Enterprise Risk Management Over a Decade

Witnessing the Trends

It can be difficult to identify when a trend begins, but before you know it, it can change the world forever. Many of us can remember the trend of mobile phones slowly pushing out the need for telephone landlines, or the emergence of television streaming services pivoting the world away from VCRs and DVDs. Modern trends such as driverless cars and drone deliveries haven’t quite entered our daily lives yet, but their trajectory shows a steady progression.

Another modern trend gaining prominence is Enterprise Risk Management (ERM). Throughout the past decade, ERM has evolved and adapted to the changing needs of organizations, and the previous Renaissance decade of ERM practices is giving way to a Transformation period that will be based on information integration.

ERM Trends Over the Past 5 Years

To adequately predict where the Transformation period of ERM practices will take us next, we must acknowledge how certain events in the marketplace shape the value ERM brings to an organization.

Chief Risk Officer (CRO)

The first marketplace event is the rise and acceptance of the CRO in the executive suite. Many organizations hired their first CRO from an internal management team comprising executives leading audit, compliance, information technology (IT), operations, or credit functions. This first generation of CROs had to quickly implement best practices to ensure the safety of the organization, as risks were constantly changing and rapidly emerging. Now, organizations might be looking to hire second- or third-generation risk officers, as the requirements and expectations of the role have grown and the capabilities of CROs are more widely recognized.

ERM Maturity Models

The second event was the emergence of ERM maturity models, along with an understanding that ERM program capabilities needed to be expanded regardless of an organization’s size. Early ERM models focused on consolidating existing risk management functions to benefit areas such as information security, physical security, business continuity, compliance, Bank Secrecy Act (BSA) considerations, and vendor management. Many threats stem from the same underlying events, so there was an opportunity to evaluate operational and market risks together. These expanded ERM capabilities make sure previously unrecognized threats aren’t left to individual executive oversight. Instead, all executives and Board members participate in a holistic discussion of potential losses and strategic initiatives.

The third event was the acknowledgement that organizations had to be prepared to switch risk priorities quickly and effectively. The COVID-19 pandemic brought a wave of unprecedented challenges to organizations around the world, and forced many to reprioritize risks related to remote working, product development, communications, and security. What was once considered a non-starter (such as a remote working model) had to be promptly and safely implemented to ensure continuity. Although these new procedures were used as temporary remediation strategies, we expect the trend to continue after the pandemic. To prepare for threats on the horizon, organizations must consider adverse events that were once believed to be unlikely (like a pandemic). Preparing for these seemingly implausible scenarios will allow for enhanced response procedures, better mitigation strategies, and sustainable operations.

The success of organizations over the next five years will depend on their ability to master these three ERM trends.

Paving the Road Ahead

High-Risk Threats

One of the first foundational building blocks for ERM frameworks today is the prioritization of high-risk threats. High-risk threats have the potential to impact capital, whereas moderate- and low-risk threats can be absorbed through annual earnings; recognizing this distinction encourages a more threat-based approach to capital risk assessments and capital planning. Individual threats don’t occur in isolation, and the practice of analyzing credit or liquidity risk using a top-down approach will be insufficient to properly manage risk and safeguard the organization.

Risk Monitoring

The second risk management trend paving the road ahead is the elevation of risk monitoring to an equal level of oversight as control testing. The Gramm-Leach-Bliley Act and the Sarbanes-Oxley (SOX) Act brought significant focus to the controls over private information and financial reporting. It was previously believed that if controls were designed properly and operating effectively, then large losses would be prevented. This is still true, but now organizations know that combining forward-looking risk monitoring activities with strong controls to manage business practices increases the early identification of potential losses. During the next five years, enhanced programs will be developed and funded to ensure risk monitoring is prioritized equally among executive teams and Boards.

The third observed trend contributing to the future of ERM is the cost of risk management. To understand what drives risk management costs, and to reduce them, an organization must first measure those costs. For example, community-based financial organizations likely spend 0.2% to 0.3% of assets on risk management. Since these expenditures are mostly non-interest expenses, any reduction positively impacts net income. If your organization relies solely on deregulation initiatives to relieve the compliance and risk management burdens, then you may be the last of your competitive peers to experience the benefit.

To gain a transparent view of its costs and develop an enhanced risk-based resource strategy, an organization must challenge its existing beliefs about how to keep itself safe, and pivot its strategies to enhance its overall security posture.

As the Renaissance of ERM ends and a new Transformation period emerges, the innovative risk management practices we try today will swiftly develop into best practices. The economic expansion we’ve enjoyed may continue, but cracks in our management practices will appear. Although we can’t predict the exact timing of these changes, the trajectory is clear. As an organization preparing for the next decade of risks, ask yourself: What in your ERM program would you change now knowing that important business and economic fluctuations are right around the corner?