7 Commonly Made Mistakes in the Risk Identification Process

The risk identification process, and ERM in general, naturally involves a bit of trial and error. What works for one organization may not work for another, which is why any “best practices” advice you run into should be viewed at a very high level only.

When working through how you will identify and assess risks, you will need to consider many factors specific to your organization – company culture, the number of respondents you will have, and the scope of the inquiry are a few common ones. As you move through the process, you should discover any shortcomings and easily adjust.

While any experienced ERM professional will recognize the need to make adjustments in the risk identification process, there are a few mistakes that are totally avoidable. Falling into one of the following 7 traps could lead to a loss of executive support and the ERM initiative being seen as more of a nuisance than a value-enhancing endeavor.

  1. Being reactive to an issue rather than proactive

We’ve all probably made this mistake at some point in our lives – waiting until something is actually an issue before taking steps to address it. When identifying risks, many companies will overlook a particular area because it does not appear to be a concern right now. Making this mistake can totally negate the point of having an ERM program in the first place.

  2. Not using a methodical approach to identifying risks

Taking a haphazard approach to risk identification is fraught with all sorts of negative consequences. Simply pulling risks out of thin air and jotting them down can lead to critical risks being missed and a general loss of credibility for your program among senior executives. Therefore, it’s important that you take time to develop a methodical risk identification process that considers the participants, the scope of the inquiry and more.

  3. Not viewing risks within the larger context of the organization

A big part of what sets ERM apart from traditional risk management is the fact that it considers risks across the entire organization and not within a particular business unit. ERM considers not only risks at the business unit level, but also how they affect other units and even the company’s business strategy. This is a key reason why risk identification and ERM should involve cross-functional leaders from different areas within the company.

  4. Identifying a risk without understanding scope

When interviewing business unit managers, holding workshops, or gathering surveys, it’s common for managers to emphasize a particular risk in their area. It may very well be a significant risk – in their respective department. However, when you consider the risk at the enterprise-level or combine it with other risks, it may end up being rather minor. Not considering whether a risk is important to the organization as a whole and its objectives can cause you to waste valuable time and resources on risks that are ultimately insignificant.

  5. Not tailoring the risk identification process to your organization or the participants

This particular mistake warrants its own section since so many organizations will use the same approach for everyone within the company. Falling into this trap can lead to resistance, confusion, and ultimately a failed risk identification exercise. For example, busy executives don’t want to use a detail-oriented approach focusing on a minor process. On the flip side, you don’t want to use an interview if you’re soliciting input from a larger pool of people.

  6. Relying on a single risk identification method

Using only one risk identification method can have all kinds of negative consequences for your initiative. The method you use with middle managers and front-line staff will not work so well with executives. Furthermore, using a mix of methods ensures you produce a more comprehensive list of risks. For example, a participant may be more comfortable disclosing something on a private survey rather than mentioning it in a workshop or brainstorming session. The ultimate goal of the risk identification process is to understand all possible scenarios that can affect the company.

  7. Thinking risk identification is a one-and-done activity

Too often, organizations will look at a risk only once and then drop it. Larger organizations may conduct a formal review annually or twice a year, but it’s important to remember that risks are always changing so you should always be looking. Building a culture where everyone in the organization is thinking about risks on a day-to-day basis is a key component of a successful, value-enhancing ERM program.

Keeping these mistakes in mind when working through the risk identification process will go a long way toward ensuring a successful outcome. This information – and lots more! – is covered in my free eBook: 5 Effective Methods to Identify Risks in Your Organization.

What mistakes or pitfalls have you encountered while identifying risks? How did you adjust and move on?

Feel free to leave a comment below or join the conversation on LinkedIn to share your thoughts.

To learn more about the five best risk identification methods you can use, download 5 Effective Methods to Identify Risks in Your Organization, plus our bonus 1-page chart you can keep with you or pin on the corkboard for quick reference.

Featured image courtesy of “Dashu83” via Freepik.com

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
