Please note that this post is primarily aimed at risk management practitioners but could be used by others who are trying to find ways to increase engagement with their processes.
Strategic risk assessments are meant to identify, assess and track risks to achieving the organisation’s key strategies, which are often set out in a strategic plan. Sounds like a worthwhile exercise, right?
Well, in my many years of risk advisory experience, I’ve seen a lot of such assessments conducted more as a way of ‘ticking a box’ once a year rather than something that was actively used and revisited throughout the year.
I am speaking from my own past mistakes and based on what I’ve seen my clients struggle with. My aim is to show you how you can simplify things and increase engagement. ‘Less work for better results’ is certainly my motto!
Simplify risk register presentation.
Less is more when it comes to risk registers. I mean, there is no law that says you have to have 30 columns in your risk register or that you have to present the information in a particular way. Yes, there is a standard out there, but it’s only a recommended guideline.
Risk register presentation should reflect the organisation’s risk maturity and information needs. So, instead of starting with something complex or advanced, go back to the basics and think about what executives really need to know to manage risks to corporate performance.
Essentially, for each risk, they need to know:
What is the risk?
Why is this a problem for us or how could it impact the organisation?
How likely is it?
What are we doing to mitigate it?
Is that enough or should we do more to address it?
The fewer columns (or rows) you can achieve this with, the easier it will be for executives to follow.
And if for some reason you do need to have an elaborate spreadsheet supporting the assessment, try to come up with a dashboard-style cover sheet or a report that summarises the key messages or, better yet, that includes an analysis of the assessment results.
Don’t include too many risks.
Have I mentioned that less is more?
Jokes aside, continuing on the theme of simplifying things for better engagement, having a shorter list of highly relevant risks will be much easier to pay attention to. I find that somewhere between five and ten strategic risks is easiest to engage with.
But does this mean you shouldn’t have 11 or 12 risks? Of course not, but do monitor how this is impacting engagement. Perhaps some risks are time-sensitive and can be removed once they’re no longer significant enough to be continuously monitored by the executive team. (Pandemic response, anyone?)
If your strategic risk register includes 30 risks, consider whether some of them are similar and can be rolled up into a smaller number of risk areas or categories.
Also, consider if some of the risks are more operational and can be monitored at the divisional level. If yes, they can be removed from the strategic risk register and moved into the division’s operational risk register. The division can always escalate the risk to the executive team via regular reporting if things worsen.
Another common thing I’ve seen is strategic risk registers including everything that could possibly go wrong or things that are ‘a good idea to monitor’. Risk ratings can help you address this. The first to go could be risks that are inherently low. They don’t require a lot of extra effort in terms of mitigation and therefore don’t need to be actively monitored.
If you’re still left with a long list, consider identifying the risks that are residually low (i.e. low after mitigation is applied) and not presenting them to the executive team every time.
Focus on the conversations.
This one is the most important but is most often ignored. It is particularly significant for keeping the executive team’s focus on the register and leveraging the momentum created at the initial risk workshop (or through other methods used to develop the register).
Obviously, the first thing to do is to follow the first two tips and make the register relevant and easy to comprehend. But no matter how lovely your risk register is, you’re not going to get executives and risk owners to engage with it if you’re not out talking to them and reminding them of its importance.
But shouldn’t executives already be focusing on this, you ask? Technically, yes, but we live in the real world, in which executives are bombarded by a million things each day.
So, with that in mind, when it’s time to update the assessment, don’t email the register to risk owners and just expect them to insert their comments or make the necessary changes. Instead, make a time to discuss their assigned risks and capture their input during the meeting. (Done and done!)
Not only is this a more efficient and effective approach for both parties (just think of the time you’ll save not having to follow up a million times) but you’ll also be building rapport with risk owners and improving your knowledge of the underlying issues. And both will make the update easier next time.
Another thing to try is to embed risk reporting into something that already exists, instead of creating an additional document that will feel like more work to readers. Perhaps there is a performance report they already regularly review into which you could insert a summary of the risks.
Basically, make it easier for yourself and others.
Thanks for taking the time to read the post.