Michael Rasmussen, an internationally recognized author and expert on governance, risk management, and compliance, explains:
Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility.
It is not surprising then to see how risk monitoring is considered a “big win” by many…
This article dives into this challenging topic and explain its importance and high-level considerations for ensuring risk monitoring is done in a way that helps the organization manage risks efficiently to meet or exceed its goals.
Risk Monitoring Defined
Despite the impression many organizations may have, the ERM process is one without a true end point.
This process consists of actions that have to occur in a certain sequence in order for ERM to be a helpful tool in achieving the organization’s strategy and goals.
Once risks are identified, assessed, and a response is decided upon, the organization will then need to monitor risk(s) to see what has changed and how it impacts the organization.
Finding a definition for risk monitoring proved to be a challenge, but at its core, risk monitoring can be defined as:
“activities focused on understanding changes to the environment and specific risks to the organization.”
The “environment” is anything the risk is linked to. Internally, the environment can include objectives, practices, and processes. External environment examples include (but are definitely not limited to) regulations, competition, economic factors, geopolitical concerns, and vendors.
Monitoring a risk and relevant issues surrounding it focuses on looking for three things:
- How the risk is changing;
- The effect those change(s) will have on objectives or other factors of the internal or external operating environment; and
- Whether the organization took enough risk to achieve its objectives.
Why is risk monitoring so important?
To say that risk monitoring is important would be an understatement.
Without following through on the risks that were identified, assessed, and mitigated, it is all just a one-time exercise.
Despite the importance of this part of the risk management process, it is not clearly understood and a struggle for many companies.
In a recent report from the Center for Excellence in ERM at St. John’s University, organizations consider monitoring to be in the top five areas that need improvement. Results from the 2019 State of Risk Oversight report from NC State show that just over 40% of organizations were either “not at all” or “minimally” satisfied with their measures to monitor top risks.
To be clear, unlike other resources on this topic you may encounter, this article will focus on monitoring the risks themselves and not the ERM process.
The following quote from Norman Marks’ World-Class Risk Management provides a great explanation on the importance of risk monitoring:
Risks need to be monitored so that management can act promptly if and when the nature, potential impact, or likelihood of the risk goes outside acceptable levels.
That quote alone should provide enough explanation, but to expand on Norman’s point a little, monitoring is important because risks and other factors, both internally and externally, are constantly changing.
And it’s not just change in the risk itself (i.e. severity, velocity, etc.) that has to be considered…
The risk source and effects on the organization can change as well. Also, what your organization considers an acceptable or desired level of risk can change. After all, your financial situation changes, your reputation, your management team, etc. They all change.
Once you understand changes in the risk, risk source, and impacts on the organization, it is possible that adjustments will need to be made to the strategy, assessment of the risk itself, risk response, and more.
It is also possible that during the risk monitoring process, you can find “pleasant surprises.”
Perhaps the risk isn’t as big of a deal as once thought. Maybe too much is being done and you can (and should) allocate resources elsewhere. Adjustments can be made to mitigation and other activities to ensure the risk is in line with your organization’s desired tolerance level.
Without doing this sort of follow through, all of the effort to identify threats and opportunities to strategic objectives will be wasted. The odds of a strategy or project failing will be much greater. As explained by Hans Læssøe in his book Prepare to Dare:
History shows plenty of examples of fantastic decisions, which were poorly executed and not followed through [emphasis added] from management, and hence failed rather than succeeded.
Why risk monitoring must be approached with care
Hopefully you now understand the importance of risk monitoring and how it is a make or break point in the ERM process…the next significant point to understand is the importance of not taking a haphazard approach.
Simply saying that you will be “listening to the grapevine and act[ing] accordingly” isn’t going to be sufficient. You need to have a process for ensuring the insights are provided in an effective manner.
A haphazard risk monitoring process can quickly become futile and overwhelming.
Consider this – you go to the gym to try and get in shape and start using random machines without even learning if you are doing the exercise properly. Despite the fact that you go 3 times a week, you never notice any results. However, by having goals and a plan for how you’re going to reach them, you will certainly see the fruits of your labor in a reasonable amount of time.
Unfortunately, neither COSO nor ISO provide much guidance in their risk management standards on effective risk monitoring.
The first vital step to effective risk monitoring is laying a solid foundation.
You can’t monitor something you don’t know exists, which is why you must first identify the risk(s). Next, you’re not going to know what to monitor if you don’t assess the risk.
Also, developing a tolerance, at least informally, is important for knowing when a risk is at an acceptable level for the organization.
As you will see in the following sections, other points about prioritizing which risks to monitor, sources of information, who will be responsible for monitoring and reporting all have to be considered with care.
Will all risks require the same level of monitoring?
Suffice it say that if your organization tried to monitor all risks the same, it will quickly become overwhelming and a huge waste or resources. It will not provide executives with useful information for making decisions on what to do next.
Not all risks are created equally, so not all have to be monitored.
You have to prioritize, especially if your team is small, but how?
First, if it is reasonably possible the change with the risk or risk source will require action, the risk should be monitored.
However, monitoring doesn’t have to be done equally across all risks that fall into this category.
How much monitoring a risk requires will depend on a host of factors, including the likelihood of change, the speed at which the risk will change, and the level at which the risk will go outside acceptable limits.
The sliding scale below should help you understand which risks need less monitoring and which ones need more.
If the likelihood of the risk changing or the speed at which it will change is low, less monitoring is required.
