Our recent webinar, From process to outcomes: How to make risk management an enabler, clearly hit home. The feedback was strong, and so were the questions.
We’ve pulled together the key questions from the session, with straightforward answers from David Tattam and Michael Howell. Some have been shortened or reworded to keep things clear and protect anonymity, but the challenges and practical insights are unchanged.
If you missed the webinar, you can watch it on demand now. It’s packed with real-world advice for anyone who’s ready to cut the admin and make risk management drive real results.
Questions
Q1: If incident management addresses 'triggered bowties', does this mean it is a corrective control?
This was likely in response to my comment that ‘incidents are risk bow ties that have happened’, i.e. they’ve travelled from causes all the way through to impacts. I would not consider incident management to be a control; it’s a risk management process. We define reactive/corrective controls as those that reduce the impact after it has happened. Depending on the findings of a root cause analysis, it might cause an improvement to failed controls or plugging control gaps.
Q2: From experience within incident management, near misses and trend analysis are focused on, but they are scared to identify anything 'systemic' in fear of regulator intervention.
That is unfortunate – while regulatory scrutiny might be inevitable, it may also result in ongoing repeated incidents (even if individually below certain thresholds) that are also not in the organization’s best interests! It might also embed a culture where people perceive that the underlying issues are not being dealt with adequately, resulting in negative culture and all of its downstream effects.
Q3: How can KPIs be used to manage strategic risks? How can KPIs be used to inform how well strategic risks are being managed?
I’ll answer with both KPIs and KRIs.
KPIs are measures of success, or the specific objective you have. You might have defined a strategy, and then set some measurable goals. KPIs can be applied here, though you may need to consider how they will apply. If you have a growth target, you might break it down into clear quarterly or monthly targets as KPIs. Sometimes strategic goals are a bit ‘lumpier’ – let’s say entering into a new geographic market. That might be a multi-year affair, and six months in it may be difficult to tell if you are going to hit the target or not.
This is where KRIs come in. They can be aligned to risks that would affect your strategy. If we continue the example of a new geographic market, you might track KRIs related to potential changes in the regulatory or licencing environment that could affect your introduction. Exchange rates or price volatility of local commodities might be a factor. They might not guarantee whether you will or won’t achieve the strategic objective, but they provide indicators (with appropriate thresholds) on how likely you are to achieve the strategic objective, and whether you need to pivot or make adjustments.
We explore in more depth applying KRIs to strategic risk in our Strategic and project risk management Academy course.
Q4: Do you have an example of taxonomy structured to link with objectives? Keen to see an example of a taxonomy built and linked to objectives.
These may have been asked before we highlighted the challenges with linking objectives to a risk taxonomy, primarily because almost every type of risk will have an effect on nearly every objective in some manner. The key is to show stakeholders (objective owners) the key information on the material risks to their objectives. This can involve selecting the most relevant risks related to an objective, so that material shifts in risk assessments or risk metrics can be surfaced to those stakeholders more easily and cut through the noise.
Q5: Our organization is considering removing 'corrective' as a control type. Is this counterintuitive towards what you are talking about today?
While counterintuitive based on our standard methodology, presumably there is a reason that has triggered that discussion. We prefer the three main categories of preventive, detective and corrective/reactive to explain what they do and how they modify risk at different stages of the lifecycle. We further break down detective controls into early detective (reduce likelihood) and late detective (reduce impact).
You may have alternatives that work, that perhaps focus just on reducing likelihood for one category and reducing impact for another. We usually separate late detective controls from corrective, as the former reduce the impact before it is finally felt, whereas corrective controls reverse some of the impact after it is felt.
Q6: What stakeholders want may not always be what they need. What suggestions would you have to better stakeholder buy-in?
This was likely in response to asking stakeholders what they want when engaging with specific risk processes. Bring the conversation back to how it helps them achieve their objectives. If they ask for something else (process to be done a certain way, reporting delivered in a certain format, etc.), ask them why they want that, and how they think it will help. Maybe you can reframe your solution in a way that better meets their needs.
Q7: Do you have any suggestions on how to build valuable lead indicators?
We find mapping out bow ties to be a great way to help identify those leading indicators. Look for causes or interim events that would give you early warning signals that you can act on, and set metrics based on those. We have an Academy course dedicated to risk metrics and KRIs.
Q8: I’d love to learn more practical tools as I work in local government that is very compliance-focused, which normally means outcomes or objectives are secondary and often vague.
I assume the local government has objectives that are articulated, such as how they serve the community. The trick is to demonstrate how your processes serve those objectives (or maybe if they don’t, take a critical look at how they could be better aligned).
In terms of practical tools, you can head over to our knowledge hub for a range of eBooks, guides and on-demand webinars, and Protecht Academy for practical training for yourself or for your organization. We embed this practical knowledge into how we build our Protecht ERM system.
Q9: My thinking is that an essential tool is an annual program of actions to ensure target outcome, i.e. what actions are to be done in each month of the year. Agree?
In terms of allocation of resources (both people and budget), it can make sense to have a formal work plan. However, I would challenge whether that is dynamic enough in a shifting world. You may need to balance both – having some dedicated resources but adapting to indicators and evolving risks. Actions often develop in response to analysing incidents, metrics outside of tolerance, or controls assurance identifying weaknesses.
Action management in Protecht ERM is flexible, and can be linked to other components of your risk management program. We also have scheduling tools to issue periodic activities, such as control tests or regular security activities for cyber teams, data collection for Key Risk Indicators, automated issue of compliance attestations, and more.
Q10: WHS, and in fact most risk, has both an impact and an opportunity: a positive workplace culture and environment is both safe from harms and highly productive.
Certainly, poorly managed risks in isolation on a repeated basis can also have flow-on effects on factors like broader culture and morale, with the flipside as you suggest resulting in improved culture and performance.
We covered some of the challenges in operationalising upside risk in a recent blog.
Q11: Any tips on aggregation mechanisms while climbing the risk pyramid? Templates, recipes, checklists etc would be helpful.
The top of the pyramid is objectives, which is the recommended layer to aggregate to. In order to do this, you can link each of those layers. This might include:
- Defining objectives
- Defining a risk taxonomy
- Linking key risks from the taxonomy to specific objectives
- Risk assessments conducted aligned with the risk taxonomy
- Aggregating data from the risk assessments through that linkage to the objectives.
- Developing and aligning key performance indicators and key risk indicators to both objectives and specific risks.
The type of aggregation may depend on the specific approach, but we prefer key risk indicators as a more objective measure.
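One way the layers listed above (and the “select the most relevant risks per objective” point from Q4) can be wired together, as an added example in Python that is not code from the webinar or from Protecht ERM: business-unit assessments are rolled up to one rating per taxonomy risk, then each objective surfaces only its linked risks that are rated material or have a KRI outside tolerance. The data model, the 1-5 rating scale, the thresholds and the linkage are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumed, not Protecht's model): 1-5 ratings, KRI thresholds, linkage.
@dataclass
class Assessment:
    risk: str            # risk category from the taxonomy
    business_unit: str
    rating: int          # 1 (low) to 5 (high)

@dataclass
class KRI:
    name: str
    value: float
    threshold: float     # tolerance; the KRI is breached when value exceeds it
    risk: str            # taxonomy category the metric is aligned to

# Linkage layer: which key risks from the taxonomy are material to each objective.
LINKAGE = {
    "Enter new geographic market": ["Regulatory change", "Exchange rate"],
    "Maintain service availability": ["Technology outage", "Supplier failure"],
}
ASSESSMENTS = [
    Assessment("Regulatory change", "Retail", 3),
    Assessment("Regulatory change", "Wholesale", 5),
    Assessment("Exchange rate", "Treasury", 2),
    Assessment("Technology outage", "IT", 4),
    Assessment("Supplier failure", "Procurement", 2),
]
KRIS = [
    KRI("Open regulatory findings", 7, 5, "Regulatory change"),
    KRI("30-day FX volatility (%)", 4.0, 8.0, "Exchange rate"),
    KRI("Unplanned outage hours (month)", 6, 4, "Technology outage"),
]

def aggregate_by_risk(assessments):
    """Roll business-unit assessments up to one rating per taxonomy risk (worst case)."""
    agg = {}
    for a in assessments:
        agg[a.risk] = max(agg.get(a.risk, 0), a.rating)
    return agg

def objective_view(linkage, risk_ratings, kris, material=4):
    """Per objective, surface only linked risks rated material or with a breached KRI."""
    view = {}
    for objective, risks in linkage.items():
        rows = []
        for r in risks:
            breaches = [k.name for k in kris if k.risk == r and k.value > k.threshold]
            rating = risk_ratings.get(r, 0)
            if rating >= material or breaches:
                rows.append({"risk": r, "rating": rating, "breached_kris": breaches})
        view[objective] = rows
    return view
```

Taking the worst rating across business units is the conservative choice; an average would hide the Wholesale unit’s rating of 5 behind Retail’s 3.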
Q12: How do I get line managers who have been assigned incidents to investigate to have a sense of urgency in investigating and closing off these incidents? Some of our open incidents are as old as 3-4 years old/overdue.
This sounds like a cultural problem. You may need to find an operational champion, ideally equivalent to the CEO or COO to drive this type of action. If they might be contributing to the cultural problem, then you have a real challenge on your hands.
What you want to focus on is the value you believe this will drive. Ask the critical question (either rhetorically to yourself or to them directly) why aren’t they doing it? What are the contributing factors? This might be enlightening. On the flipside, try and find the value in the activity itself, and show those stakeholders how it benefits the organization and them.
Sidenote: Maybe you can see it is beneficial to the organization as a whole, but they may not be incentivised as individuals. If they are under pressure to perform or produce results and this doesn’t contribute to that, you may need to address that first.
Q13: Where does technology risk sit? I presume operational risk, but I guess the risk dimensions are organization-specific.
Good question! Using our risk/reward pyramid, you might capture it as both. Technology is used to support existing operations, and gives rise to operational risk. But you may also have strategic projects to implement major technological change.
Q14: Risk aggregation was mentioned: it seemed that one of the report slides had group risks for each material risk category and they would be assessed based on the underlying business risks?
Yes, the risk categories represent the aggregation of individual risk assessments which might be assessed across the organization, such as where the same risk may be different across different business units. We didn’t explore it in the webinar, but further drill-down is available to assess trends and more detailed analysis of each material risk type.
Q15: Interested in KRIs vs risk appetite measures: can they be the same? If not, why not, if so, why?
We typically recommend that risk appetite categories be supported by KRIs or metrics. Qualitative alone can lead to disagreement about what activities are within appetite if clear boundaries are not defined. KRIs can align directly to risk appetite, but KRIs can also be developed for more granular risk in the organization.
Q16: Is there a way to connect the development of taxonomies to risk maturity of an organization?
Interesting question. I would say all other things being equal, an organization with a taxonomy is of higher maturity. But all things are not always equal! An organization without a taxonomy could have a higher overall maturity based on other mature processes and culture. However, I would say that taxonomies are foundational and influence the development or potential effectiveness of other processes.
Q17: What is the best approach to working with a stakeholder to define their business area objectives in a way that will then enable effective risk management?
The simplest answer is to ask. If you want to add structure, you might (and probably should) link these to broader organizational objectives that may have been set at higher levels of the organization.
You can also bridge performance expectations to objectives if they are vaguely expressed. Find out what they are being measured on, and then identify why that type and level of performance is important to the organization. A potential benefit of this exercise is that you might identify mismatches, prompting alignment.
Q18: How do you sell the value of risk management to executives? The outcomes method is very useful, but difficult when you're not part of the strategy, or when the strategic goals are not well defined.
In an ideal world strategy setting and risk management go hand in hand, however it’s not uncommon for risk and risk management to be considered afterward. The key to the conversation is to show how the risk management activities you propose are aimed at helping them achieve that strategy or even ensuring that they choose an appropriate one.
Q19: I would be very interested to see what we can do to bring AI into this, especially how we can embed it more deeply.
We are releasing AI-powered features later this year. Absolutely. We are investing in our Protecht ERM system to not only maximise efficiency, but also to gain insights. Our AI will be focused on helping all users with expert guidance, navigate the system, and complete tasks, and helping risk managers gain actionable insights through trend analysis.
Something to keep in mind is that for some, existing formalities may need to be observed. For example, committee meetings may need information in certain formats that might need to be provided in ‘hard copy’ days in advance. We might see pockets of mismatch where insights can be delivered in real time but structures dictate using out of date information.
Conclusions and next steps for your organization
Risk management shouldn’t be a box-ticking exercise. If your risk program feels more like filling out forms than improving performance, it’s time to change that.
Catch the full webinar for practical strategies to refocus your approach, get buy-in, and show the value of risk management where it matters.