Building an effective Enterprise Risk Management (ERM) program is rarely smooth. Many organizations start with scattered spreadsheets, inconsistent data, and a program that feels more reactive than strategic. The good news? You don’t have to stumble through the same trial-and-error to reach maturity. In this webinar, Paul Taylor, Sales Executive at Origami Risk and Raina Hathorne, Product Marketing Manager at Origami Risk share five critical lessons risk leaders often learn the hard way — and how you can apply them to strengthen your own program.
You’ll learn how to:
Identify and empower champions to drive a risk-aware culture.
Filter noise from exhaustive risk data to build a meaningful risk register.
Move from vague, undocumented risks to thoughtful, measurable insights.
Shift from documentation to mitigation.
Position your ERM program to build resilience.
Whether you’re building your program from scratch or refining an existing approach, this webinar will equip you with practical, hard-earned insights to accelerate your ERM maturity — without the missteps.
Hello, everyone. This is Melissa Lentz, the director of continuing education at OCEG. I’d like to welcome you to our webcast today during which we will present five lessons you don’t have to learn the hard way. Building an effective enterprise risk management program is rarely smooth. Many organizations start with scattered spreadsheets, inconsistent data, and a program that feels more reactive than strategic. The good news is you don’t have to stumble through the same trial and error to reach maturity. In this webinar, Paul Taylor, sales executive at Origami Risk, and Raina Hathorne, product marketing manager at Origami Risk, will share five critical lessons risk leaders often learn the hard way and how you can apply them to strengthen your own program. But before we start, I’d like to take a minute to go over a few housekeeping notes. First, regarding continuing education credit. 
We provide NASPA approved CPE credit to you for participation in live webinars if you have an OCEG All Access Pass or Pro membership, which you can purchase individually or as part of a company team membership. The all access pass includes many benefits in addition to CPE credit for webcasts, such as access to all OCEG resources and on demand education series. So if you don’t already have a pass, I would encourage you to check it out on the OCEG site. If you do have an all access pass and would like a certificate of completion for CPE for this event, please be sure to stay with us for the entire hour and answer at least three of the polls offered today through the polling function in our webinar platform. These are requirements for receiving CPE credit for this event. Please note that certificates of completion for CPE credit are available only for live events. They are not available for viewing archived webinars. Additionally, if you need CPE credit only for OCEG certifications, your webinar attendance will be automatically tracked in your certification dashboard on the OCEG site. You will not need to upload your certificates of completion for OCEG certifications. Second, regarding the slide deck and recording from this webcast. The reminder email you received includes the link to the slide deck for this event. After the webinar, you will receive a follow-up email, which includes the link to the slide deck and the replay, which will be available for about one week. We will also have the recording of this event posted on the OCEG website. Just log in to the site, go to the resources tab, select webinar recordings, and then this webcast. Anyone with an OCEG All Access Pass may view this recording. Third, regarding our audience feedback. Please feel free to submit your questions during our event today. If our presenters do not answer your question during the webinar, they will be able to respond to you via email after the event. 
Additionally, we value your opinions and encourage you to submit the evaluation offered after the webinar. Fourth, regarding upcoming events and activities. Please watch your email for announcements from OCEG about other upcoming webinars. You can view information about these upcoming webcasts on the OCEG site. So today, we will address the following learning objectives. We will learn how to identify and empower champions to drive a risk aware culture, discover how to filter noise from exhaustive risk data to build a meaningful risk register, discover how to move from vague, undocumented risks to thoughtful, measurable insights, learn how to shift from documentation to mitigation, and learn how to position your program to build resilience. But before we hand over the presentation to our speakers, we’d like to offer our first poll. So if you are interested in receiving CPE credit for this event, please be sure to answer at least three of the polls offered today by responding in the poll panel on your screen. We will email certificates of completion for this webinar in a day or two to all participants who meet all the criteria for CPE credit. The first poll question is, do you have an OCEG all access pass, which is a paid membership that will enable you to receive CPE credit for this event? Your options here are, yes, I have an OCEG all access pass that will enable me to receive a certificate of completion for this event if I attend the entire meeting and answer at least three polls, or no, I do not have an OCEG all access pass, so I understand I will not receive CPE credit for this event. So as you answer this poll, I’d like to hand over the presentation to our speakers to begin our discussion today.
