The “Next Frontier” of Enterprise Risk Management – From Compliance to Strategy

Is this really the next frontier of the enterprise risk management process’ role within the organization?

Or is the future now?

When it comes to seeing what the future holds, you need to know the history. The same applies to enterprise risk management (ERM), which has an interesting history. In fact, this history is nicely written in a Workiva white paper titled “Next Frontier: Performance-Based Continuous ERM” (available for free download).

Evolution of the Enterprise Risk Management Process: A Short Summary

ERM started in the early 1990s with an initial focus on financial risks. Many financial institutions continue to concentrate on financial risks, since these cover well-known areas such as market risk and credit risk. After several dramatic accounting fraud cases in the early 2000s, operational risks started being considered, with a focus on accounting processes, process controls, and proper disclosures.

The accumulation of events over a 20-year span prompted regulatory action in the form of the Sarbanes-Oxley Act of 2002 (for publicly registered companies) and Basel II (for the banking industry).

Then late 2007 witnessed the global financial crisis, and the “world of risk management fundamentally changed.” Regulations became more demanding of companies, forcing them to increase capital and liquidity, curb their risk-taking activities, and tighten internal controls. Banks face new regulations set by the Federal Reserve and the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among other things, elevated risk oversight and risk governance to the board level.

Not to be left behind, the insurance industry saw many states adopt the Own Risk and Solvency Assessment model act, which requires scenario analysis to determine ongoing financial solvency requirements based on individual company risk profiles.

Unfortunately, by this point many had come to consider risk management either a compliance activity or a way to justify avoiding risk during tough economic times.

Views of ERM: The Present and Future

The white paper states that the “next frontier” of ERM is to help create shareholder value. Next frontier? It is here that my views of ERM differ from those of the Workiva white paper’s authors. Personally, I have always thought of ERM this way – adding and protecting value, not helping companies simply “check the box” on risk management.

As an enterprise risk management professional, I want to help companies proactively and constantly identify what could potentially face them, prepare for the future, and assist decision-making by providing leadership with actionable information.

Now, I will say that I agree with all seven key attributes ERM needs in order to be continuous and data-based. Those attributes are:

(Image: the seven key attributes of the enterprise risk management process)

When it comes to strategic risk management (Attribute #2), it is important to note that “strategy and ERM should be integrated to support the development, execution, and performance monitoring of corporate and business-unit strategies.”

Yes, you read that correctly; the enterprise risk management process in general, and strategic risk management in particular, should occur at both the corporate and business-unit level.

Many fail to recognize this critical fact – events in a particular business unit can impact the whole organization.

Samsung’s recent issues with the Galaxy Note7 literally exploding are a great example. Samsung, as an enterprise, makes TVs, computers, mobile devices, appliances, and more. But after the issues with the exploding Note7, most people think about the negative reaction to the company instead of praising it for its computers or TVs.

Oh, risk appetite…what a misunderstood and misapplied term. Many companies have no idea what to do with it or how to use it for decision-making. Step #2 in my article on designing the governance structure of an ERM program goes into detail about risk appetite and risk tolerance. In it, I also describe two of my key mantras and themes that you will see me mention regularly: adaptable and actionable.

For ERM to be effective and add value, companies should have ERM at the table for business decisions. ERM is not about saying “no” to ideas; ERM professionals should focus on finding ways to increase the chances of a positive outcome and on being prepared for any decisions that need to be made as a result. Check out my blog post “Wait a Second – You Mean We Can Have Positive Risks Too?” for more information on this topic.

To further the integration across the three assurance methods, risk assessment results and related analytics information for the biggest risks should be provided to internal audit to support their risk-based auditing program.

Did you read that the enterprise risk management process should be continuous? Yes, you are correct. It should be ongoing throughout the year, providing up-to-date information to the people who use it. No semi-annual risk review sessions. Leadership, business units, and ERM should be walking hand in hand throughout the year, identifying risks, keeping assessments current, and monitoring the performance of strategy execution.

(Image: the continuous ERM process)

All this continuous activity means no monthly reports. No quarterly reports. No (gasp!) annual reports.

Instead, provide an interactive dashboard that is updated as soon as the information is available and vetted. Now, I am not going to push for any specific ERM software vendor; goodness knows there are several good ones out there. But most, if not all, have interactive dashboards offering different ways to present risk information. After all, it is not about reporting, it is about communicating.

Speaking of communicating, all enterprise risk management programs should be soliciting honest feedback on performance and process, so that the program (and its team members) can continuously improve and evolve.

This is a lot of information to take in, especially if your ERM program is still in the compliance mode.

Do you need some help in taking your enterprise risk management process and program to the “next frontier” – from a “check off the list” compliance action to an integral part of protecting and enhancing value for your organization? I can help!

Click here to learn more about my background, continue browsing to learn more, or contact me today.
