Implementation is a process of drills, exercises and scenario testing that instills crisis management into the DNA of the enterprise.  It is accomplished through the collaboration of one or more work teams that devise the response steps to a crisis.

Enterprise Risk Management (ERM) by itself is academic (for more, see the “Inspiration ERM” page on this website).  The “rub” comes with practical implementation.  We have helped our clients with this by following the general principles of “Risk Identification” and “Mitigation” described below, together with hands-on, effective work teams.


Implementation:

Our approach and the discussion below do not include core business risk, examples of which might be an unrecognized change in the market landscape or poor market timing.


Risk Identification (RI):

What is a risk?  It is a condition or cause that gives rise to an action or event with a negative result or consequence.  The table below illustrates two generic business examples, each read top to bottom as a cause-event-consequence chain:

                        Example A                           Example B
1) Causes        —>   Inadequate segregation of duties    Lack of management supervision
2) Events        —>   Internal fraud                      Environmental contamination
3) Consequences  —>   Funds loss                          Restitution and cleanup
others …

In a very general sense we formulate a strategy for managing risk in the face of much uncertainty and prepare for the future by linking current moves to future outcomes.  In terms of the table above, the aim is to predict the consequences and their effect on the enterprise.

It is not critical to predict the future exactly; instead, imagine multiple futures in creative ways.  The point is not what to think but how to think about these multiple futures.

For our clients we convene Key Knowledge Holders (KKH’s) and managers:

  • To flesh out the portfolio of risks, including operational, infrastructure, malpractice and/or errors and omissions, human factors, regulatory, business disruption (à la COVID-19), financial, cyber and brand risk, to name a few
  • To determine the 3-4 likely events with the most significant consequences by prioritizing the causes; low frequency, high impact is a useful rule of thumb
  • To collaborate on work teams that aggregate the institutional intellectual capital
  • To quantify the enterprise’s risk tolerance and Utility of Risk, i.e. the expected return on investment of risk management expenses.  Note the “low hanging fruit”: smaller investment, bigger impact.

Once the portfolio of risks is identified, the practical challenge is to single out the 3-4 most significant.  We do not recommend trying to identify every risk.  People and enterprises end up with too much data and become frozen with indecision.

Work teams of KKH’s and leaders hold multiple conversations, 1-on-1 and in groups, to reach some measure of agreement on the 3-4 most significant risks.

This is where our gray hairs from decades of experience add value.  First we whittle the team down to the minimum number of essential individuals.  Next our finesse, tact, intuition, mentoring, mediation and technical expertise are brought to bear to reach the most reasonable level of agreement on the most significant risks.  Perfection is unattainable but worth chasing.

Then we can move on to mitigation.


To link current moves to future outcomes we assist with Scenario Planning, including exercises, workouts and tabletop drills that play out the 3-4 likely events described above.  We help imagine how people and the enterprise react to each crisis.  An old, over-simplified example of such an exercise is a fire drill.  In our experience this helps:

  • overcome the fear and emotions that run high in a crisis
  • participants (KKH’s and leaders):
    • formulate ideas and speculation on the risk consequences, i.e. what might go wrong
    • plan steps that reduce the impact on the enterprise
    • outline all the ingredients of business recovery, such as communications, crisis management and emergency plans, to name a few

The preceding bullets are followed through for each of the 3-4 imagined events.

We describe the imagined chain of events and the knock-on effects that result from each.  This is done by work team participants analyzing the series and paths of developments, and their dependencies, that follow from each initial event.  Participants discuss actions without necessarily implementing them, and throughout the sessions each imagined event unfolds further, driven by the suggestions of the participants.  The participants experience how to assess, decide, engage and communicate during a crisis.

This is followed by imagining how each path could be modified to reduce the disruption to the business.  Lastly, with our gray hairs, we reach agreement on and implement the work team’s suggested risk reduction modifications that deliver a reasonable reduction in risk for the investment of time, energy and money.

Sometimes simple mitigation occurs somewhat naturally.  It is human nature that, when possible, we make small, easy fixes that reduce risk without much deliberation or fanfare.

Mitigation includes:

  • Avoid, reduce and/or eliminate the risk through education, training (including drills), operational changes and investment in loss prevention apparatus
  • Develop a pre-event strategy to align people, process and technology
  • Develop a post-event strategy for resilience, business continuity and crisis management

The key to the last element of mitigation above is inculcating into the culture an attitude that risk management is part of every job description.  This is far more realistic than overly detailed written plans (as our competitors often require), which are typically forgotten at the time of the crisis.  Such plans often become irrelevant the moment they are finalized because the enterprise has changed.  It is much more useful and efficient to consolidate the relevant written debriefing notes from the workout teams into the outline of the ERM.  This can be done to satisfy regulators if needed.