What are Organizations’ True Barriers to Implementing ERM?

My posts for this month (May 2019) have focused on results from the 2019 State of Risk Oversight report from NC State.

Each of these posts (see here and here) not only reported survey results but also included additional commentary based on my experience. Up to this point, I had no reason to challenge anything in the report.

However, the last section entitled “Addressing Barriers to Enhanced Risk Oversight” caught my attention.

Despite progress on the identification, assessment, and management of risks on a macro level, very few organizations consider their ERM processes to be “mature” or “robust.” Participants were asked what was preventing them from implementing ERM in a more formal, systematic way.

The following table from the report is a summary what respondents described as a “barrier” or “significant barrier.”

As you can see, organizations claim competing priorities, insufficient resources, and lack of perceived value as the top three barriers to implementing ERM. According to the report, the order of these barriers is consistent with years past and the proportion of organizations claiming these as barriers are pretty uniform across all respondent categories (…except for nonprofits).

Each of these top three barriers are really circular in nature…

Although the report lists these barriers as distinct reasons preventing the implementation of ERM, they are in fact closely related and “circular.”

If there is a lack of perceived value, other priorities in the organization will take precedent over ERM, and executives will not provide sufficient resources for developing processes for identifying risks and opportunities to strategic objectives.

If there are insufficient resources to implement ERM, executives will not see the value and therefore prioritize other initiatives over ERM.

I agree that competing priorities, which is the #1 barrier, is the logical starting place of this cycle and leads to insufficient resources and lack of perceived value respectively.

I will also argue that the lack of resources barrier can be overcome. Most sources you come across about implementing ERM talk about the “full-blown” version with a formal governance structure, a dedicated team, a formalized process, and more. But it is possible to have ERM on a budget because these things are not a requirement for many organizations. It is quite possible to realize the value of ERM without spending a ton of money.

In the end, the biggest barrier to implementing ERM is the will to get started…

While I do appreciate the observations of the State of Risk Oversight report and find it valuable in understanding the current state of ERM, I must respectfully disagree with what organizations are saying are their barriers to implementing ERM.

For starters, these results don’t match results from a survey sent to my readers a few months ago where a majority of respondents explained that leadership tone at the top and executive buy-in (or lack thereof) were their biggest challenge and frustration to implementing ERM.

Let’s consider an analogy that many of us struggle with personally ─ eating healthy and working out ─ to dig deeper into this issue.

We all want the benefits of a good diet and regular exercise, but when the rubber meets the road, many of us cast it aside, saying we can’t make time for it or don’t have enough money. There’s no magic to it – you just have to commit to taking the time to prepare healthy meals and doing physical activity, be it at a gym or wherever.

Sound familiar? The excuses always come down to resources and priorities.

The same is true for ERM in my opinion, which is one tool for enhancing the management of an organization.

It can be a hard sell to management for a variety of reasons, with the top three being:

1.    It can be difficult to have hard numbers to show management how ERM will help the organization achieve its goals.

The fact is executives’ number one focus is achieving the goals they and the Board have established for the organization. Therefore, justifications for ERM must be made specific to them, and not a blanket statements such as “…ERM is a tool for identifying risks and opportunities to achieving strategic objectives.”

2.   ERM is not like project management where organizations have a standard guide in the form of the Project Management Book of Knowledge (PMBOK) to refer to.

While there are standards like ISO 31000 and COSO that provide general guidance on the elements of ERM, having a standard guide for ERM just isn’t possible for a variety of reasons, including organization culture, needs, executive personalities and more.

3.   ERM has an incremental ramp up, making it difficult to point to a big value-add event and say, “this would or wouldn’t have happened without ERM.”

Unlike project management or other standardized management tools where things can be put in place pretty quickly, it is impossible to have all of the elements of an effective ERM program in place within 3 months, 6 months, or even a year.

Like exercise and eating healthy, you don’t see results by doing it for a week then quitting. But if you stick with it over time, you will start noticing a change in your appearance, how you feel, and more.

Are you struggling to prove the value of ERM to your leadership?

Do your executives want the benefits of ERM without taking the steps they need to?

I’m interested to hear your thoughts on what you think are barriers to implementing ERM. Feel free to leave a comment below or join the conversation on LinkedIn.

And if you are struggling to develop a case for why your organization should develop an ERM process to identify risks and opportunities to strategic objectives, contact me to discuss your specific situation today!


Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More