risk-based-approach-500x349.jpg?width=350During a Department of Defense News briefing in 2002, Donald Rumsfeld encouraged his team to consider their blind spots when making decisions.

To simplify Rumsfeld’s categorizations of knowledge, if a person is able to ask themselves a question, and then answer it, that’s a “known known.” Alternatively, if they can ask the question, but don’t have the answer, they’ve identified a “known unknown.”

The problems risk managers face is the third possibility posed by Rumsfeld. How do you structure your risk management program to expose threats your organization has not even considered?

The risks that pose the greatest impact may not be known by the senior executives that make governance decisions. But, the clues to those risks are often known at the front line, supervisory level of your employee base. In other words, what’s unknown by the decision makers is typically well understood by the employees that face those risks on a day-to-day basis. Unfortunately, nearly all industries experience similar communication failures that result in risks not being elevated to the appropriate level.

When considering your organization’s ability to uncover these “unknown knowns,” there are several metrics that can be used to benchmark the effectiveness of your Enterprise Risk Management program.

First, consider how many individual supervisory level personnel are involved in the risk management or governance program. This varies by industry, but typically represents around 40% of your employee base. Organizations whose engagement metric is less than 5% of total employees are often only speaking with VP or executive-level managers who, as we’ve discussed, may not be aware of what they don’t know. A fully engaged program should include at least 25-30% of the employee base.

Next, you want to consider the avenues available for your employees to voice concerns, and how those concerns are then reported and followed up upon. This amounts to a risk identification and risk assessment exercise, but can be expanded to include complaint and compliance hotlines or incident tracking. Keep in mind that employees who don’t receive concrete feedback on their concerns are unlikely to raise new concerns in the future. You can mitigate this issue in several ways. For example, you might provide updates and notifications throughout the risk prioritization process, or include risk management proficiency as an element of performance reviews.

Enterprise Risk Management is not just a good idea, it’s the law. Since 2010, those firms that fail to detect unknown knowns are now negligent. The necessary risk assessment best practices are widely known but rarely implemented in full.

For guidance on meeting your management team’s obligations in 90 days, download LogicManager’s complimentary eBook: 5 Steps for Better Risk Assessments.

Votes: 0
E-mail me when people leave their comments –

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!