Why (and How) You Should Conduct an End of Year Risk Management Review

For most people, this will be a busy time of the year: end-of-year performance reviews, last-minute budget planning, holiday parties, or a final push to achieve their annual goals. All of this adds up to a very busy time when all you want to do is take a break. 

However, there’s one other thing I’m going to suggest you squeeze in before you start next year’s ERM program.

An end-of-year review

This review will neatly tie up everything you did over the past year and get you ready for the next.  And best of all, it’s something you can do in an afternoon.

The time you dedicate to this review will pay dividends in the long run, so give yourself until mid-January to get this done, but make sure you have wrapped up one year’s program before you move on to the next.  Plus, rather than seeing this as the end of this year’s activity, treat it as the start of next year’s program: you are going to be ahead of the game.

Why conduct a review?

Firstly, let’s say what this isn’t.

This isn’t a deep dive into the ERM project plan or an update to the risk assessment. These should all be activities that are part of the normal monthly or quarterly cycle.

Instead, this review is a chance to get an overall sense of the health of the program before you move on.  The review will help you get a sense of what’s been done, what needs to be done and what challenges you need to keep in mind over the next year.

This is a very high-level review and, unlike a lot of risk management activity, this isn’t the time to be the details guy or gal for a couple of reasons.

  • Firstly, you will get sucked into the weeds which will keep you from seeing the big picture.
  • Secondly, you don’t have the time right now for a detailed review.  Staying at a high level stops you from trying to rush something that needs a lot of time.

So avoid the details for a moment and stick to a high-level review.  To help with this, I put together the ‘3x3x3’ approach which is a great way of keeping your review focussed.


The 3x3x3 idea is a very simple way to approach the review.  You are going to consider three areas, identify three key points for each and do this in three hours. By the end of the review you will have:

  • Highlighted three achievements from this year that have helped develop the organization’s ERM maturity
  • Confirmed three goals for next year’s ERM program
  • Identified three challenges or issues that need to be monitored

Three areas, three key points in three hours. Easy.

The Review

There are five simple steps in the review. These help you understand where you are, where you want to go and what might stand in your way.

  • Step 1 – Review the health of the ERM program
  • Step 2 – Consider what’s been achieved in the last year and the lessons learned
  • Step 3 – Review the organization’s objectives and identify your ERM goals
  • Step 4 – Think about what might change what ‘normal’ looks like in the next year
  • Step 5 – Summarize your findings and lay out your ‘three threes’

If you want to jump in right away, there’s a worksheet here to get you started.

The Review in Detail

Step 1 – Review the Health of the ERM System

This is a great time to assess the health of your ERM program to act as a baseline for everything else. This review establishes where the ERM program is ‘today’ which will help you identify the progress you have made (step 2) and help identify gaps to fill in the next year (step 3).

Remember, we are only interested in a very high-level review so something like the eleven principles detailed in ISO 31000 is a good place to start.

Step 2 – Consider what’s been Achieved in the Last Year and the Key Lessons Learned

Use the results of step 1 to identify what you achieved this year.  If this isn’t your first review, also use last year’s review as a benchmark for comparison.  Even if your ERM program is relatively new, you should still identify, record and celebrate your achievements. Remember, ERM is an ongoing process so the project never really ends but don’t allow the never-ending to-do list to mask your achievements.

Acknowledging progress helps you track how things are developing but is also important for morale (and sanity) purposes.  Remember that showing progress and the benefits of formal risk management is also an essential step to embed an ERM system in your organization.

Make sure you also identify any key lessons learned from these achievements along with any barriers to success that you have encountered. This will help you reinforce the positives next year and increase your chances of success.

Having looked back, it’s now time to look forward.

Step 3 – Review the Organization’s Objectives and your ERM Goals

Before you look at your ERM goals, ensure that you review the organization’s strategic objectives for the next year. This will ensure that you remain aligned with the organization and keep these objectives in mind while you develop your ERM goals.

