program, not on the risks that continue to grow in “volume and complexity.” This kind of assessment can also be quite costly and time-intensive, so if you’re struggling with “insufficient resources,” it’s probably out of reach for you.
So, what’s the answer?
Perform in-house maturity assessments on your risk categories—not for the fun of it, but to determine if you can reallocate existing resources. Imagine that: a maturity assessment that gives you information about your risk universe, that requires no outside consultant, and that can help you free up resources so you can continue developing your risk information.
What’s not to love?
Relative Maturity
Every industry has hot-button risks. For example, banks and lending institutions are constantly aware of their financial risks, while the auto manufacturing industry is more in tune with liability risks. Although executives may indicate these risks “keep them up at night,” their high risk level keeps them visible. That means they’re likely to be managed thoroughly, with appropriate KRIs, strong controls in place, in-depth reporting, etc.
But, as noted in the statistics above, every organization in every industry has a wide assortment of risks, many of which are under-managed due to a lack of resources. Your organization is probably one of them.
While you can’t hire a bunch of new ERM staff (if you could, you would have done so already), you might be able to reallocate your existing resources for maximum benefit.
Here are the 5 simple steps:
Step 1: Conduct your own maturity assessment on your risks
To perform a quick maturity assessment on your risks, evaluate each risk category using questions such as these:
- Have all the risks been identified? Have the known risks been assessed?
- Is there a high probability that the risks will occur?
- Have risk tolerances or thresholds been established on the category or risk level? Are the risks within the thresholds?
- Have the risks been prioritized? (Or is the organization unable to reduce the risk further through additional mitigations?)
- Are response plans in place? What level of activity has been done?
- Have KRIs been identified?
- What kind of monitoring is being done? Is it sufficient?
- Are there controls in place? Are they working?
- How many resources (number of people or hours) are being allocated on a regular basis? Is this level of attention still appropriate?
You may be able to answer these questions by simply reviewing existing processes and the risk dashboard. Or you may want to make this review more formal and precise by using multiple-choice questions with points correlating to each answer. You can also interview the risk owners to gain a wider perspective and to determine if they would object to having resources removed.
At the end of the assessment, you should know the maturity level of each risk category.
Steps 2-5: Reallocating Resources
Step 2: Identify the most mature risk category (e.g. Financial, Operational, Reputation, and Compliance) based on the results of the assessment, taking into consideration all the risks within each category.
Step 3: Pull some (but not all!) of your ERM resources from the most mature risk category and place them on the least mature category. Be sure to analyze and report your findings, so leadership is aware of your methodical approach to managing in-house ERM resources.
Step 4: Using your reallocated resources, perform the necessary risk processes on the least mature category to bring it “up to speed.”
Step 5: Repeat steps 1-4 regularly to ensure that you are putting resources where you need them.
Just be sure that you continue to monitor and control risks in each category, so you’re not caught off guard by a risk event.
Have you ever conducted a maturity assessment on your risk categories? How did you use the results?
We’re always interested in learning about how organizations are doing maturity assessments and focusing their risk management resources. Please don’t hesitate to leave any questions or comments below, or join the conversation on LinkedIn.
And if your organization needs additional guidance on evaluating existing risk management processes stand or how to best allocate their resources, please contact Carol today to discuss your individual needs.
About the author
Ashley Jones joined ERM Insights by Carol in June 2017. She graduated from Florida State University in 2003 with a B.A. in Risk Management and Insurance and obtained the Project Management Professional (PMP) designation in May 2012. Ashley has fourteen years of experience in the fields of insurance and risk management, most notably as a Senior Risk Analyst within the ERM department of a $7+ billion property and casualty insurance company. When she’s not working on project or risk management, Ashley is busy writing, blogging, teaching, and speaking on a wide variety of topics.