Awesome. Thank you so much, Melissa. Hi, everyone, and welcome. I’m Raina, as Melissa said, product marketing manager here at Origami Risk. Thank you so much for joining us as we cover five lessons you don’t have to learn the hard way. 
If you’re here, you probably wear many hats. Risk leader, compliance manager, internal audit partner, maybe even all of the above. And you’ve probably experienced that moment when your risk program feels a little chaotic. Maybe everything lives in spreadsheets or maybe you’re struggling to get that consistent data from across your business or organization. Our goal today is to help you skip kind of that messy middle with five lessons that we’ve seen again and again with clients that we’ve helped. So we’re gonna go through kind of what to avoid, what to do instead, and how to accelerate towards maturity. I’m joined by Paul who works directly with organizations that are scaling and modernizing their programs.
Thanks, Raina. I’m excited to dig into these ideas. Most of the clients I talked to are either launching their first formal program or trying to make sense of what they already have. The lessons we’ll cover today really resonate across both of those situations.
Perfect. So let’s jump right into lesson number one, which is don’t start with a risk register. Find your champions first. Lesson one, we think, covers where most programs kind of start off with a stumble. Right out of the gate, they try to start with that risk register. And those of you who have tried to put one of these together from scratch know that it seems logical. There’s you can’t manage risks without a list of what risks you’re supposed to be managing. Right? But just compiling a list without buy in from the people across your organization, really, that register is likely to just sit untouched.
Exactly, Raina. I was just talking to a new client who shared that when they were first building out their risk program, they spent weeks creating a two hundred line spreadsheet to be their risk register. They sent it out for review and received back zero responses, not because people didn’t care, but because no one felt ownership among all of these other stakeholders.
Exactly. 
That’s a perfect example. This first step shouldn’t be a spreadsheet. It should be the people. You need champions. And what does a champion look like? These are folks who are naturally curious about risk, who get excited when you talk about process improvements, and who can maybe influence others around them. They probably don’t have risk in their title. Sometimes it’s a plant manager or a finance analyst, who just wants to help make things better.
Very true. And when you find these stakeholders who are gonna support you, it helps to give them small wins along the way. One client I’m thinking of, a manufacturing client, started their program by asking all of their champions to identify at least one risk in their area that slowed down productivity. Within weeks, they had stories to share, real improvements, and this caught leadership’s attention and gained their support very fast.
Yeah. That early momentum really helps drive that risk culture across the board. Once people see risk management as a tool for making their job easier, that’s when a risk program can really start to take off. And we have a few things that we recommend you use to get there. So first, identify three to five champions across different functions of your organization. Give them visibility and a clear role in shaping your enterprise risk management program, and then celebrate and communicate their wins within the program and without, and then use early results to show executives that risk work drives outcomes, not just compliance, which brings us to our second poll. Who are your risk champions? And your options are: one, we don’t have identified champions yet. Two, a few individuals in a single department. Three, a few individuals in different departments. Four, we have a formal group or committee. Or five, you’re not sure what your risk champions look like. While you’re answering that, we’re going to jump into lesson number two.
Yes. And this next big lesson is all about data. 
Once you have the engagement that you want, you’ll start receiving a lot of data from audits, incidents, vendors, operations, and many other areas. Without a plan and an organized approach, this can quickly become messy. Different formats, duplicate risks, inconsistent scoring, there’s a lot of ways that this can become difficult. And this is a key place where programs stall.
Exactly. Yeah. Data. Everybody wants it. Not everybody knows what to do with all of it. And this one hits home for a lot of risk leaders we talk to. Suddenly, you’ve launched your program and you’re getting inputs from audits and incident reports, vendor questionnaires, operation logs, compliance assessments. It can be really overwhelming. And if everyone is defining risk differently, your data becomes nearly impossible to use.
Exactly, Raina. For example, one of our higher ed clients told us they had five different departments sending in each their own risk spreadsheet. Each of these was using a different scale for measuring risks. One of the scales was one to three, one was one to five, one used colors, others had terms such as minor, major. It’s just a really inconsistent picture. And, consequently, they were unable to compare anything across their departments.
Yeah. That’s such a common story. I don’t know how many times we’ve heard similar things from our clients. You really can’t compare or prioritize if every department defines things differently. I once worked with a client who had four different scoring scales for risk likelihood. Each one was well loved by its department. You know, you can’t get rid of things that folks love. Right? But when they tried to build heat maps around them, every risk turned red. Not because all the risks were severe, but because the data was like trying to compare apples to oranges. We do have a few suggestions that you can do about it. First, get yourself comparing apples to apples. Establish a shared scoring framework. 
