How often do you survey your organization for new, emerging risks? My company currently does quarterly surveys and I am contemplating dropping it down to 2x/year. Appreciate the insights!

2.9k views12 Comments

Sort by:

Director - Enterprise Risk Manager in Insurance (except health)a day ago

We started out aiming for quarterly but that seemed too often. 2 - 3 times per year is sufficient. Our minimum is twice per year.

Vice President, Head of Internal Audit in Finance (non-banking)7 days ago

The inherent risk of a specific business unit versus the entire organization really depends on your perspective. Additionally, it’s helpful to understand the context: who are you sending these surveys to?

My experience suggests this is quite dynamic, especially with current events constantly changing the landscape. These risk assessments should be ongoing, so formal surveys aren’t always necessary to understand an organization’s risk profile at a specific time. However, a formal quarterly update is generally a good idea, given the rapid pace of change in the industry and beyond. It would be difficult to justify doing less.

VP of Engineering7 days ago

We do an annual review of the overall program risks, with monthly review to determine if there is a change in the status. If a risk is identified as emerging or new it can be added. Likewise, if I risk is realized or obsolete, it is addressed with the execution of mitigation plan or removed.

Director of Finance7 days ago

Twice annually, mapping speed of onset and time period for expected realisation.

Director of Other in Hardware7 days ago

We dropped from quarterly to 2x/year beginning in 2026 to better distinguish emerging risks vs. risks from the annual Enterprise Risk Assessment.

Content you might like

How do you think AI will disrupt business across industries? Add to my list: 1. Content creation 2. Photos and video production 3. Basic coding and debugging 4. Strategic analysis to be highly complimented

I'm keen to understand what other companies name their 'infrastructure and operations' department. A recent change has led to a team merge, and the team themselves aren't enthralled by the department name, Infrastructure & Operations. Team responsibilities include: Enterprise technology (Cloud compute, collaboration tools, Operations and Service Desk) Development experience (Cloud hosting, code mgt, deployment pipelines, APis etc)

Are short term bans of the use of GenAI applications and tools (such as ChatGPT) a good idea for end users in most organizations? For context see this article on the State of Maine Government's directive before you vote: https://www.govtech.com/artificial-intelligence/chatgpt-generative-ai-gets-6-month-ban-in-maine-government

Yes - Maine did the right thing. There are too many security risks with free versions of these tools. Not enough copyright or privacy protections of data.30%

No, but.... - You must have good security and privacy policies in place for ChatGPT (and other GenAI apps). My organization has policies and meaningful ways to enforce those policies and procedures for staff.41%

No - Bans simply don't work. Even without policies, this action hurts innovation and sends the wrong message to staff and the world about our organization.22%

I'm not sure. This action by Maine makes me think. Let me get back to you in a few weeks (or months).6%

View Results

In 2022 we see the lowest levels of women in the labor force since the 1980s. Which of the following words best describes how you feel about that?

Angry9%

Frustrated37%

Guilty13%

Happy3%

Indifferent10%

Motivated to change it16%

Nervous2%

Sad4%

Upset2%

Other (please share in comments)2%