To simplify Rumsfeld’s categorizations of knowledge, if a person is able to ask themselves a question, and then answer it, that’s a “known known.” Alternatively, if they can ask the question, but don’t have the answer, they’ve identified a “known unknown.”
The problems risk managers face is the third possibility posed by Rumsfeld. How do you structure your risk management program to expose threats your organization has not even considered?
The risks that pose the greatest impact may not be known by the senior executives that make governance decisions. But, the clues to those risks are often known at the front line, supervisory level of your employee base. In other words, what’s unknown by the decision makers is typically well understood by the employees that face those risks on a day-to-day basis. Unfortunately, nearly all industries experience similar communication failures that result in risks not being elevated to the appropriate level.
When considering your organization’s ability to uncover these “unknown knowns,” there are several metrics that can be used to benchmark the effectiveness of your Enterprise Risk Management program.
First, consider how many individual supervisory level personnel are involved in the risk management or governance program. This varies by industry, but typically represents around 40% of your employee base. Organizations whose engagement metric is less than 5% of total employees are often only speaking with VP or executive-level managers who, as we’ve discussed, may not be aware of what they don’t know. A fully engaged program should include at least 25-30% of the employee base.
Next, you want to consider the avenues available for your employees to voice concerns, and how those concerns are then reported and followed up upon. This amounts to a risk identification and risk assessment exercise, but can be expanded to include complaint and compliance hotlines or incident tracking. Keep in mind that employees who don’t receive concrete feedback on their concerns are unlikely to raise new concerns in the future. You can mitigate this issue in several ways. For example, you might provide updates and notifications throughout the risk prioritization process, or include risk management proficiency as an element of performance reviews.
Enterprise Risk Management is not just a good idea, it’s the law. Since 2010, those firms that fail to detect unknown knowns are now negligent. The necessary risk assessment best practices are widely known but rarely implemented in full.
For guidance on meeting your management team’s obligations in 90 days, download LogicManager’s complimentary eBook: 5 Steps for Better Risk Assessments.