Internal controls work is where many people encounter their first risk workshop. During planning, ‘Risk’ usually shows up as an unexpected and annoying guest at an otherwise pleasant event. A plan to manage the guest has to be developed, but how do you get the best out of your risk workshop and turn it into a positive process?
To help your organisation, we have collected our best tips for how to make your risk workshop a success!
Gather a relevant group
A risk workshop is collective work. It is a good idea to gather a broad, cross-unit and cross-functional group so that different perspectives on the risks facing the business are brought to the table. A common mistake is to delegate the whole task to one individual to ‘fix internal control’.
Another idea is to organise groups for the workshop based on area of responsibility in relation to:
- Overarching risks – Top level leadership team/C-suite
- Business-specific risks – Local leadership teams/leadership forums
- Process-specific risks – Process owner together with local leadership representatives and process users
Keep the focus
To be successful in the analysis, it should be clear what the point of departure is. Mixing high-level and low-level risks in the same session rarely results in meaningful risk analysis. Limit the scope and focus on the areas chosen for the risk workshop.
Think ‘WHAT could go wrong?’ Finding the ‘good’, relevant risks requires more than just stating that something could go wrong. A common mistake is to identify, interpret and express risks as something that has already gone wrong, rather than focusing on the cause of it happening.
Find the Cause
Instead, try to describe the cause of WHAT could go wrong. This reduces the likelihood of it happening again and lays the groundwork for good continuous controls.
- Don’t focus on just the consequence: ‘There are errors in the books’.
- Focus on the causes: ‘Payments are being made for unattested goods or services to fraudulent providers’.
This way, you capture the risk in a more precise way, and the whole organisation gets a better picture of how it is to be mitigated.
Differentiate between risks and issues/problems
A common problem is a lack of separation between risks and issues/problems. This can skew the risk workshop analysis.
Issues/problems are known quantities, things that need to be handled today. ‘The house is on fire’ is a problem, not a risk.
Risks are uncertainties and potential issues/problems that may need management in the future – and that we would like to avoid if possible. ‘Naked flame candles left lit in the office may cause fires’ is a risk – a potential problem.
If issues/problems nevertheless come up during the workshop, you can document these in a separate issue register and let the leadership team handle these in their normal workflow.
All risks identified in the course of the session should be divided into:
- A list of risks that need to be actively managed
- A list of risks that can/should be accepted ‘as is’
It’s important to remember that the risk analysis is a prioritisation exercise to understand what questions are the most important to focus on. It can therefore be good to compare and assess risks in relation to each other as well.
The work doesn’t stop there! The most important thing is how you and your business carry the risk work forward and manage the risks, primarily through continuous process controls and clear improvement actions.
Tip! Assign a clear owner per priority risk who is responsible for coordination, tracking, and reporting on that risk.
Use an external and engaged moderator
By using a moderator, the whole group gets a better overview and you avoid the classic pitfall of ‘the highest paid person in the room decides’. The moderator is responsible for running the risk workshop and documenting the results. They don’t need to know the business; that is the job of the participants. But they can question and challenge the participants!
The moderator documents the risks and their rating (impact and likelihood) on a whiteboard or, even better, in a dedicated system. If there are complex discussions that threaten to take up too much time, the moderator can park these and handle them on a separate occasion.
Finally – don’t forget what a risk analysis is for
The risk analysis helps you focus on the most important risks to your business. Simply stating everything that could go wrong is not enough; it must result in a clear plan for how controls will be strengthened and who is responsible for carrying it out. No organisation, except maybe Apple, has infinite resources, and many risks will have to be accepted without direct mitigation, which is fine.
It is better to have fewer improvements that actually happen than a long list of wishes that never get worked on.
Are you interested in a more detailed description of how to digitalise your GRC process? Check out our guide “Your guide to streamlining internal controls”. You can download it via the link below!