ERM Challenges

At one of our recent Center for Excellence in ERM Summits, participants were asked to list their greatest ERM challenge. Their list is below. Perhaps others can learn from their wisdom.

Senior leadership socialization

Integration into the Strategy Formulation process.

Measuring the value of ERM.

Benchmarking the thoroughness of the program.

Applying consistent and/or universally-accepted risk assessment criteria across different business units/contexts.

Building awareness of the integration between ERM and Strategy

Competitor innovation. 

Consistent implementation of new ERM-related policies and procedures

Credit for the work that is done

Customer attrition 

Deepening organizational understanding of risks, and framing such in a way that facilitates decision making

Determining the purpose and "value add" of the ERM program and gaining C-Suite level support for ERM initiatives 

Differentiation between ERM level risk and operational risk.

Education on ERM to middle management

Ensuring the business actively monitors risk.

Ensuring underlying assumptions, modeling and forecasts are adequate to meet our short and long-term obligations and regulatory mandates.

Establishing an ERM system

Formalizing ERM throughout the organization. 

Getting involved in strategy setting and decision making.

Getting the attention of staff at all levels of the agency

Keeping the appropriate balance between profitability and growth

Maintaining a regular cadence of engagement - engagement tends to vary by the risk stakeholders

Maintaining Consistency

Moving from an ERM program that has a higher focus on reducing negative outcomes and managing risks to one that is fully integrated with the business and strategies, increasing the range of opportunities linked to performance ... creating, preserving and realizing value.

Not enough resources around model, vendor and ops risk functions

Responsiveness from several business units

Risk appetite

Showing or proving how we add value 

Siloed risk activities; no CRO

Standardize ERM governance across all regions. Insert ERM or its principles into the strategic planning process across all regions.

Talent management

Time to work ERM into the decision-making process.

Too many silos 

ERM Program Certification? Nah, but your board may ask for something similar.

There is no official certification (that I know of) for ERM at this point. But how would a board know, or an ERM leader determine, that their ERM process is set up in a way they'd want? There are the obvious signs such as too many surprises, risks not being seen, risks not being assessed correctly, etc. There is also a program review that can be done.

First, some organizations can and do benchmark with other programs to get feedback.

Second, other organizations hire outsiders to review their program and provide feedback.

Third, ERM leaders can do this on their own. An unofficial approach might be:

  • Review your program for all COSO Components.

  • Review your program for evidence of all relevant principles (the word "relevant" is critical).

  • If your program has evidence of the relevant principles and the COSO components, and the components interact and work together, then you'd unofficially have a good program.


Keep in mind:

  • It can be very valuable to do this.

  • This is unofficial; but if some senator gets mad at U.S. businesses again, they could make this the law (like they did with internal control / SOX).

  • Tread lightly. Choose wisely. Make it a TQM opportunity-for-improvement thing instead of a do-or-die ERM thing. It works better, you get to the same place (since this isn't 100% the law), and management sees it as a positive thing about performance, etc.

  • Finally, if I were a board member I’d ask every ERM leader I know to do this.

Board risk oversight and reputation risk

Great blog post here from the Harvard Law School Forum. Those that work with boards should read the entire thing, but here are two key paragraphs with my emphasis added:



For as long as Caremark continues to be the law, directors should ensure that they at least meet the Caremark standard in connection with the #MeToo movement and other issues relevant to their businesses, but they should not be too concerned about new liability risks, even in the current environment. Meeting the Caremark standard includes periodically assuring that there is a system for information and problems to come to the board’s attention. The application of the Caremark standard to today’s issues does not require novel efforts.

However, reputational risks for companies and directors, distinct from liability risks, deserve to be highlighted in the current environment. The enterprise risk approach that many companies and boards take should be re-examined to ensure that they are designed so that reputational risk concerns will bubble up to the board. In our experience this adjustment has already happened at many companies.

ERM and High Performance

Some ERM habits of high-performing organizations. High-performing organizations are:

- more likely to factor risk into decisions than non-high-performing companies

- twice as likely as low performers to be involved in decision making up front (instead of afterwards or never)

- three times more likely to have "engaged" leadership on risk than low performers


Preliminary data analysis based on the Center for Excellence in ERM at St. John's April 30th ERM Summit, The ERM Journey. Final analysis and a white paper are forthcoming.

IMA Releases Updated SMA - Enterprise Risk Management: Tools & Techniques for Effective Implementation

ERM: Tools & Techniques for Effective Implementation has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. This updated report highlights:

* Risk identification techniques

* Analysis of Risk by Drivers

* Risk Assessment Tools, and

* Practical Implementation Considerations. 

IMA Releases Updated SMA - Enterprise Risk Management: Frameworks, Elements, and Integration


Enterprise Risk Management: Frameworks, Elements, and Integration has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. The report includes 

* a review of ERM Frameworks

* ERM Foundational Elements, and

* a section on Integrating ERM into Ongoing Management Activities.

According to the IMA, "SMAs present IMA’s position on best practices in management accounting. These authoritative monographs cover the broad range of issues encountered in practice."

Only 38% are confident that all strategic risks are identified

Recent work at the Center for Excellence in ERM at St. John's University shows that only 38% of ERM executives agree that they are confident that all strategic risks are identified. This work was part of the October 2017 ERM Summit survey. Although the sample is small, the results are still quite interesting. Other early highlights show that ERM executives believe that only 19% of their leaders are very effective at both setting strategy and executing strategy.

April 30 Center for Excellence in ERM Risk Summit

Our next risk summit is all set. The theme is the ERM Journey. We'll focus on how PepsiCo, ADP, Estee Lauder, and Con Edison built, grew, and sustained their ERM programs, and how, even today, they challenge and assess those programs for better success.

