How to conduct a risk workshop

The steps Humana takes to align business units with its ERM strategies

Humana is a company of 50,000 people, so assessing and addressing all the risks that each segment of the company encounters is no easy feat.

For years, Humana, a multibillion-dollar player in managed health care and health insurance, had a top-down approach to risk. But a few years ago, the company decided it wanted to manage risk from the bottom up as well. It needed more voices to make sure its risk strategies weren’t solely the view of those in the executive suite.

“As we were doing audit engagements and having conversations with the businesses, we realized the businesses had a very valuable perspective that isn’t necessarily transparent up to the top of the organization,” said Jennifer McCallister, a consulting leader in Humana’s internal audit consulting group.

So the internal audit department, which facilitates Humana’s enterprise risk management (ERM) program in concert with the executive-populated Enterprise Risk Management Committee, decided to hold risk workshops with the business units. Leadership across the company is accountable and responsible for the risk management process, and the workshops are just one of the tools available. The workshop is one part of a five-step process designed to tease out risks and give the business unit’s members a better understanding of exactly what risk is, how it can hamper business-unit objectives, and how it relates to the company’s ERM strategies (see the sidebar “Three Top Benefits of Conducting Risk Workshops”).

Humana has been conducting the workshops since 2009, with slight tweaks along the way. Hundreds of workshops have been done by the internal audit department. This article breaks down Humana’s five-step process.


This phase is initiated, in general, by a call from a specific business area. Maybe there’s a new vice president who wants to gauge the sentiment about risk in the department.

McCallister said support and tone at the top are critical to the effectiveness of the workshop and that, in general, the messages about the workshop come from the department heads, not the internal audit department. The reason is simple: Employees are far more likely to listen to instructions from their leader than from someone in another department, likely someone they’ve never met.

This phase requires gaining support from leadership to use the workshop approach and tools to identify and assess risks. “We’re engaging folks that maybe aren’t traditionally approached by internal audit,” McCallister said. “It’s not us saying, ‘We’re coming in and we’re doing this.’ It’s us offering to help provide the business with tools and techniques to identify and assess risks, so it’s essential that we have buy-in from the top.”


The VP is briefed on the company’s approach to ERM and given an overview of the workshop process. The leader also gets a chance to provide perspective on department strategy and objectives and to point out risks. “We ask them, ‘Do you have any key risks that are top of mind? Is there anything that’s giving you heartburn?’ ” McCallister said.

This phase was one of the tweaks to the workshop process about six months in. Previously, the VP took part in the risk discussion (Phase 4) at the same time as the employees. This was not always ideal, as the internal audit team noticed employees tended to be more candid without their leader in the room.

“We wanted to foster an environment where employees could openly share their perspectives on risk, so we decided to get the leader’s perspective first and give the option to participate in the workshop,” McCallister said. “Most times, the leader is good with having the risk discussion first. This phase helps us to understand risk from that leader’s perspective and helps to provide context for the workshop.”


Employees receive from their VP a document that gives an overview of Humana’s ERM strategy and expectations for the workshop itself, as well as definitions of a few key terms, such as “mitigation” and “controls.”

In the same email, they receive a link to an online survey. They have about two weeks to complete the survey, which takes 10–15 minutes. The survey starts with the same four statements for everyone (see the sidebar “Risk Culture Measures”).

Then, the questions become more open-ended. Employees are asked about the department’s top financial, strategic, compliance, and operational risks. The survey can be tailored to ask specific questions about the department.

The internal audit team then analyzes the survey results. They group open-ended comments into categories, a process McCallister calls “affinitizing,” and then try to translate the voice of the survey respondents into risk statements.


The workshop itself takes, on average, half a day, but it can take longer depending on the scope and number of people attending. During this phase, internal audit continues the conversation with the members of the business area, this time with old-fashioned, in-person conversation and not an email or online survey.

First is yet another introduction to Humana’s ERM approach and how it ties in with that business area. Then internal audit goes over the survey results, both for the risk culture statement responses and the open-ended survey questions. If the answers show any pressing concerns, internal audit facilitates conversations to address those during this phase.

Workshop participants then discuss with facilitators the business unit’s primary objectives and goals. Once these are identified, workshop participants are prompted to consider the objectives and goals as they progress through the workshop. Then risk statements that were formulated by internal audit based on the survey results are shared with the group. The statements are discussed in detail and altered as needed based on the advice of the workshop participants. The process relies on the conversations about the best way to phrase a risk statement so that it makes sense and is relevant to the department, not just to the person who mentioned the risk in the survey.

“We will ask, ‘What does this mean to you?’ ” McCallister said. “Sometimes, we hear, ‘I have no idea.’ Or ‘I see where you’re going, but it’s not quite right.’ We make sure everyone’s comfortable with the wording of each risk statement.”

