Making Outdated ERM Processes More Adaptable

Outside of both my personal and business LinkedIn pages, I am not too keen on social media.

That’s changed somewhat in the last couple of years with Instagram. Besides it being a great tool for keeping in touch with gym friends and seeing what my son’s class is working on at school, my family and I enjoy watching the plethora of dog videos and skits people publish. There’s one channel in particular my husband and I like because of his light-hearted, humorous take on life in Florida.

Known as “omgitswicks”, Josh Robinson really makes my husband laugh with this signature line – “glad I caught it on my flip phone!”

It’s funny because, as we all know, the flip phone has been obsolete for at least 10 years. Could you imagine shooting a video, editing it, and uploading it to Instagram using a phone that you could barely send text messages on?

The point is this – the flip phones that were so common and state-of-the-art in the late 1990s/early 2000s are completely inadequate in today’s landscape.

Much the same could be said for ERM processes. What may have worked 15, 10, or even as recently as 5 years ago is likely obsolete today.

What’s different about this when compared to cell phones is that few organizations recognize how the business world has changed and how ERM needs to catch up.

This is something I encountered recently when speaking to a company about its top risk list.

Once a year, this company does their big risk assessment to update their top risk list. I know from other conversations that many companies have been taking this annual (…or even more infrequent) approach for years or even a decade or two.

Like our flip phones though, this approach is completely obsolete in today’s world of volatility, uncertainty, complexity, and ambiguity, or VUCA.

Top risk lists are a controversial subject in and of themselves. In the context of today’s article, the following comment from Grant Purdy captures this extremely cautious sentiment:

I do agree with you that such lists have limited, if not destructive value. They support the false paradigm of static ‘list management’ where an organization thinks it ‘knows its risks’ because it lists them once a year and sends that list to the Board.

As for the specific organization I was speaking with, changes in the regulatory and economic landscape, which are factors outside this company’s control, were compounding certain financial risks. The question among executives was whether this risk should be added to the list even though the annual assessment was still months away.

Many companies opt to just wait, leading many like Grant and others to take the cynical view that ERM should really be called enterprise ‘list’ management. Maybe, if they are daring, they add it to the “emerging” risk list for the sake of saying “we captured it”…but the risk leader typically recognizes that this is strictly a way to cover themselves if/when something blows up in the near future.

But how exactly can a rigid process for the top risk list be transformed into an agile one?

As an ERM practitioner, this can be a tough needle to thread.

If a particular risk process was developed by the risk leader years ago, and they are still with the company in a different role, you don’t want to exactly say that what they did was horrible.

Also, you don’t want to (and shouldn’t!) do things on a case-by-case basis. You want to have a process by which your company can add risks off-cycle, or what we can refer to as ‘risk injects.’ Inject essentially means “to introduce a new or different element into something,” which is perfect for this situation. You need the ability to introduce a new risk at any point in time during the year.

Making a Risk Inject Reality

The key to solving this dilemma is to set materiality thresholds for each assessment category (e.g., financial, legal, operational). If a particular risk exceeds one or more of these thresholds, it should be added off-cycle.

To determine these thresholds, look at your impact rating criteria, which usually consist of a 1-5 scale, for each of the assessment categories. The number of customers impacted, percentage of revenues, or profits – any metrics relevant to your company’s risk assessment categories should guide the selection. Also, think about your company’s risk appetite. The risk appetite should help you gauge what level within the impact rating criteria to choose when setting materiality.

Don’t forget – your company’s leadership should be the individuals to approve this change in process without applying it to a specific situation.

A particular risk would then be material enough to add to the top risk list off-cycle if it hits these specific thresholds you set.

Let me address this possibility before we move on. Many may state that arbitrarily assigning a 1, 3, or 5 is pointless and even dangerous, which is why criteria based on concrete numbers are so important. What makes something a 1, 3, or 5 in operations? A 1, 3, or 5 in financial? And so on. This debate goes back to having standard risk assessment criteria, as I discuss in detail in this article.

To address potential biases when it comes to this scoring, don’t share the materiality figures or thresholds with anyone outside of the leaders who approve the addition of this filter. This helps ensure you get a more objective assessment rather than someone’s gut feeling when the risk is discussed as an “emerging risk” or otherwise.

The type of risk is not important – what is important are the materiality thresholds.

The next time a new risk or situation is being discussed, quickly assess the risk using your standard impact criteria and apply it against the materiality threshold to determine how to proceed.

This is one way your company’s ERM process for creating and updating top risk list(s) moves from a strict rigid cycle to being more adaptable.

Like our flip phone example, nothing can stay static, and that includes ERM processes. To be an active servant of the organization, and not a ‘list’ manager, your program has to mature over time and become adaptable to the challenges of living and working in a VUCA world.

Establishing materiality thresholds to ensure any risks or issues that pop up mid-cycle can be added to your risk list and factored into any planning is just one way of doing this.

Is your company still using ERM processes that were suitable 10 years ago but are not reflective of the company today?

To share your thoughts and experiences, please feel free to leave a comment below or join the conversation on LinkedIn.

And if you’re stuck using rigid ERM processes and would like to make them more adaptable to better serve the company, reach out to me to discuss your current situation.


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!