If there is a high change of the risk changing, if it’s volatile, or the consequence of ignoring the risk are significant, more monitoring will be required.
It’s not just the risk itself that will require monitoring, but any action plans too, which is another reason why it’s important to take special care to prioritize these activities.
This, of course, is always an evolving process. As monitoring occurs and changes are made based on the results, you may learn a particular risk needs less monitoring, or maybe even more.
As Norman Marks explains, you “take a risk when determining how much monitoring to perform and of which risks.”
Where to find information for monitoring risks…
Actual risk monitoring itself will be a research-oriented task to see how a risk or risk source is changing.
In fact, the same resources used for identifying risks can also be used in the monitoring phase of the ERM process. However, you have to be cautious that you don’t solely rely on these resources since tunnel vision can set in.
Generally speaking, these resources can be broken into two sources – internal and external.
Examples of internal resources can include:
- People in the organization with knowledge about the risk and the business unit(s) it impacts. Informal conversations with these individuals can yield valuable information about the status of a risk.
- Key performance indicators such as sales, revenue, customer retention, cost of goods sold, and more can show how a risk is changing. It’s important to note that KPIs are historical metrics.
- Key risk indicators is a combination of both historical and leading indicators that, when used correctly, can act as an effective early warning system. However, many organizations struggle with developing useful KRIs. (Click here to learn 3 steps to developing an effective KRI system.)
- Internal audit reports are also a great source for monitoring risks since they will be evaluating whether business units are taking the agreed-upon actions regarding a particular risk.
Just looking at internal resources is strongly discouraged. To monitor risks and provide feedback that is valuable for decision-making, you have to look outside the organization as well. Examples can include:
- News aggregators – Programs and services like Google News, Reddit, Flipboard, and TweetDeck can help you keep your finger on the pulse of events that could affect a particular risk or topic. Different aggregators are geared toward a particular audience, so be careful to choose platforms relevant to your industry and needs.
- Data mining – The amount of data available today is miles ahead of where it was even a few short years ago. If you need to get data relevant to your industry and specific risks, hire one of many firms out there who specialize in gathering and analyzing data.
- Trade magazines/publications – Monthly or quarterly periodicals from industry-specific groups can be helpful in learning about risks specific to your organization’s niche. Talking with executives and other individuals in the company about what they’re reading can also help you understand how a risk is changing.
- Speaking with peers at industry events – Chances are there are conferences and trade shows you can attend that can provide helpful information for understanding risks. This also goes back to the importance of relationships.
This is not an exhaustive list of sources – you may find others that can be helpful.
The important thing to remember is to not just rely solely on internal resources. Doing so can be detrimental to the organization and could potentially lead to ERM being discontinued.
Who should be responsible for monitoring?
Up to this point, everything we have been discussing about risk monitoring is pretty uniform regardless of the organization.
When we start discussing who will be responsible for monitoring and reporting risks though, things can begin to vary widely based on the organization. Like ERM in general, how you approach risk monitoring is not one-size-fits-all.
With that said, it can be hard to provide specific examples of how your organization will go about monitoring risks, but in general, who is responsible for monitoring will often depend on the risk level and how your organization approaches ERM.
For risks specific to one business unit, the risk owner can take on monitoring in addition to mitigation and other tasks.
If you are dealing with a true “enterprise” risk that affects more than one business area, it may be best to have ERM be responsible of monitoring.
Below are three general examples of how your organization can assign risk monitoring responsibilities.
- Risk owner monitors AND reports
- Risk owner monitors and ERM reports
- ERM monitors AND reports
Bear in mind that you can have variations within each of these – tweaks such as frequency, tools, how, and what will be made as you go along. Criteria like changing risk velocity or impact could require a change in who monitors the risk.
It’s also important to note the importance of collaboration. Neither the risk owner nor ERM will have all of the information they need to effectively monitor a risk. The risk owner will be an expert with issues specific to the business while ERM will have a broader view about the risk and how it factors into the organization’s strategy, relevant regulations, and other business units.
Reporting the results of risk monitoring…
At some point, any new information learned from monitoring a risk will have to be reported to decision-makers so they can determine the next steps. Will adjustments to the strategy for the organization as a whole or a specific project need to be made? Will resources be re-directed to other risks that are more important than initially thought?
Many of the same concepts presented in The Ultimate Primer for Effective Risk Reporting will apply here as well.
But just as all risks don’t require the same level of monitoring, they also do not require the same level of reporting as well.
As I explained in a presentation at MetricStream’s GRC conference and as Norman Marks and others confer, if nothing has changed with a particular risk, how much do you need to discuss it?
These reports should focus on what has changed, so executives and other decision-makers can make informed decisions on where to go from here. While you may include a line or two about a particular risk not changing, going into too much detail about every risk that was monitored would be overwhelming.
If this were to occur, the report would be cast aside, and the whole effort would have been a terrible waste. In fact, your organization would lose the whole point of ERM!
Has your organization struggled to effectively monitor risks?
Have you found any surprises as a result of monitoring that led you to reassess the risk or your response to it?
I am interested to hear your thoughts on this often misunderstood part of the ERM process. Please feel free to leave a comment below or join the conversation on LinkedIn.
If your organization is struggling to develop its own process for monitoring risks, contact me today or visit StrategicDecisionSolutions.com to learn how I help organizations overcome this and other risk management challenges.
Featured image courtesy of Burak K via Pexels.com
