ERM New Year’s Resolutions



OK, honestly I hate resolutions, I really do. Gyms love them, I hate them. The last resolution I made was not to make any more resolutions. Ironically, I’m going to break that resolution.

The fact is that enterprise risk management is finally being adopted at a fantastic rate. Businesses are realizing that a holistic approach to identifying, assessing and managing key risks in order to maximize return on equity is an incredibly good management technique. But while managing risk is certainly not new, managing it in a complete and comprehensive way is still very much an evolving process.

So, as the intrepid risk manager, you established a risk framework, you documented your risk taxonomy, you developed good risk and control self-assessments (RCSAs), you built a basic executive dashboard with your “Top 10,” you identified a handful of key risk indicators (KRIs) and you more or less have gotten institutional buy-in. Excellent. But you also know that there is so much more to do and so many more program elements that need to be added or improved.

Therefore, I submit for your review a list of 2012 ERM Resolutions for your consideration. Face it, you’re not going to do all of these this year, but maybe you can do half or two-thirds? That’s OK. Every little improvement you make strengthens your organization’s ability to manage risk more effectively, and that’s a very good thing.

  1. RESOLVE to get better at documenting assumptions – You have your department list, your function list, your threat list, your process list and your internal controls list. Fantastic. Now go back to those processes and work with the business area to go even farther in documenting their base assumptions. Why do they feel that the threat is real? What was their rationale for assessing the potential impact? Why exactly do they believe they have mitigated 90% of the risk? What is their understanding of their residual risk? Are they being realistic? Are they being honest? Assumptions are built on a foundation of both truth and lies (intentional or otherwise). Your job is to help them discover truth.
  2. RESOLVE to build more end-to-end process maps – Yes, they are a ton of work. Yes, they are frustrating to build and don’t always seem particularly useful at first. But neither were world maps until somebody decided to start making them and now we can’t live without them. End-to-end process maps are great for training, for documenting assumptions, for identifying boundary risks and for connecting the dots between functional areas. Get the business areas started and just accept that it will take you a year (or more) to get them done.
  3. RESOLVE to break down more silos – Risk management is all about breaking down barriers in communication. If you have operational silos, use the end-to-end process maps and related assumption documentation to educate people about the other parts of the process and how their work affects them. If the silo is in the risk disciplines, help educate people about other types of risk and the related boundary issues. Either way, building this kind of awareness is very healthy for the program and for the company.
