Virginia Issues & Answers Cover - Vol. 21, No. 1, Winter 2016-17

By Thomas H. Stanton

Enterprise Risk Management (ERM) frees up the flow of information within an organization to help leaders anticipate and prepare for strategic, “big picture” risks. The author discusses the strengths of ERM compared with other forms of risk management, the types of organizations that ERM can (and cannot) benefit, and the basic steps for implementing ERM.

A disturbing pattern has hit too many companies and government agencies: Everything seems to be going well when suddenly news comes about a serious failure from deep in the organization (depending on the organization, this might involve auto ignition switch failures that prevent airbags from deploying in a crash, or lack of timely federal health services for veterans, or retaliation against a whistle-blower, for example). Public outrage follows swiftly and senior leaders are sent packing in favor of a new team that promises to conduct a full investigation and clean up the mess.

Such incidents come to light with increasing frequency. Both public and private sector organizations and their operations have become more complex—in terms of global reach, organizational structure, processes, and information systems—and thus more vulnerable. Once an incident occurs, it then feeds into the 24-hour news cycle, causing greater reputational harm than ever before.

The Growing Movement for Enterprise Risk Management

Chastened by risks that emerge at unexpected times and in unexpected ways, leaders are increasingly turning to a form of organizational self-defense known as Enterprise Risk Management (ERM). ERM builds on a simple question: Looking at the organization as a whole, what are the risks that could prevent my company or agency from accomplishing its mission?1

The simple question has several implications: (1) ERM looks at large risks, not the many small ones that can distract management and often lead to red tape that further confuses complex processes; (2) ERM looks at risks as they interrelate across the organization (i.e., the “enterprise” in ERM); and (3) major risks to an organization can include failing to seize opportunities that the organization needs if it is to adapt to its constantly changing environment.

Perhaps most important, ERM focuses management on the flow of information, up and down the organization, across major organizational units, and with stakeholders. Especially with increased organizational complexity, information seems increasingly to be bottled up at the lower levels of an organization. ERM is a way to free up that flow so that top management gains the information it needs to manage successfully. While ERM can’t ensure that all major risks are addressed in time, experience increasingly shows that it can greatly help.

Strengths of ERM vs. Other Types of Risk Management

ERM has a number of advantages over other forms of risk management. The risks that an organization’s leadership anticipates may not be those that actually bring the enterprise down. The CEO of one large Virginia financial institution explained how his institution avoided losses from subprime mortgages in the Financial Crisis. But after that, he said, the organization was hit by a cyberattack. Then came a flood that wiped out key information systems that had been located in a basement below ground level. The CEO explained that, after dealing with these crises, he instituted a thorough ERM program so that the company had a better chance of detecting and addressing future vulnerabilities that might matter for its success.

ERM also helps to overcome flawed decision-making. Sydney Finkelstein and colleagues at Dartmouth’s Tuck School of Business have found that bad decisions have two components. First, an influential person, such as an agency head or CEO, makes an error of judgment. This can occur for any number of reasons, such as misplaced reliance on a favored subordinate or an effort to “fight the last war.” And second, the organization lacks processes to bring facts to management’s attention to challenge the flawed thinking and expose errors of judgment.2 ERM, with its emphasis on bringing information about major risks to the table early, is a good way to offset this problem.

How ERM Works*

ERM improves an organization’s strategic decision-making by producing a broad range of risk information that goes beyond operational and hazard risks (such as workers compensation, general liability, employment practice liability, professional liability, auto liability, and property) and incorporates strategic, financial, compliance, legal, environmental, reputational, and technology risks. ERM helps officials make better decisions that can make their organizations less vulnerable to failure and better equipped to survive changes in their internal and external environment.

There is a basic six-step approach to developing and implementing an ERM program within an organization:

  1. Risk Identification. Take inventory of all risks in the organization and tie them to the organization’s strategic goals.
  2. Risk Assessment. Determine risk events, their causes, and their potential financial impact on the organization.
  3. Risk Analysis. Examine the interrelationship of risks both within and outside the organization.
  4. Risk Controls. Implement risk controls and risk responses to the risks within the organization.
  5. Monitoring the Program. Track risk information from the ERM program.
  6. Evaluating the Program. Ascertain the ERM program’s strengths and weaknesses in furthering the organization’s strategic goals.

