One theme woven into countless articles on my blog over the years has been that, in spite of what different standards and best practices lead you to believe, risk assessments and other enterprise risk management (ERM) practices must be specially designed around the organization’s needs, culture, and skill sets to be effective.
(Many use the term ‘risk assessment’ to mean the entire ERM lifecycle. To keep it simple, this article applies to any stop along this cycle.)
Here’s a problem that comes up regularly…
A company, perhaps yours, is brimming with excitement to identify, assess, analyze and prioritize every risk to every objective.
That certainly is a noble cause, but unless your company only has a very small number of objectives, this is simply unfeasible.
If you were to try this, as many have and will continue to do, it won’t take very long for frustration and exhaustion to set in. Eventually, both ERM practitioners and business representatives become completely overwhelmed and throw in the towel.
Hearing this story over and over from all kinds of organizations and industries made me realize how ERM and working out share a lot in common…
How many times have you or someone you know gone all-in on an exercise regimen just to get overwhelmed and eventually give up?
More times than we’re willing to admit – including me!
This is especially common with New Year’s Resolutions. Goals and plans are made – I am going to start working out (either at home or the gym). While this works for a few weeks, most, over 80% according to one study, abandon their goals by the end of January.
Just as is the case with ERM, without proper preparation for high-intensity workouts, any ‘gung-ho’ attitude is likely to lead to the consequences mentioned above.
Take someone who has exercised sparingly for the last 10 years. Do you think they are going to be able to do an intense HIIT, CrossFit, or DEKA workout right out of the gate?
Intensity is just one similarity between ERM and exercise.
Besides intensity, there’s variety (or the lack thereof in this case).
When setting out to identify, assess, or analyze risks, some practitioners tend to use the same methods, like a survey, for everyone and every phase.
Since certain methods only work in specific situations, this approach is disastrous for several reasons, including:
- Increasing the chance of missed risks and opportunities.
- Pushing some areas of the company to feel like they’re being held under a giant microscope, while others will feel like they’re being ignored.
- Fueling the perception that ERM is a check-the-box activity due to the seemingly boring repetition.
- Allowing bias to creep in, skewing results even further.
Going back to our comparison, a lack of variety in workouts can lead to boredom, but also overused and injured muscles.
Think of the body builders who focus all their energies on their upper body – they will have very well-defined biceps and chest muscles all being supported by teeny, tiny bird legs.
To avoid this domino of impacts, you need to find the right intensity and variety that fits the company’s culture, needs, capacity, and skill sets.
Remember that, especially in the case of intensity, there is a sliding scale. You don’t have to go from nothing to the max overnight.
Allow me to illustrate this through a recent conversation.
A client wanted to do a huge deep-dive risk assessment activity spanning multiple corporate functions and business units, including different layers and support functions within each business unit, in just 3 months!
Whew – that’s exhausting just saying it!!
While the practitioner was all gung-ho, I cautioned him that this was likely going to overwhelm both the business units and him personally.
Instead of this mammoth undertaking, I offered the practitioner the idea of what you can refer to as a ‘micro-commitment.’ Running a pilot for a new process with one department before rolling it out to the entire company is a common example.
In the case of my conversation with the client, a micro-commitment could mean doing a targeted activity in one area.
Taking things in smaller chunks is beneficial in even more ways than what’s mentioned above.
First of all, doing so will show that you’re making progress bit by bit, and secondly, conducting risk identification or other steps in the ERM process in big chunks runs the risk of information becoming obsolete.
I’ve come to enjoy exercising over the years, as you can see below. (The image is from a DEKA Fit race I ran with my husband and son.)
But, like our subject today, that wasn’t always the case. I would fall into the common traps – plan to work out 5 days a week, an hour each day; make up my own routine, which meant the same exercises all the time, etc. Too much, too fast, too boring. Then I started small, figured out what worked best for me and my needs and situation, and had some accountability – exercising became a true joy and regular part of my life (even when life gets a little chaotic and topsy-turvy).
Much the same is true with ERM. While some short bursts of intensity may be needed at times, a company trying to maintain the same high level of intensity over the long term, when it is not ready for it, can create a multitude of headaches.
Do the intensity and variety of ERM activities match your company’s culture, needs, and capacity?
Is this concept a struggle in your company? Perhaps a micro-commitment on a specific area is the key to regaining momentum. Reach out to me to brainstorm actions that will provide the most push to progress quickly!