When no one owns the risk all the way through, it doesn't matter how good the analysis is. Many of the organisations we meet at Stratsys don't lack risk insight. What they lack is the ability to turn risk insight into action.
Significant resources are often invested in processes, controls and follow-up to strengthen risk work. But the work loses momentum before it leads to clear results. Risk work looks active, yet has little real impact on the business. That easily creates a false sense of control.
The problem today is rarely a lack of risk insight. What matters is the ability to translate risks into decisions, priorities and execution.
– Identifying and describing risks doesn't automatically mean the work moves forward. The hard part is making sure someone drives the issue all the way through, says Christopher Läns, GRC expert at Stratsys.
Christopher Läns, GRC Lead, Stratsys
Operational grip on risk
Without operational grip, the result is often extensive documentation, with no clear link to ownership, decisions and change. Operational grip means:
- Clear ownership from identified risk to executed action.
- Controls that influence priorities and ways of working in the business.
- Actions tied to governance and decision-making, not separate action plans.
- Follow-up that leads to prioritisation, decisions and change.
- A coherent structure where risks, ownership and actions connect.
Risks are identified, but get stuck in handovers
Risks often get stuck between functions because no one drives them to action and execution. Responsibility is split across different parts of the process, without anyone holding the mandate to drive change. Ownership becomes formal rather than operational.
Controls are defined, but don't steer the business
The same pattern appears in control work. Many organisations have extensive control structures that are followed up in separate processes and reported in their own flows.
– Many organisations are good at defining controls. The hard part is making controls actually steer ways of working and priorities. Otherwise they risk staying in documentation and follow-up, says Christopher.
Controls used only to demonstrate compliance are documentation, not governance. Treating internal control as a checkbox exercise creates more administration without real steering - if controls don't influence decisions and ways of working, they're no proof of operational control either.
Actions are followed up, but don't drive change
There is rarely a shortage of activities in risk work. Actions are defined, action plans are drawn up and new initiatives are launched continuously across the organisation. Many actions are followed up without making any real impact - often because the same underlying risks are handled in multiple parallel tracks.
We meet organisations running extensive action work without a clear link to priorities, ownership and decisions in day-to-day operations. Actions get stuck in action plans, meeting notes and status reports instead of becoming part of how the business is governed. It becomes unclear who is driving the work, what decisions are needed, and what the actions are leading to. The change doesn't happen.
– Many organisations have plenty of actions and activities running. But if they're not linked to the business's priorities and decisions, it's hard to create lasting effect. The work then lives in parallel with governance instead of being part of it, says Christopher.
The consequence is that the organisation works harder without seeing what it leads to. That's why many feel that risk work keeps growing in scope without the business experiencing greater control or clearer direction.
Follow-up doesn't lead to decisions
Many organisations today follow up large volumes of risk and control information. Follow-up that doesn't lead to decisions becomes a way of describing the work rather than driving it forward.
– What matters is what happens after the information is presented. Follow-up needs to lead to clear decisions or changed priorities, says Christopher.
The consequence is that governance loses its impact. This is where many organisations lose their operational grip. If follow-up doesn't influence priorities, governance can look mature on paper but lack real-world impact.
When the work grows without delivering results
Risk work quickly becomes administrative when the organisation measures activity instead of results. The workload grows, but the link to change weakens.
– Many organisations work intensively on risk, but struggle to show what decisions or changes it has led to. The risk is that the organisation ends up measuring activity instead of results, says Christopher.
This is also why risk work is sometimes experienced as heavy and administrative in the business. The work fills up with follow-up, reporting and new initiatives, without the organisation clearly seeing how it affects ways of working, priorities or decisions.
Operational grip to drive change
Risk work that doesn't influence decisions is administrative activity, not governance. It doesn't matter how extensive the documentation is. Without a coherent operational grip, risk work risks becoming activity rather than real change.
What has your risk work actually changed? Who drives the work all the way from identified risk to decision? And which actions have led to real impact?
If you can't answer that, you're probably not lacking risk insight. You're lacking operational grip.
