Why Spreadsheets are a Risk to Your Risk Program
Spreadsheets don't lead to improving the likelihood of desired business outcomes.
Risk voting is an easy and powerful way to increase executive engagement in your ERM program and generate more value
A common criticism of risk workshops is that they are prone to groupthink and other social dynamics that distort risk ratings. This has caused some to question the value of workshops and to view them merely as educational exercises. We think this view sells workshops short. We have seen through hundreds of successful risk votes how they can help to unlock the value of workshops in a few important ways.
First, risk votes help reduce groupthink, to generate more accurate risk ratings and stimulate more meaningful discussions regarding risks and controls. Second, executives who have voted on risks feel a higher sense of ownership and engagement in the process. Executives enter risk voting workshops as consumers of risk data and leave them as engaged and active participants in the ERM program.
A risk vote is an exercise that allows multiple individuals to vote on what they believe the rating values should be on key attributes of risks, including inherent risk, control effectiveness, residual risk, velocity etc. Votes can be anonymous or transparent. They can be run in live workshops, or staged over time with geographically dispersed participants, executed through email-based votes that stay open for several days.
There are many approaches to executing risk votes, from using inexpensive tools such as Survey Monkey, PowerPoint and Excel, to more sophisticated risk software that provides mobile-based risk voting functionality integrated directly into ERM processes. For the purpose of this article, we have used illustrations from our Essential ERM software system, but the process and tips apply to other approaches, even including manual voting sessions. Note that you can do everything in this article without ERM software; it will just take more effort.
The first step is to clarify for yourself and others what you wish to accomplish with your risk voting workshop. Do you simply want to familiarize and engage stakeholders in the ERM process or do you expect to generate risk scores and priorities? How many risks do you hope to get through? What will you do with the information you gather in the session, i.e. what will come next? Answering these questions will help you to ensure you have the right audience, to determine how much time you require, and to create your workshop plan. It will also allow you to set expectations and create reasonable targets.
For example, if your goal is to educate participants on the risk program and get them comfortable with risk voting so they can complete votes by email later, you can plan for a shorter meeting and have an in-depth discussion on a small number of sample risks. If instead, you want to have executives vote on scores for your top 10 risks (or more), you will need to build a plan that streamlines the presentation of risks and limits dialogue in order to move everyone quickly through the voting process. Don’t expect to keep executives engaged for much more than 90-120 minutes.
If this is your first voting session, we recommend that you keep your objectives modest and ensure you leave plenty of time at the end of your workshop for the “so what” discussion. This is what executives value most, and risk voting workshops often fail when they run over time and miss out on this valuable dialogue. Your first objective should be to have the session be seen as a productive and worthwhile activity that executives will be happy to do again in the future.
Workshops are not a good setting to generate your initial list of risks. Your participants are likely busy executives who will appreciate it if you have done pre-work to identify and document key risks for discussion. A good workshop will still help identify additional risks for consideration, but starting with a blank sheet of paper is generally not a good idea. If you do not already have an active risk register and risk priorities set by the board, then we suggest starting by identifying your strategic objectives.
Then go to the managers and executives responsible for each objective and ask them to consider what could go wrong to negatively (or positively) impact the objective’s achievement. This approach will allow you to focus in on the risks and opportunities that will have the biggest business impact. Another common approach is to ask department leaders to identify key risks in their area. If using this approach, we encourage you to also ask department leaders to identify their key objectives and map them to the risks, so you have business context and priority for the risks identified.
In addition to identifying risks, we recommend having subject matter experts perform an initial risk rating of likelihood, impact and control effectiveness. This process will result in a list of risks which may look like the sample below, ideally linked to categories, affected business areas and related strategic objectives.
As a further method of documenting risks in advance, we strongly recommend using the risk bow tie model. Risk bow ties are diagrams that help business managers to visualize a risk event, along with its root causes, consequences and risk mitigations. Risk bow ties get their name from the shape that is created by their diagrams. An example from the Essential ERM system is provided below and manual document templates are available here.
Executives and managers find bow tie diagrams helpful because they communicate risk information in a single easy-to-understand picture. Bow tie diagrams easily display multiple scenarios together and help highlight the difference between proactive and reactive risk management steps.
Once you have identified and documented your risks, we suggest you prioritize them based on their relevance to your strategic objectives. This will help you to ensure you start with and focus the most time on the risks that will have the most business relevance to your audience. An example of risks aligned to objectives in the Essential ERM system is provided below, but you can create a simpler mapping on a spreadsheet-based risk register with some extra work.
