Guest Column | January 28, 2020

3 Questions To Ask Before Starting An ERM Program

By Matt Kunkel, LogicGate


According to research from Risk Based Security, data breaches were up 33 percent in 2019 compared to 2018. The research firm called 2019 the “worst year on record” for breaches. With companies experiencing an increase in risks and data breaches, it’s no surprise that 88 percent of CEOs think enterprise risk management (ERM) is very or extremely important. However, starting an ERM program can be a difficult and intimidating task for an organization to take on.

According to Investopedia, ERM is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives.

Every organization faces risks. In today’s business climate, it’s not a matter of if your company will face a risk event such as a data breach or cyberattack, but when. ERM helps companies stay one step ahead of the risks that threaten them now and into the future. For those organizations dipping their toes in the ERM pond, I’ll walk through three questions to consider when establishing an ERM program.

What Is The Current State Of The Organization’s GRC Processes?

When starting an ERM program, risk managers should begin by evaluating where the company is today when it comes to its governance, risk management, and compliance (GRC) processes. This is not an easy step: it requires managers to take inventory of existing systems, documents, spreadsheets, emails, and even manual approaches. Including stakeholders from all departments at this stage is necessary, because some of that inventory will consist of ad-hoc strategies and tactics known only to a limited set of people. During this time of reflection, be sure to interview everyone who has had a hand in the process and try to understand their objectives and perspectives.

In this stage of developing an ERM program, be sure to consider the following:

  • What kind of personally identifiable information (PII) or sensitive data do we handle?
  • How complex are our risks?
  • Do we have a repository of known risks?
  • What is the regulatory landscape of our industry?

By taking the opportunity to fully understand the current state of your organization’s governance, risk, and compliance processes, you’ll be able to make a comprehensive assessment of how to move forward with your ERM program.

Where Does The Organization Want To Go?

Now that you have a sense of your organization’s current state, the next step is to articulate what the ideal future looks like. Be specific about how your company would manage its risk and compliance in that future state. What tools do you plan to use? Who is involved? While other factors may influence this, it is important to be as clear as possible about the outcomes you expect.

During this time, you might consider leveraging “SMART” goals, which stands for specific, measurable, achievable, relevant and time bound. While this framework is most often used for employee goal setting, it can also be applied when establishing an ERM program. Each goal should be specific enough to be clearly articulated, quantified, realistically achievable, relevant to the GRC function, and designed with a deadline in mind.

When developing an ERM program, there is typically an outside driver creating the need for one, such as new vendor contracts or regulations. Whatever these drivers may be, they will naturally play an important role as you decide on the future state of your ERM program.

How Do We Get From Our Current State To Where We Want To Go?

With your current state and your target state both defined, you can begin identifying where the gaps lie between them. Where are your current processes falling short? Where are you already covered? This step sets the foundation for creating a successful ERM program that will benefit your organization for years to come.

In today’s world, there’s no way to ignore risks. Relying on legacy systems, manual tracking, and spreadsheets will only set your organization up for failure. By incorporating an ERM program into your company’s governance, risk, and compliance processes, you provide a single source of truth that lets every employee in the organization address risks with confidence.

About The Author

Matt is the cofounder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time he learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in the GRC space, Matt regularly speaks and consults on risk and compliance topics.