Making Sense of ERM Standards in a Volatile and Dynamic Environment

When we are new to something, our natural tendency is to seek out well-established, reputable sources for guidance.

As a yummy example, once upon a time, I decided I wanted to make my own homemade chocolate chip cookies. My first step was to refer to the recipe on the back of the bag of Nestle-brand chocolate chips. While this recipe was helpful in making delicious cookies, it was just a start.

When I began my ERM journey, my first step was to check out established standards like ISO 31000, COSO, and others. After much deliberation, we ended up settling on the AS/NZS 4360 ERM Standard because it seemed like a good fit for the quasi-governmental, nonprofit organization I was working for at the time.

But like so many others…

We soon learned that ERM standards, especially at the time, did not help us identify and assess enterprise risks to better inform OUR ORGANIZATION’s decisions.

Like my chocolate chip cookie recipe, I soon learned that ERM standards were just a start. When it comes to my cookies, the recipe as written was sufficient, but I felt the cookies could be better. In order to make them even more ooey-gooey, I would add mini chocolate chips, melt the butter in the microwave, and use premium ingredients like organically grown sugar and flour.

This story shares a few similarities to my experience as a budding ERM practitioner at Florida’s property insurance carrier of last resort.

Now I want to make clear that we were using older ERM standards that have since been revised. As explained in this previous article on ISO 31000, the original standards were very process-oriented and not focused so much on decision-making. They were, and many would argue still are, too cumbersome, labor-intensive and documentation-heavy to be incorporated into decision-making.

The standards provide very explicit instructions as to what you should do, but they do not provide guidance on how to adjust those instructions for your company or situation. ERM standards (even the latest versions) attempt to make a one-size-fits-all approach work for everyone.

As Alexei Sidorenko explains in this webinar comparing the latest versions of ISO 31000 vs COSO, ERM standards outline a very traditional risk process, when in reality, there is a “different sequence of events” when making decisions.

As I eventually learned at my former employer and have carried forward with me into my ERM consulting career, developing a company’s risk process takes experimentation, much like manufacturing a new product.

Also, simply copying and pasting the terminology these standards use would lead to a lot of confusion.

In order to use ERM standards effectively, you have to begin with the end in mind.

It’s a natural impulse to go in guns blazing; believe me, I know. You’re so excited about the possibilities of ERM that you simply pull a standard off the shelf and get to building a framework and process for your organization.

However, if you do not take the time to consider the end game, your efforts will likely go down in flames, which is why it’s so important that you and your company’s leaders be crystal clear on the outcomes you are hoping to achieve.

And this is not just outcomes for the company’s goals and objectives, but for the ERM process itself.

Once you are clear on this, you can then examine different ERM standards. There are elements within each ERM standard that may be helpful in understanding specific areas you should be looking at. As Julian Talbot explains:

Having a consistent (and internationally recognized) framework means that when it comes to prioritizing resources, the executive team should be able to compare any two or more risks to see where the resources are best applied.

To add to Julian’s remarks, ERM standards can provide insight into which topics to cover, but these may occur in a different order than they do in the standard.

Unlike other consultants, I don’t choose a standard and make my client fit the standard. In many cases, when we need a standard, we use elements from each if it makes sense for the organization I’m working with. The lesson here – don’t assume you can’t mix and match. If it makes sense and works for your organization, then go for it!

Also, ERM standards can help you sketch out a rough framework for your organization, similar to an architect sketching out a rough draft for a project. Nothing is permanent or set in stone, it’s just a start. It helps to at least get something down on paper and then go from there.

Contrary to what many will say, ERM standards are not the end-all, be-all of understanding threats and opportunities to achieving strategic objectives. However, they can be useful if they are approached with caution and with the understanding that not all elements of a particular standard will apply to your specific situation.

Has your organization experienced roadblocks when using ERM standards? Did you have to re-start from scratch?

Many practitioners I speak with or read about struggle with how to make ERM standards work for their organization’s needs. To share your thoughts, please feel free to leave a comment below or join the conversation on LinkedIn.

And if your organization is struggling to better understand risks and their impact on goals and objectives, please don’t hesitate to reach out to me to discuss your specific situation today!

Featured image courtesy of Oscar Chevillard via


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