While goal setting, look at the progress that you have made this year. Was there sufficient progress to allow you to move onto these goals? Do any of the lessons learned apply to next year’s goals?  Might your goals need to be adjusted in light of upcoming events (step 4)?

Goals should stretch you and the risk management team but goals also need to be achievable and realistic. Don’t set yourself and your team unrealistic targets for the next year but ensure that your goals help support the organization’s overall objectives.

(There’s a useful article on S.M.A.R.T. goal setting with links to other resources here.)

Step 4 – Think about what could Change what ‘Normal’ looks like Next Year

Ok, now it’s time to get out your crystal ball and start forecasting the future…

Don’t worry, we aren’t trying to predict the future.  We are just trying to identify some of the ‘known knowns’ and ‘known unknowns’ that could cause issues in the next year.

Known Knowns

The dates of many events, such as team vacations, an office relocation or corporate restructuring, will be known in advance. These are ‘known knowns’.  Importantly, their likely effects will also be known in advance, so although these events can disrupt your program, you just need to plan around them.

Known Unknowns

There are also events where the timing is known in advance but the effects are unknown. These are ‘known unknowns’.  Elections, changes to senior leadership or the resolution of a court case all may be on a timetable that is known well in advance but the outcomes are unknown.  Be prepared for the results of these events to have an effect on your activities and plan accordingly.  Schedule strategy and plan reviews for after the outcome of these events and delay any major strategic decisions until the effects are clear.

Categorize these events as macro, organizational or personal / team and put together a simple calendar. Again, you aren’t doing any detailed planning but this gives you a sense of what you should be looking out for in the next year and helps schedule activity around periods of disruption.

Here’s a simple example of a calendar broken down into quarters:

End of year forecast calendar example

At a glance, this immediately shows us that the risk management team will be busy in Q1 helping manage the ERM elements of the annual report. In Q2, the Southern Africa and European teams will be busy or unavailable and there will be uncertainty about new financial regulations and compliance.  You know it’s always difficult to tie down US team members in late Q4 plus the election adds some more uncertainty around this period. However, Q2 looks like a good time to schedule big pieces of work and there is also a decent amount of time to respond to any regulatory changes following their release in late August.

Now you have a neat, short summary of what the year ahead looks like to help with planning, scheduling and horizon scanning.

Now that we have gathered all of our information, it’s time to wrap everything up in the final step.

Step 5 – Summarize your Findings and Lay out your ‘Three Threes’

Now, consolidate everything you did in steps 1 – 4 and write out your ‘three threes’.  As a reminder, these are:

  • Three achievements from this year that have helped develop the organization’s ERM maturity
  • Three goals for next year’s ERM program
  • Three challenges or issues that need to be monitored

This gives you a simple record of where you were, what you did and where you are going, with the review of the ERM system acting as a baseline for reference.  This will give you a good sense of the state of the ERM program at year’s end and what the next 12 months should look like.

When you’re ready, get the worksheet here.

Getting it Done

This review shouldn’t take more than a morning or afternoon but still, it’s a busy time of year.  However, you don’t have to do all of this in one session.  For example:

  • If you are a solo risk manager, set aside 20 minutes each day to tackle steps 1 – 4. At the end of the week, take an hour to review everything and complete step 5.
  • If you have a team, give each team member one item to work on in their own time.  Bring everyone together as a team for 90 minutes where you spend the first hour reviewing steps 1 – 4 and use the last half hour to complete step 5 together.

Whatever your situation, I’m sure you can find three hours by the middle of January to get this done.  Even if you can’t take on the review today, schedule some time in January right now to make sure this doesn’t slip your mind.

Remember that the time you invest wrapping up this year will pay dividends when you start work on next year’s program.

That’s it!

So that’s the 3x3x3 model.  Now you have:

  • A summary of the results of the system review (step 1)
  • Three achievements from this year that have helped develop the organization’s ERM maturity (step 2)
  • Three goals for next year’s ERM program (step 3)
  • Three challenges or issues that need to be monitored (step 4)

It shouldn’t take more than three hours.  Book in the time to do this by the middle of January and you will have a solid start for next year’s program.

What do you think?