Executive Summary
Cyber risks appear on just about every top risk list that’s published. But should every carrier be investing scarce funds in cyber risk management? Maybe not. Or at least, they should not always be given higher priority than other risks.
Here, Carol Williams, a risk management and strategy consultant for P/C insurers, reminds executives and boards that the top risks for their companies are the ones that might keep them from realizing their objectives.
There is no denying the popularity of top 10 lists.
Whatever the subject (sports, music, literature, business, you name it), there is likely a top 10 list for it.
Want to know the top 10 scariest animals in the world? There’s a list for that.
Or how about top 10 events from fill-in-the-blank year? You can bet there is a list for that.
There is even a website that claims it posts “three fact-filled top 10 lists” every single day.
It’s easy to understand why top 10 lists are so popular. They are easy to skim through and digest, they can spark robust debate, and they can be downright interesting.
Therefore, it should not come as a surprise that there are a plethora of top 10 lists specific to risk to choose from. Some of these lists are more general in nature, like the World Economic Forum’s annual Global Risks Report or surveys from Protiviti, while others like Aon’s Top Risks Facing Insurance Organizations focus on a specific industry.
While these reports can be great benchmarking tools and share the same attributes as other top 10 lists, many organizations unfortunately assume that because other people are saying cybersecurity, natural disasters, climate change or regulatory changes are top risks, those risks must belong on the top risk list of your company.
This fatal error is one reason why close to two-thirds of respondents to the 2024 State of Risk Oversight Report from NC State believe their enterprise risk management processes either completely fail to provide, or only minimally provide, a competitive advantage.
As a risk and strategy consultant for insurance carriers, a common complaint I hear from executives is that this type of list-based risk management simply repeats back what they already know.
Advisor, coach and author Tim Leech echoes this sentiment when he explains:
“…the evidence is clear—risk list ERM was/is a seriously dangerous wrong turn that won’t support what RM should do—help companies on the way forward.”
There are a few reasons why following top risk lists is rife with problems, the simplest being that every company is different.
Top risks, and what to do about them, can vary from one company to the next based on factors like:
- Company size (small, medium, large)
- Territory (single state, multi-state, regional, super-regional, national, international)
- Corporate structure (mutual, publicly traded stock, reciprocal)
- Type of business written (personal lines, commercial, small business)
- Work arrangements (fully remote, hybrid, fully in the office)
- How much work is outsourced vs. handled internally
In addition to these “surface-level” differences, it is difficult, really impossible, to prescribe action plans across the board. One company may have absolutely nothing in place and therefore need extensive action plans. Another company may already be doing things to address the risks found in the list, so those risks are not really that big of a deal for it.
Yet another company may have a higher tolerance or willingness to take risks in certain areas. A company in this bucket will feel like it doesn’t need to do anything, or something very minimal.
But as important as all of these are, there is another reason why following top risk lists can be difficult, if not dangerous, and that is the fact that none of the risks are tied to the company’s strategic objectives or most important value drivers.
Take one risk we see included on just about every top risk list: cybersecurity. I think we would all agree on its importance and both the dangers and cost of a data breach. However, as author and former risk, audit and governance practitioner Norman Marks asked of cyber risk in his book Making Business Sense of Technology Risk,
“[I]s the risk so great for every organization that it should be given a higher priority than other risks by the Board and executive management?
Should they be investing scarce funds in cyber risk management, or in new and disruptive technology, product development, sales capability, manufacturing capability, and so on?”
(emphasis added)
This quote, along with Leech’s insights mentioned earlier, gets to the heart of the shortcomings of top risk lists: They are very risk-centric, and while they may be helpful for preventing failure, that is not the path to success in today’s volatile, uncertain, complex, ambiguous (VUCA) world.
It also shows why blindly following and basing decisions on a top 10 list will likely be, in the words of English philosopher, statesman and essayist Francis Bacon, a “remedy worse than the disease.”
Does this mean property/casualty insurance carriers should not concern themselves at all with the idea of top risks?
Not in the least!
It is not as if there are no top risks for a company. It is just that generic reports bear little to no relevance to the company’s true situation. Also, trying to identify every source of risk for the company is just too cumbersome of a task to contemplate.
Instead, the following questions can help your company discover just exactly what its top risks are and where efforts will be the most impactful. The first question to ask is:
- What risks could keep us from achieving X objective?
As your company develops its goals, you should hopefully know the risks to achieving them. A significant goal coupled with a risk with a high impact and likelihood could really put the goal in jeopardy.
These objectives can include both strategic (i.e., growth and maturity) and business (i.e., day-to-day operations).
Skipping the establishment of this connection will be tantamount to the blind leading the blind, resulting in missed goals, constant chaos and other upheaval.
- Which of these risks are above the company’s tolerance?
Once a connection to strategic or operational objectives has been established and risks have been identified, the next step is to find out which risks are above the company’s tolerance. If the risk is within the limits that have been set, and the amount of risk the company is willing to take in pursuit of objectives, then it cannot really be considered a top risk.
A true “top risk” will be one that exceeds what has been deemed acceptable by management.
- What are the cumulative effects of risks linked to a particular objective?
Just because a risk is within a company’s tolerance does not mean it is automatically stricken.
It is possible for a risk to be minor all on its own, but what about when it is coupled with one that is more major? Could a seemingly minor risk trigger a major one downstream?
If so, then the company will want to better understand the likelihood of occurrence for the risks to that specific objective. If the likelihood is on the higher end, the objective should be considered “at risk” so as to not create bigger problems down the road.
- What are the biggest risks across all the objectives? In other words, which objectives are the most at risk?
Hopefully by now the list of top risks has been narrowed down. But leadership should now focus on understanding the objectives that are most at risk. To do so, flip the question to ask, “How confident are we that we can achieve this objective?” If the confidence level is low based on information that has been captured, then those objectives should be prioritized to be addressed.
- Which of these risks can we control vs. which ones do we need to just monitor?
Even after prioritizing the objectives to be addressed, there may still be many risks to contend with. It is at this point where the ability to control a risk must be factored into the equation.
If it is not within the company’s control, and all that can be done is to monitor and address issues as they come up, should it be considered a top risk?
What if the risk is beyond the company’s tolerance but within the company’s control and there are ideas on risk mitigation? It is time to execute on those risk action plans.
Of course, once mitigations have reduced a risk to below the company’s tolerance, that risk will most certainly be moved into the monitor bucket to make sure it stays within established thresholds and limits.
With this complete, the company now has its very own top risk list—one that it can work off to deliver real results.
But wait, before unleashing staff or third parties to go forth and conquer, the company has to make sure it has the budget to address these top risks, which is a trip wire many run into. Even if everything else in determining the company’s top risk(s) is done properly, it will not matter if no funds are available for addressing those risks.
Again, top risk lists can be interesting to read and a great way to compare what your company is doing in relation to others. But simply relying on them blindly will do more harm than good.
Connecting risks to the company’s objectives or top value drivers will put risk management on a path toward helping leadership make informed decisions on charting the company’s future.
Are you ready to discover what your company’s true top risks are?