When it comes to implementing a successful ERM program, sometimes learning what not to do is just as important as learning what to do. StrategicRISK spoke with one of Taiwan’s most experienced risk managers, Jeff Yeo, to get his tips and tricks on ERM.

Starting an ERM programme in any organisation is never easy.

Many organisations have embarked on this initiative; some started long ago and have reached a certain level of maturity. There are nonetheless even more organisations that have only recently realised the importance and essence of such a programme and are still in the preparation and planning stage, working out how to start one.

Success or failure for ERM lies in managing (or avoiding) the pitfalls listed below.

1. Failure to get buy-in from senior management

Failing to get buy-in from senior management creates an uphill task for even the most experienced risk manager, and the likelihood of failure is high. If senior management is not supportive, the programme is unlikely to receive the endorsement it needs.

Having said that, if a manager within a company has been tasked with developing an ERM initiative, some form of buy-in must already exist.

2. Failure to understand the culture of the company

This is one of the most common pitfalls faced by risk practitioners. Different strokes for different folks, as the saying goes. Acting on reflex, risk managers are tempted to replicate in a new organisation what succeeded in their previous ones. But what succeeded in one organisation may not succeed in a new environment.

ERM plans need to be tailored to each organisation. How things were done at your previous organisation may not be how things are done here. This is the cultural aspect of an organisation.

The timeline for the ERM initiative and, most importantly, how it is going to be executed depend very much on the culture that prevails within the organisation. Managing this cultural risk is important to the success of the programme.

3. Failure to engage the influencers and those at the working level

The “R” in ERM is ultimately about relationships. One of the roles of a risk manager is that of a conduit between senior management and those at the operational level. Identifying the influencers within the organisation and building close relationships with them will help you get the necessary buy-in at both the strategic and the operational level, with the ultimate goal of adding value to existing processes.

This creates success stories and arouses further interest in ERM, especially in an organisation with a fundamentally weak risk culture. You have to create value before buy-in can materialise.

Risk managers create success stories together with stakeholders. Through creating them, we build relationships, and buy-in follows. To become a success story, risk managers have to work in collaboration with stakeholders to operationalise ERM.

4. Playing the role of auditor or internal policeman

A risk manager is NOT an auditor. Neither is he or she an internal policeman.

From my personal experience, many of the stakeholders that I have worked with in the past regarded me and my colleagues as managers playing the role of auditors on a fault-finding mission. One particular example comes to mind. In one role, colleagues told us blatantly to go back to our Internal Audit colleagues to get the information, as they had already furnished “us” with that information, and not to bother them anymore.

This incident prompted me to sit down and rethink and reimagine how best a risk manager can be of value in addressing the concerns and challenges they are facing.

This brings me to the concept of the three lines of defence. Simply put, the first line of defence is the stakeholders themselves. The second line is us as risk managers, and the last line is the auditors and regulators.

Risk managers are ultimately a safety net: they catch issues in the departments and divisions that fall through the cracks, whether because the controls are not robust or because of plain human oversight, before those issues reach the final line.

We can achieve this through (i) understanding the logic behind their methodology, (ii) understanding their processes and (iii) analysing their data. These three steps help us as risk managers to ascertain how effective and robust the controls and mitigating measures are.

5. Failure to set the right expectations: ERM is not the mother of all solutions

ERM cannot be, and will never be, a fix-all solution. ERM is there to complement and strengthen the controls and measures that have already been put in place. To a large extent, organisations are already practising some form of risk management in the conduct of their daily business operations. ERM is about identifying and proactively addressing risks and opportunities. The end goal is to protect and create value for their stakeholders.

ERM can never solve problems alone. Problems have to be solved collectively by leveraging the expertise and domain knowledge of all stakeholders. ERM helps to make this more defined, systematic and established by cascading its efforts down to all business units within the organisation.

6. Failure to leverage consultants

At a certain stage of the ERM journey, engaging a consultant certainly has its merits. Avoiding consultants altogether is not a good option: no matter how well versed a risk manager is in delivering an ERM initiative, a consultant can and should be involved in bringing in the latest trends and developments in the industry and in benchmarking studies against similar market competitors.

All of this should be seen as adding value to the existing ERM effort. The engagement also serves as a check and balance on whether the journey is on the right track.

For an organisation that is just starting out, a consultant is a great help in framing a suitable ERM programme in the initial phase and in helping senior management and key stakeholders understand what is required. The risk manager can then take over the baton from the consultant and start the next lap of the ERM journey.

Ultimately, the success of any ERM programme starts with the right buy-in.

In today's fast-paced and dynamic environment, a risk-driven business model is the model for transforming any organisation into a risk-intelligent one.

It is about having a good blend of the “Yang” (阳) and “Yin” (阴) of ERM. “Yang” (阳) is the processes, which are consistent, systematic and predictable. “Yin” (阴) is the relationships with stakeholders and senior management, which are complex, fluid and unpredictable.

Getting buy-in starts with a Copernican revolution.

Copernicus was a Renaissance-era mathematician and astronomer who formulated a model of the universe that placed the Sun, rather than the Earth, at its centre.

People are generally skeptical of risk management. So the first step in getting buy-in is the discovery that risk management is not at the centre of the “business processes universe”. Not in the eyes of these stakeholders, at least.

We need to see the world through their eyes. We do not have to like what we see or agree with it, but we must first understand their perspectives. Only when we understand their view of the “universe” can we hope to change it.

Jeffrey Yeo works as a risk practitioner with a global financial institution in Taiwan.