The risk identification process, and ERM in general, naturally involves a bit of trial and error. What works for one organization may not work for another, which is why any “best practices” advice you run into should be viewed at a very high level only.
When working through how you will identify and assess risks, you will need to consider many factors specific to your organization – company culture, the number of respondents you will have, and the scope of the inquiry are a few common ones. As you move through the process, you should discover any shortcomings and easily adjust.
While any experienced ERM professional will recognize the need to make adjustments in the risk identification process, there are a few mistakes that are totally avoidable. Falling into one of the following 7 traps could lead to a loss of executive support and the ERM initiative being seen as more of a nuisance than a value-enhancing endeavor.
- Being reactive to an issue rather than proactive
We’ve all probably made this mistake at some point in our lives – waiting until something is actually an issue before taking steps to address it. When identifying risks, many companies will overlook a particular area because it does not appear to be a concern right now. Making this mistake can totally negate the point of having an ERM program in the first place.
- Not using a methodical approach to identifying risks
Taking a haphazard approach to risk identification is fraught with all sorts of negative consequences. Simply pulling risks out of thin air and jotting them down can lead to critical risks being missed and a general loss of credibility to your program among senior executives. Therefore, it’s important that you take time to develop a methodical risk identification process that considers the participants, the scope of the inquiry and more.
- Not viewing risks within the larger context of the organization
A big part of what sets ERM apart from traditional risk management is the fact that it considers risks across the entire organization and not within a particular business unit. ERM not only considers risks at the business unit level, but also how they affect other units and even the company’s business strategy. This is a key reason why risk identification and ERM should involve cross-functional leaders from different areas within the company.
- Identifying a risk without understanding scope
When interviewing business unit managers, holding workshops, or gathering surveys, it’s common for managers to emphasize a particular risk in their area. It may very well be a significant risk – in their respective department. However, when you consider the risk at the enterprise-level or combine it with other risks, it may end up being rather minor. Not considering whether a risk is important to the organization as a whole and its objectives can cause you to waste valuable time and resources on risks that are ultimately insignificant.
- Not tailoring the risk identification process to your organization or the participants
This particular mistake warrants its own section since so many organizations will use the same approach for everyone within the company. Falling into this trap can lead to resistance, confusion, and ultimately a failed risk identification exercise. For example, busy executives don’t want to use a detail-oriented approach focusing on a minor process. On the flip side, you don’t want to use an interview if you’re soliciting input from a larger pool of people.
- Relying on a single risk identification method
Using only one risk identification method can have all kinds of negative consequences for your initiative. The method you use with middle managers and front-line staff will not work so well with executives. Furthermore, using a mix of methods ensures you produce a more comprehensive list of risks. For example, a participant may be more comfortable disclosing something on a private survey rather than mentioning it in a workshop or brainstorming session. The ultimate goal of the risk identification process is to understand all possible scenarios that can affect the company.
- Thinking risk identification is a one-and-done activity
Too often, organizations will look at a risk only once and then drop it. Larger organizations may conduct a formal review annually or twice a year, but it’s important to remember that risks are always changing so you should always be looking. Building a culture where everyone in the organization is thinking about risks on a day-to-day basis is a key component of a successful, value-enhancing ERM program.
Keeping these mistakes in mind when working through the risk identification process will go a long way toward ensuring a successful outcome. This information – and lots more! – is covered in my free eBook: 5 Effective Methods to Identify Risks in Your Organization.
What mistakes or pitfalls have you encountered while identifying risks? How did you adjust and move on?