Identifying risks to objectives has been a great approach for several years. There are extensions to this approach that are important to think about.
1. Consider identifying risks in major decisions. If ERM adds value, and does so by improving decisions (we have empirical evidence to support this), then ERM should be applied to new decisions and not just to historical decisions and their related (already set) objectives. Those are still good places to identify risk, but more can be done. Other places to consider risk identification include large transactions, large contracts, new initiatives (think Wells Fargo), technologies, new business models (e.g. Uber or Chipotle), and strategy. The point is to identify the risk earlier, up front, instead of later when the objectives are written. This may require the ERM team to become more visible and more involved up front.
2. Don't wait for objectives. In our recent FEI research report, companies in fast-moving industries do not wait for objectives to be written down. They listen to the CEO to identify the strategies and objectives. Waiting until a workshop or quarterly assessment can be too late in some industries.