Every organization with a GRC program has a risk framework. Most of them are not actually using it. COSO ERM, ISO 31000, NIST RMF — take your pick. The framework is rarely the problem. The problem is implementation: risk assessments conducted by consultants who leave after 90 days, risk registers owned by nobody with authority to do anything about them, and residual risk accepted by people who do not understand what they are signing.

Risk Management as a Management Discipline

Risk management done well is a management discipline, not a compliance exercise. It changes how leaders make decisions. A CIO who understands the quantified financial exposure of their top five unmitigated risks makes different capital allocation decisions than one operating without that analysis. The purpose of an ERM program is to make that analysis available, credible, and timely — delivered in business terms that connect to the P&L, not in technical language that only the security team understands.

Where Most Programs Break Down

The Four Most Common Failure Points

  • Risk identification that is too narrow — organizations catalog IT risks and miss operational, third-party, and strategic risks where the real exposure often lives.
  • Likelihood and impact ratings that are guesses — without quantitative models or historical data, risk ratings become negotiated opinions rather than defensible assessments.
  • Remediation that is permanently unfunded — risk registers identify findings that never get resourced because they were never connected to the budget process.
  • No feedback loop on control effectiveness — if no one verifies whether last year’s mitigations actually reduced risk, the program is not learning from its own data.

A Practitioner’s Starting Point

When beginning an ERM engagement, the first step is mapping every risk to a business process and an owner — not an IT system and a security team. Ownership needs to sit with the person accountable for the business outcome. Once that mapping exists, risk conversations stop being about vulnerabilities and start being about continuity, liability, and competitive position. That shift in framing is when executives and boards start paying attention — and when the program starts producing decisions rather than documents.

Risk management is not finished when the register is published. It is finished when the register changes what the organization decides to fund, prioritize, and accept. If the register has no effect on decisions, it is documentation, not management.