Time to assess your ERM spending
Can your organization translate risks into financial impacts?
With risks becoming more intertwined, there’s seemingly no shortage of ways for companies to lose large sums of money.
So investing in enterprise risk management to help prevent or manage the catastrophic risks lurking in the shadows must be a no-brainer. But of course it isn’t. After all, risk management doesn’t directly generate profit—it identifies losses that may or may not happen and uses finite company resources to protect against them.
Making a financial case for an ERM program, then, isn’t so easy, even if you’re the CFO advocating for ERM to the board, CEO, or the rest of the C-suite. And if you’re the CFO weighing an allocation for ERM, well, that can be difficult, too, if you’re focused on the wrong measures.
Making it real. ERM leaders or other advocates must quantify the risks they’re tracking to show any tangible results from managing them, according to a panel of experts who spoke at Riskworld in early May.
Jason Venner, solution sales director at GRC software developer Diligent, recommended linking ERM programs to a handful of specific metrics that show the program’s financial return.
“Your ERM program, you can then say, has these three, or four, or five things that we’re tracking…to ensure that that outcome is happening,” he said.
For example, a company with medical malpractice risks can track changes in insurance premiums, rates, and costs as a way of monitoring how well it’s managing that risk. “Make it real to the board members,” Venner said.
Kelly Novak, assistant chief audit executive at The New York Times Co., said her team adds “materiality thresholds to each of our enterprise risks.” Because they quantified what’s considered a high-impact risk and the likelihood of it happening, “the lightbulbs have gone off a little bit more” with the folks who measure results in dollars and cents, she said.
“It resonates a little bit more when you start adding these materiality thresholds, and you align with them across the senior team,” Novak said.
Large exposures. Michael Levy, CEO of the internal audit and risk advisory firm Cherry Hill Advisory, said that organizations need to make certain assumptions—such as assigning a dollar figure to a risk exposure—when enumerating their ERM program’s benefits. Levy advised that business leaders be “transparent and clear about the taxonomy and methodology you’re using to quantify” risk exposure.
Those dollar figures attached to large exposures can cause some indigestion for finance chiefs and the board. “The CFO may not like the numbers, because some of the exposures are catastrophically large,” he added.
It’s not hard to find those “catastrophically large” risks in the wild. In February, utility company Edison International reported a roughly $1 billion impact (so far) from the 2025 Los Angeles-area wildfires. Jaguar Land Rover reported a roughly $736 million loss following a crippling cyberattack, which cost the UK economy overall an estimated $2.55 billion as of last October.
Long-term view. CFOs can sometimes be the impediment to effective ERM. (Are you blushing?) Levy said that when he led ERM at another organization (he did not specify the company), his CFO focused only on “actual savings” and not “potential savings.”
That thinking exemplifies why enterprise risk management must be a joint effort across the C-suite, Levy argued.
“That’s sometimes where the bigger executive team comes into play, because CFOs tend to be very focused on the financials,” he told the audience. “That is part of why the ERM program is bigger than the office of the CFO, at the end of the day.”
About the author
Alex Zank
Alex Zank is a reporter with CFO Brew who covers risk management and regulatory compliance topics. Prior to CFO Brew, he covered the property/casualty insurance industry.