Objective-Centric Risk Monitoring: Providing Actionable Information

INTRODUCTION

MONITORING AREA #1: RISK RESPONSES

MONITORING AREA #2: RISK & OBJECTIVES BASED ON PRE-EXISTING METRICS 

MONITORING AREA #3: CHANGES IN BUSINESS CONTEXT – coming soon


Introduction

If you’re a parent, then you instinctively know the importance of monitoring.

The explosive growth of smartphones, social media, and video games over the last 15-20 years means the need to monitor what our kids are exposed to is much more vital than in the past.

Falling down on this important job can have cascading effects that will negatively impact their lives for years, even a lifetime.

Although there is one key difference we’ll discuss in a bit, risk monitoring is much the same.

Much time is taken to set goals, identify risks, and determine the ones the business should focus on. Monitoring is one of those ‘back-end’ activities that, in spite of its importance, is often neglected, or as internationally acclaimed author and GRC expert Michael Rasmussen explains:

Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility.

I used that quote, written by Rasmussen in 2019, when I originally wrote about risk monitoring, but it’s included now because it’s even more relevant today.

In the original risk monitoring article (see below), I took a very risk-centric approach, meaning ERM’s sole purpose was to help the organization avert failure. Case in point, risk monitoring was originally defined as:

“Activities focused on understanding changes to the environment and specific risks to the organization.”

That certainly frames it as a necessary task for addressing threats to the organization.

But as some would say colloquially, that’s so 2010s!!

Instead, as Tim Leech, I, and others repeatedly say, the purpose of enterprise risk management should center on achieving objectives and not on preventing failure.

ISO 31000 even reminds us… “risk is the effect of uncertainty on objectives.” (emphasis added)

What does this mean to ERM practitioners? Our practices should be focused on enabling risk-informed decision-making.

We should be trying to see into the future, not focusing on the past unless we are trying to learn from it. Remember the saying, “past is prologue”?

ERM should not be about documentation but actively helping leaders navigate the uncertainty that surrounds us every day.

That being the case, the definition of risk monitoring should be tweaked slightly to read:

“Activities focused on understanding changes to the environment and specific risks to the company’s objectives.”

Executives across industries have a common complaint that risk-list ERM, being focused on averting failure, doesn’t provide any helpful insights for decision-making. I previously wrote about this backwards-facing mindset, and Imran Zia expanded upon it in a recent LinkedIn post:

Many risk and GRC functions still treat risk as a backward-looking exercise focused on yesterday’s incidents, last quarter’s issues, or historical data. It’s like trying to drive a car by staring in the rear-view mirror.

The objective-centric approach to monitoring is most certainly not backward looking and breaks risk information down so it makes sense from a business perspective. This enables decision-makers to act promptly if and when the risk or context goes beyond acceptable levels.

At its core, monitoring is, in a loosely medical sense, trying to understand three things:

  1. The health of the objective,
  2. The health of the risk, and
  3. The health of action plans (projects) and related mitigations/controls.

But keep in mind – what you’re monitoring is different from what you’re looking for.

For example, let’s say you’re going to monitor the state of employee engagement.

In this case, you’ll be looking at absenteeism, voluntary turnover, the number of people on performance improvement plans, and other indicators for clues about what you’re monitoring, which in this case is employee engagement.

Three different triggers that will prompt this monitoring include:

  1. Risk response, specifically status of action plans and effectiveness of controls and mitigations.
  2. Risks & objectives based on pre-determined business metrics.
  3. Changes in business context, or the internal and external environment.

The rest of this article dives into these different triggers.

Monitoring Area #1: Risk Responses

Monitoring Area #2: Risk & Objectives (based on pre-established metrics) – coming soon

Monitoring Area #3: Changes in Business Context (internal and external environment) – coming soon


Meet Carol Williams, SDS Founder & Lead Strategist
