Lean team, bigger impact: three ways to optimise risk resourcing and planning

5 min read
Oct 30, 2023

Even at large multinational organisations, the group-level ERM function is often relatively small and may still have a wide remit of responsibility: how do you leverage a limited number of risk resources to add the most value to the company, engage the business, and make a genuine impact?

 The solution for risk leaders in our network typically boils down to a combination of two things: planning and prioritisation.

New benchmark: Optimising resources for the greatest impact
Request to see the full benchmark.
Find out more

In response to the priority of a Risk Leadership Network member, we've recently been facilitating collaborations between risk leaders at different organisations with small centralised teams to share their approaches to building and maintaining an efficient risk team. Below are just a few highlights from those conversations.

1. Develop a risk calendar: three common approaches


Source: Optimising resources for the greatest impact, bespoke benchmark from Risk Leadership Network

Most risk leaders, irrespective of the size or sector of their organisation, do use a risk calendar to provide varying degrees of structure to their risk activities:

  1. Annual plan

    Usually, risk calendars take the form of an annual plan that follows the structure of the company's financial year and is typically based around key reporting milestones - for example, quarterly reporting to the board and audit committee (ARC), as well as preparation for the risk section of the company's annual report.

  2. Rolling plan

    Some of the practitioners in our network have a plan with a 12-month horizon - not unlike an annual plan - but this is a rolling plan, which has no specific endpoint and is reviewed (and updated) on a more consistent basis (e.g. once a quarter).

  3. Longer-term strategic roadmap layered on top of annual plan

    In some cases, risk leaders layer a longer-term strategic roadmap on top of their annual plan; while the annual plan is more tactical and short-term in focus, ensuring key requirements are met, the strategic roadmap focuses on long-term maturity growth and strategic initiatives (typically to a time horizon of three to give years).

So, given what we know about how a risk leader may organise their "risk calendar", what might a typical example of these calendars look like?

Example risk calendar with key
Source: Optimising resources for the greatest impact, bespoke benchmark from Risk Leadership Network

  • Half the organisations we spoke to, as part of our recent benchmark, report to the board on a quarterly basis, while 75% report to the audit and risk committee (ARC) every quarter.
  • Meetings with the executive committee tend to be a bit more regular: a quarter of risk teams meet with the executive committee every month.
  • Ahead of their quarterly risk reporting, some companies also hold smaller, one-to-one meetings with senior leaders to brief them on what will be included and provide any important context or background information.

These are highlights from the bespoke solution we provided to a Risk Leadership Network member's priority:

Member priority risk calendars (1)

See more bespoke solutions to the priorities of CROs and heads of risk in our case studies.

2. Prioritise risk activities by identifying key business drivers

On the subject of priorities, what is driving risk activity at organisations?

For risk leaders putting together their calendar, or reviewing it to assess whether there are any gaps (i.e. important activities missing), a key part of this prioritisation is identifying both the top-down and bottom-up influences on their risk activity and using this to decide what is most important. 

Below we've captured some of these key drivers CROs ahead as part of our recent benchmark.

Top-down drivers:

  • If senior executives are placing less emphasis on routine reporting this may give the risk team a greater amount of flexibility to pursue initiatives that support the business' strategic development and its ability to achieve longer-term objectives.
  • If there is pressure being placed on the risk team to find ways to add value to the business, with an emphasis on becoming a "revenue-generating" centre rather than a cost centre, one solution could be to save risk owners' time and boost efficiency by making it easier for them to report their risks - for instance, by implementing an intuitive GRC system.
  • If senior leaders are asking for help to make better-informed strategic decisions, risk teams could invest time into developing a more efficient data-collection process (possibly with the assistance of a system or tool), so that useful information can be fed to the top of the organisation.

Bottom up drivers:

  • If you want people to embed risk into their day-to-day conversations and processes, as opposed to only talking about risks at specific meetings or forums, hold workshops and risk awareness sessions with the goal of making people feel more accountable for risk and comfortable with speaking about their risks openly.
  • Encourage a more proactive, less reactive attitude to risk management: give risk owners confidence to escalate risks as they identify them, rather than waiting for them to materialise - this will place less pressure on the risk team to ensure risks are being managed correctly in the business.

3. Do more with less

With the typical ERM function counting between two and five FTEs on average (based on figures in our recent risk operating model benchmark), risk leaders in the network have also reflected on how they are optimising their limited resources to make the biggest impact. Here are a few of the tips they shared with each other (and which they have explored in more detail during recent member meetings):

By managing risk calendars, identifying key business drivers  and effectively prioritising workload, risk leaders in our network are able to add value to their organisation, even with a small team.

This high-level overview of the insights shared by our members at recent bespoke meetings and benchmarks is a small taster of the in-depth discussions and practical advice that was shared by risk leaders on this subject of risk calendars and prioritisation of workload in lean teams.

All the collaborations that we facilitate are in direct response to specific priority of one of our members.

Find out more about how we work with our members in response to their priorities, or book a discovery call to confidential discuss solutions for a specific challenge you're facing.

Get new posts by email