So why don’t most Enterprise Risk Management systems work? Simply put, they don’t “manage” risk, they just record it. Manage is a verb, not a noun. It is an activity, not an item. Making a list might be adequate for those who want to check off regulatory compliance, but it does not produce an ROI.
There appears to be a growing view that risk does not need to be aggregated to have an effective ERM. I believe this is due to a combination of the rush of inadequate software products on the market and the infiltration of a Q.A. mentality into ERM.
Without aggregation, ERM loses any meaning and purpose (see Why Aggregate Risk in ERM). So, if we accept the need to aggregate risk, both from business units to the group and across diverse natures of risk, how do you aggregate risks?