What exactly is the role of ERM?

“It is not just about producing reports for the board, ensuring compliance with SOX or other regulations, or raising alarms about potential excessive risks.

Instead, ERM should stimulate conversations to help management make better decisions regarding resource allocation, risk acceptance, and risk rejection. It involves building tools and models, while clearly communicating their limitations, to support better decision-making”.

Risk Managers, reflect on this and ask yourselves: How do you contribute to decision-making? If you aren’t, then you might be fooling yourself if you think you’re supporting your organization in managing risks. Creating colorful heatmaps, churning out quarterly lists of top risks, and performing control assurance is NOT Risk Management.

When a Head of ERM has a background in internal audit, it can sometimes lead to a more compliance-focused approach rather than a strategic one. It’s important for ERM to maintain its distinct role in identifying and managing risks across the organization, rather than just extending internal audit practices. Have you experienced any specific challenges with this in your organization?

What are you doing to support decision making in your organisation? What tools are you using to help your organisation improve their performance and achieve objectives? Are your practices enhancing operational resilience?