Define what impact and likelihood mean and publish that across the organization. Create templates for collecting that risk data. Don’t let the departments make their own risk collection method and then send it into you. You define it. Maybe even it’s a simple online form or a shared spreadsheet is a place where you could get started. But standardizing those inputs early on is really going to be key. And then we recommend that if you can, start with one repository. Whether it’s Origami Risk or another similar solution, it’s essential that you consolidate all of that data into a single source of truth before analyzing it. And tech is a great place where that’s gonna make this easier. And then finally, we recommend that you review this quarterly. I know a lot of folks do an annual review, but if you make data quality checks part of your regular cadence as you’re doing things, you don’t end up playing catch up if there’s a hiccup with adoption of this framework or risk data that you’re putting together. So we think if you focus on quality, consistency, finding that common language, once you define how you score likelihood and impact, make that universal, and really everything else kinda starts falling in place around that data.
That’s a great list, Raina. Very usable bullet points. And really underscores that the solution isn’t more data, it’s better data from the beginning. Have good data with consistent practices for managing the data, and this is where technology can really help. Origami Risk clients find it easy to utilize the shared risk libraries to enforce the standardized scoring frameworks. This is where those templates you mentioned really can come into play and be helpful. So even when multiple teams contribute risks, everything can align automatically. That way leadership can see an apples to apples comparison. Reporting will be consistent across business units. 
And really important, the progress over time is easier to visualize. All of that instead of chaos.
Absolutely. That’s so important, the visualization, getting out of that chaos state, and driving real value. Which brings us to the next lesson. You might find it surprising that it takes us to lesson three to get to the risk register itself. A lot of programs start here and a lot of programs stop here. And it’s true that a register is needed and it should be the backbone of your risk program, but it’s not just a list of your risks. It’s where your risk data should come together, connect with business objectives, and help you prioritize your program.
Yes. I actually remember a finance organization that had what they called the monster spreadsheet. It had hundreds of rows of risks, all updated manually, all types of columns that were being added and just a really inconsistent picture. Consequently, no one ever used it because it was so cumbersome. The attitude was essentially we spend hours maintaining this, but it really doesn’t change anything we do. So it’s also worth mentioning that spreadsheets themselves can be a point of failure in the risk management work as there’s really no support outside of one’s organization, and inaccuracies, as I was describing, often happen.
Ouch. Yeah. The goal should not be to have hundreds of risk on a spreadsheet that you spend all of your time updating for sure. The goal should be to understand which of those risks are key and which ones are really driving the needle, as you might say.
Yes. Right. It’s essential that the register be kept simple at first. Think of where you’re coming from and realize that there will be steps to improve and reach complexity later. Start with impact and likelihood. Later, the organization can layer in things for risk appetite, key risk indicators as in KRIs, or even visual tools like heat maps or bow tie models as the work becomes more detailed and broader across the organization. 
The key really is to make it usable, clear, and accurate enough that leadership wants to look at it. It’s really important to take the long view that one’s risk management process will continue to improve over time. An example I’ll share is I had a health care client who turned their risk register into a living dashboard. They started with their top ten risks. They linked each of those to different departments. They provided access to owners, assigned ownership and tasks across the organization. They implemented controls and even patient safety metrics. Suddenly, leadership meetings, they weren’t about what’s wrong, but measuring where we are improving outcomes like visibility to gaps in the progress they knew they needed to make. And so the program grew quickly from there. That kind of visibility is an outcome that builds with time and experience by using a formal process.
Exactly. Yeah. That’s exactly the shift that you wanna see. Something small that gets lots of buy in and attention and then grows kind of organically from there. Exactly. To summarize, we would suggest that you start small and prioritize. Documenting, as Paul said, the top ten to fifteen risks first, getting those right, getting the program and the measurement and the buy in around those right, and then growing and expanding from there. Making sure that you’re categorizing clearly. You know, maybe you’re grouping your risks by strategic, operational, financial, or compliance categories. It could be regulations you have to comply with, any kind of thing, but you wanna make sure that you’re really richly categorizing the risks that you’re tracking. And then, of course, I think you want to make sure that those risks are linked to business objectives. 
