This guest article first appeared HERE
Are you or someone you know the type of person who likes to say ‘yes’ to most invitations or requests?
For those who fit this description, the end result of this mindset is often exhaustion, burnout, and even illness at times. On an emotional level, this kind of ‘people pleasing’ can create feelings of resentment, anxiety, and even an erosion of your self-identity.
There are dozens of quotes expressing this reality, all of which can be summed up as:
“When you try to be everything to everyone, you accomplish being nothing to anyone.”
This principle applies in a variety of areas, including ERM.
We’ve said it many times in the past – it’s simply not possible to effectively monitor and manage every risk and objective.
Not only do you end up in the situation illustrated by the quote above, but ERM’s reputation as a valuable decision-making tool will also suffer or even be destroyed.
In light of this reality, how should companies develop action plans for objectives and risks?
Before getting into actual action plans and what they include, let’s first set the stage.
As we repeat often, all ERM activities should trace or link back to an objective.
Whether developed through a formal planning process or not, every large, small, and in-between organization is going to have objectives – what you want to accomplish – and risks to those objectives.
After all, that’s why organizations exist – to achieve objectives, which can be broken down into two categories:
A key component of setting an objective is setting success metrics, and subsequently, identifying thresholds and limits. This ‘threshold’ is a more commonly understood term than risk tolerance, but it essentially means a point where business leaders should be worried and begin taking action.
The limit, or risk capacity in ERM jargon, is what you don’t want to reach because then it will be too late.
A good example is revenue.
Let’s say the company has an objective to increase revenue by 20% over the next year. Metrics are set up with a target for how much revenue to expect each month or quarter. The business will shoulder the bulk of the responsibility of monitoring these revenues.
A threshold of 10% below the target can be established, because the company’s inability to achieve that much during the timeframe can indicate some sort of problem. At this time, the business, with ERM and others supporting, should begin investigating why.
Once a root cause of this trend has been identified, an action plan for addressing the lackluster revenues (…or robust if they’re breaking upper thresholds) can be developed.
Notice that the action plan is only developed once the threshold is broken or extremely close to being breached AND after the root cause has been identified. The information regarding the root cause is critical because otherwise, you don’t know what you should address in the action plan.
Also – and this is very important! – don’t assume that previously identified risks to the objective are the culprit.
That’s because the trend causing the shortfall or breach could be driven by something that wasn’t identified as a risk, which is one of the main reasons why action plans for objectives should only be developed when it’s clear the thresholds are being breached.
In addition to identifying thresholds, companies should also be identifying risk(s) that could prevent them from achieving the objective.
There will also be metrics that ERM and risk owners will monitor after an in-depth analysis process that prioritizes the risks. In this case, the metrics are known as key risk indicators.
Action plans for risks should be based on the response option the company has chosen. This includes:
This brings us to a final, important point for developing action plans for risks.
To prevent the burnout and other issues mentioned in the intro, action plans should only be developed for risks to mission-critical and strategic objectives (a/k/a top risks).
Again, creating action plans for every risk in the organization will simply spread everyone too thin and lead to things falling through the cracks, which is never good.
Regardless of whether it’s for a top-level objective or a risk, every action plan will include the following attributes – a description, related outcomes, components addressed, dependencies, all followed by specific action steps.
Below is a screenshot of a sample template of an action plan.
To recap, there are two areas for which a company should develop an action plan – one for top-level objectives and the other for risks connected to mission-critical or strategic objectives.
The former should only be developed once pre-determined thresholds have been breached, or it’s clear they will be, while the latter can be developed ahead of time based on a pre-determined risk response.
Having a plan, or otherwise helping risk owners and executives develop and adhere to one, is crucial for ensuring your company can stay ahead of any hindrances to achieving key objectives.
Taking the approach outlined above strikes the right balance between covering the essentials while avoiding the burnout that can end up creating even more obstacles to the company achieving its goals.
Does your company develop action plans for objectives and risks or do you simply address issues as they arise?