Turn your box ticking risk register into the CEO’s essential tool in 3 steps
There is consensus across business leaders and risk experts that risk management techniques are falling short, resulting in systemic box ticking which we all know serves little value in terms of keeping anyone out of jail, making better decisions or reducing risk exposures.
While the box is ticked, there remains unease given the regular news stream of failing businesses, job losses and shamed CEOs.
Some experts believe we need to get rid of the subjective risk registers and simplistic frameworks in favour of advanced quantitative techniques. I prefer not to throw the baby out with the bathwater, and offer a pragmatic approach recognising that many (dare I say most) businesses have heaps of data and, at the same time, not much data at all.
I don’t believe all the risk experts at ISO, COSO, professional bodies and regulators that have created simple risk frameworks encouraging accountability and culture are completely wrong. After all, risk is about future uncertainty.
Efforts to model precise risk behaviours, from the shape of the distribution curve to standard deviations and confidence levels, are definitely worth exploring in specific data-rich applications such as product quality, drilling decisions in mining exploration, and financial risks.
When thinking about the suite of board level risks across complex organisations, even in those same sectors, in most cases the models don’t prevent the risks from happening and don’t help us understand the people, controls, decisions and actions needed to make the difference in the business.
I prefer to start from what most organisations currently have, and to be reminded that the risk register process already benefits from being independent of the core business: it contains prioritised information that cuts across silos, includes accountable owners, actions and updates, and encourages people to think broadly and from a different perspective. There are great benefits and insightful dialogue derived from existing risk techniques; thinking about the downside, scenario planning, combinations of risk, root cause analysis, horizon scanning, black swans (unlikely but catastrophic risks), thinking about controls and developing actions to improve are all useful lenses that offer a great deal of business value.
The challenge is in keeping the process alive, seeking out useful insights and using this to drive positive change in behaviours, systems and see improved outcomes.
I propose 3 simple changes that will turn your modest risk register into a highly relevant strategic board agenda-setting tool and a CEO dashboard essential for senior leaders to manage and run the business.
- 1) Recognise the risk assessment scoring is for prioritisation
Most organisations are complex and face hundreds of risks; the risk assessment scoring process gives us a quick and simple method to narrow down and focus on the top 10(ish) risks. Take note, organisations, committees and leaders who review 40 or more risks in one document. The risks below the top 10 are not ignored, but they should be managed at the right level and escalated by exception. This is why larger or complex businesses have a hierarchy of risk registers, often aligned to the top-level organisation chart.

In order to compare and prioritise, we need all the risks to be assessed against a consistent but broad set of impact and likelihood definitions, which are sometimes visualised on a two-dimensional heatmap. Some risk experts will highlight that there are different perspectives and we should make sure we’re comparing apples to apples. This is why many introduce inherent (or gross) risk, which is the unmitigated pure level (imagine the burglary rate in your neighbourhood). Now imagine buying a dog, a security gate and a CCTV system; with these controls in place, you would hope the chance of your home being burgled is lower than the average in your neighbourhood, so this becomes the residual or net risk level.

We need to be mindful that the net assessment assumes the controls actually work as they should, which is not necessarily true, and this is where audit teams might focus on testing the effectiveness of controls, particularly in areas where the reduction from gross to net risk is greatest. If this risk level still feels high, then you might decide to take additional actions. The future risk level after the actions are delivered, or where we want to get to, is called the target risk.

Despite this jargon, it’s important to recognise that the risk assessment scoring is a quick and subjective exercise which serves to prioritise and focus management attention. Due to the often broad bucket definitions of impact and likelihood, and the fact that the scores are subjective, reducing from a High to a Medium is not necessarily the end game; it just tells us the relative priority compared to all the other risk topics on the board agenda.
- 2) Introduce data to performance manage the key risks
Would it surprise anyone to assert that most senior business people focus on the numbers? The only numbers in typical risk registers are the risk assessment scores, which we have already suggested are subjective scores used for prioritisation. What gets measured gets managed.

Having identified and prioritised the key risks in the business (i.e. the CEO priorities), we recommend bringing performance metrics to the risks. How do we measure it? How do we know we’re winning? These are sometimes called key risk indicators (KRIs). Apply SMART performance management techniques to the risks and transform the value of the risk register.

Whilst the risks are the same, managing the numbers makes these topics highly interesting and dynamic. The performance data transforms a potentially theoretical risk process into a critical source of management information whose scope cuts across the entire business but is honed onto the top priorities. We see who owns them and the actions being taken. Now we not only track the completion of the actions, we are able to monitor the effect of the actions. The risk trends and commentary are backed by data. The level of transparency is sometimes shocking, and some leaders may resist the change, but to truly manage the risks and the business these metrics are paramount.

Some risks will have gaps or quality issues in the data. This is to be expected and may shape the central discussion: should we take actions to improve data quality, work on controls and actions without monitoring their true effect, or leave the status quo? The decisions are not easy, but at the very least they will be proactive and conscious decisions. The outcome is a true picture of how we are performance managing our key risks.

With the top priorities of the business, including owners, actions and performance metrics, held in one place, this really becomes the definitive CEO dashboard.
- 3) So What? Provide an executive summary for each risk.
Risk registers already have quite a few fields; adding performance metrics and data is a sensible next step, but it makes the risk register spreadsheet even wider, more daunting and inappropriate for board level reporting. Senior executives prefer a more concise narrative summary of the latest developments on the risk, actions and metrics, especially when reviewing across 10(ish) risk areas. One additional field to add to the risk register is an Executive Summary.

Risk owners are also busy senior leaders. To make things easier, try distributing the content to different action owners, control owners and key risk indicator owners. This way more people are collaborating and engaged in the risk management process, they can see how their roles contribute to the risk exposures in the business, and the culture of accountability and risk awareness is expanded.

This middle-up approach requires all the contributors to update their element of the risk, and the risk owners are asked to review progress and updates from the team and provide an overall executive summary view, including reflecting on the inputs from the team. In this way, the risk owner is receiving and reviewing management information rather than just providing their inputs to onward reporting.

The Executive Summaries can be easily extracted for each risk to create a board level summary report that addresses the full scope and progress of the risks.
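To make steps 1 and 2 concrete, here is an added example (not part of the original post, and not the GOAT Risk™ product) that models a small risk register in Python: gross, net and target scores on an assumed 5x5 impact-by-likelihood scale, a top-N cut for the board with escalation by exception for the remainder, a hint for audit teams based on where the gross-to-net reduction is largest, and KRIs with amber/red thresholds where a missing value is reported as a data gap rather than silently dropped. The heatmap cut-offs, the risks, owners, thresholds and KRI values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


def rating(impact: int, likelihood: int) -> str:
    """Bucket an impact x likelihood cell into a heatmap colour.
    Assumed 5x5 scale and cut-offs; real frameworks define their own."""
    score = impact * likelihood
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class KRI:
    """Key risk indicator with amber/red thresholds. value=None records a data gap."""
    name: str
    value: Optional[float]
    amber: float
    red: float
    higher_is_worse: bool = True  # False for metrics such as "% restore tests passed"

    def status(self) -> str:
        if self.value is None:
            return "No data"
        if self.higher_is_worse:
            red, amber = self.value >= self.red, self.value >= self.amber
        else:
            red, amber = self.value <= self.red, self.value <= self.amber
        return "Red" if red else "Amber" if amber else "Green"


@dataclass
class Risk:
    ref: str
    title: str
    owner: str
    gross: tuple   # (impact, likelihood) with no controls assumed
    net: tuple     # (impact, likelihood) assuming current controls work
    target: tuple  # (impact, likelihood) expected once planned actions land
    kris: list = field(default_factory=list)

    def gross_score(self) -> int:
        return self.gross[0] * self.gross[1]

    def net_score(self) -> int:
        return self.net[0] * self.net[1]

    def control_reliance(self) -> int:
        """How much of the reduction rests on controls working as assumed."""
        return self.gross_score() - self.net_score()

    def needs_attention(self) -> bool:
        """A red KRI or a data gap on a key risk is itself a management signal."""
        return any(k.status() in ("Red", "No data") for k in self.kris)


def prioritise(register, top_n=10):
    """Rank by net score (then gross score, then ref for a stable order) and
    split into the top-N for the board and the rest, managed at a lower level."""
    ordered = sorted(register, key=lambda r: (-r.net_score(), -r.gross_score(), r.ref))
    return ordered[:top_n], ordered[top_n:]


def escalate_by_exception(below_top):
    """Lower-tier risks still surface when a KRI is red or missing, or net is High."""
    return [r.ref for r in below_top if r.needs_attention() or rating(*r.net) == "High"]


def audit_focus(register, top_k=2):
    """Risks with the largest gross-to-net reduction lean hardest on their controls,
    so their control effectiveness most deserves independent testing."""
    ranked = sorted(register, key=lambda r: (-r.control_reliance(), r.ref))
    return [r.ref for r in ranked[:top_k]]


def dashboard_row(risk) -> dict:
    """One line of the CEO dashboard: ratings, owner and KRI statuses together."""
    return {
        "ref": risk.ref, "title": risk.title, "owner": risk.owner,
        "gross": rating(*risk.gross), "net": rating(*risk.net), "target": rating(*risk.target),
        "kris": {k.name: k.status() for k in risk.kris},
        "attention": risk.needs_attention(),
    }


# Constructed register for illustration only (not real data).
REGISTER = [
    Risk("R1", "Ransomware outage", "CIO", (5, 4), (4, 3), (4, 2), [
        KRI("Critical patches overdue >30 days", 14, amber=10, red=20),
        KRI("Backup restore test success %", 92, amber=95, red=90, higher_is_worse=False),
    ]),
    Risk("R2", "Key supplier failure", "COO", (4, 4), (4, 2), (3, 2), [
        KRI("Supplier financial health checks overdue", None, amber=2, red=5),
    ]),
    Risk("R3", "Regulatory breach", "General Counsel", (4, 3), (3, 3), (3, 2), [
        KRI("Open compliance findings", 12, amber=5, red=10),
    ]),
    Risk("R4", "Talent attrition", "CPO", (3, 4), (3, 3), (2, 3), [
        KRI("Voluntary attrition %", 11, amber=10, red=15),
    ]),
    Risk("R5", "Data centre flood", "CIO", (5, 2), (5, 1), (5, 1)),
    Risk("R6", "Internal fraud", "CFO", (3, 3), (2, 2), (2, 2)),
]

if __name__ == "__main__":
    top, rest = prioritise(REGISTER, top_n=3)
    for r in top:
        print(dashboard_row(r))
    print("Escalated by exception:", escalate_by_exception(rest))
    print("Audit focus:", audit_focus(REGISTER))
```

Two things the model makes visible that a spreadsheet of colours alone does not: R1 drops from High to Medium on the net view yet stays Medium at target, which is exactly the "High to Medium is not the end game" point, and R2 falls outside the top three on score but is still escalated because its KRI has no data, so the data-quality decision gets made consciously rather than by omission.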
Even though we are suggesting a focus on 10(ish) risks, there is quite a lot of content being compiled, and the management or coordination effort must be recognised, especially as the process becomes further embedded.
I noticed that in many organisations they would have quarterly CEO reports, which tended to be multi-slide PowerPoint documents with essentially the same information but without the structure, prioritisation, clarity of owners, actions or due dates.
The risk register used in this way can help the CEO see how the business is running in a prioritised, structured and consistent format combining business/risk context, action progress, controls and incident information, and performance metrics. It’s everything they need to run the business, and it can save teams of people running around every quarter pulling slides together.
I’ve used this approach for many years, but rather than a traditional risk register I’ve turned the fields into a form, pictured here and available for download below.
Having facilitated the update of this template in many organisations, I also knew how fiddly the formatting can get, especially with the data in various formats.
GOAT Risk™ was built based on this template, but is flexible enough to match any risk framework or methodology. It is an easy-to-use solution that can give any risk register a boost. It has been built on modern SaaS principles in the Microsoft cloud. Try it for free; it is available at a super low subscription cost.
Download Risk Details Template
Find out more about GOAT Risk™