Six Missteps on the Way to Sustainable Risk Management

And how to avoid them

Published: Monday, June 22, 2015 - 17:15

The key challenge for risk professionals is no longer how to establish an enterprise risk management (ERM) program, but how to sustain its effectiveness. Often, ERM programs get off to a great start but soon lose their momentum because of certain missteps that occur.

Misstep 1: Assuming that the relevance of ERM is obvious

As risk professionals, we think that everyone understands the importance of ERM, but that isn’t always the case. Many employees ask, “Why should I invest my time in this? What’s in it for me?” Or, “I don’t need a structured ERM program because we already manage our risks well.”

It’s important to keep communicating about the key business benefits of ERM in a language that everyone understands:
Leads to fewer big surprises: Although an ERM program might not completely eliminate risks, it can put in place a structured process that minimizes the impact and likelihood of big surprises.
Strengthens strategic decision making: If stakeholders don’t understand the risks facing them as they make key decisions, they might actually create new risks.
Enables better resource allocation: Organizations can’t manage every risk all at once. ERM programs help highlight the top risk areas where maximum resources need to be invested.
Protects the board: Because the board is responsible for risk management, it needs to be assured that the organization has robust ERM processes.
Draws top-level attention to big issues: ERM can help drive the big issues to the top of the organization so they get the attention they deserve.
Meets stakeholder requirements: ERM isn’t just an option but rather a mandate in highly regulated industries such as financial services.
Helps adapt and respond to change: As risks and business processes change, ERM programs help organizations adapt in a structured and streamlined manner.

When organizations understand the value of their ERM program, it becomes easier to get executive buy-in, acquire sufficient resources, and minimize workforce resistance to change.

Misstep 2: Deficiencies in risk assessments

Although most organizations have a structured risk assessment process, it doesn’t always provide an accurate picture of enterprise risk.

Some best practices include talking to frontline employees—they’re the ones most aware of the risks in the organization. Also conduct surveys, workshops, or face-to-face interviews to glean key risk insights from the workforce.

Develop a formal risk nomenclature, but don’t try to define every single risk. Instead, focus on the major risk areas, and then develop definitions. Ensure that they’re relevant not to just one or two business functions, but to the entire organization.

Create a broad range of risk assessment criteria that are applicable across functions. For example, instead of asking employees to calculate risk impact only in dollars, get them to think about risk in terms of customer satisfaction, employee safety, response, and non-compliance. This way, each employee can evaluate risk in a way that is relevant to their business function.

Also, remember that risks interact with each other in multiple ways. Identify those risks that influence or drive other risks, and address them in a prioritized manner.

Misstep 3: The ERM framework doesn’t reflect the organization’s unique characteristics

Risk professionals often employ a cookie-cutter approach to using a risk management framework such as ISO 31000 or the COSO ERM framework. They implement the framework as it is, without considering the unique aspects of their organizations. As a result, they end up with too many unnecessary or irrelevant framework elements that aren’t responsive to their organizational needs.

That’s why it’s important to first identify the unique attributes of the organization, and then map them to a risk management framework. As an example, in the chart below, one of the unique attributes of the organization is a diverse workforce. To facilitate a cohesive risk approach across this workforce, we mark “Cultural Initiatives” as a strong focus (green). Similarly, to build a harmonized understanding of risk, we emphasize a “Common Risk Language” (yellow).

Figure 1: Organizational characteristics analysis.

Charts like these help organizations tailor their risk management framework to respond to and reflect the company’s unique characteristics.

Misstep 4: Insufficient focus on the existing risk culture

Risk culture is essentially about how people behave and deal with risks when no one is looking. It is most influenced by leadership—the tone at the top, organizational values and beliefs, incentives, power, and trust in supervisors.

With that in mind, the goal should be to create a risk culture where everyone is consciously committed to doing the right thing. First, understand the existing culture through surveys and interviews. Identify gaps such as a lack of trust in leadership, or inadequate training on risk controls. Then, influence a positive risk culture. For instance, ensure that people have the freedom to safely speak up about their risks and concerns. Also, adapt established culture-focused frameworks such as ISO 31000 or the COSO ERM framework, but make sure that they fit into the organization’s unique risk culture.

Misstep 5: Inadequate or complex risk reporting to the board

Because the board has limited time to look through risk reports, risk professionals are often unsure about what to report, how often, and in how much detail. If they include too much information, particularly during the early days of their ERM program, the board is likely either to gloss over the data, or get stuck in the details.

