The Value of ERM

Over the past few weeks I’ve read a lot of discussions on ERM and the value of heat maps, approaches for tackling cyber-risk, the importance of understanding third-party exposures, the use of risk in decision-making, amongst others. Yet, the one discussion that seems to be missing is how ERM is actually going to help an organization perform better. Organizations embark on the ERM journey with some expectation of the value that ERM can deliver. Over time those views may change, and hopefully the approaches they use evolve with those changes. Yet, too often, the journey gets overly focused on improving ERM processes and specific risk mitigations without putting those considerations in the context of the overall benefits of ERM.

My views on the benefits of ERM are clearly spelled out in the COSO ERM Framework¹. I have set out ten questions below that can help bring some understanding of the benefits your ERM program is delivering today.

Does your organization…

  • Link risk management to business performance (e.g., not just objectives but actual or expected performance)?
  • Use risk management at a time when decisions are being made?
  • Consider all reasonable possibilities—both positive and negative aspects of risk?
  • Consider how risk can originate in one part of the organization but affect a different part of the organization?
  • Link specific controls to risk to provide confidence that all risks are being managed?
  • Consider variability in performance expectations?
  • Use risk information to decide on how best to allocate resources, whether those resources are people, budget, time, etc.?
  • Use risk registers/risk listings as a way to ensure that all risks have been allocated to specific individuals and are being managed?
  • Apply risk management with a focus on being more resilient to pending disruption?
  • Use risk management to drive innovation?

For most, two or three of these questions will resonate more than others. Understanding these questions will help you answer two important questions:

  1. What benefits is ERM delivering to my organization today?
  2. What benefits does ERM need to deliver in the future to help us succeed?

1 See https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf for details.