Although there can be an infinite number of reasons for an organization to evaluate its risk and performance management, two main reasons that apply across-the-board include:
- You need to understand where your organization stands in order to plan where it should go.
- Executives want to know if what’s in place or being done is adding value.
In reviewing this year’s State of Risk Oversight report from NC State, I came across an extensive list of questions aimed at helping organizations understand their current risk management capabilities.
But after taking a more in-depth look at the list and the report in general, the questions seemed to be entirely focused on risk, or “threats,” to the organization.
As you may know from some of my recent posts and commentary from experts, simply focusing on what can go wrong is not a recipe for success in today’s dynamic, fast-paced world. At a high level, enterprise risk management shouldn’t be about preventing failure but instead about ensuring success. Risk and performance management must look at the whole picture.
Because in the end, performance is what executives care about.
Risk lists have several drawbacks. They not only focus on what can go wrong, but they are also overwhelming and not useful for decision-making in many cases. Risk lists are also backwards looking and usually only tell executives what they already know.
Coincidentally, a recent post on Norman Marks’ blog got me to thinking a little more about decision-making and performance. He states that the core of effective risk management is how an organization makes decisions. Simply reviewing meeting minutes and other records though will not be helpful in understanding this.
Instead, Norman explains that risk practitioners should consider “…how the decision-makers know what risks the board and top management wants them to take.” Below is a screenshot of Norman’s sample questions.
Additional questions for gauging the value of your organization’s risk and performance management
The questions outlined in Norman’s article are a great starting point for understanding how your organization makes decisions.
However, there are other issues around culture that you as a practitioner must understand in order to gauge the effectiveness and value of risk activities in your organization.
With that in mind, I would like to offer the following three general questions to ask in addition to Norman’s questions:
- How involved is management in defining behaviors they want to see in the organization?
- Has management reached an agreement on how much risk to take to achieve goals? Is the Board on the same page?
- What methods are used by the organization to understand risk before making decisions?
These of course are just some generalized questions to get you started…
In the end, most questions for gauging the value of risk and performance management will be organization-specific. Example questions like the ones above or in Norman’s article are a good start.
However, only someone with some level of understanding of your organization’s decision-making process will be able to articulate questions aimed at gauging the value of any current risk and performance activities.
When developing your questions though, keep the following in mind…
Be deliberate about each word in a question…
The following video from performance coach Todd Herman explains how just one word can either change the meaning of something or narrow the scope of the inquiry.
While coaching athletes, public figures, or business leaders, Todd doesn’t necessarily listen for the content of the question, but rather the specific words people use to describe a situation. Understanding these words provides a glimpse into the paradigms and ways people view business and life in general.
For example, if someone uses the word “allow,” they are automatically placing restrictions on possible answers without even knowing it.
In a risk and performance context, asking “Have we identified all risks associated with this objective?” is going to put the idea in people’s mind that there must be a structured process. As I explain here, getting value from ERM doesn’t necessarily require a structured, rigid process. A question like this also limits the frame of reference since it is very risk-centric.
Instead of asking if all risks have been identified, you could ask if the most significant or relevant risks been identified.
Even better, you could ask “Have we discussed the most significant risks with this objective?” or “Do you have a good understanding of the most significant risks?”
Be deliberate in how you develop organization-specific questions. Taking an ad-hoc, on-the-fly approach will likely result in you asking questions that box executives into a certain frame of mind. This will not get you the information you need to accurately assess the value of your organization’s risk and performance management activities.
Are there any specific methods you have used to gauge the effectiveness and value of your organization’s risk and performance management?
Have you ever, in hindsight, used words that changed the meaning or otherwise placed limitations on the response to a question?
I am interested in hearing your thoughts on methods and questions for gauging the effectiveness of risk and performance management. Leave a comment below or join the conversation on LinkedIn.
If you are struggling to develop the right questions for your organization, or are otherwise stuck in understanding how well your organization is managing risks and opportunities, contact me to discuss your specific situation today.