The key is to ensure that risk reporting is relevant, crisp, and uncluttered. Customize risk reports to meet the needs of the board. Focus on the top risks, and provide just a snippet of information regarding the current status of each risk. Also, instead of going into the details of risk mitigation, simply identify the risk owner. If the board knows the owner and is convinced of the owner’s effectiveness, it will usually buy into the risk mitigation process.

Misstep 6: Failure to embed risk management into existing processes

Developing new processes just for ERM can create resentment among employees who are already stretched to capacity. A better approach would be to incorporate ERM into existing business processes. For example, if a risk budget must be drawn up, simply include it in existing budget planning processes. Similarly, if the risk culture needs to be enhanced, then include risk-adjusted performance incentives into existing compensation plans. In such cases, you could use metrics that drive behavior that is consistent with the desired risk culture. An example of a metric could be “keeps team informed on current risks, and encourages risk identification and communication among direct reports.”

How technology can help sustain an ERM program

Technology can serve as a strong foundation for enterprisewide risk and control management activities. Here’s how it can help:
Improves consistency in risk information: A centralized ERM application helps implement a common risk and control library where all organizational risks can be neatly classified and categorized for complete transparency. It also helps create a single, consistent risk taxonomy to simplify risk correlation, analysis, and communication.
Enhances risk management efficiency, minimizes duplication of effort: Many organizations use ERM applications to streamline and automate their risk management processes. This approach minimizes redundancies, and saves resources and effort. No longer do multiple business units have to waste time evaluating the same risks and controls. Instead, a single function performs the evaluation and shares the results with everyone.
Strengthens risk visibility: Using an integrated risk management application helps in mapping risks (e.g., IT risks, operational risks) to each other, and to standards and regulations, controls, business units, processes, product lines, and performance goals. This tightly knit data model provides a complete, cohesive view into the risk universe, and helps stakeholders easily identify areas of concern and opportunity.
Enables informed decision making: ERM applications equipped with risk analytics can automatically harness risk intelligence from across business functions, and embed these data into decision making. This way, stakeholders get all the insights they need at their fingertips to understand the organization’s risk profile, determine high-risk areas, and develop action plans. Powerful dashboards, charts, and risk “heat” maps can provide real-time risk information, helping users identify trends, perform what-if scenario analyses, and monitor key risk indicators.
Facilitates a risk-aware culture: ERM applications often support a federated approach to risk management—i.e., one in which risk priorities and policies are communicated top-down. Meanwhile, each business unit has the flexibility to manage its own risk and controls, while simultaneously, all risk data are automatically rolled up to the top of the organization for analysis. Some ERM applications also facilitate cross-functional collaboration and information-sharing, thereby enhancing the value of risk data.

The key aspects of a sustainable ERM program

Focus on leadership: The leadership team establishes well-defined risk management roles and responsibilities, a common risk language, and risk tolerance levels that are closely aligned with business strategies.
Integration: Instead of working in risk silos, business functions collaborate and share risk information with each other.
Emphasis on culture: A risk-aware culture exists right from the CEO and board level down to the bottom of the enterprise.
Change management: As risks, business strategies, and markets change and evolve, so does the risk management program.
Continuing market shifts, as well as changes in business models and regulations, have made it essential for organizations to have a strong, agile, and sustainable ERM program. Proactive companies that have effectively adopted such a program are well positioned to capitalize on change, and effectively balance business risks and opportunities.
About The Authors

Marc Dominus

Marc Dominus is the Enterprise Risk Management (ERM) Solution Leader for Crowe. His responsibilities in this role include coordinating the design and delivery of Crowe’s ERM services and products as well as directing Crowe’s innovation initiatives in this area. His experience includes over 20 years of providing risk management consulting services. His areas of expertise include ERM framework specification and implementation, enterprise risk assessment (ERA), professional training, executive strategic workshop facilitation, risk culture enablement, and change management guidance.

Douglas Montgomery

Douglas Montgomery is a seasoned professional with over 20 years of proven success in the areas of program portfolio management, operational excellence, and governance, risk, and compliance, with extensive international experience in M&A, high-growth, high-risk, and other transformational environments. He was nominated for, and a finalist for, a Malcolm Baldrige award for the development of mass customization techniques for manufacturing and distribution environments. At MetricStream, he was responsible for leading and driving GRC solution implementations at customer sites, liaising with product management to identify enhancements in product functionality and usability, and developing enhanced GRC solution delivery capabilities.