This really helps executives make that jump from this is a risk program that lives over here in a corner and see the alignment and relevance to managing and mitigating risks kind of across the board and how it engages and interacts with other pieces of the company. And then finally, we recommend that you visualize your risk. Use, you know, dashboards or heat maps. Make trends obvious for those folks who aren’t, you know, ingrained and rich in risk during every part of their day. Make it obvious at a glance for them by using those kind of color codes and things along those lines.
Yes. And, Raina, I think that brings us to our third poll.
It sure does. Yes. So poll question number three is what does your risk register look like? Option one here is we don’t have one yet. Number two is we have a basic list or a spreadsheet. Number three is we have a structured register with categories and scoring. Number four is we have a mature system driven register with reporting. And number five is for folks who are unsure of what their register looks like. And while you guys are putting in your answer here, really excited to see kind of where folks land on this one. Paul’s gonna take us into our lesson number four.
Thank you. And we’ll come back to those results later perhaps. So lesson four, don’t stop at the register. The idea being that the risk register and programs can plateau. Once you have some momentum and you’re doing those early steps that we talked about as far as having buy in and ownership and support across the organization, you’ve taken some steps to assign controls and tasks to other folks, realize that you want to continue to build your register. You want to continue to refine and work with the scoring. But sometimes it can sit there at that point and just becomes a reporting tool instead of a management tool.
Right. Exactly, Paul. 
I mean, how many programs have we seen that have just been sitting there, you know, in a spreadsheet or in a solution with no action, no accountability?
Too many. I would agree. So the documentation is very necessary, but it’s not the finish line. I will share. One of the challenges we always have with new customers, and this really happens no matter where their starting point is having them adopt the program that they want. And so it’s really important to realize that a continued effort at adoption and overcoming some of the internal inertia is really important. Then the real power comes in committing to having this new process adopted and making a part of the organization’s culture. This is a great outcome when you’re able to link your risk to owners, have people managing and assisting with controls, actions, addressing findings, and there’s some accountability as part of the goal. A further step is sharing that accountability across multiple stakeholders. Too often, we see customers who see that the risk team is managing this and assume that it will be managed by them. Sharing this accountability is really where customers can create an effective risk management program. This type of accountability can change an organization’s culture if you think about the things I’ve described and really have a new way of doing mature risk management.
Exactly. Yeah. You might say that’s the turning point from documented risks to managed risks.
Very true. So an example here is one of our largest retail clients told me they saw this turning point when they had assigned each risk to an owner outside of the risk team. And they went from struggling to update the risk register once a year to now having a broad array of risk owners, different timelines, and specific mitigation steps that were applicable to these different business units and owners so that the register is consistently managed throughout the year. 
This really shifted the conversation for them to tracking progress and talking about opportunities for improvement in each of those different areas. Their solution provided the visibility to each of these risk owners and, in many respects, helped those business units manage up to their own executive team.
Yeah. I remember that story. That’s a great one. We often find ourselves focusing solely on preventing risks that we kind of completely forget about the other side of a risk management program, which is the opportunities that we can see if we do take certain risks.
Agreed. That is a good success story. It really highlights that without broad ownership and accountability, then risk management could be everyone’s job, but then maybe no one’s job.
Yeah. Exactly. So to summarize, we might say there are a few steps that we would advise you take to help avoid that trap. One, I think we could all pull out of here is assign ownership to every risk. Make someone, some individual accountable for mitigation and management of that risk. Link risk to controls and action plans. Make that direct path from issue to mitigation to result very easy to follow. Make sure that you are tracking and measuring those risks using status updates or dashboards to show movement over time. And don’t aim for perfection. I think that is something we see often, you know. Folks are aiming for getting every risk into their register. They’re aiming to get everything scored and, you know, the aim really should be for progress. A sixty percent implemented control is way better than a perfectly documented control on just a piece of paper. And that brings us to our last lesson, which is the one that we see organizations and, you know, companies and everyone out there is really talking about, what we are aspiring to do, which is gain resilience. You know, we see mature programs, they aren’t just tracking risks. 
They’re predicting and preparing for what’s next.
Yes. For example, I was speaking with one of our logistics clients just recently, and they shared that before using a system, they really didn’t realize how interconnected their risks actually were. They were constantly fighting seemingly random fires. But now with the visibility they had acquired into their full risk network, they can map those connections. They can dig deeper into those. They can respond proactively. And maybe one day soon catch a disruption before it even starts.
