ERM heads discuss shifting risk survey strategies to improve risk registers and add more value to the company.
“Every day in the last two years, it feels like I’ve woken up to a new crisis.” That’s how the head of ERM at one multinational described the current risk environment at a recent meeting of NeuGroup for Enterprise Risk Management. Therefore, he added, even though it often feels like swimming upstream, maintaining a comprehensive risk register that tracks and scores all enterprise-level risks is more important now than ever.
- Nearly everyone in attendance reported efforts to improve risk registers, though members shared different approaches to assembling and sorting this data, from bolstering surveys with live interviews to dramatically increasing the number of top risks identified.
- “The last year led us to spend a lot of time injecting strategic thinking into ERM, which didn’t exist before,” one ERM head said. “To keep ERM relevant and add value, we need to understand how we can adapt to a world where the nature of risks changes each year.”
Surveys no longer cut it. A number of members said their companies’ standard risk surveys, which are sent out to hundreds of senior staff members and ask simple, open-ended questions about the risks posed to the company, are outdated.
- For members just starting to improve their risk aggregation processes, the first step is to bolster the broad surveys through in-depth interviews with employees in leadership roles. “The best way to understand the risks facing each team is through unaided, open-ended conversation,” one member said.
- A few members said they have completely abandoned surveys and self-reporting of risks, now relying only on these discussions with key individuals. “Surveys just aren’t great, they don’t provide enough context,” one member said. “We want ERM to be seen as more proactive.”
Let’s get strategic. The buck doesn’t stop at just having these conversations. One ERM leader said the questions his team was asking in risk interviews didn’t dig deep enough and he saw room to add more value. The member, who has a background in corporate strategy, took over the company’s ERM team in January 2021.
- “We certainly made a lot of changes in the questions we ask and the outputs we’re tracking,” he said. “We wanted to add value in strategic risk tracking by asking better questions and driving dialogue.”
- “Let’s say, for example, one of the survey questions is ‘what is a strategic risk for your business?’ People will respond that competitive risks are a big exposure for the business in a strategic sense,” he said.
- All this would mean is that the employee believes there is strategic exposure based on the competition around them. A better way to ask that question, the member said, is: “How do you see the competitive landscape changing in a way that creates exposure to your business?”
- “It’s a richer question—instead of asking what is the risk, you’re asking a better question to qualify the nature of that risk in a more purposeful way.”
- This way, the member said, an employee could identify what the competition is doing, what the internal strategy has been in response, and the implications for the business.
- To start asking better questions, the member said to think about the internal and external context. “Meaning: What does an internal environment mean and where is an external environment headed in the context of the mindset of the company?”
Getting granular. One member said that for ERM teams, the path to creating strategic value can actually route through expanding tactical, granular data.
- Her ERM team, which used to identify 25 of the company’s top-level risks, now sorts 12 categories of top risks, each of which has five to 12 components—potentially totaling up to 144 individual risks, six times the previous number.
- For example, previously, the company only identified “Workforce” as a single risk in its top 25. Now, “Human Capital” is one of 12 categories, with components including retention, recruiting, workforce and more.
- “Getting more granular is definitely a trend among ERM teams,” the member said. Risk management teams are still expected to track enterprise-level risks, but more of them are now paying closer attention to granular data, as well as tactical actions to mitigate these risks.
- “The more ERM enables teams to address immediate or tangible risks, then the more the organization will appreciate your value,” she said.
- “It becomes easier for them to make the association between ERM and strategic value: Risk aggregation is no longer a separate activity. It’s now interactive, and it’s relational.”