If you are performing risk votes with a manual survey building tool (e.g. Survey Monkey or something similar), you will need to prepare them in advance; in fact, this will be a significant part of the work preparing for your workshop. If you are using an ERM tool with integrated voting functionality, it is also a good idea to configure the votes in advance. Creating a vote in the Essential ERM system may only take a minute or two, but you still don’t want to be trying to do it live in a voting workshop with a dozen or more executives tapping the desk while they wait for you to launch the vote.
When preparing votes, you have a few key decisions to make. How much information do you want to share with voters? What will you ask them to vote on? Will you vote on one risk at a time or multiple? The answers to these questions will depend on what you are looking to accomplish in the session. For example, if you are voting in a live workshop session with a manageable number of risks (i.e. 10 or less), we suggest having a short discussion of each risk (perhaps with its bow tie diagram projected on screen) and then executing the vote for that particular risk before moving to the next one. This will be easiest for participants to follow and will ensure they are appropriately considering each risk (as opposed to quickly voting on several risks at once).
For clients using the Essential ERM system, you will also have to decide if voters will access the votes through the email that the system sends them, or by directly navigating to the erm.vote website and using the unique PIN for each vote. Many clients will activate votes in advance of the voting session, so they are ready to go immediately, and will print the vote PINs and bow tie diagrams in advance for voters to have in front of them in the voting session.
This step is a must. Run a mock voting session with some of your peers to work out any kinks and refine your workshop plan. This will allow you to iron out any technical wrinkles (e.g. wireless connectivity) and to see how long it takes to get through each risk.
When kicking off your workshop, take participants through your objectives and share the ground rules for the session. For example, you should communicate how long the discussion will be for each risk and how you will manage it when discussion is running over. You should walk through the full agenda and voting process and also let participants know when there will be a hard stop on voting to allow for your wrap up discussion at the end. For example, you may find that you don’t have enough time to get through all risks in the session, so plan for how you will handle this (e.g. have participants vote on remaining risks later by email).
Based on your planned approach, walk voters through the first risk (usually discussing the bow tie diagram, affected strategic objectives and business areas) and then ask participants to vote on the first risk.
It is customary to give participants 2-3 minutes to complete each vote. For the first vote, plan for a little more time and have someone available to walk the room to answer any questions that voters may have. Once voting is complete, review the results with the group. Your vote will show you what the average ratings are for each risk and also how closely aligned the voters were with each other.
If you are not keeping the vote confidential, a good practice is to ask outlier voters to speak for a moment about why they voted the way they did. Their perspectives may cause others to reconsider their votes. You may then choose to let voters confidentially update their answers. Finally, if the results of the vote differ from the existing scoring for your risks, you may choose to modify the actual risk score in the vote to align more closely with the vote.
Once you have successfully completed your first vote, complete the process for your remaining risks. We recommend that you hold off any detailed discussion on action plans and next steps on risks until you have completed all votes. The exception to this would be if you have reached the cut off time you set out for your final discussion. At this point, it is best to stop voting and complete voting for the final risks following the session (voters can complete them through email from their offices and presumably you have already done the highest priority risks first). By holding discussion to the end, you can look at all vote results together in context and focus discussion on the most important issues (risks that affect key objectives, risks in need of further mitigations etc.).
We find that an objective-based view is a good approach for reviewing and discussing voting results at the end of your session. A heat map report filtered for a strategic objective or vote can be a useful way to view vote results. Some ERM systems like Essential ERM allow you to toggle dates to see how risk scores have changed before and after votes. At this point, the final step is to create action plans for any important opportunities or risks with unacceptably high residual risk scores (e.g. are further mitigations needed, who will take responsibility for them and when etc.).
Some ERM software like Essential ERM can then automate reminders and follow up requests for action plan owners. At the close of your session, it is also a good idea to discuss and secure agreement on next steps in the ERM program with participants e.g. what comes next, how often update reporting will be provided, future votes etc.
And just like that, you will have completed your first risk vote, gathering important insight into risk priorities, scoring, needed actions, additional risks to consider and more. You will also have likely increased the engagement of your executive team in the ERM process now that they see how risk management can aid with the achievement of strategic objectives and planning to meet disruptive challenges and opportunities in the market.
While many of the steps above were geared towards a live workshop vote, they can be easily adjusted for distributed votes conducted through email over several hours or days. Successful hybrid approaches include running live voting sessions through web conferencing, with voters in distributed locations accessing votes through email invitations.
Please let us know if you have any questions or comments. We’d love to help and we always appreciate feedback.
Finally, we are pleased to offer a free 14-day trial of the Essential ERM system including the integrated voting functionality described in this article. Click below to sign up now and try automated voting for yourself today!