How does one re-organize an ERM system/ process of a large conglomerate? The question relates to an enterprise with multiple business lines that has local risk management functions at the respective businesses, an enterprise-wide group internal controls and risk management team, and an enterprise-wide internal audit team.
Organizing ERM processes and governance that includes the Business Lines is a difficult but required step here. Business Lines love to retain control of governance processes locally but will have to be brought along in terms of the needs of the Enterprise. I do think 1-1 time with BL risk owners in advance of convening ERM governance boards is key to the success of the entire effort. "Stakeholder Analysis", to use a well-worn term, is vital to inclusion here.
ERM "old school" is shifting to an IRM (Integrated Risk Management) approach, with more engagement & visibility across risk functional leaders. IRM is becoming the umbrella to manage enterprise risks, and within IRM several risk-based programs are developed in line with the company's objectives. The three lines of defense continue to be a pivotal component to ensure that no risk is left unattended. Finally, the IRM concept is showing an added value to the business, especially when the Business Strategy is involved from the risk perspective. Food for thought!
The core challenge in a multi-business conglomerate is reconciling the Group's need for a single view of risk with the local mandates for specific regulatory compliance. Our proven approach resolves this by implementing a centralized, cross-mapped framework that standardizes controls while accommodating localized requirements. The following can be accomplished with Risk Cognizance IRM (Integrated Risk Management) https://www.gartner.com/reviews/market/grc-tools-for-assurance-leaders/vendor/risk-cognizance/product/risk-cognizance
1. Establish the Foundational Control Framework
Our first priority is standardization. We move beyond fragmented local control sets by establishing a single, robust Group Control Baseline.
Determine Universal Requirements: We begin by aggregating all mandatory compliance requirements across all business lines, focusing heavily on IT and security mandates (e.g., NIST, ISO 27001, or industry-specific regulations).
Select a Master Framework: We adopt a recognized standard (like ISO 31000 or the NIST Risk Management Framework) as the Master Control Framework. This provides the foundational, high-quality structure and rigor needed to address most core technology and operational risks.
Map and Customize: We customize this master framework into a Group Control Catalog. Every control is now defined once at the Group level, but cross-mapped to all relevant compliance obligations (e.g., a "Patch Management" control maps simultaneously to ISO 27001, a specific local regulatory rule, and the internal operations policy).
2. Implement Integrated Risk Management (IRM) via Technology
Leveraging your expertise, the next critical step is deploying a technology solution that enables this single-framework model.
Risk Cognizance IRM System: We implement an Integrated Risk Management (IRM) system, utilizing its core cross-mapping capability. This system serves as the Single Pane of Glass for the entire conglomerate.
Efficiency of Evidence: Because controls are defined and tested once but cover multiple compliance requirements, the management of evidence and controls becomes highly efficient. A single successful control test (e.g., verifying access controls) automatically provides evidence for all linked compliance requirements (e.g., PCI-DSS, local privacy laws, and general security policy).
Addressing Specific Needs (e.g., PCI): For highly specific regulatory needs, such as PCI-DSS for e-commerce BUs, the IRM system tags the relevant business lines and automatically incorporates the additional, targeted controls into their assigned control set, all while remaining managed within the overarching Group framework.
3. Strategy for Governance and Reporting
This standardized, technology-enabled approach fundamentally reorganizes risk governance:
Centralized Reporting: The Group Internal Controls & Risk Management team now aggregates all risk and control data efficiently, providing clear, consistent, and evidence-backed reporting on the conglomerate's risk posture.
Increased Oversight: This efficiency frees up the Group team's time to focus on challenging high-impact risks and providing strategic advice, moving away from manual data collection.
This is superior because it maximizes efficiency by testing once to satisfy multiple requirements, directly supporting the Board's need for a coherent, enterprise-wide view of risk. While a multi-tenant separation is feasible for highly siloed or legally distinct entities, it significantly increases compliance workload and dilutes the benefit of managing risk as one enterprise.
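The cross-mapped control model described in this answer (one control defined once at Group level, mapped to several obligations; one test result rolling up as evidence for every linked requirement; BU tags pulling in targeted controls such as PCI) can be sketched as a small data model. The code below is an added illustration written for this page; it is not Risk Cognizance's code or data model. All control and requirement identifiers (PATCH-01, "ISO27001/patching", the "pci" tag and so on) are constructed labels, not real clause numbers of any standard, and the business units are made up.

```python
"""Illustrative single-definition, cross-mapped control catalog (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    requirements: frozenset                 # every obligation this one control satisfies
    scope_tags: frozenset = frozenset()     # empty => baseline control, applies to all BUs


@dataclass
class BusinessUnit:
    name: str
    tags: Set[str] = field(default_factory=set)   # e.g. {"pci"} for a card-handling BU


class ControlCatalog:
    """Group Control Catalog: each control is defined once and mapped to many obligations."""

    def __init__(self) -> None:
        self._controls: Dict[str, Control] = {}
        # (business unit name, control_id) -> True if the latest test of that control passed
        self._results: Dict[Tuple[str, str], bool] = {}

    def add_control(self, control: Control) -> None:
        if control.control_id in self._controls:
            raise ValueError(f"duplicate control {control.control_id}")
        self._controls[control.control_id] = control

    def controls_for(self, bu: BusinessUnit) -> List[Control]:
        """Baseline controls plus any targeted control whose scope tag the BU carries."""
        return [c for c in self._controls.values()
                if not c.scope_tags or c.scope_tags & bu.tags]

    def record_test(self, bu: BusinessUnit, control_id: str, passed: bool) -> None:
        """Store one test result; refuse results for controls outside the BU's scope."""
        if self._controls[control_id] not in self.controls_for(bu):
            raise ValueError(f"{control_id} is not in scope for {bu.name}")
        self._results[(bu.name, control_id)] = passed

    def requirement_status(self, bu: BusinessUnit) -> Dict[str, str]:
        """Roll each control's single test result up to every obligation it is mapped to.

        A requirement is 'evidenced' only when all of its in-scope controls passed,
        'failed' if any of them failed, and 'untested' otherwise.
        """
        status: Dict[str, str] = {}
        for control in self.controls_for(bu):
            result: Optional[bool] = self._results.get((bu.name, control.control_id))
            for req in control.requirements:
                if result is False:
                    status[req] = "failed"
                elif result is None:
                    if status.get(req) != "failed":
                        status[req] = "untested"
                else:
                    status.setdefault(req, "evidenced")
        return status

    def coverage(self, bu: BusinessUnit) -> float:
        """Share of the BU's obligations that currently have passing evidence."""
        status = self.requirement_status(bu)
        if not status:
            return 0.0
        return sum(1 for s in status.values() if s == "evidenced") / len(status)


def build_demo_catalog() -> ControlCatalog:
    # Constructed identifiers; they are not real clause numbers of ISO 27001, PCI DSS or any law.
    cat = ControlCatalog()
    cat.add_control(Control("PATCH-01", "Patch management",
                            frozenset({"ISO27001/patching", "LOCALREG/patching", "OPSPOL/patching"})))
    cat.add_control(Control("ACCESS-01", "Logical access control",
                            frozenset({"PCI/access", "PRIVLAW/access", "SECPOL/access"})))
    cat.add_control(Control("PCI-NET-01", "Cardholder-data network segmentation",
                            frozenset({"PCI/network"}), scope_tags=frozenset({"pci"})))
    return cat


# Constructed business units: only e-commerce is tagged into the PCI scope.
ECOMMERCE = BusinessUnit("ecommerce", {"pci"})
MANUFACTURING = BusinessUnit("manufacturing")


def run_demo() -> Dict[str, Dict[str, str]]:
    """Test a control once per BU and show the evidence propagating to every mapped obligation."""
    cat = build_demo_catalog()
    cat.record_test(ECOMMERCE, "PATCH-01", True)
    cat.record_test(ECOMMERCE, "ACCESS-01", True)      # PCI-NET-01 deliberately left untested
    cat.record_test(MANUFACTURING, "PATCH-01", False)  # one failed test fails three obligations
    return {bu.name: cat.requirement_status(bu) for bu in (ECOMMERCE, MANUFACTURING)}


if __name__ == "__main__":
    for bu_name, status in run_demo().items():
        print(bu_name)
        for req, state in sorted(status.items()):
            print(f"  {req:20s} {state}")
```

Two points the model makes visible: a single passing test of PATCH-01 evidences three obligations at once, while a single failure marks all three as failed, so the efficiency gain and the blast radius of a bad control come together; and the PCI requirement never appears in the manufacturing BU's report, because the targeted control is only pulled in by the scope tag.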