Toss the Register, Make a Plan Instead

By Melanie Lockwood Herman

One of the most common risk management tools is a detailed list or inventory of ‘threats’ facing an organization. Many risk leaders refer to their ever-expanding, sometimes colossal spreadsheet as a “risk register.” During our 25 years of guiding risk teams through risk analysis, we’ve discovered that risk inventories and registers are often an unfortunate waste of time. And at their worst, risk registers are a dangerous sinkhole from which an earnest risk team never emerges.

Dangerous and Messy

The first dangerous premise behind an inventory or risk register is the belief that jotting down threats, worries, or concerns is somehow ‘managing’ risks. Another problematic supposition is that scoring risks (based on wild guesses by an insular team asked to predict likelihood and impact) is the best way to prioritize risk action.

As assiduous effort is applied to the register construction project, it grows longer, wider, and less useful. Additional columns are added, making the register impossible to print. When a plethora of ‘activities’ is added, the font size is often reduced, making the register impossible to read. But worse, as the register grows, it loses any semblance of being a plan or call to action. Filled with notations about ‘owners,’ nonsensical scores, and endless lists of activities, registers convey busywork instead of top priorities or intended results.

Unprintable, unreadable, and uninspired, the risk register becomes something that risk champions are shackled to rather than a North Star that guides teams to a purposeful destination. Successful risk teams, programs, and functions focus on a handful of initiatives that will make a real difference.

OKRs and Action Plans

If you want to make one meaningful change to your risk management program this year, resolve to dispense with inventories and registers in favor of OKRs or a Risk Action Plan. While these are certainly not the only practical alternatives to the risk register, both are worth considering!

OKRs—Objectives and Key Results—were the brainchild of Andy Grove. Grove was a Hungarian-born American businessman, engineer, and author who served as President, then CEO, and finally Chairman of the Board of Intuit, before his retirement in 2005. Using OKRs is a way to inject purpose and measurable results into your risk program.

A second alternative to the risk register is a Risk Action Plan—a printable, readable document—that explains the mission, specific goals, and measurable or time-bound priorities of the risk team this year. The Risk Plan could also include a forecast or sneak peek of future risk priorities, a visual our team sometimes calls a Risk Maturity Model.

Measurable Metrics

An objective is what you are trying to achieve. In the book Measure What Matters, John Doerr writes that “By definition, objectives are significant, concrete, action oriented, and (ideally) inspirational.”

What is the fundamental purpose or objective of your risk program this year?

For example:

  • Create a risk-aware frame for decision making that supports the expansion of our service area by 50%.
  • Provide an environment where every employee and every client feels safe and supported as they serve, learn, and grow.

Key results are specific, measurable, time-bound, realistic, and aggressive. They describe how you will get to the objective. Key results are either met or not met. In organizations with a large risk function or department, there may be multiple objectives per quarter or half-year, with key results that cascade from each objective.

Below are examples of OKRs for two hypothetical nonprofit risk teams.

#1 – Growth Anxiety: ABC Nonprofit

Fewer than 25% of ABC Nonprofit’s team members believe that the organization is poised and capable of expanding its service area by 50% safely and effectively. Top worries include the inability to adequately staff programs and challenges developing lasting relationships with funders in the new service expansion areas.


Objective: Create a risk-aware frame for decision making that supports the expansion of our service area by 50%.

Key Results:

  • By March 1, survey internal stakeholders to assess readiness/confidence to grow and unearth the fundamental reasons the team is pessimistic and worried about growth.
  • By April 1, design a tool, such as question prompts, that teams can use to identify and reflect on risk prior to making decisions.
  • By May 1, begin implementation of one initiative responsive to each central area of worry or concern.
  • By June 1, test the decision-frame with 2 functional teams; measure comfort with the decision before and after using the tool.
  • By June 15, train every team in the agency to use the decision-making tool.
  • By September 1, achieve a 50-point improvement in the ‘readiness/confidence to grow’ score from our staff-wide survey (75% or more indicate we are poised and capable of proceeding with the growth plan).

#2 – Accidents and Injuries on the Rise: PDQ Nonprofit

During the past three years, accidents/injuries, lost work time, and turnover have increased at PDQ. Additionally, the latest engagement survey shows declining morale and engagement.


Objective: Identify the root causes for an increase in accidents/injuries, lost work time, and turnover to inspire action to reverse the trend in all three areas.

Key Results:

  • By March 31, complete root cause analysis exercises for every accident occurring during the past year resulting in lost work time or a change in employment status.
  • By June 30, conduct exit interviews with 75% of all employees who have left PDQ in the last 6 months and every employee leaving in the next 6 months. Compile the results to identify the top 3 reasons people leave. Identify 3 practical strategies to reduce turnover risk.
  • By June 30, design and implement incentives for reporting ‘incidents’ and ‘near misses’ to the risk team and increase report submission by 25%.
  • Interview team members in the two teams with the highest—and lowest—accident/injuries during the past 3 years to identify specific, practical ideas to reduce accidents by 25% in one year.
  • Administer an employee engagement survey with 90% participation revealing an uptick of 10% or more in engagement compared to last quarter.

Break Free, Focus, and Eliminate Static

As Peter Drucker observed, “Without an action plan, the executive becomes a prisoner of events. And without check-ins to reexamine the plan as events unfold, the executive has no way of knowing which events really matter and which are only noise.”

Below is an example of a Risk Action Plan for a hypothetical nonprofit.

Risk Action Plan for Noble Nonprofit
FY 2021

WHO: The risk function at Noble consists of a full-time Risk Manager and a committee of staff volunteers called the Risk Task Force. Every staff member at Noble brings the risk function to life by sharing their creative ideas, expertise, and first-hand experience delivering client services or providing back-office support.

WHAT: The purpose of the risk function is to inspire and support the bold action necessary to achieve our mission.

HOW: During 2021, the top 4 priorities of the risk function are:

  1. Clarifying the distinctions between ‘risk management’ and ‘risk oversight’ to help teams with these responsibilities focus and complement their efforts. Activities include publishing new charters for both teams and using the charters as a guide for meeting agendas and reports no later than April 1.
  2. Completing the rigorous review of our insurance portfolio and oversight practices by May 31 to ensure that our commercial coverages align with our risk financing goals and the service we receive from insurance advisors fully meets our needs. This priority may require that we consider bids from competing brokers and/or changes in our portfolio structure.
  3. Designing a new Board Risk Dashboard by August 31. Activities include: previewing the Dashboard with the Audit Committee and developing generative question prompts to support engagement during risk briefings. The intent of the Dashboard is to show high-level goals, progress, and opportunities to support the Board’s risk oversight role.
  4. Transforming our Incident Reporting and Tracking capabilities. During the months ahead, the risk team will research alternatives to incident reporting, identify weaknesses in our current process, and implement substantive changes to increase reporting of incidents and near misses to inspire evolutions in training, policy, and supervision practices.

Action is at the heart of these two methods for reimagining your risk practice. We urge you to start focusing on what your team can do about risks to bold decisions and actions and how to measure your results and progress. To do so, you need to stop throwing proverbial darts at targets for likelihood and probability and stop wishing and hoping that your risk register will inspire action and confidence. Give yourself—and your risk team—permission to step back and focus on an overarching purpose and a short list of meaningful, achievable key results or impacts that will make a difference to your mission this year.