Monitoring Area #3: Changes in the Internal and External Environment
The third and final major focus area of monitoring is looking at how changes in context impact objectives and risks to those objectives.
By context, we mean the internal and external environment the company operates in. Although specific situations will vary wildly, every company is impacted, in one way or another, by changes in their context.
Beyond this obvious truth, there are technical characteristics all companies should share in their approach to context monitoring, including:
- Analysis of the company’s internal and external environment should be happening as part of its strategic and annual planning process…if that doesn’t occur, better late than never, they say because…
- Ignoring these changes is akin to ignoring the proverbial ‘elephant in the room,’ which is why monitoring objectives cannot happen without monitoring context.
- Speaking of objectives, any context monitoring must involve a concrete strategic or business goal. Simply looking at internal and external changes in a vacuum could be detrimental, similar to driving blindfolded.
In the previous section, we covered pre-established metrics and their relationship with objectives and risks as one of the main drivers or triggers of risk monitoring.
Changes in context will often be the driver for up or down shifts in metrics.
Monitoring context itself expands into issues not attached to any metrics, and often involves nebulous or abstract issues and their impact to the company’s objectives and risks.
Unlike other areas, context monitoring is not a formal process per se but rather a “keeping an ear to the ground” type exercise through informal conversations, business updates, and research. This is where good listening skills will be important because you’ll want to focus on keywords, phrases, and concepts that keep coming up.
As we mentioned earlier, context monitoring is looking at changes both inside and outside the company.
Some internal sources of what could impact objectives and risks include business process updates, practices, people and technology.
Take people for example…
You may have a high turnover rate that is being reflected in a certain KRI. In this case, context monitoring will help you determine what is driving people to leave in such high numbers – the work culture, compensation, or some external driver.
Or technology, which is an issue of ever-increasing significance.
How exactly is the adoption of new core operating software going to impact different objectives and risks across the company? Is it reducing risk and increasing the chances of achieving a goal? Or vice versa?
On the other side of the coin, external sources can include any number of things, some of which we’ve written about in the past like inflation, supply chain disruptions, shifting consumer preferences, legislative or regulatory actions, any actions by competitors, and more.
Another big external source of shifts in context that often get missed are any trends impacting vendors and strategic partners. Many companies make the erroneous assumption that the third-party is monitoring their own context. Is that a gamble worth taking? Likely not, as any work connected to this vendor or strategic partner could come to a screeching halt, thus affecting objectives.
Like internal sources, conversations and business meetings will provide insights, but other sources include a PESTEL analysis, news and other media outlets like podcasts, industry journals and magazines, and industry events and milestones.
Regardless of the source or tools used for gather information, the key is to be curious.
Don’t assume you know something. That is when you could be surprised by a change you were not aware of.
With this information in hand, the job of the ERM function is to make linkages between shifts in context and objectives.
This is one example of how ERM is more of an art and not just about adhering to a process or checking a box.
Now what do you do with the information and insights coming out of your monitoring work?
Once the monitoring of risk responses, metrics, and context changes is complete and linked to objective(s), findings will need to be shared with the objective owner, not risk owner (if they are different).
The objective owner is ultimately the person responsible, plus they’re going to have the most insights.
One caveat is context changes that may need to be escalated to upper management and even the Board, which is especially necessary for changes impacting multiple objectives or even the organization as a whole. In this case, talk with the objective owner before escalating to anyone else.
As we discuss here, monitoring context and ERM in general does not completely guarantee the organization will come away unscathed.
However, monitoring based on the parameters outlined in this article helps create awareness of what could get in the company’s way of achieving its goals.
It may seem like a lot, but without this awareness of all 3 areas, the possibility increases that you and others in the company will be spending time putting out fires instead of pursuing goals.
What specific tools or techniques does your company use for monitoring risks and objectives?
To share your thoughts, simply join the conversation on LinkedIn.
This concludes our series on (risk) monitoring. Hopefully, it is clear that risk monitoring shouldn’t be a random exercise examining risk(s) in isolation. When approached in this manner, it can be devastating to the entire company.
If your company is struggling to conduct monitoring beyond looking at risks in isolation and would like help in creating a more robust system focused on objectives, reach out to me to schedule a call to discuss your goals and potential avenues for helping your company reach them.
Featured image courtesy of Burak K via Pexels.com
