Odds are you have more risks to manage this year, but not enough resources to manage them adequately. In fact, here are a few startling statistics from NC State’s 2017 report, The State of Risk Oversight: An Overview of Enterprise Risk Management Processes:
- 70% of large organizations interviewed believe the volume and complexity of risks have increased substantially over the past five years.
- Nearly 80% of large organizations interviewed reported experiencing “operational surprises” on the level of “somewhat” to “extensively” in the last five years.
- 44% of all responding organizations state “insufficient resources” is a barrier to strengthening their ERM processes. This is second only to the barrier of “competing priorities,” which came in at 45%.
In the report’s summary, the authors noted, “We observe that the largest organizations, public companies, and financial services firms are more advanced in their risk oversight processes than the full sample of organizations, but there remain noticeable gaps in a number of key risk management processes.” The authors then suggest that organizations “evaluate existing risk management processes.”
You can hire a consultant to assess your ERM program’s maturity in relation to others in the same industry. These formal assessments can be very useful, especially if you’re trying to determine next steps.
However, the results of these assessments are focused on the maturity of the program, not on the risks that continue to grow in “volume and complexity.” This kind of assessment can also be quite costly and time-intensive, so if you’re struggling with “insufficient resources,” it’s probably out of reach for you.
So, what’s the answer?
Perform in-house maturity assessments on your risk categories—not for the fun of it, but to determine if you can reallocate existing resources. Imagine that: a maturity assessment that gives you information about your risk universe, that requires no outside consultant, and that can help you free up resources so you can continue developing your risk information.
What’s not to love?
Every industry has hot-button risks. For example, banks and lending institutions are constantly aware of their financial risks, while the auto manufacturing industry is more in tune with liability risks. Although executives may indicate these risks “keep them up at night,” their high risk level keeps them visible. That means they’re likely to be managed thoroughly, with appropriate KRIs, strong controls in place, in-depth reporting, etc.
But, as noted in the statistics above, every organization in every industry has a wide assortment of risks, many of which are under-managed due to a lack of resources. Your organization is probably one of them.
While you can’t hire a bunch of new ERM staff (if you could, you would have done so already), you might be able to reallocate your existing resources for maximum benefit.
Here are the 5 simple steps:
Step 1: Conduct your own maturity assessment on your risks
To perform a quick maturity assessment on your risks, evaluate each risk category using questions such as these:
- Have all the risks been identified? Have the known risks been assessed?
- Is there a high probability that the risks will occur?
- Have risk tolerances or thresholds been established on the category or risk level? Are the risks within the thresholds?
- Have the risks been prioritized? (Or is the organization unable to reduce the risk further through additional mitigations?)
- Are response plans in place? What level of activity has been done?
- Have KRIs been identified?
- What kind of monitoring is being done? Is it sufficient?
- Are there controls in place? Are they working?
- How many resources (number of people or hours) are being allocated on a regular basis? Is this level of attention still appropriate?
You may be able to answer these questions by simply reviewing existing processes and the risk dashboard. Or you may want to make this review more formal and precise by using multiple-choice questions with points correlating to each answer. You can also interview the risk owners to gain a wider perspective and to determine if they would object to having resources removed.
At the end of the assessment, you should know the maturity level of each risk category.
Steps 2-5: Reallocating Resources
Step 2: Identify the most mature risk category (e.g. Financial, Operational, Reputation, and Compliance) based on the results of the assessment, taking into consideration all the risks within each category.
Step 3: Pull some (but not all!) of your ERM resources from the most mature risk category and place them on the least mature category. Be sure to analyze and report your findings, so leadership is aware of your methodical approach to managing in-house ERM resources.
Step 4: Using your reallocated resources, perform the necessary risk processes on the least mature category to bring it “up to speed.”
Step 5: Repeat steps 1-4 regularly to ensure that you are putting resources where you need them.
Just be sure that you continue to monitor and control risks in each category, so you’re not caught off guard by a risk event.
Have you ever conducted a maturity assessment on your risk categories? How did you use the results?
We’re always interested in learning about how organizations are doing maturity assessments and focusing their risk management resources. Please don’t hesitate to leave any questions or comments below, or join the conversation on LinkedIn.
And if your organization needs additional guidance on evaluating where its existing risk management processes stand or how best to allocate its resources, please contact Carol today to discuss your individual needs.
About the author
Ashley Jones joined ERM Insights by Carol in June 2017. She graduated from Florida State University in 2003 with a B.A. in Risk Management and Insurance and obtained the Project Management Professional (PMP) designation in May 2012. Ashley has fourteen years of experience in the fields of insurance and risk management, most notably as a Senior Risk Analyst within the ERM department of a $7+ billion property and casualty insurance company. When she’s not working on project or risk management, Ashley is busy writing, blogging, teaching, and speaking on a wide variety of topics.