Yeah. That’s the real promise of resilience, that confidence in decision making, that catching things before they spiral out of control. You know, when your program begins to mature, the focus shifts from managing individual risks or putting out individual fires to managing your organization’s response capacity. You know, how can we or could we respond to these risks? How can we mitigate them? You’re talking about the big picture instead of the individual instances and individual disruptions. We see that, you know, kind of as the mark of a resilient organization. Not one that is avoiding challenges, but one that can absorb and adapt to them. We have a few points of guidance to help you move in that direction. First, mature programs move beyond mitigation. You see that there on the screen. We know that mitigation is important, but it’s only part of the journey. So kinda like we’ve talked about in the lessons ahead of this one, mature programs move beyond simply checking off action plans and start focusing on how the organization learns from risk events. You know, instead of asking, did we fix it? You’re asking, what do we learn and how can we strengthen our response for next time? You’re not getting to a point where you think that you can prevent every risk, right? But you’re learning from them, adapting and responding to those as well. 
These resilient programs are embedding continuous monitoring and reporting. The second part is really about moving away from static annual reviews to a near real time awareness of what risks are out there. We think when you embed continuous monitoring, you start to see trends before they turn into problems. Whether it’s control performance, risk exposure, or compliance gaps, that kind of visibility lets you take action early and confidently. One story we love to tell here at Origami is about a client who implemented our program and they were measuring their cyber security results. So you know that phishing test that you get sent and your IT team is on the backside of that, seeing how many people clicked on that link when they weren’t supposed to. Right? Well, this company is pulling those results, whether it’s, you know, sixty percent passed or eighty percent passed or whatever it is. And they’re seeing that monitoring being very important as they evaluate their cybersecurity risks because we’ve all heard it, it’s usually the human in the situation that causes those problems, at least as they get started. The third piece here is scenario planning. Resilient organizations, they don’t just document risks, they test them. So Paul talked earlier about bow tie modeling, that’s one way to do it, but running simulations or what if exercises can help you see and map how disruptions ripple throughout your business. Those plans can really help inform business continuity plans. And whether you’re looking at measuring a cyber incident, a supply chain interruption, or a regulatory shift, scenario planning really helps build confidence in everyone who’s involved in the preparedness that your organization has, before something happens. And then our final point here is resilience is the proof point of success as far as most executives we’ve worked with are concerned. Right? 
The day to day putting out of fires is great, they expect that, but when you can get to that proof of showing that the cycles are being broken before they get to the fire, that’s really powerful stuff. It’s tangible evidence that your program isn’t just about compliance, it’s about strengthening performance, protecting reputation, enabling better decisions, aligning with those business strategy and objectives. We think so overall, what we’re trying to say I think is when your risk data and your controls and your insights are all connected, your organization becomes more adaptable and your leadership gains the trust that your program is driving lasting value, which I’ll just leave that there. I think that’s a really powerful statement and bring up our final poll here, which is, of course, would you like to learn more about Origami Risk? Yes. Please connect me with your team. Maybe later, you can send me some resources or no. Thank you. I’m just here for the content. No matter what you choose, we hope that you walk away from today with something really valuable. And thank you to everyone. We really appreciate your time. Whether you’re ready to explore solutions or just gathering ideas, we’re here and happy to talk. While you’re putting that in, I’m gonna hand it over to Paul.
Thank you, Raina. I’m looking forward to connecting with some of you. And before we jump into the q and a, let’s just have a quick recap of the five key lessons. Number one, start with ownership and champions. Get the buy in and participation from as much of your organization as you can. Number two, find a way to standardize your data early. I’ll add, keep in mind that this can change over time. But once you have a standard, everyone is playing from the same sheet of music. Number three, build a risk register that connects to your strategy. Number four, make ownership and action mandatory. 
This is really a key to having a change in the culture and the participation where you have broad ownership and it’s not just the risk team doing all the work. And last, number five, focus on resilience as the true north, a risk management program that really provides guidance and a place that the organization can rely upon to help manage future plans and proactive risk management.
