An enterprise risk management program is designed to provide a holistic view of risk across an organization, but the resources involved in establishing an ERM program are more than many corporations can bear. As longtime compliance executive Jisha Dymond argues, ERM isn’t the only option for creating a comprehensive view of risk.
You’re presenting your compliance risk assessment to the board. You’ve outlined the top compliance risks, mitigation strategies and key action items. You even have a heat map. Then, a board member raises their hand: “How does this relate to the risk presentation that the CISO just gave? Where do these risks sit in relation to what she presented?” Another board member says: “I’d also like to know how these risks impact our company strategy.”
You pause. While you know your risks inside and out, you know that each function has been presenting risks in isolation, leaving leadership with a fragmented view. You also know there are certain risk areas that are not covered by any teams. But creating an enterprise risk management (ERM) program is a challenge for a variety of reasons. So what do you do? This is exactly the problem that combined assurance seeks to solve.
Combined assurance is an approach built on balance: it balances the need to manage risk holistically against resources that are always limited, and it avoids the heavy process and complexity that ERM has a reputation for while keeping rigor in how risk is assessed and keeping bias at bay.
The need for a holistic risk perspective
The risk landscape is getting more complex. AI is changing business models. More digitization means more cyber threats. Stricter regulations are coming at a fast and furious pace. Climate change is disrupting supply chains, while consumers and regulators demand better environmental practices. Political instability creates uncertainty. And reputations are more fragile than ever: What once seemed like rare risks are now becoming real threats.
Risks today are deeply interconnected. But if teams assess them in silos, leadership is left with blind spots. Even worse, they lose the chance to use risk as a strategic enabler. We end up checking boxes instead of building resilience.
Here’s what it often looks like in reality:
- Compliance maps out regulatory risks.
- Privacy flags data protection issues.
- InfoSec zeroes in on security vulnerabilities.
All valid. But without an integrated approach, no one’s telling the full story. And often, risk management is seen as just another compliance task rather than a strategic capability embedded across the business. Why? For starters, the paradigm that is meant to create an enterprise-level view of risk (ERM) is problematic.
The origins and pitfalls of ERM
ERM was supposed to solve the problem. It emerged as a structured approach for organizations to assess and manage risks holistically, moving beyond traditional, siloed risk functions. The concept gained traction in the early 2000s, particularly with the introduction of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, which established principles for identifying, assessing and mitigating risks across an enterprise. The objective of ERM is to align risk management with corporate strategy, ensuring that all functions, from finance and operations to compliance and cybersecurity, work together to address risks in a coordinated manner.
However, despite its theoretical advantages, ERM implementation is often cumbersome, requiring extensive resources, organizational buy-in and cross-functional collaboration that many companies struggle to achieve.
While ERM is designed to offer a comprehensive view of risk, companies frequently encounter significant challenges in its implementation:
- Resource-intensive: Developing a fully operational ERM program requires substantial investment in technology, personnel and processes.
- Siloed implementation: Many organizations attempt to implement ERM in name only, but risk functions continue to operate in isolation, undermining effectiveness. When companies list ERM as one of the risk teams, that’s a red flag.
- Compliance-driven focus: Organizations sometimes treat ERM as a compliance exercise rather than a strategic tool, limiting its ability to support proactive risk management.
OK, the paradigm that is meant to create an enterprise-level view of risk is problematic, so now what?
Combined assurance: A practical alternative
Combined assurance offers an effective middle ground for organizations that lack the maturity or resources for a full ERM program. The concept, first introduced in South Africa’s 2009 “King III Report on Corporate Governance,” emphasizes aligning the various assurance providers to create a unified risk perspective.
The idea is simple: Coordinate the various assurance providers (compliance, audit, privacy, info security, etc.) to provide a single, coherent view of risk. Teams still do their own work, but they align on methodology, reporting and how risks connect to strategy.
To be clear, there are challenges to this framework. It is an effort that requires significant collaboration across cross-functional teams. It requires alignment on basic questions, from the methodology used to assess risk to how everyone’s top 10 lists get combined into a single list. In other words, it may require risk teams to change some components of their existing methodologies, and it requires each team to think beyond its current silo of risk.
Steps to implement a combined assurance program
Map out assurance teams
First you’ll have to identify all functions involved in risk assessment and assurance. Defining this can sometimes present surprising challenges. Yes, information security, privacy and internal audit are the obvious choices. But what about physical security teams? Trust and safety? When I was at a social media company, the trust and safety team had a very similar risk assessment process for assessing T&S risks but would not normally be considered a traditional risk team (especially since most companies do not have a T&S team).
Another option here is a phased-in approach: start with three or four of the obvious teams, and then add others as the process gels.
Define roles and responsibilities
Establish clear accountability to prevent overlaps and ensure collaboration. There are many areas where a single risk can be owned by multiple risk teams. Document which risk areas are “owned” primarily by which teams and identify the secondary ownership teams. In addition, document the role of the risk team versus the role of the business.
I put “owned” in quotes above because ownership itself is an area of debate. Is the risk owner the individual who is accountable for managing the risk appropriately, or the team that is responsible for managing the assessment and mitigation activities? That will depend on the culture and risk maturity of your organization.
Align risk assessments across functions
Create a single methodology and process for jointly assessing and ranking risks. Some teams use a 4×4 matrix, some use a 5×5, and some may use neither and instead go by intuition (yikes!). At a minimum, start by agreeing that you’ll score each risk on a combination of likelihood and impact. You may also want to add velocity as a factor at some point. The point here is to align on what constitutes high risk vs. low risk and how fast it is moving, which means defining what counts as low probability vs. high probability and low impact vs. high impact. A “3” on one team’s 4-point scale and a “4” on another team’s 5-point scale are not the same thing until you have agreed how the scales map onto each other. This enables you to compare apples to apples.
This also means aligning on the process used to assess risks. Some teams rely on questionnaires and do few interviews, while for others it’s the opposite. Some launch the assessment every year with a quarterly update process, and others may launch every two years. Coming to agreement allows for consistency. It also enables efficiency: How many of the same leaders are subjected to risk interviews by different risk teams? If multiple risk teams could participate in a single risk interview with a leader, or assess the responses to a single questionnaire, that would certainly be welcomed by the business.
The most important part of the risk assessment, no matter the team, is the assessment of the control suite. Identifying all controls that mitigate the risk and determining whether they are effective is crucial because it introduces objectivity into what can be a subjective process. Testing controls is challenging, but it is the most effective way to truly understand how well your risks are mitigated.
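To make the scale-alignment problem concrete, here is a small worked example of consolidating ratings from teams that use different matrices into one enterprise-level ranked list. This is example code added to this page; it is not the author’s method or any GRC tool’s logic. The 0.5/0.25 banding thresholds, the 3-point velocity scale, the rule that a risk rated by several teams takes the highest normalized score, the “two or more teams rate it High” escalation flag and the sample ratings are all assumptions for the illustration. The important detail is that the raw products are not comparable: InfoSec’s 3×4 = 12 on a 4×4 matrix and Privacy’s 4×5 = 20 on a 5×5 matrix only line up once each rating is mapped onto a common 0..1 range.

```python
from __future__ import annotations

from dataclasses import dataclass

# Enterprise banding thresholds on the normalized likelihood*impact score.
# Assumed values for illustration; real thresholds are whatever the teams agree on.
HIGH_THRESHOLD = 0.5
MEDIUM_THRESHOLD = 0.25


@dataclass(frozen=True)
class TeamRating:
    """One team's rating of one risk on that team's own likelihood/impact matrix."""
    team: str
    risk: str
    likelihood: int    # 1..scale, as rated on the team's matrix
    impact: int        # 1..scale
    scale: int         # 4 for a 4x4 matrix, 5 for 5x5
    velocity: int = 1  # assumed 3-point scale: 1 slow-moving .. 3 fast-moving


@dataclass
class EnterpriseRisk:
    risk: str
    score: float
    band: str
    primary_owner: str
    secondary_owners: list[str]
    velocity: int
    escalate: bool  # True when two or more teams independently rate it High


def normalize(value: int, scale: int) -> float:
    """Map a 1..scale ordinal rating onto 0..1 so '3 of 4' and '4 of 5' compare."""
    if scale < 2:
        raise ValueError("a matrix needs at least two levels")
    if not 1 <= value <= scale:
        raise ValueError(f"rating {value} is outside 1..{scale}")
    return (value - 1) / (scale - 1)


def score(r: TeamRating) -> float:
    """Normalized likelihood times normalized impact, in 0..1."""
    return normalize(r.likelihood, r.scale) * normalize(r.impact, r.scale)


def band(s: float) -> str:
    if s >= HIGH_THRESHOLD:
        return "High"
    if s >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def consolidate(ratings: list[TeamRating]) -> list[EnterpriseRisk]:
    """Merge per-team ratings of the same risk and rank the result enterprise-wide."""
    by_risk: dict[str, list[TeamRating]] = {}
    for r in ratings:
        by_risk.setdefault(r.risk, []).append(r)

    merged: list[EnterpriseRisk] = []
    for name, rs in by_risk.items():
        ranked = sorted(rs, key=score, reverse=True)   # highest-scoring team first
        top = ranked[0]
        highs = [r.team for r in ranked if band(score(r)) == "High"]
        merged.append(EnterpriseRisk(
            risk=name,
            score=score(top),                 # assumed rule: take the highest rating
            band=band(score(top)),
            primary_owner=top.team,           # the team that rated it highest
            secondary_owners=[r.team for r in ranked[1:]],
            velocity=max(r.velocity for r in rs),
            escalate=len(highs) >= 2,         # several teams see the same High risk
        ))

    # Rank by score; on a tie the faster-moving risk goes first.
    merged.sort(key=lambda e: (e.score, e.velocity), reverse=True)
    return merged


# Constructed sample ratings: two teams on 4x4 matrices, one on 5x5.
SAMPLE_RATINGS = [
    TeamRating("InfoSec", "Third-party SaaS breach", 3, 4, scale=4, velocity=3),
    TeamRating("Privacy", "Third-party SaaS breach", 4, 5, scale=5, velocity=2),
    TeamRating("Compliance", "New data-residency regulation", 5, 4, scale=5, velocity=2),
    TeamRating("Privacy", "New data-residency regulation", 3, 3, scale=4),
    TeamRating("InfoSec", "Unpatched legacy VPN appliance", 2, 4, scale=4, velocity=3),
    TeamRating("Compliance", "Expense policy drift", 2, 2, scale=5),
]


if __name__ == "__main__":
    for e in consolidate(SAMPLE_RATINGS):
        flag = " ESCALATE" if e.escalate else ""
        print(f"{e.score:.2f} {e.band:<6} {e.risk} "
              f"(owner: {e.primary_owner}, also: {e.secondary_owners}){flag}")
```

Running it ranks the SaaS breach first (Privacy’s 0.75 outranks InfoSec’s 0.67, both High, so the escalation flag is set), the data-residency regulation second at the same 0.75 but with lower velocity, the VPN appliance as Medium and the expense-policy item as Low. Swap in your own thresholds and consolidation rule; the point is that the rule is written down and applied the same way to every team’s list.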
Develop an integrated risk reporting framework
Standardize risk reporting to ensure that all teams contribute to a single, comprehensive risk report and dashboard. Don’t wait until Q4 to “get aligned.” Use quarterly and mid-year checkpoints to assess risk posture, refresh assessments and align on response plans.
By far the most challenging part of the exercise is ensuring that all teams take on an enterprise-level perspective to come up with an enterprise-level list of top risks. In theory this shouldn’t be hard: there are agreed definitions of high and low risk, and you’ve identified the controls and tested them to understand which are effective. But this is the point where observations, trends and emerging risks enter the discussion, and those are murky areas that are more qualitative than quantitative.
It’s also the part of the process that requires caution to ensure that assorted biases, such as availability bias, anchoring or simply the loudest voice in the room, do not creep in. Structured dialogue and strong facilitation can help mitigate this. And again, solid control testing and trend analysis can ground the discussion in evidence.
Report to senior leadership as one voice
Present integrated risk insights to executives and the board, providing a holistic view of the organization’s risk landscape. This means there is a unified presentation that connects the dots across risk domains — cyber, compliance, ESG, privacy, product — so leadership isn’t getting a piecemeal view but a clear, consolidated picture of what matters and why.
That requires upstream coordination: Risk owners should align on key messages, use a common language (no alphabet soup) and agree on thresholds that matter at the enterprise level. Practical steps include aligning quarterly reporting cadences, using shared dashboards or scorecards and agreeing ahead of time on what triggers an escalation. One team might see a blip; across teams, it might look like a pattern.
When presenting, skip the siloed updates; don’t walk the board through five separate risk lists. Instead, use scenarios, trends and visuals that show how risks interact and where the organization should focus. But make sure each function is ready to go deep if asked. If leadership wants to drill into privacy, ESG or cyber, the right people need to be in the room with a consistent story and supporting data. Unified doesn’t mean watered-down; it means connected and ready.
Conclusion
Organizations may not always be ready for a full-fledged ERM program, but that does not mean they should accept fragmented risk management as the status quo. Combined assurance isn’t about reinventing the wheel. It’s about getting the people who are already working on risk to work together in a smarter, more strategic way. It won’t solve every problem overnight, but by leveraging this method, companies can take a meaningful step toward mature risk management. And when the board asks, “How does this risk tie to strategy?” or “What’s the overall risk picture?” — you’ll be ready to answer without hesitation.