How often do you survey your organization for new, emerging risks? My company currently does quarterly surveys and I am contemplating dropping it down to 2x/year. Appreciate the insights!
Twice annually, though in the current geopolitical climate we are currently reviewing the cadence and format for 2026
Great question! Quarterly surveys can definitely give a strong pulse on emerging risks, but I’ve seen many organizations succeed with twice-a-year assessments as long as they complement them with ongoing monitoring and open communication channels. Reducing the frequency could actually improve response quality and reduce survey fatigue, as long as other feedback loops stay active. Curious to hear what others have found effective!
We have an emerging risks committee that is scheduled to meet quarterly but usually ends up twice per year. The committee maintains an emerging risks inventory that is provided to our ERM committee.
We currently do a formal ERM risk assessment annually; however, through business conversations it's an ongoing risk discussion. As risks emerge, we evaluate the impact to the company and adjust our Top/Watch ERM list if necessary.

We currently have a continuous risk reporting mechanism within our security department, complemented by a dedicated security chat that includes the DPO, CIO, and the entire IT leadership team. This allows for real-time escalation and discussion of emerging risks. In addition, we conduct a quarterly review where we assess accepted risks, reported cases, and incidents, and provide updates to the Board of Directors.
Given this continuous monitoring setup, we are considering reducing formal surveys from quarterly to twice a year, as the ongoing dialogue and reporting channels already ensure timely identification and management of new risks.