Yeah. Exactly. ERM maturity isn’t an overnight project. It’s not even a one time project as you pointed out, Paul. All these things evolve and change as the market and regulations in your organization change. It’s a journey. And we hope that with these five lessons, maybe you can skip over some of the hardest parts. Just remember to start small, get your momentum going, and build from there, and we think that you will find some success. Okay. If you haven’t already, please make sure to drop any questions into the Q and A box that you might have. If we don’t get to yours today, we’ll be sure to follow-up via email. But let’s jump over to our q and a slide and get started with this one that I saw come in earlier. What is the best way to get executive buy in if leadership doesn’t see the value of a risk program?
Which is a great question and definitely one of the challenges that I’ve seen regularly with customers. I’m gonna digress for a moment from the question and just add a thought that this is something to work on early in the process of looking for a solution that you need to have support in other areas of the organization, not just from a budget standpoint, but are they gonna participate? This even goes back to our initial lesson or our initial idea about starting with ownership. But I’ll also say more specific to the question, make sure the risks being managed and the work being done is relevant to the business. When you can tie your risks to business goals, such as going into a new market, what is our growth and what are we doing to support that growth? 
What things are affecting profitability? Certainly, profitability itself is the goal of every business, but there are things one can do in an organization to mitigate risks, look ahead, try and see around the corner for risks that might affect their profitability. And certainly reputation, risk to that reputation should be part of this and is definitely relevant to the business. These are many of the things that executive teams care about. So especially when risk management supports the strategy and not just compliance, that is one way to demonstrate relevance to the executive team, to manage up to them in the reporting process and really have their buy in.
Yeah. Great answer, Paul. I just wanted to add to that. If you noticed on our lesson one slide, we kind of broke down what does a good risk champion look like, and we said, you know, they’re not always an executive. And while that’s true, I definitely wanna make sure to kinda circle back to that and say they absolutely can be an executive. They can even be, you know, your risk executive. We just wanted to make sure you guys wanna, you know, focus so laser in on getting folks, you know, from the top level of the organization that we miss the value that those folks who live day to day in our operations and on the floor of our company, what they can bring to a risk program. But definitely don’t avoid getting that executive to be your risk champion. That can go a long, long way for getting executive buy in into your program.
Yeah. Awesome. It looks like we’ve got another question here. They asked, how do you filter noise from I think they’re talking about data here when everyone thinks that their risks are the most critical risks in the organization? Yeah. Good question. Paul, you wanna start this one?
Yeah. And, actually, I can understand that concern. 
You started off spending time building ownership, asking people to participate, even assigning them tasks and maybe other things that the organization is doing to ensure that they actually do participate. It would be natural for all of them to feel that now that they are involved and expanding their own time that their risks are critical. However, if that is the case, you really start to reduce the importance of them across the board. And everyone knows that because we’re managing towards something doesn’t necessarily mean that it’s as important as some of the other things that are going on. And also over time, something that is critical may not necessarily stop being critical, but we try to show the risk. Or we found a way to assume the risk, or we’ve done other things in our mitigation plan such that we can sleep better at night knowing even if this happens, yes, it’s critical to the business, we have a plan in place. So to that end, building a consistent scoring criteria, having a consistent way of measuring and understanding any gaps between goals really makes this easier. We’re hopeful that once a plan like that is adopted, it can take the emotion out of what people are dealing with measuring these risks and really replace it with data. Yeah, Paul. And I think that’s a really great point that critical the definition and what that encompasses can be really different at every stage of maturity of your program. I just would add to that that it’s really important to make sure that you’re talking to these folks, you know. Talk to them about why they think this risk is critical, you know. What criteria are they using? Maybe they’re seeing things that you’re not seeing, from your perspective, and maybe that could shift what you define as critical. Or you could help them see the broader picture. You know, maybe they’re looking at their department, and this is super critical for them. 
But in the grand scheme of the organization, either it’s well mitigated and therefore, you know, doesn’t have a strong or as wide of an impact as other things or, you know, maybe it’s just not well documented, but this person who’s been managing this critical risk in their part of the organization just needs to do some more of that communication to get that understanding, whichever direction it ends up going. Yeah. Perfect. Let’s see. What is the minimum viable risk register for a small team? So I think they’re asking, like, what does like, where do you get started for a small team? Paul, I know we talked about this one, but do you wanna kind of maybe share a little bit more, maybe an example of how we’ve seen this again? Yeah. Happy to. In fact, if I may, I wanna take that question and edit it just a little bit to read or state what’s the minimum viable risk register for any team. The reason being, we’re assuming you’re coming from an area that the organization was not happy with or that your team in particular was not happy with. And we want to reach a point, taking the long view, that we are very happy with that. It can be difficult for a team of any size to dive into either transferring all the risks they’re working with or coming up with a list without realizing that let’s start small. Let’s walk before we try to run figuratively. So to that end, we recommend that you start with maybe just ten or a dozen of the well documented risks that you already know about. We actually recommend this across the board such that each risk is assigned an owner, a category, a score. This goes back to some of the lessons that we talked about. When you’re starting with ownership and champions, this can apply whether or not you have an existing solution that you’re trying to improve or you’re coming from that monster spreadsheet that we talked about. So don’t try to do too much at once. 
