Risk workshops are an indispensable part of an effective enterprise risk management program. They are a powerful tool for engaging decision-makers in the risk management process and for building a more mature, transparent, risk-aware culture.
According to Rob Quail, renowned ERM expert, author, and frequent Risk@Work speaker, risk workshops are about having conversations and setting priorities. They bring key decision makers to the table in a structured platform to discuss the risk landscape, identify strengths and gaps in readiness, apply analytical thinking, and make decisions. Risk workshops provide a safe place to ask questions, get answers, have open discussions, and witness the decisions made. They are the best way to get decision-makers to incorporate risk thinking into daily activities.
Preparing for a Risk Workshop
Having a sponsor is essential for a successful risk workshop. The sponsor is the person who is accountable for the risk and has authority to make decisions related to tolerability and actions to be taken. The sponsor identifies objectives, decides on the agenda, brings risk criteria forward, asks probing questions of the group, and assigns actions. The sponsor must be in the room for the entire workshop to witness the discussion, ask questions, test assumptions, and make decisions on how to move forward. At the end, the sponsor shares the conclusions of the workshop with leadership and other stakeholders.
Other essential elements include:
Objectives. Why are you having the risk workshop? What problem are you trying to address? One way to identify objectives is with a matrix. The matrix can help you pinpoint whether the workshop should focus mostly on making decisions about the risks – or more on learning about the risks. Also consider whether your focus is broad or narrow. A broad focus explores strategic risks, while a narrow focus zeros in on specific risks, making heavy use of data to evaluate risks and adequacy of the mitigants.
Agenda. What risks are you going to talk about? The sponsor may want to solicit input from participants either prior to or at the start of the risk workshop, but it is ultimately the responsibility of the sponsor to decide what gets discussed. Along with the agenda, you may need to provide participants with some background information and/or data. If so, keep it highly structured and simple.
Risk criteria. What are you going to do about these risks? How will you measure your risks? What is tolerable? Risk criteria are the main instrument to slow down and unpack thinking to overcome individual and collective biases and establish linkage between an individual’s risk judgements and the overall goals of the organization. They also provide a consistent way to evaluate whether the controls in place are comprehensive given the scope of the risk and the probability of the risk occurring within a set timeframe. They should be calibrated to allow for consistent risk assessment and judgement of tolerability of risks across the organization.
Facilitators. Ideally, a workshop should have two facilitators. One directs traffic and the other records what is said. Facilitators have authority over the process. They manage the agenda, summarize viewpoints, and monitor time. They do not express opinions, editorialize, or pass judgment.
Facility. Holding your workshop off site offers a neutral environment and keeps participants from going back to their desks during a break. Conducting a workshop virtually is discouraged but may be needed to accommodate people who can’t attend in person.
Equipment. Use an anonymous voting tool, such as voting keypads, to gauge participant opinions and increase engagement. The voting results stimulate discussion and help minimize groupthink.
It’s helpful to have two screens in the room. One screen is used to track agenda items and display voting results. The second screen is for presenting relevant documents and/or displaying the discussion taking place as recorded by a facilitator.
“I will not do a risk workshop without anonymous voting,” says Quail. “It ensures that everybody individually participates. It is efficient. Within five seconds you know what everybody thinks about this risk, and you can use that to guide the discussion.”
People. Plan to invite between eight and 18 people to your workshop. This allows for full representation of those knowledgeable about the organization’s risks, while still being a manageable group.
Time. Four hours is optimal to keep the group focused and on track. Longer than that can be exhausting, and engagement starts to dwindle. With proper planning, you should be able to discuss one risk in 20 to 30 minutes. So, in a four-hour workshop, you can likely cover eight to 12 risks. Double the time needed for each risk if the workshop is virtual.
Five Steps for a Successful Risk Workshop
“Instead of telling someone how to do risk management with a stack of slides, [in a risk workshop] we take a real business problem with real decisions that have to be made and go through it together,” Quail explains. “They learn about ERM by doing it.”
The goal of a risk workshop is not necessarily to come to a consensus on each topic. Rather, the purpose is to provide the sponsor with enough insight and information to make decisions and move ahead. Here are five steps to evaluate each risk on the agenda:
- Understand the risk. Ask participants to describe scenarios of how a risk might play out. You may end up with up to a dozen variations. This will give you a broad range of what the risk might look like and help build a collective understanding of the risk. All the facts will be on the table, which makes the ensuing discussion much more productive. “The advantage of using scenarios over, say, writing a definition is that it’s much more fun and engaging,” says Quail.
- Measure the risk. Discuss the impact the risk might have across the organization. Could the risk affect finances, reputation, employees, customers, and other stakeholders? Ask participants to vote anonymously on the worst possible outcome of the threat based on the established risk criteria. Start the discussion by asking an outlier to explain the rationale behind his/her vote. The idea is to spark conversation and debate. Then take a second vote and see how participants changed their minds. Again, the goal is not to come to agreement; it is to provide the sponsor with enough insight to make decisions.
- Examine the strength of controls. Do you have plans, policies, actions, and indicators in place? This step focuses on existing controls, as well as their strengths and weaknesses. Direct the conversation toward such issues as risk accountability, available resources, coordination, and monitoring of controls. The facilitator can probe using the control models as a point of reference to make sure you have a complete view of what the controls look like and where gaps could be. Participants again vote anonymously on the effectiveness of controls.
- Assess the probability of occurrence. Ask participants how likely they believe it is that the risk will occur in, say, the next five years, then have them vote on a scale of probability. While the estimates of the likelihood of each risk are simply each participant’s best guess (which may not be very accurate in the absolute sense), the value is the group’s estimation of the relative probability of one risk occurring compared to others.
- Decide if this risk is tolerable. Once the facilitator summarizes the key points raised in the discussion, the sponsor can decide if the risk is tolerable based on current controls or if steps need to be taken to better manage the risk. The sponsor will then assign any necessary actions to be taken. The final step is to prepare a report for other executives and stakeholders.
At the end of the risk workshop, participants will have a greater understanding of risks and how they interact with each other. And the sponsor will have the insight needed to make wise decisions.
Quail emphasizes that risk workshops are not just for C-suites or boards. “The beauty of doing risk workshops is that it sells people on the value of ERM. If you want ERM to last, you must get deeper down in the organization and find ways to inject it into the way decision-makers operate at all levels of the company.”