Forget about risk registers and risk models. What you really need is a good risk bucket system.
To manage your risks, you need to know:
- Which bucket each risk goes into
- How much is already in each bucket
- How much you want to have in each bucket
Each bucket will have different rules for how it is monitored and managed. About who must pay attention to the new risks going into the bucket. And who makes sure that what was put in each bucket still belongs there.
Defining Your Buckets
Here’s one way to define the five buckets:
- Bucket 5 – Board approval and/or monitoring
This is the collection of risks that could materially affect the company’s survival and future direction. It includes strategic risks, high-severity risks that could threaten the company’s viability, and especially large concentrations of risk. Once the Board has agreed on what it wants in this bucket, it should receive regular management reports and require management to confirm that it is appropriately managing all such exposures that the company has or is considering.
- Bucket 4 – CEO and top management approval and/or monitoring
These risks are ones that do not rise to the Board level but still require very senior review.
- Bucket 3 – Approved and/or monitored by a business unit head
- Bucket 2 – Approved and/or monitored by supervisors or middle managers
- Bucket 1 – No approval required
The criteria for assigning risks to buckets will vary from company to company. One criterion may be size, another familiarity with the risk. Unexpected volatility, or loss per unit of activity that is much higher than normal for the company, should move the risk to a higher-number bucket.
The funny thing is that absolutely everyone already uses the bucket system. But few have written down the definitions of what goes into each bucket, and few monitor the risks in each bucket systematically.
Monitoring Your Risks
Going from an unconscious five bucket risk management system to a Five Bucket ERM System is straightforward. The company just needs to formalize the assignments, monitor the risks in each bucket regularly, and produce reports showing how much risk is in each bucket at regular intervals.
Here’s an example of how a manufacturer might approach this.
First Pass – Where are the risks approved for acceptance?
- Bucket 5 (Board) – set profitability targets; decide on M&A; identify new territories; approve new products; approve new plants (or decide to discontinue territories / products / plants)
- Bucket 4 (Top management) – select major suppliers; determine customer relations protocols; select corporate insurance policies; set investment policies; authorize R&D initiatives; approve organic growth plans
- Bucket 3 (Plant managers) – authorize HR policies; approve local suppliers; set cash flow standards; approve plant safety measures (fire control systems, flood barriers, etc.); approve emergency evacuation plans
- Bucket 2 (Supervisors) – approve data security policies; determine theft prevention policy; approve employee health and safety standards; set monthly productivity goals
- Bucket 1 (No approval or review) – Pandemic affecting employees, suppliers, customers
As you do this the first time, check whether you are happy with what is in each bucket – especially with what falls into Bucket 1, the unattended bucket. It can be easy to overlook risks that fall into this bucket because, by definition, no one is approving or monitoring them. So it’s worth spending a bit of time on this one to make sure no important risks have been forgotten. In the example above, only one significant risk is found in Bucket 1, but that may not be the case for every company that does 5 Bucket ERM for the first time.
Next, assess where risk management takes place. You may also find that most things are managed in a lower numbered bucket than the bucket where they are approved. Here’s how that might look for our manufacturing example.
Second Pass – Where are the risks managed after acceptance?
- Bucket 5 (Board) – no risks managed by the Board
- Bucket 4 (Top management) – maintain profitability targets, carry out M&A, implement new territories (or discontinue territories); deal with major suppliers; manage customer relations; execute corporate insurance policies; implement investment policies; conduct R&D; implement organic growth plans
- Bucket 3 (Plant managers) – produce new products (or discontinue old ones), open new plants (or shutter old ones); oversee HR; deal with local suppliers; manage cash flow
- Bucket 2 (Supervisors) – maintain plant safety (fire control systems, flood barriers, etc.); review and practice emergency evacuation plans; monitor data security; maintain monthly productivity goals
- Bucket 1 (Not managed after acceptance) – Pandemic; employee health and safety; theft prevention
The amount of risk that drifts down the org chart may call into question the adequacy of resources for risk management. The combination of risk drift, attention, and risk management resources lies at the heart of many major risk blow-ups: there was appropriate attention at the point of risk acceptance, but resources were overburdened at the level to which the risk ultimately drifted for management. In the example above, the findings are generally positive; risks seem for the most part to be managed in an appropriate bucket. But again, not everyone should expect to find themselves in that position on the first pass.
An important step in creating a formal Five Bucket ERM System is using the buckets not just to monitor risk, but to truly manage it. That means shifting from activity metrics to risk metrics. It also means identifying the profits – and the threats to profit – that are coming from each bucket. It leads to conscious decisions about how much risk can be accepted in each bucket.
But the first step in this transition for everyone is to start to notice the buckets that are already right there in your offices.