3 Ways to Avoid the Check-the-Box Trap in Risk Review

Both in my experience and according to a white paper from PwC, a common ERM challenge is that the annual risk review turns into a check-the-box activity.

It shouldn’t be this way…

Regardless of the reasons, everyone from executives all the way down to entry-level managers and employees has enough “bureaucratic” burdens as it is.

An ERM program that falls into this trap runs a real risk of stagnating and eventually becoming irrelevant, which of course is the worst-case scenario. What you want is an ERM program that engages stakeholders and helps them make risk-informed decisions.

Too often though, executives and other participants in the ERM process are given a list of identified risks at or around the same time each year. They will look at assessment results and any mitigation activities and then call it a day…

It’s not hard to see how this can eventually become just another exercise in futility.

3 ways to avoid the check-the-box trap in your risk review

Fortunately, the recurring nature of enterprise risk management doesn’t have to be something participants have to roll their eyes at.

Below are three strategies you can employ to ensure your organization’s risk review is engaging and ultimately valuable for participants.

  1. Consider the “context” of risk

There are several questions to consider when thinking about the context of risk. Some examples include:

  • Is the risk part of the organization’s strategy, or is it connected to a business unit or project?
  • How has the operating environment changed?
  • Has the company expanded its offerings of products and/or services?
  • Has the company moved into new markets or withdrawn from certain markets?
  • Are there any new regulations that need to be factored into your risk review?
  • Are there any new competitors that could pose a threat to achieving objectives?
  • Have there been any leadership changes in your organization? What are the positive and negative risks to these changes?
  • How have processes changed? Is there anything that’s being done differently since your last risk review?
  • Is there any new technology that could be a positive or negative risk to the organization?

Of course, this is just a sample list of questions to consider regarding the context of risk…there will undoubtedly be others specific to your organization.

Also, diving deeper into the characteristics of risk through questions like these is one way to prioritize and time the frequency of your risk review. I plan to delve more into this in a future article…

  2. Mix up your methods for the risk review and bring in outside perspectives

If the same method for your risk review is being used over and over again, participants will eventually become bored with the process and just want to get it over with.

To avoid the fatigue of doing the same thing over and over again, mix it up.

If you held one-on-one interviews with executives to discuss risks to the long-term strategy, get everyone together for a workshop instead. Or, if you used a survey with middle managers and their staff to examine operational risks, pick two or three key players and interview them. Doing so may uncover details that a general survey would miss.

Another way to mix things up is to bring in an outside perspective, which could also uncover additional details. And by outside, I don’t necessarily mean someone from outside the company…it could simply be someone from another division who is able to offer a useful perspective during the risk review.

The key here is to avoid the monotony of doing the same thing over and over again. We all know how exciting it is to fill out the same tax forms year after year. Avoid this dilemma by changing up your methods…

  3. Don’t have your risk review at the same time each year

At the first of each year, all of us roll our collective eyes at the fact that we have to complete our 1040 and submit it to the IRS (…if you’re in the U.S.). There are countless other recurring tasks that happen at the same time each year. Risk reviews at your organization don’t have to be the same way.

If you held a risk review in June, for example, consider delaying it until September the next year, especially if it doesn’t concern a high-impact or high-velocity risk.

Also, and this is important, ERM shouldn’t be considered an annual exercise. The real goal of ERM is to create a culture where everyone from the CEO all the way down to entry-level workers factors risk into their decision-making. I’m not saying every decision has to go through the formal identification and assessment process, but shifting the culture to consider risk in decisions is a key part of a mature, value-enhancing ERM program.

Having your risk reviews and ERM process fall into the check-the-box trap is something that can sneak up on you if you’re not careful.

However, by following these general ideas and thinking outside the box, you can avoid this trap, keep executives engaged, and make ERM an active participant in the decision-making process.

Have participants in your risk reviews come to see them as a “check-the-box” activity? If so, have you been able to get things back on track?

I’m interested to hear your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.

And if you’re struggling to maintain engagement in your ERM process and risk review, please don’t hesitate to contact me!

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
