The report, published by Ernst & Young, discusses four major themes in the practical application of ERM oversight. The first topic they addressed was engaging management in the task of risk management. This theme permeated the rest of their discussions on the governance of risk management, identifying and prioritizing key risks, and ERM in action.

Engaging Management in the Task of Risk Management

The committee agreed that CEO involvement and buy-in was the priority in establishing effective enterprise-wide risk management. They noted that CEOs were not taking the lead on this initiative for several reasons: top management didn’t fully understand the concepts behind ERM, saw it as an undertaking involving a change in culture, could not quantify the results, and felt they didn’t receive a tangible return on investment.

Comments made by the committee included “You can have all the systems and procedures in the world, but without senior management buy-in, it’s worthless.” They shared best practices on achieving active involvement from the CEO and identified some concrete practices:

  • Evaluate and compensate the CEO based on ERM’s success
  • Provide specific examples of instances in which ERM succeeded
  • Do not let the ERM label get in the way
  • Use ERM as a developmental opportunity
  • Require the CEO’s commitment to ERM
  • Hire a CEO who views ERM as a priority


They gave examples and explained why each best practice was effective.

Governance of ERM

Members discussed the responsibility put on the audit committee to oversee ERM practices. While they debated whether this was the proper committee for the task, they all agreed on the importance of top management creating and implementing the ERM framework. Members had various examples of why it was essential to have the CEO driving the implementation, and not the oversight board.

Identifying and Prioritizing Risks

As members discussed experiences with risk identification, they again cited the importance of a top-down approach enforced by senior management. The ERM system must reach across an entire organization and prioritize according to broad corporate objectives, not individual business entities’ risk appetites. The committee listed many best practices for corporate-wide risk assessment, including aggregating and discussing the risks listed by individual business units, using external consultants, and taking a broad risk and assessing its effect as it moves through the enterprise. There was concern over how management was implementing ERM currently. The network cited top management assessing only the risks in the 10-K, and instances of major changes that had not been identified by an in-place ERM system.

ERM in Action and Conclusions

The members agree that effective ERM is an ongoing process, but they have already seen much progress. A continued focus on a broad, top-down approach driven by senior leadership will lead to more effective ERM systems. The audit committee board can use tactics such as board dinners with management and interviews with business unit leaders to maintain oversight and discuss key risks.

The committee emphasized the importance of top management in implementing an effective ERM system. The CEO must continually use risk assessment in strategizing, and keep analyzing and updating the processes in place. It is top management and the oversight committee’s responsibility to ensure that ERM is not a stand-alone process and is continually updated.


ERM Enterprise Risk Management Initiative 2008-05-01