How ERM is Like Apple Pie

I’m going to do something a little different today…

Instead of going in-depth on one specific topic, the following article takes a more all-encompassing or birds-eye view of ERM.

Knowing companies tend to have a lot of ERM-related activities starting now, it seems like a good time to step back and think about how exactly ERM must, should, and could serve our specific organizations.

The end of summer is approaching, which brings homemade apple pie to mind. So, what better way to ask this question than to use an iconic dessert – apple pie – as an illustration? But never will I say that “ERM is as easy as apple pie!”

What must an apple pie have?

What should an apple pie have?

What could an apple pie have to make it even better?

See, I told you today’s article was going to be a little different. 😉

Like an apple pie, there are the must-haves, should-haves, and could-haves for ERM. I am going to talk about what those things are, plus give you a list of my resources that explore each of them more in-depth.

Every pie, be it apple or something else, must have a crust and a filling.

Whether it’s homemade, store-bought, or from a restaurant, every apple pie must have a crust, because without one, all you will have is a bowl full of cooked apples.

Translating this into ERM – what are those things that must be done?

Must #1: Satisfy regulators. Certain companies, especially financial services and publicly-traded firms, are required to have ERM, document top risks, report these top risks and what’s being done about them, and possibly even conduct capital or scenario modeling.

The articles below dive into some more detail on different regulatory requirements and how they can be met without turning ERM into a strict documentation or bureaucratic exercise.

Must #2: Satisfy credit rating agencies. As we discuss in the articles linked below, major rating agencies like S&P and A.M. Best are examining how robust a company’s risk management capabilities are before issuing a rating. This rating can impact how much it costs a company to borrow money, if it can borrow any at all. The articles below provide a great summary, but it is likely that rating agencies are paying even closer attention to this than when they were first published.

Must #3: Improve Board risk oversight. Boards are expected, from both a regulatory and general legal or liability perspective, to know, understand, and have an oversight role in risk management, and this expectation only continues to increase over time. In years past, a Board could claim they had no idea the company was engaging in unethical, negligent, or illegal conduct, but no more. In some cases, a Board member can be held personally liable! Check out the following to learn more.

With the must-haves out of the way, we’re now ready to move on to the should-haves of ERM.

When it comes to apple pie, you should have a good filling made with fresh apples.

If you use canned filling and a pre-made crust, your pie certainly won’t be the best, which is why you should use fresh, tree-ripened apples with a made-from-scratch crust according to this guide. It’s even important which apple you choose, as this can have a huge impact on the taste of your pie.

Translating this to ERM – there are dozens of things you should do to make your program a valuable partner in managing the company for success. Some of these “should-haves” include but are not limited to:

Should #1: Identifying risks to strategy and having direct involvement in the strategic planning process.

Should #2: Talking to the business using their language and not operating in a silo.

Should #3: Providing information and results in a timely manner.

Should #4: Using system(s) designed for tracking risk information rather than trying to patch something together using Excel or manual processes.

Should #5: Having a “seat at the table” to provide actionable information to the Board, Board committee(s) and executive leaders before a decision is made.

Should #6: Taking more risks in an informed way rather than focusing solely on risk reduction and mitigation.

There are a lot of things you should do when it comes to ERM, but there are SO many things you could do to make it even better.

As for what we could do with our apple pie, this can consist of toppings like ice cream, Reddi-wip, Cool Whip, or caramel sauce, or other add-ons like a cherry on top.

These aren’t a must or even a should for having a delicious slice of pie, but including them can transform a good slice of pie into an irresistible treat.

One interesting thing to point out when it comes to the “coulds” of ERM: in the previous section, there isn’t any mention of cornerstone concepts or formal processes, such as risk identification, assessment, and analysis or prioritization, that are based on common risk management standards like ISO 31000 and COSO.

That’s because these are just some of several different ways you could do ERM.

Other informal approaches focusing on robust conversations and facilitating planning sessions, among other things, can provide the needed insights for helping company leaders make informed decisions.

Using data and models to assess risks and opportunities, or quantitative assessment, can provide extremely valuable insights when used properly. Monte Carlo simulation can help leaders understand the probability of reaching a certain goal and therefore have additional assurances that a decision is the right one.

Developing key risk indicators to help the company get ahead of risk(s) before they materialize is another “could” that makes ERM an even more valuable partner in the organization.

ERM could also be integrated into other areas like project and third-party risk management to better ensure goals are met and suppliers are the best fit for the company’s needs.

Below are some of my previous articles that explore these topics in-depth:

As you can hopefully see in comparison to our apple pie, these must-haves, should-haves, and could-haves all build on each other. Your organization can have an ERM program that is simply there to comply with regulations but does nothing else OR a robust ERM program as a vital partner in managing the company for success.

I’m still not saying it’s as easy as apple pie, but just like apple pie, when ERM is done well, it’s very good!

If you’re trying to help executives, the Board, and business units realize more value from ERM, try considering the should-haves and could-haves you can build in to better support your company in the long run.

What other items would you add to our list of must, should, and could? How have you harnessed these to better serve your company?

To share your thoughts and any specific insights, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.

Also, if your ERM program is struggling to move beyond the bare minimum “must-haves” to be a valuable partner in helping the company achieve its goals and build a competitive advantage, please feel free to reach out to me directly to discuss the current state of your program and options for helping you get it to a better place.


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
