STRIVE July 2017 | Page 28
The Trouble with ERM
By Erin Sedor
Enterprise Risk Management.
It is a not-so-sexy phrase too often bandied about the upper echelons of management with little appreciation for the true meaning of the term, and quite frankly, little desire to pursue any comprehension beyond the ability to say “Yes! We do ERM!”
While I’ve enjoyed many a Dilbert© cartoon on the subject, the fact of the matter is that ERM is as much about strategy as it is risk management, and can be a game-changer easily within the grasp of even the most modest operations.
The secret is understanding that ERM is a discipline, not
a function, that requires integration across strategy, risk and
resilience programs traditionally built and operated in silos.
Unfortunately, while most best-practice models, standards
and frameworks point to this interoperability, none of them
spell out how to make it happen.
And that, my friend, is the trouble with ERM.
When I first entered the world of risk management, I was incredibly frustrated at the lack of clarity in the voluminous materials that existed on the subject. Being a typical corporate manager pressed with too much work and not enough resources, I was looking for step-by-step manuals. I was naïve, and I came to learn that along with the science, there is an art to designing, implementing and sustaining broad organizational programs such as risk management, strategic planning and business continuity.
...Stable organizations are proactive and nimble. They seize upon growth or quality opportunities because they have the time to look for them, they have the resources to pursue them, and they know how to execute their plans successfully.
Integrating said programs is yet another basket of worms, primarily because different departments are comfortable in their own silos. However, if you look at the entity as a whole and consider the type and timeliness of information its leaders need to create success, you will see clearly the foundation for building integrated programs that cross functional silos and allow a vertical flow of information. If you aggregate this data in a meaningful way and add C-Suite expertise and experience, you will have an environment for strategy development, balanced risk-taking, and leveraged opportunities.
This scenario, which would give the organization an incredible advantage over their competitors, cannot be accomplished with a traditional risk management program. It requires an ERM discipline.
Organizations seeking to establish and mature into a true ERM capability can find the process daunting. There is a myriad of frameworks, theories and best practice standards based on industry, business model and public/private/non-profit sector. The risk management process itself is straightforward: identify, evaluate, assess and treat risk. What is not so clear is how to successfully operationalize such a program in a way that creates synergy across the organization.
I know what you’re thinking:
“We need to be selling, building, designing for and serving customers! That’s where the value is! That’s what keeps us in business!”
You are right, until your controller unwittingly sends a half-million dollars to a cyber thief posing as your CFO with valid email credentials and various other identification sources because the pesky security upgrade project was just not a