While many organizations run risk workshops and surveys to identify risks, stories of major risk mistakes keep making the headlines. A couple of points to keep in mind:
- If your organization is in a rapidly changing environment, yearly risk assessments are not much help. In a fast environment, waiting till the CEO writes something down in a strategic plan is probably too late to do a risk assessment. During our research, one organization recently shared that they closely follow the CEO's comments and speeches because these are signals of the current and future strategy. It is critical to help the executive team and board navigate the risks and uncertainty around that strategy.
- Boards and ERM leaders should consider the sources and inputs behind the ERM map, register, etc. How was that list of risks determined? How broad was the search? Have potential risks from the business model, value proposition, value chain, macro environment, changing competition, etc. been considered?