Many organizations spend considerable effort developing a detailed list of mitigations. They have developed a list of risks, assessed the impact and likelihood of each risk, and then worked diligently to detail all of the mitigations. But the focus is entirely on effort.
A few months back, I was talking with the director of an organization. He had patiently listened as management went through the risks, ratings, and mitigations. After they had finished, he asked a very simple question: “What will the risk profile be the next time we meet?” The question caught management off guard. They had never considered that aspect. The key point of his question was that he wanted to know the outcome of those mitigations. He wanted to know if the company was doing enough. If they spent all that effort, and then the ratings just stayed the same, were they focused on the right mitigation? If the ratings were going to take a deep dive, were they spending too much effort in one area? Could they perhaps be spending that time better elsewhere? For him, it was the outcome that mattered – not the effort.
He brings up a very valuable aspect that is too often overlooked in ERM. A mentor of mine always impressed on me the “what” of risk management. He constantly impressed upon me that risk management was about two simple questions: What is the risk going to impact, and what will happen if that risk does occur? Answer those two questions and you should have a very good understanding of the importance of the risk to objectives and why that risk is so important.
In recent years, this has expanded to ask the question “Now What?” This is intended to draw out those understandings of mitigations. If the risk is significant, now what are we doing about it? Unfortunately, this sometimes brings up that dreaded laundry list of every mitigation that management can think of.
The question the director was asking is a new spin on “what”. Regardless of whether you think of this as a different focus on “So What?” or a new question of “Then What?”, the key question here is how an organization can start to distinguish effort from outcome.
Some ERM teams will be very reluctant to make such a prediction. Those that won’t, or can’t, will stay in the lane of just asking management what they see as key risks and reporting that. They aren’t bringing any new thinking to the table. It’s time for ERM teams to understand the “So What?”