Then the workshop participants are asked if any risks have been left out. “We use a risk framework as a brainstorming tool,” McCallister said. “We ask participants to review the framework as a way to make sure they’ve considered all types of risks.”

Once all the risks have been compiled, they are ranked and prioritized. Humana uses a grid similar to other companies’ heat maps, but it has one key difference. The X-axis is for “impact”—the farther out, the greater the potential impact. But the Y-axis doesn’t measure the likelihood that the risk will occur. Instead, its measure is “how well managed” the risk is—the farther out, the worse the risk is managed.

Employees rate impact on a three-point scale: high, medium, and low. They have three choices about how a risk is being managed: well, somewhat, or not at all.

Those risks are then plotted on a risk map, and specifically designed voting software orders the risks by impact and level of management. Then they are prioritized by employee input. Risk 1 is compared to Risk 2, and employees are asked, “Which one is riskier?” The riskier of the two is then compared to Risk 3 and so on.

It’s possible that the risks in the top right of the risk map (those that have the highest impact and the lowest level of management) are not the top priority. McCallister said this is because the mitigation of a less serious risk can lead to the mitigation of the so-called top risks.

“Think about the concept of low-hanging fruit,” she said. “If the optimization of a less severe risk requires fewer resources and has a positive impact on one or more of the higher-rated risks, the business will often prioritize those efforts over a risk that requires more resources.”


The goal is to have a final report two weeks after the workshop. But that report’s first draft is in the hands of the business unit leader two days after the workshop.

“The report is used by management to circle back and look at their strategy,” McCallister said. “They want to know if there are risks in this report that are not a part of their strategy. It can also be used by internal audit to see if there’s some risk we want to check on.”

Internal audit also compares the results of each workshop with those of others and applies the results to the company’s overall risk framework. The data can begin to show whether the same types of risks keep popping up across the company.

The process has resulted in two specific risks—ones that Humana declined to disclose, but that came up regularly in workshops—being proposed to the ERM committee to be added to the list of top enterprise risks.

Risk Culture Measures

In the survey before any risk workshop, Humana asks its employees to respond to four statements relating to risk culture. No matter the department, all employees are asked to rate the same four statements on a Likert scale (strongly agree, agree, neutral, disagree, strongly disagree), along with the option to answer “I don’t know.”

The four statements are:

  1. I feel comfortable with my ability to identify and assess risks that may materially impact my business segment.
  2. Management has provided a framework (common language and methodology) with which I can evaluate risks and controls in my part of the business.
  3. I periodically identify key risks in my area of responsibility and communicate them to my leader.
  4. The leadership team I am a part of fosters an open and collaborative discussion around risk.

“This helps us to trend risk culture across the organization,” said Jennifer McCallister, a consulting leader in Humana’s internal audit consulting group. “Are there pockets of the company that don’t like to talk about risk or are not encouraged to talk about risk?”

Three Top Benefits of Conducting Risk Workshops

The process got people more conversant about risk. Jennifer McCallister, consulting leader in Humana’s internal audit consulting group, didn’t want to diminish the value of the final report on each business unit’s risk workshop, but she believes the workshop itself is vital. “Most of the value that the participants are identifying is through having the conversations, getting people in a room, and understanding different perspectives, so that they can come to consensus on where a certain risk falls in relation to their business area but also in relation to the enterprise,” McCallister said.

The process led to the creation of risk ambassadors. McCallister said that internal audit’s phone rings more now because workshop participants are sharing their experience with others. The “ambassadors” are also used as a backup if a business unit’s leader is skeptical about the value of the workshop process. “If they have concerns, I encourage them to contact someone who has already done a workshop,” she said. “Once they go through the workshop, they have a better understanding of risk and what its impact is.”

The process can be duplicated for recently acquired entities. Humana has made numerous acquisitions over the years and is likely to continue to look for growth opportunities. The workshop process can help a soon-to-be subsidiary become more easily integrated with Humana. The process can help both sides understand the other’s risk environment and give the subsidiary a chance to leverage some of Humana’s risk-assessment tools.


Humana had top-down risk management practices in place, but it wanted a bottom-up approach as well. The company thought it could spread the word about risk through a series of risk workshops.

The first phase of the process is to gain buy-in from executives. The messages about the reasons for the workshops and instructions on how to start the process are sent by department leaders, not internal audit.

Phases 2 and 3 involve educating both the department heads and the managers who will take part. A survey is used to gauge the department’s risk culture.

Phase 4 is the workshop itself. This involves a series of conversations with the survey participants, leading to the creation of department-specific risk statements, as well as ranking and prioritizing the department’s risks.

The final phase is a report that sums up the department’s top risks. The benefits of the workshop go beyond that one document. The process has made many in the company more conversant about risk management.

Neil Amato is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at 919-402-2187.

