
Manage Tomorrow's Surprises Today

Steven Minsky

How to Uncover Risk with Enterprise Risk Management


During a Department of Defense news briefing in 2002, Donald Rumsfeld encouraged his team to consider their blind spots when making decisions.

To simplify Rumsfeld's categorizations of knowledge, if a person is able to ask themselves a question, and then answer it, that's a "known known." Alternatively, if they can ask the question, but don't have the answer, they've identified a "known unknown."

The problem risk managers face is the third possibility posed by Rumsfeld. How do you structure your risk management program to expose threats your organization has not even considered?

The risks that pose the greatest impact may not be known by the senior executives who make governance decisions. But the clues to those risks are often known at the front-line, supervisory level of your employee base. In other words, what's unknown by the decision makers is typically well understood by the employees who face those risks on a day-to-day basis. Unfortunately, nearly all industries experience similar communication failures that result in risks not being elevated to the appropriate level.

When considering your organization's ability to uncover these "unknown knowns," there are several metrics that can be used to benchmark the effectiveness of your Enterprise Risk Management program.

First, consider how many supervisory-level personnel are involved in the risk management or governance program. This group varies by industry, but typically represents around 40% of your employee base. Organizations whose engagement metric is less than 5% of total employees are often only speaking with VP or executive-level managers who, as we've discussed, may not be aware of what they don't know. A fully engaged program should include at least 25-30% of the employee base.

Next, consider the avenues available for your employees to voice concerns, and how those concerns are then reported and followed up on. This amounts to a risk identification and risk assessment exercise, but can be expanded to include complaint and compliance hotlines or incident tracking. Keep in mind that employees who don't receive concrete feedback on their concerns are unlikely to raise new concerns in the future. You can mitigate this issue in several ways. For example, you might provide updates and notifications throughout the risk prioritization process, or include risk management proficiency as an element of performance reviews.

Enterprise Risk Management is not just a good idea, it's the law. Since 2010, firms that fail to detect unknown knowns are negligent. The necessary risk assessment best practices are widely known but rarely implemented in full.


For guidance on meeting your management team's obligations in 90 days, download LogicManager's complimentary eBook: 5 Steps for Better Risk Assessments.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the author of the RIMS Risk Maturity Model for Enterprise Risk Management and CEO of LogicManager, the recognized leader of enterprise risk management solutions. LogicManager provides an integrated, intuitive software-as-a-service platform that helps companies make better decisions through risk intelligence for more effective corporate governance, risk and compliance management.
