As Risk Managers, we often implement projects such as an Enterprise Risk Management (ERM) Framework. Many projects depend on gathering information from internal and external Subject Matter Experts (SMEs), many of which can be very supportive. However, with a shrinking workforce, those left have a heavier workload. They may have less time and be less willing to participate in what they see as “head office” projects despite the fact that risk management is critical, to the company’s financial, operational, and reputational governance.
With heavy pressure on performance metrics, people's time is precious. People may say that they do not have the time to step away from day-to-day business to identify risks.
Do they have time to suffer a catastrophic business interruption such as a major fire? If not, they should look at their risks and mitigate them in a Risk Register.
This type of event can set a business back months even if it is covered by insurance. The time it takes to do an insurance claim can add a strain to an already busy workload.
Achieving buy-in.
A risk policy should be announced by the President or CEO. This shows that it is considered a priority and that the risks identified will reflect the company’s strategy and objectives.
Encourage buy-in by having an agenda for each meeting so that attendees know how their time will be allocated.
Adhere to deadlines.
Work backwards from final deadline allowing significant time for merging of risks when presenting them from a company wide perspective.
Allow more time for fall meetings as many people are still on summer vacation during the preparation time for fall risk meetings.
Use a method preferred by each particular person’s style. If they prefer to meet at the end of the day and work with hard copy (if not working remotely)- accommodate this.
Follow up emails with phone calls if there is a lack of response. Realize that emails can be missed.
Encourage high quality work.
Check feedback on the risk register. Has each risk been reviewed (not just high and extreme risks)? Is the person responsible for the risk still with the company? Follow up with a phone call and an offer to do one sample risk over the phone or online.
Presenting the risk register in a SharePoint environment provides an opportunity for many qualified users to see risk mitigations, thus raising the bar.
If you’ve struggled with these issues or need a consultant to teach you how to develop your own risk register, contact Laura Dickson at DTD Management.