Both in my experience and according to a white paper from PwC, a common ERM challenge is how an annual risk review becomes a check-the-box activity.
It shouldn’t be this way…
Regardless of the reasons, everyone from executives all the way down to entry-level managers and employees has enough “bureaucratic” burdens as it is.
An ERM program that falls into this trap runs the real risk of stagnating and eventually becoming irrelevant, which of course is the worst-case scenario. What you want is an ERM program that engages stakeholders and helps them make risk-informed decisions.
Too often though, executives and other participants in the ERM process are given a list of identified risks at or around the same time each year. They will look at assessment results and any mitigation activities and then call it a day…
It’s not hard to see how this can eventually become just another exercise in futility.
3 ways to avoid the check-the-box trap in your risk review
Fortunately, the recurring nature of enterprise risk management doesn’t have to be something participants roll their eyes at.
Below are three strategies you can employ to ensure your organization’s risk review is engaging and ultimately valuable for participants.
- Consider the “context” of risk
There are several questions to consider when thinking about the context of risk. Some examples include:
- Is the risk part of the organization’s strategy, or is it connected to a business unit or project?
- How has the operating environment changed?
- Has the company expanded its offerings of products and/or services?
- Has the company moved into new markets or withdrawn from certain markets?
- Are there any new regulations that need to be factored into your risk review?
- Are there any new competitors that could pose a threat to achieving objectives?
- Have there been any leadership changes in your organization? What are the positive and negative risks to these changes?
- How have processes changed? Is there anything that’s being done differently since your last risk review?
- Is there any new technology that could be a positive or negative risk to the organization?
Of course, this is just a sample list of questions when considering the context of risk…there undoubtedly will be others specific to your organization.
Also, diving deeper into the characteristics of risk through questions like these is one way to prioritize and time the frequency of your risk review. I plan to delve more into this in a future article…
- Mix up your methods for the risk review and bring in outside perspectives
If the same method for your risk review is being used over and over again, participants will eventually become bored with the process and just want to get it over with.
To avoid the fatigue of doing the same thing over and over again, mix it up.
If you had one-on-one interviews with executives to discuss risks to the long-term strategy, get everyone together for a workshop. Or, if you used a survey with middle managers and their staff to examine operational risks, pick two or three key players and interview them. Doing so may uncover additional details that may not get covered in a general survey.
Another way to mix things up is to bring in outside perspective, which could uncover additional details. And by outside, I don’t necessarily mean someone from outside the company…it could simply be someone from another division that may be able to offer useful perspective during the risk review.
The key here is to avoid the monotony of doing the same thing over and over again. We all know how exciting it is to fill out the same tax forms year after year. Avoid this dilemma by changing up your methods…
- Don’t have your risk review at the same time each year
At the first of each year, all of us roll our collective eyes at the fact that we have to complete our 1040 and submit it to the IRS (…if you’re in the U.S.). There are countless other recurring tasks that happen at the same time each year. Risk reviews at your organization don’t have to be the same way.
If you held a risk review in June for example, consider delaying it until September next year, especially if it isn’t a high-impact or high-velocity risk.
Also, and this is important, ERM shouldn’t be considered an annual exercise. The real goal of ERM is to create a culture where everyone from the CEO all the way down to entry-level workers factors risk into their decision making. I’m not saying every decision has to go through the formal identification and assessment process, but shifting the culture to consider risk in decisions is a key part of a mature, value-enhancing ERM program.
Having your risk reviews and ERM process fall into the check-the-box trap is something that can sneak up on you if you’re not careful.
Have participants in your risk reviews come to see them as a “check-the-box” activity? If so, have you been able to get things back on track?
I’m interested to hear your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
And if you’re struggling to maintain engagement in your ERM process and risk review, please don’t hesitate to contact me!