Both in my experience and according to a white paper from PwC, a common ERM challenge is that the annual risk review becomes a check-the-box activity.
It shouldn’t be this way…
Regardless of the reasons, everyone from executives all the way down to entry-level managers and employees has enough “bureaucratic” burdens as it is.
An ERM program that falls into this trap runs the real risk of stagnating and eventually becoming irrelevant, which of course is the worst case scenario. What you want is an ERM program that engages stakeholders and helps them make risk-informed decisions.
Too often though, executives and other participants in the ERM process are given a list of identified risks at or around the same time each year. They will look at assessment results and any mitigation activities and then call it a day…
It’s not hard to see how this can eventually become just another exercise in futility.
3 ways to avoid the check-the-box trap in your risk review
Fortunately, the recurring nature of enterprise risk management doesn’t have to be something participants have to roll their eyes at.
Below are three strategies you can employ to ensure your organization’s risk review is engaging and ultimately valuable for participants.
1. Consider the “context” of risk
There are several questions to consider when thinking about the context of risk. Some examples include:
- Is the risk part of the organization’s strategy, or is it connected to a business unit or project?
- How has the operating environment changed?
- Has the company expanded its offerings of products and/or services?
- Has the company moved into new markets or withdrawn from certain markets?
- Are there any new regulations that need to be factored into your risk review?
- Are there any new competitors that could pose a threat to achieving objectives?
- Have there been any leadership changes in your organization? What are the positive and negative risks to these changes?
- How have processes changed? Is there anything that’s being done differently since your last risk review?
- Is there any new technology that could be a positive or negative risk to the organization?
Of course, this is just a sample list of questions when considering the context of risk…there undoubtedly will be others specific to your organization.
Also, diving deeper into the characteristics of risk through questions like these is one way to prioritize and time the frequency of your risk review. I plan to delve more into this in a future article…
2. Mix up your methods for the risk review and bring in outside perspectives
If the same method for your risk review is being used over and over again, participants will eventually become bored with the process and just want to get it over with.
To avoid the fatigue of doing the same thing over and over again, mix it up.
If you had one-on-one interviews with executives to discuss risks to the long-term strategy, get everyone together for a workshop. Or, if you used a survey with middle managers and their staff to examine operational risks, pick two or three key players and interview them. Doing so may uncover additional details that don’t get covered in a general survey.
Another way to mix things up is to bring in an outside perspective, which could uncover additional details. And by outside, I don’t necessarily mean someone from outside the company…it could simply be someone from another division who may be able to offer a useful perspective during the risk review.
The key here is to avoid the monotony of doing the same thing over and over again. We all know how exciting it is to fill out the same tax forms year after year. Avoid this dilemma by changing up your methods…
3. Don’t have your risk review at the same time each year
At the first of each year, all of us roll our collective eyes at the fact that we have to complete our 1040 and submit it to the IRS (…if you’re in the U.S.). There are countless other recurring tasks that happen at the same time each year. Risk reviews at your organization don’t have to be the same way.
If you held a risk review in June, for example, consider delaying it until September next year, especially if the risks under review aren’t high impact or high velocity.
Also, and this is important, ERM shouldn’t be considered an annual exercise. The real goal of ERM is to create a culture where everyone from the CEO all the way down to entry-level workers factor risk into their decision making. I’m not saying every decision has to go through the formal identification and assessment process, but shifting the culture to consider risk in decisions is a key part of a mature, value-enhancing ERM program.
Having your risk reviews and ERM process fall into the check-the-box trap is something that can sneak up on you if you’re not careful.
Have participants in your risk reviews come to see them as a “check-the-box” activity? If so, have you been able to get things back on track?
I’m interested to hear your thoughts on this important topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
And if you’re struggling to maintain engagement in your ERM process and risk review, please don’t hesitate to contact me!