top of page

How we think about ERM

At SERT we work in enterprise risk management (ERM) for some of the world's largest and most complex organizations. And yet, we often find different views on what ERM actually is. The way we often explain is by using the rock pool model.


The rock pool model of ERM offers a simple yet effective way to think about enterprise risk management. Instead of trying to address every single risk within an organization, the focus is on understanding the organization as a whole and managing risks accordingly. The analogy of a tidal rock pool helps to illustrate this concept.

The high ground in the rock pool represents areas where risks are being over-treated. These may be areas where too many resources are being allocated, resulting in inefficiencies and wasted effort. By identifying these areas and shifting resources to areas of lower risk, organizations can improve their risk management strategies and ensure that resources are being allocated effectively.

The holes in the rock pool represent areas where risks are being under-treated. These may be vulnerabilities or exposures that have not been adequately addressed, leaving the organization open to potential threats. By identifying these areas and allocating additional resources, organizations can better manage their risks and reduce their exposure to potential harm.

The use of sand in the rock pool model represents the resources that organizations can allocate to manage their risks. Just as a rock pool requires a certain amount of sand to be added in order to fill in the gaps and create a more even surface, organizations must allocate resources to manage their risks effectively. However, just as adding too much sand to a rock pool can create new risks, over-allocating resources to certain areas of an organization can create inefficiencies and waste.

The key to effective ERM using the rock pool model is to have a good topographic understanding of the high and low ground within an organization. This means identifying areas of high and low risk, as well as understanding how these risks are interconnected. By taking a holistic approach to ERM, organizations can improve their risk management strategies and ensure that resources are being allocated effectively.

Overall, the rock pool model offers a simple yet effective way to think about ERM. Instead of trying to address every single risk within an organization, the focus is on understanding the organization as a whole and managing risks accordingly. By identifying areas of high and low risk, and allocating resources accordingly, organizations can improve their risk management strategies and reduce their exposure to potential harm.



Recent Posts

See All

How to Assess a Risk Management Framework

There are many lousy risk management frameworks loose in the wild. Fortunately there are also a lot of excellent risk frameworks. But how do you tell the difference? To assess a risk management framew

How to Build a Lousy Risk Management Framework

A poor-quality risk management framework is just an incident/accident/catastrophe waiting to happen. It can and will undermine an organization's efforts to manage risks effectively and achieve its obj

Components and Indicators of a Risk Framework

A high-quality risk management framework, aligned with ISO 31000 guidelines, involves a well-structured approach that is integrated into all aspects of an organization. Such a framework is comprehensi

Comments


bottom of page