Why A Strong Governance Foundation is Vital to Successful ERM

When first speaking to an organization about ERM, executives know they have a problem, but they usually don’t know what it is, much less how to fix it. All they know is ERM is a possible solution. But before jumping in, I often find trouble spots that need to be addressed first.

If they are not, the house of cards will ultimately fall.

This is why one of the first things I ask about is what governance and internal policies they currently have in place.

In a presentation at the Fall 2019 ERM Roundtable at NC State, Sam Chari, Global Head of Risk Management at Experian, explains how a “…strong governance framework” is one of the top 5 components of a successful ERM endeavor.

At a high level, corporate governance can be defined as:

…the system of rules, practices, and processes by which a firm is directed and controlled.

In one of my first articles on the blog, I discuss governance in the context of launching an ERM program and how not having a clear framework will make it impossible to translate top risks at the enterprise level into strategy and day-to-day operations.

Before reaching the point to have ERM, organizations must first have the appropriate corporate policies and procedures in place…

To support an ERM framework and realize success in your efforts, there must first be a structure in place to ensure processes are managed appropriately and are efficient and effective…there must be good corporate governance without it being too stifling or bureaucratic.

For example, in a recent conversation with an organization experiencing rapid growth, I was astounded to learn they only had a few policies around human resources in place. There were no policies for how employees are reimbursed for expenses, no vendor management policies, and most striking, no strategic plan or even a budget. If executives wanted to know who they were paying for a particular service, the only way to find out was to ask the accounting department!

This company has a vague idea of the things it wants to do in the years ahead and that ERM can help.

When the company was smaller with only a handful of employees, it could get away with not having formal governance processes in place. However, with its explosive growth in the last couple of years, it is getting much harder to manage things on a case-by-case basis.

All of these things combine into the pain points that they are experiencing.

Now, I am glad that they want to have ERM and see the value of it. So to get them to that point, my first engagement with this company is helping them develop the foundation that we can then build on to have a successful ERM program.

Why ERM will fail if governance issues are not addressed.

If your organization jumps right into ERM without laying this foundation, the effort will ultimately fail for a variety of reasons. Some of these include:

  • If there is no strategic plan, it will be impossible to know how risks are affecting the success of the organization because there will be no objectives to link the risks to.
  • If roles and responsibilities are not clearly defined, there will be no way to hold executives and managers accountable.
  • If there is no clear communication method between different areas and layers within the organization, information will be siloed, and it will be impossible to know how risk and opportunities fit into the bigger picture. This silo effect is a key difference between traditional risk management and ERM.

If you’ve been reading my blog for any length of time, you should hopefully understand the ultimate purpose of ERM isn’t to minimize risk but to ensure the organization is taking the right amount of risks in pursuit of its strategic objectives.

Or, as thought leader Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives, successful ERM is not about avoiding harm or satisfying regulators, but rather:

…about understanding what might happen and acting to increase the extent and likelihood of success.

But if you don’t have objectives and policies and procedures in place to guide the pursuit of these objectives, how can you assess risks to achieving them? How can you do scenario analysis, modeling, or a Monte Carlo simulation?

Although materials you read here or elsewhere discuss these and similar techniques and concepts, the truth is there are much more rudimentary things that must be in place before your organization is ready to embark on this journey.

Have you attempted to have an ERM program without a strong governance framework in place?

It seems this topic doesn’t receive the attention it deserves. The idea for today’s article is based on some of my experience as an ERM consultant – many of the companies I work with, including the one referenced above, have several foundational issues to address before moving into true ERM.

To share your perspective and experience, please leave a comment below or join the conversation on LinkedIn.

And if your organization is unsure about the source of your challenges and would like an outside perspective, contact me today to discuss your situation and discover what foundational pieces may need addressing to ensure a successful ERM endeavor.

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