*Originally published in Government Finance Review, June 2012

Lessons from the Financial Crisis

ERM distinguishes organizations that successfully navigated the Financial Crisis from those that failed. Important lessons from the crisis include that (1) there often are warning signs of serious problems, (2) not all warnings are well-founded, but investigating is less costly than ignoring them, and (3) a process of constructive dialogue, in which those seeking to move forward and those concerned about risks have a mutually respectful exchange of views, is essential so that top management understands the risk-reward tradeoffs of major decisions. While successful firms each had their own business strategies, they shared a common dedication to ensuring that risk-related information went to the appropriate decision-makers in the company so that important warnings were addressed. The unsuccessful firms seemed to share a common disregard of important warning signs of serious risk.3 These lessons can be applied to public sector organizations as well as private firms.


Implementing ERM

As John Fraser, a leader in ERM practice and scholarship, explains, ERM can be understood as consisting of two fundamental processes that he calls “conversations” and “prioritization.” In the “conversations” phase, the organization’s risk staff use interviews and workshops to facilitate the flow of risk information, both up the hierarchy and across the organization. Reporting of major risks (traditional “bad news”) becomes the way a company or agency does business, rather than an act of personal courage by an employee. Once major risks have been identified, the “prioritization” phase of ERM allows top management to convene in a process of constructive dialogue to prioritize risks according to their likelihood and potential severity. With this information at hand, the public sector leader or CEO can decide how to allocate the organization’s scarce resources to address the identified risks.4

Not all organizations are ready for ERM. Painful experience shows that support from the top is essential for ERM to succeed. Leaders must encourage the flow of information that allows conversations and prioritization to work. They must ensure that feedback is heard and incorporated, as appropriate, into decisions and remedial actions. And the agency head or CEO may need to protect the risk function, possibly from powerful unit heads who may prefer to insulate their turf from outside scrutiny.

An especially important role for the agency head or CEO is to weld top managers into an effective management team willing to consider risk from an enterprise-wide perspective and not just from the perspective of their own part of the organization. Agencies or companies consisting of powerful and largely independent subordinate units simply are not ready for ERM. Instead, the organization’s leader can seek to encourage and support development of ERM in each of the subordinate units, to the extent that managers of those units can be joined into a strong management team. Then, instead of struggling against powerful independent unit heads, the Chief Risk Officer function can assist those leaders with resources and information to create effective ERM within the subordinate organizations.

ERM Helps UC System Improve Credit Rating and Save Millions in Borrowing Costs

By Kristina L. Narvaez

Like other public and private entities, the University of California (UC) relies on borrowing to accomplish many aspects of its mission. In December 2005, the UC system shifted away from traditional risk management and adopted a new ERM framework taking a broader, enterprise-wide approach to identifying and managing a variety of risks—including strategic, financial, compliance, legal, environmental, reputational, and technology risks. Adopting ERM enabled the UC system to improve its strategic decision-making, reduce borrowing costs, and free up resources to carry out its mission of teaching, research, and public service.

UC adopted a system-wide ERM information system to allow efficient sharing of risk information across ten different campuses, five medical centers, and three national laboratories, each with its own way of defining and classifying its data. After collecting the risk information with the ERM system, UC is better able to help its business units identify risk, implement risk controls, and select responses that align with the university’s mission. ERM data analysis led the university to shift $20 million of annual self-insurance premiums to more appropriate uses. In 2010, Standard & Poor’s recognized UC’s ERM program as a credit strength, raising its credit rating. This higher rating lowered the interest rate the university pays on its debt by 0.1 percent, representing more than $10 million in savings from 2005 to 2012.

