It’s that time of year…
Time of year for what you may be asking? Income tax filing? Spring Break?
No, the time of year I’m talking about is when all the top risk reports are released, around the New Year. These reports typically consist of a list of the top 10 risks facing businesses and the broader world in the year (or 10 years) ahead. Examples range from pandemic-related risks to climate change, cybersecurity and more.
Many people comment on these and place a high amount of significance on them, including thought leaders I quote often here on my blog.
Although a previous article discusses top risk reports as having some use, mostly in prompting further discussion, basing decisions on these reports can be more destructive to your company than doing nothing at all.
Besides, none of the reports agree on exactly what the top 10 risks are. Take a look at the following lists from NC State’s ERM Initiative and the World Economic Forum and you’ll see the variety of perspectives on this subject.
Again, these lists can be a good starting point for further discussion and research, but as I explained to someone recently, top risks are in the eye of the beholder. That is why, when I do discuss some of the risks mentioned in these reports, like cybersecurity, I only do so in the context of their impact on the business.
A report like the ones cited above may look easy, but identifying top risks for your company is a bit more complicated.
However, considering that many tend to place a lot of emphasis on lists like NC State’s or WEF’s, your Board or executives may want to know what the company’s top risks are. What determines top risks will vary from one organization to the next. Instead of forwarding some generic report that bears little to no relevance to the true situation, below are questions you can use for identifying top risks for your company.
1. What objectives does the risk impact?
To properly analyze and prioritize risks, each individual risk needs to be linked to a business or strategic objective. Doing so provides context to the risk(s) and a better understanding of where/how they impact the company. Simply having a list of risks with no connection to the company’s value drivers means it will be impossible to know the best, most impactful places to focus limited time and resources.
As Tim Leech, consultant and author who coined the phrase “objective-centric ERM” explains:
“…the evidence is clear – risk list ERM was/is a seriously dangerous wrong turn that won’t support what RM should do – help companies make better decisions on the way forward.”
For example, when we’re talking about strategic goals, top risks will consist of those things that could prevent you from reaching them. The same is true of business objectives – these are the biggest things that get in the way of the company fulfilling its day-to-day functions (i.e., customer service, product fulfillment, technology, back-office functions, etc.). Just be mindful that if the number of risks impacting business objectives is not limited (say to 5 for each area), you can start drifting into operational risk territory. You want to understand how pervasively these risks affect business objectives, which is what makes them “enterprise” risks.
2. Which of these risks are above the company’s tolerance?
Simply linking risks to objectives is a huge step for many, but when it comes to identifying top risks, it’s just the first step. From here, the next step is to understand the risks that are above the company’s tolerance. As we’ve discussed before, not every risk warrants regular attention. In fact, risks that are below the company’s tolerance level represent opportunities!
The point is this – if a risk is within the company’s tolerance, or within the limits it has set and is willing to take, it shouldn’t be considered a top risk…even if it is constantly talked about (cough – “data privacy” and “cyber risk”) by leadership.
Top risks are going to be those that exceed what management has deemed acceptable. When harnessed the right way, the company’s tolerance can be a helpful tool for how to best approach a certain objective or allocate resources.
3. What are the cumulative effects of risks linked to a particular objective?
An individual risk on its own may be well within the tolerance, but that doesn’t necessarily mean it can be eliminated as a top risk just yet. While this one risk may not be a big deal, there are likely several other risks linked to the same objective. When you start examining the interconnectedness of all of these risks, you should come to understand that there’s no one single risk that can take down a company.
However, one risk that may be minor on its own could trigger other major risks downstream, leading to a chain reaction that ends in disaster. These downstream effects often get overlooked, yet they are frequently the source of the fabled “black swan” events.
This interconnectedness is why linking risks to objectives is so important – if they’re considered in isolation, you won’t necessarily pick up that one minor risk could trigger disastrous consequences if left alone.
Another way to look at the cumulative effect of the risks is to ask, after you have assessed each of the linked risks, what is our current confidence level in being able to achieve this objective? If the confidence is too low (below an acceptable level set by the CEO or objective owner), then this needs to be escalated for resource allocation.
4. Which of these risks can we control? Which risks do we need to just monitor?
This may take you by surprise, but I personally don’t consider things that are outside the company’s control as top risks. If you can’t do anything about it, and all that can be done is to just monitor the situation, then is it really a top risk?
If a particular risk is outside the company’s tolerance and the company can take steps to reduce its impact, likelihood, or both, then it should be considered as a contender to be a top risk. Steps can include making changes in how the company approaches a certain objective, how resources are being allocated, and more.
However, if you have a large number of risks that meet both criteria (being outside the tolerance and actionable by the company), then management (not the ERM practitioner!) should determine which of these should get the most immediate attention.
Once mitigation steps have been taken and the risk is within tolerance, it should join the list of risks being monitored to make sure it remains within the established thresholds and limits.
Thinking about how risks like those listed above will impact strategic goals and what should be done to adjust is something CEOs do all the time. As ERM professionals, it’s our job to take things the final mile by connecting risks to objectives so executives have actionable information for making the best decisions possible. And by the way, you should be working closely with your strategy peers to make this happen in a fluid and repeatable process.
Therefore, while it is okay to review lists like ones from NC State or the WEF, they should not be used to drive decisions about your company’s specific top risks.
How much does your company rely on top risk reports to inform decisions about strategic goals, resource allocation, risk mitigation, or even risk taking?
Please feel free to share your thoughts – you can either leave a comment below or join the conversation on LinkedIn.
And if you’re struggling to understand your company’s top risks and feel that you get stuck on these lists, reach out today to discuss your specific situation and potential options for identifying top risks for your organization.