An Enterprise Risk Management Program Is NOT One-Size-Fits-All

Designing an ERM program involves a lot of experimentation based on your company’s leadership, culture and operations

The board and/or executives have decided to establish an enterprise risk management (ERM) program. You have been given the responsibility of designing an ERM program for your organization and have established that they are in it for the long haul. But where do you start?

There are so many resources (books, articles, webinars) out there, but you are having problems making heads or tails of it.  Much of it sounds like theory or textbook, but how do you know what will work for your organization?

As you read through the multitude of resources, including this article on governance documents, you question and second-guess yourself about so many areas, including:

  • how to engage with people,
  • the ways to identify risk,
  • how to assess the risks,
  • the best way to report risks to executives, and
  • how frequently to talk to people across your company.

“The theory and ideas floating around sound great on paper, but will they work for me?”

You don’t want your ERM program to be one of those stories:  the program that dies a painful death or is just a check-the-box task.

You know the company – the personalities of the executives, the hectic (or not so hectic) schedules, how people prefer to communicate, and the operations of the company.  Wanting to get it right the first time likely means you are over-preparing.  Just like studying for an exam, there is such a thing as over-preparation or over-planning.

Designing an ERM program is like an experiment – you have to be mentally and emotionally ready to try things that may not work and make adjustments to get the best fit for your company.


As you are working to design the program, take a look around the organization to see what other activities related to risk management are already being done. Avoid duplicative efforts. Identify what is working (and not working) in those processes, and use that information to your advantage!

Ensure you are designing an ERM program that fits your organization

Use your knowledge of the organization to your advantage. Use your network of people across the organization to understand some of the undercurrents. Get people with influence across the company to buy in and heartily support the idea of ERM.

Set the expectations from the very beginning, even before you start actually doing risk management.  Make sure to include these points in your messaging and conversations:

  • ERM is a long-term commitment, so don’t expect quick results.
  • Some activities will be experimental, and feedback is requested and appreciated.
  • ERM takes time if it is going to be done right…BUT it can provide so much value!
  • It is not a red-tape activity, not meant to create a bureaucracy, and not to be duplicative.

You and the program will succeed.  Just put on your lab coat, make sure you are ready to adapt on the fly, and get to it.

And remember, if you experience a hiccup or two along the way, a program can have a “reset” time, as discussed in this post, and emerge victorious!

What areas worried you when designing an ERM program and how did you overcome them?

I would love to hear from you.  Please share your thoughts in the comment field below, or join the conversation on LinkedIn.

Do you want someone to guide you through the process?  Are you struggling to get your risk management initiative off the ground or back on track? Contact me to discuss your program today, or continue browsing for more information.

Meme image courtesy of “Toeytoey” via


3 Comments

  • Hi Carol, I couldn’t agree more with what you’ve written. I was caught off-guard one day when the CEO told me that I would be in charge of starting an ERM program and by the way, I was also going to lead the Internal Audit effort. Talk about starting from scratch. That was seven years ago and now I can actually articulate what the basic tenets are of ERM. Getting buy-in from Senior Management is extremely valuable and getting the Board updated periodically is essential. ERM software isn’t the answer but can be useful in working through the initial effort required to initiate the program. I’ve been involved in starting ERM in two rather large credit unions in California and made my share of starts and stops along the way.

    • Hi, Mike. Thanks for your comment. (My apologies for the delay in responding here, although I know we were communicating offline!)

      I am glad that your experiences can validate what I wrote. Sounds like you were definitely given a major activity (or two…), but you had the opportunity to tailor both of the programs to the credit union and its needs and culture. Every organization is different, and their ERM program should reflect that different-ness.

      Thanks again, Mike.

  • […] However, an ERM framework is not one-size-fits-all. […]