Kristina L. Narvaez is President of ERM Strategies, LLC. The author of numerous articles on ERM, she co-edited the book Implementing Enterprise Risk Management: Case Studies and Best Practices. She can be reached at

A particularly difficult issue concerns third-party relationships. In the private sector, companies often outsource critical functions to other companies or organizations. In government, an agency’s mission may depend on third parties that the agency must deal with by law. These include financial companies for most federal credit programs or specialized intermediaries such as grantees for health research that government might fund. Third parties also include ubiquitous contractors that assist both private and public organizations to carry out their missions.5 While often helpful or even essential, reliance on third parties creates special problems for ERM: Organizations need to encourage and even require the flow of risk-related information from their contractors and other third parties to try to protect against unpleasant major surprises.


Integrating ERM with other Management Processes

Finally, to be effective, ERM must integrate with the organization’s strategic planning and budget processes, personnel reviews, its decision-making processes, and—ultimately—its culture. Achieving this level of ERM implementation can be a multi-year process.

ERM is cost-effective. The risk function can be kept small; it only needs to provide staff support for “conversations” and “prioritization” and for top management’s risk-based decisions where to allocate scarce resources. The task of risk management itself, however, belongs to the leaders of the organization and each of its business units. An integral part of their successful leadership is to manage risk; the risk function merely assists in facilitating the flow of information so that the enterprise can make good decisions and avoid unknown major risks.

Organizations in both the public and private sectors face continuing budget pressures, and here ERM and the emphasis on conversations and prioritization become critical. The operative question for ERM at a time of budget constraints becomes: “As our organization refocuses its mission to operate with a significantly reduced budget, what are the major risks that could prevent us from accomplishing our mission and objectives?” This becomes an invitation for organizations to rethink their core missions and processes deliberately, rather than blindly trying to “do more with less.”

ERM in Action: Edmonton, Alberta, Canada

By Ken Baker

Since adopting an official ERM policy in 2016, elected leadership and staff of the City of Edmonton (pop. approx. 900,000) have worked to build a culture and mindset of risk-awareness in decision making. Whether approving a new professional hockey arena or simply updating a policy, Edmonton staff are learning to be aware of risk, assess it, report it, and manage it throughout the life of a project. Todd Wyman, Acting Executive Director of Drainage Services, noted that while his department has done risk assessments on construction projects for some time, the strategic risk component of ERM provides for deeper discussion. “Strategic, by nature, means big-picture thinking, broader-ranging, far-reaching ideas. And it does help us within that conversation around, ‘If we don’t do this, this may happen, so let’s think about that a bit more.’ And it broadens your horizon in terms of opportunity to go down a path that you may not initially have thought of.”

Ken Baker is the Corporate Manager for Enterprise Risk Management for the City of Edmonton.

The good news about ERM is that good risk management is part of good management more generally. Improving the flow of information can improve an organization’s decision-making and performance every day, and not just to help avoid a crisis.


  1. The Association for Federal Enterprise Risk Management (AFERM) defines ERM as “… a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals, and objectives.” More information about AFERM and ERM resources can be found at
  2. Sydney Finkelstein, et al., Think Again: Why Good Leaders Make Bad Decisions, Harvard Business Press, 2008.
  3. Thomas H. Stanton, Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis, Oxford University Press, 2012.
  4. John Fraser, “Building Enterprise Risk Management into Agency Processes and Culture,” chapter 9 in Thomas H. Stanton and Douglas W. Webster, eds., Managing Risk and Performance: A Guide for Government Decision Makers, John Wiley & Sons, 2014.
  5. Lester M. Salamon, ed., The Tools of Government: A Guide to the New Governance, Oxford University Press, 2002.

Author Biography:

Thomas H. Stanton teaches at Johns Hopkins University. He is a Past-President of the Association for Federal Enterprise Risk Management (AFERM) and a Fellow of the National Academy of Public Administration. He has helped to write or edit numerous books including Making Government Manageable (Johns Hopkins, 2004), Meeting the Challenge of 9/11: Blueprints for Effective Government (M.E. Sharpe, 2006) and Managing Risk and Performance: A Guide for Government Decision Makers (Wiley, 2014). He wrote Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis (Oxford, 2012), based on service at the Financial Crisis Inquiry Commission. Mr. Stanton holds degrees from the University of California at Davis, Yale University, and the Harvard Law School.
