In order to have a risk management effort that ultimately “creates, protects, and enhances shareholder value,” you must first have a successful risk identification process.
I’ve said it many times, and have heard it repeated elsewhere, that risk identification serves as the foundation for the entire risk management process…without it, the entire process is just a house of cards waiting to fall.
A key part to successfully identifying threats and opportunities to your organization is making sure you involve the right people in the process.
Now I want to emphasize, when I say a key part, I don’t mean the only part. To borrow an often used saying for business, “a process is only as good as the results.” I’ll get more into this a little later.
For the moment though, I want to discuss the human side of risk identification and what you need to consider for ensuring you have the right people involved.
The big question you have to ask – what is the subject matter?
Understanding the type of risks, or subject matter, is the big question you will need to answer first as it will drive who should be involved in the process.
As I discuss on my blog, LinkedIn, and hear elsewhere from others, risk identification should play an important role in a variety of situations or subjects ranging from long-term strategy to short-term projects and everyday operations.
For example, if you’re evaluating threats and opportunities to the organization’s strategic plan, you’re not going to want to involve lower level managers and their support personnel.
Below are some general parameters on the people you need to involve depending on the type of risks or subject matter you’re considering.
- Strategic risks – Top executives and their direct reports, and possibly even a small group of board members.
- Project risks – Manager of the project, subject-matter expert(s), and other interested parties, such as managers from other departments that may be involved in or impacted by the project.
- Operational or process risk – Manager of the division over the process, any of their direct reports, subject-matter experts, and any other interested parties.
- Widespread view of risks = possibly everyone. If your goal is to get a high-level understanding of risks facing the organization, you’re going to need to cast a wider net in order for the risk identification to be successful.
Once you have determined the right people for your risk identification, you can then determine the proper method(s) you should use that fits the role of the individuals participating in the exercise.
For more on choosing the right method for your risk identification, I invite you to download a copy of this quick eBook – 5 Effective Methods to Identify Risks in Your Organization (see form below).
Now before I wrap things up, I want to circle back to that saying I mentioned earlier about how a process is only as good as the result.
Having a smooth process is important, but it’s only half of what makes for successful risk identification – having the right people involved will only get you so far.
In order for the process to be effective, you must get more than just surface information – you must get to the heart of concerns of those in the discussion.
The key to doing this is trust…
I could write a whole article on this topic alone, and I probably will at some point in the future.
But quickly for now, an ERM professional has to be trusted and respected among the board, executives, and mid-level managers in order for the ERM process to deliver value to the organization.
To cultivate this trust, assure executives and other participants that they will have the opportunity to review and approve language before moving on to other stages of the ERM process.
Also [and this is very important], do not ever, I mean EVER, go and divulge something you were told in confidence. If you were to go to someone’s boss and tell them “…you’ll never believe what Fred told me,” you will lose people’s trust, probably permanently.
Without this trust, participants in a risk identification or assessment exercise will only tell you the nice-to-know concerns or things you already know. At worst, the activity becomes a documentation exercise and feels like a huge waste of time.
I know this is a slight detour from my original topic, but I felt it was important and needed to get it out there.
I’m interested to hear your thoughts on finding the right people for risk identification, and furthermore, the general issue about respect and trust for the ERM professional. Please feel free to leave a comment below or join the conversation on LinkedIn.