Governance, Risk Management, and Compliance: It Can't Happen to Us—Avoiding Corporate Disaster While Driving Success by Richard M. Steinberg

Is It Really Worth the Effort?

While simple in concept, implementing an ERM process does take time and effort and carries associated costs. But not knowing what risks a company faces is dangerous, and engaging in limited risk-management activities in an undefined or ad hoc manner can lead to unwanted surprises at best, and the kinds of disasters outlined earlier at worst. Imagine driving a car on an unfamiliar back road at night with parking lights only and part of the windshield covered with mud. You know where you want to go, and with all the best intentions you think you know how to get there, but you don't know what's out there that could keep you from arriving timely and safely. The result could be as minor as hitting a pothole and popping a tire or as disastrous as going too fast around a sharp curve and tumbling off a cliff.

Management needs to know what could keep the company from achieving its business objectives, as well as what opportunities can help it get there. On that back road there could be a sign to a new highway that would cut the travel time in half, which the driver could take if only he saw the sign. Another oft-used auto analogy for opportunity goes like this: A key reason a racing car has great brakes is to allow it to go faster. Analogies aside, suffice it to say here that in order to manage risks and seize opportunities, companies need to know what's coming and to act proactively.

Companies continually deal with factors that create uncertainty: globalization, ...