Updating your Risk Register
It is quite easy for an ERM program to become irrelevant. All it takes is for it to stay the same for several years. After just a few years, you will find that you risk management processes are focused upon the issues of several years ago. You may be missing new wrinkles to your risks and also repeating mitigation exercises that are no longer effective or needed.
That is because the risk environment is constantly changing. Some risks are become more dangerous while for others the danger is receding. No firm anywhere has an unlimited budget for risk management. So to remain effective, you need to constantly reshuffle priorities.
One place where that reshuffling is very much needed is in the risk register. That is a hard message to sell. Risk Identification is seen by most as the first baby step in initiating and ERM program. How could a well developed, sophisticated ERM program need to go back to the first baby step.
But we do need to go back and somehow get people to seriously re-evaluate the Risks on the Risk Register. That is because risk management is fundamentally a cycle rather than a a one way development process. We are all brainwashed that constant growth and steady improvement is the fundamental nature of human enterprise. For risk management to really work, we need that cycle model where we go back and do all of the same steps as last year all over again.
One way to freshen up the process of reviewing the risk register is to bring in outside information. The link below provides some good outside information that you can use to stimulate your own review.
Willis Re took the top 15 risks from a dozen insurer risk registers and combined them to get 50+ unique risks. Then over 100 insurer executives and risk management staff helped to rank those 50 risks.
We took a list of over 50 risks commonly found on insurer risk registers, and asked, “Which risks present the most danger to your firm in 2017?”
Take a look. How does the resulting ranking look compared to your risk register? Do any of the top 10 risks show up as middling priority in your program? Are any of the bottom ten risks near the top of your priority ranking? So your review can focus on a discussion of the most significant deviations between your ranking and the ranking from the link above. You need to convince yourself that you have good reasons for different priorities or change your priorities.