Make sure you’re getting buy in from the rest of the ownership, the champions that are helping with. You’re standardizing your data. Imagine trying to standardize your data across a very large list of risks versus managing it on a smaller basis with some that are easy to handle as one. Then you begin to build your risk register. You connect those to strategy. You’re signing ownership. You have tasks, findings that people are dealing with. So now you are at a point where you have a good subset of your risks or perhaps all you could think of initially and you have a process for them. Now we start adding more risks because we have ownership, we have other groups, we perhaps have leadership involved because we’ve made it relevant. We’re able to continue to grow that list and make all those part of the process. Beyond that, again, we’re taking the long view. We’re gonna continue to add risks and layer on. So whether you’re a small team or a large team, you have a manageable process for handling each of those as they come up. You’re gonna build it from those points. Yeah. Yeah. Great recap there, Paul. This brings to mind a client story from a while back, but I think it’s still pretty it fits really well into this question here. So we had they weren’t actually a small team. They were one of the bigger teams that we actually work with. They had several people on their team and then people ingrained into kind of each business unit of the company. And they were like, where do we get started? You know? They had risk registers kind of in all these areas that these different business unit risk leaders were managing and maintaining. And then, you know, they would bring all of that data together for their annual risk review that they had to take up to, you know, their executive team and their board. And they spent months looking at the data, seeing how they could compare, you know, this five point system to this three point system. Right? 
And when they, you know, wanted to move away from this and get into a solution, they’re like, we’ve gotta do this differently. We can’t have this same problem continue to live, and we can’t continue to spend months just getting the data in order and organized to bring up to leadership. So what they did is they took those business unit leaders and they talked about the different scores and categorizations that folks were using. And they found that a lot of folks were actually using similar scores or at least similar thinking, and they just kind of translated it from there. And then when they rolled out the system, they put one business unit in at a time. So they started, you know, first with, you know, one business unit, their risk register, they got them up and going, got them to a point where they were managing their risks well within the solution, and then they rolled out to the second business unit and so forth and so on. And really by not trying to, what it’s the saying, not trying to eat the whole elephant, right? You take one bite at a time, I think that was a really great example of how, you know, starting small and growing really works for any size company and is probably, you know, at least our recommendation of how you get started on that. Any other thoughts on that one, Paul, or are we good for the next one? Let’s move along. Awesome. Okay. Oh, I love this question. Yeah. So we mentioned, I think, in one of the lessons that, you know, technology can make this whole process easier. And they’re asking, like, in what specific ways does technology make this whole process? I think they’re getting at, like, the maturity of a risk program. How does it make it easier? Sure. Well, at a basic level, technology is gonna connect your data. It’s going to provide connections between a siloed business so that a broad view of risk management is happening across the business. 
We hope you reach a point where your scoring becomes automated and consistent and really helps teams see trends faster. But I would also say that some part of the answer to this question goes back to something I spoke to earlier in the presentation where organizations are trying to figure out how do we really adopt a process. We know we need it. We have some inertia to overcome. So how do we get to that point where we’re happy that we’ve adopted the technology? And I’m going to relate back to some of the steps we said that when you have a process in place with ownership across the organization where you know your outcomes, you’re looking for automation, you’re working to streamline what’s happening in your risk management process, you have the visibility that you want. You have the reporting so that you can manage up so that everyone in the organization who participates knows what’s happening. That’s how the technology is going to make things much easier. And there’s also one other aspect to it, not just easier, is going to make it more accurate. One of the things that I try to emphasize through working with customers is the fact that having a solution in place doesn’t always excuse me. Besides the fact that it can certainly be a mature process, it’s gonna reduce their actual risk in addition to the individual risks that they’re managing. But to the organization as a whole, you now have an accurate, consistent program, which inherently reduces the risk in the organization by itself. So technology is really gonna allow you to shift your whole perspective from reactive, disorganized, to a very proactive position. Yeah. I love that. And, I mean, I think we’re maybe a little biased being a technology company, but I think that’s a great insight there to that question. So oh, this is an age old question. How I love that you guys are just dropping questions right and left today. Thank you so much. 