Guest speakers include:

Byron Stephen and Diane LaCosta, ADP

Rich Muzikar, Long Island Power Authority (formerly Con Edison), and Zack Wolff, Con Edison

Denise Treacy, PepsiCo.

Frank Fronzo, Estee Lauder

ERM and Culture—Time to Step It Up?

Organizations looking to step up and improve ERM might want to consider "culture." The new COSO ERM Framework highlights and emphasizes the link between culture and ERM in the following ways:

• There are 124 mentions of the word "culture" in the ERM framework.

• The first Component is called "Governance and Culture."

• Principle 3 is called "Defines Desired Culture."

• Principle 20 is called "Reports on Risk, Culture, and Performance."

Quick Ideas for Getting Ready to Answer Board and Management Questions about the ERM-Culture Connection:

— Find your resources to dig deeper on culture. For example, read the NACD Blue Ribbon Commission on Culture as a Corporate Asset. I'm still a fan of our Risk Challenge Culture study we did for the IMA and ACCA. The IIA has a lot of good material too. 

— Read Principles 3 and 20 and determine how your organization compares to each. Do your board and management define the desired culture? Is culture embraced by all personnel? Do you know the factors that drive culture in your organization? Do you know how culture is influencing your ability to identify risks or properly assess risks? Is risk an afterthought to strategy and other big decisions? Do you have escalation policies? Do you have a risk-aware culture (this will most likely require training employees and management on ERM)?


Why Does ERM Add Value?

Our research (which won an award) is published in the Spring 2012 Management Accounting Quarterly, Vol. 13, No. 3. The implications section of that empirical paper states:

"The results suggest that an ERM framework and an ERM implementation can help companies improve performance by enabling executives to manage the company better. From a practical standpoint, companies ask how ERM adds value. Our results show that value comes from implementing the process, which then enables the company to make better decisions. Given that implementing the components takes time, companies should be patient with finding immediate value."



Does ERM Add Value?

Yes! Of course it does! If you need academic evidence to confirm the obvious... here it is. 


Farrell and Gallagher's peer-reviewed empirical paper in one of the highest-ranked risk journals has the following abstract. See the full paper in the Journal of Risk and Insurance, September 2015, Volume 82, Issue 3, pages 625-657.



Enterprise Risk Management (ERM) is the discipline by which enterprises monitor, analyze, and control risks from across the enterprise, with the goal of identifying underlying correlations and thus optimizing the risk-taking behavior in a portfolio context. This study analyzes the valuation implications of ERM Maturity. We use data from the industry leading Risk and Insurance Management Society Risk Maturity Model over the period from 2006 to 2011, which scores firms on a five-point maturity scale. Our results suggest that firms that have reached mature levels of ERM are exhibiting a higher firm value, as measured by Tobin's Q. We find a statistically significant positive relation to the magnitude of 25 percent. Upon decomposition of the maturity score, we find that the most important aspects of ERM from a valuation perspective relate to the level of top–down executive engagement and the resultant cascade of ERM culture throughout the firm. Firms that have successfully integrated the ERM process into both their strategic activities and everyday practices display superior ability in uncovering risk dependencies and correlations across the entire enterprise and as a consequence enhanced value when undertaking the ERM maturity journey ceteris paribus.

Oversight of Corporate Culture Webcast


Center for Audit Quality

Published on Dec 23, 2017

Sound corporate culture is a cornerstone of fraud deterrence and detection. This December 2017 webcast, hosted by the Anti-Fraud Collaboration, highlights leading practices on assessing and strengthening a company’s corporate culture. Hear from an expert panel, who share actionable recommendations that organizations can implement to deter fraud and misconduct. The panel also addresses oversight responsibilities of audit committee members, company management, and internal auditors. Expanding on insights contained in a 2017 National Association of Corporate Directors Blue Ribbon Commission report, Culture as a Corporate Asset, the webcast covers how culture impacts strategy, risk, and performance.



Mark Carawan Citigroup Chief Compliance Officer

Cindy Fornelli (Moderator) Center for Audit Quality Executive Director

Brenda J. Gaines Tenet Healthcare Corp. Audit Committee Chair

Gilly Lord PwC Head of Regulatory Affairs and Audit Strategy & Transformation

Paul L. Walker St. John’s University Schiro/Zurich Chair in Enterprise Risk Management


Watch the video replay of this webcast using the following link: 


ERM and Reputational Risk in Higher Ed: More Talk Than Action

Today's uncertain environment poses constant threats to the most valuable asset of colleges and universities: their reputation. Taking action to identify risks that could impact your institution's reputation, and finding ways to prevent or mitigate those risks, is essential to long-term sustainability. A recent study by United Educators and the Center for Excellence in ERM at St. John's University provides insights into reputation risk in higher education and separate toolkits

Sources of Emerging Risks

A recent Risk Summit by the Center for Excellence in ERM at St. John's University focused on how to review noise and emerging risks. Numerous tools and methods were also discussed, as well as the sources of risk.

To best identify noise and emerging risks, a wide variety of sources should be used. The sources mentioned included:

Operational incidents

RSS feeds

Political timelines and stories

Where startups and angel investors are focusing

Industry reports

Customer complaints

Social Media

Academic studies

New implementations

Published risk surveys

NGO agendas

Customer satisfaction surveys and metrics

Annual plans 

Internal risk assessments

Macroeconomic news

Strategic plans

Employee feedback

Industry conferences

Client input

Regulator and competitor actions

Value shifts appearing in the market