CHAPTER 5 Who Has the Specific Knowledge to Design the Risk Architecture?: Why You Need an Independent Risk Function
Previously we discussed the three lines of defense approach to enterprise risk management (ERM). Now it is time to consider the challenges in implementing such an approach. If all the risks of an organization are to be aggregated, then there must be a common risk approach to make this possible. Such an approach must create a common language, sometimes referred to as the risk taxonomy, so that all participants have an understanding of key concepts, especially risk, and have processes that promote a unifying approach. The architect of the process is the Chief Risk Officer (CRO) in discussion with the C-Suite executives and the board. So, you need a focal point and architect, typically a CRO or, in smaller organizations, a financial officer or other oversight function executive familiar with risk management.
THE STRATEGY-RISK-GOVERNANCE PROCESS
For many people, process and process requirements send a shudder down the spine. Process is often seen as onerous, constraining, and time-consuming. Others see good, well-designed process as critical to providing steady, repeatable operations and to freeing up time to deal with areas requiring more attention. We see good process as an enabler of organization performance. Figure 5.1 illustrates a strong strategy-risk-governance process and was shown in the Preface as Figure P.2. As previously noted, this approach begins ...