How do you demonstrate ROI or return on investment from your program? Sure. This is very important. Every organization is looking to adopt software or other things that they believe their organization needs has to get budget, has to justify it. So everyone’s always looking for a return on investment. And so what we think is gonna be really valuable is to track the tangible outcomes that come from a program like this. You have fewer incidents. You have less time spent dealing with those incidents. This can often lead to reduced costs, faster responses, and essentially the line from here to there may sometimes be hard to quantify, but you’re able to draw those lines very clearly. You’re able to demonstrate elsewhere in the organization the benefits of this. As I mentioned earlier, having a solution in place, having a consistent mature process can mitigate and reduce the organization’s risk across the board. One small example would be a lot of folks that we work with have to adhere to regulatory things, or they have a cyber insurance provider who is demanding or imposing expectations on them. When you have a mature program, your time spent dealing with those, perhaps even your cyber insurance itself might be reduced. And so just having that accuracy with a mature solution can remove a lot of uncertainty from the business. Definitely don’t underestimate the strategic value of better decisions as well when you’re managing these risks. For example, when the organization takes the risk of acquiring a new brand, moving into a new market, dealing with new regulatory expectations, you need to plan ahead for the risks involved with that. And often the question is, well, how did that pay off? We would say that measuring the impact of problems that were resolved or even avoided or that you had a plan for transferring that risk is where that ROI comes in. And the credit shared by managing an important decision in this way can really be valuable to everyone. Yeah. 
I love that answer. I think a lot of times we struggle to say, you know, how do we demonstrate ROI? But I think that was really well put, Paul. I’ll leave that one there. I think we’ve got just about enough time for one more question. I really like this one, actually. They say, have you seen more success with buy in from kind of a bottom up approach or from a top down approach? What do you think about that one, Paul? I honestly, I’m gonna have a hard time saying which one is more valuable because organizations are so different. I have had customers whose risk team or risk committee has come to us and said, our c level, our CEO himself, herself wants this done. And that is a great situation because, you know, you have the buy in from the top down. You know you’re gonna have the budget, but it also involves scrutiny from that level that can add some pressure to the evaluation process and to the justification which solution you’re going to do. So it’s valuable to have that top down support, but it can make for a situation where you really have some great interaction between us, for example, as a solution provider and that team because they have specific marching orders. Now going the other way, from the bottom up, this is something I don’t wanna repeat myself too much, but I’ve spoken to a few times in that building consensus in the organization, building buy in is the way we see a lot of this happening. There’s going to be some work that needs to be done. There’s a change that’s gonna happen by implementing a solution. So when you have a plan in place for how you’re going to achieve that buy in, you’re going to, if I may say, follow the road map that we’ve laid out today, we think you’re gonna have a greater chance of being able to justify. 
My experience is that whoever we’re working with, at some point, they’re gonna sit across the desk from someone in finance or someone who has the buying and budget authority, and they’re gonna need a way to say, here’s why this is important. I hope today we’ve given you a good road map for how to do that and how to feel good about the answers that you’re providing and the plan that you’re gonna have long term. Yeah. Thank you, Paul. I agree. I think, you know, the sweet spot is really when you have both sides of that question in play, top down and bottom up. You know, you’ve got the visible support at the top. You’ve got active engagement in your business units. And then as you’ve pointed to our road map here, we hope that that can help as well. And I think, yeah, just doing a quick time check. We are there, so we are gonna call that good on Q and A. And that brings us to the end of our time. Thank you so much for joining us today. We hope these lessons can give you, you know, a head start so you can build a stronger, smarter risk management program without learning the hard way. Great. Thank you so much, Paul and Raina, for joining us today to share five critical lessons that risk leaders often learn the hard way and how they can be applied to strengthen any program. And to our audience, we’d love to have you join us for other upcoming OCEG webinars. Please watch out for emails from OCEG regarding these future events. This concludes our webcast today. Thank you all for joining us.