How to Explain ERM to Executives in 15 Minutes or Less

Executives and boards know risk management is critical. That doesn’t always mean they’re eager to talk about ERM with their Internal Audit and Risk teams.
Some think they have it handled and assume you’ll just overcomplicate the process. Others hear “ERM” as “They’re only going to tell me everything I CAN’T do.” Still others have had bad experiences with it, or no experience at all.
Executive consultant, professional speaker, corporate trainer, and long-time Internal Audit leader Linh Truong has faced these challenges many times, and she’s developed a proven formula for overcoming them: Simple language and graphics that make a compelling case for ERM in a context executives readily understand — all in around 15 minutes. Her approach can inspire yours.
THE BIG QUESTION: How Do You Engage Executives in ERM?
This question came up during a recent Internal Audit Collective roundtable. Many Internal Audit and ERM leaders struggle to get executives and boards to buy into the ERM process.
This is a high-stakes problem, because their participation is essential for:
- Improving decision-making (weighing opportunities vs. threats)
- Improving resilience, including risk ownership/accountability and a risk-aware culture
- Breaking down silos to increase knowledge-sharing and integration
- Enabling more effective risk responses
- Aligning ERM with strategy
THE BIG TAKEAWAY: Whether you’re facing eyerolls, deprioritization, or outright dismissal, none of these attitudes create a solid foundation for ERM. These business leaders need an education (or re-education) on what ERM is, how it works, and why it’s essential.
THE MISSION: Get Executives On Board, Talking, and Collaborating
Create a brief but polished presentation you can use for onboarding, annual organization-wide lunch-and-learns, or as an ERM “reintroduction” in board or executive meetings.
Deliver your key messages in under 15 minutes, using simple terms that get naysayers on board, engaged, and focused on strengthening ERM.
THE FRAMEWORK: 7 Key ERM Lessons in 15 Minutes
Lesson 1: Define ERM in the Simplest Terms Possible
You can’t assume everyone defines ERM the same way.
That’s why Linh’s presentation kicks off with a slide showing COSO’s ERM definition:
“The culture, capabilities, and practices integrated with strategy-setting and its performance that organizations rely on to manage risk in creating, preserving, and realizing value.”
It’s a fine definition. But to untrained ears, it can sound like consultant-speak.
That’s why Linh’s slide builds to include her simplified definition:
“ERM is how an organization identifies all the possible things (good and bad) that could happen as we execute our strategy so that we can be prepared to respond in a way that optimizes our outcomes.”
Linh’s definition:
- Explains ERM in clear, pragmatic terms. ERM helps organizations look at risk so they can be more prepared for whatever’s next. Who doesn’t want that?
- Ties ERM to strategy. ERM isn’t an add-on or special project. It’s integrated with strategy.
- Acknowledges that risks can be both “good” and “bad,” showing you know that (1) every action introduces risk and (2) some risks are worth taking.
Lesson 2: Reframe ERM Not as Risk Avoidance, But as “Finding the Sweet Spot”
Linh’s next slide recognizes risk as an integral part of doing business. The COSO graphic she uses reflects that:

- No organization can avoid risk-taking entirely. That would mean doing nothing, ever.
- Organizations should avoid excessive risk-taking, which can leave them without sufficient capacity to absorb the impact of potential risk events.
- The goal is finding the “sweet spot” between the two, optimizing risk-taking to increase value.
**ERM is the method organizations use to agree on and track the location of the sweet spot.**
Simple but ingenious.
Lesson 3: Clarify Roles and Responsibilities
ERM works best when there’s no grey area about who’s responsible for what.
Otherwise, executives may expect Internal Audit or ERM team members to perform critical duties that actually belong to management (e.g., risk mitigation).
That’s why Linh’s next slides succinctly spell out all parties’ ERM-related roles and responsibilities.
The critical message is that the board, management, Internal Audit, and the ERM team have distinct roles/responsibilities — and that at the end of the day, management establishes risk appetites/thresholds and owns risk management/mitigation.
Lesson 4: Spotlight “What’s In it for Them”
Sure, some executives may be managing their risks just fine — within their silos.
But that’s not how risk works. Today’s risks connect and overlap, their impacts rippling across the enterprise.
That’s why Linh stresses this key message: Risk doesn’t exist in silos. ERM pulls it all together.
Risk management is most effective when everyone agrees on the top risks, helping them prioritize and combine efforts, share information, and allocate resources.
Highlight relevant benefits for your organization, such as:
- Increased range of possible actions (considering positive/negative aspects)
- Improved ability to identify and respond to risks entity-wide
- No surprises or missed opportunities
- Improved enterprise resilience
Lesson 5: Define Key Terms
Reaching a common understanding is easier if everyone’s speaking the same language.
Linh shares five definitions that help make risk conversations more productive:
- Gross/inherent risk — the risk before controls
- Residual/net risk — the risk after controls
- Risk appetite vs. risk tolerance — Linh frames appetite as “How much risk are we willing to live with, and what’s the number beyond which we can’t accept more?” and risk tolerance as “When do we start to worry?”
- Enterprise risk assessment vs. the ERM process, concepts often conflated (the assessment is one activity within the ongoing ERM process, not the process itself)
- Key risk indicators (KRIs), a critical concept deserving a deeper dive
Lesson 6: Highlight the Difference Between KRIs and KPIs
Linh’s uber-brief primer:
- KPIs measure outcomes
- KRIs measure what drives the KPIs
- KRIs enable you to manage the underlying risks (not just their outcomes) by helping you track the chain of risks
During Linh’s time working in oil and gas, she found a great graphic depicting how unsafe acts build to near misses, accidents, and ultimately death.

The company’s risk tolerance was zero deaths, so reducing risk required managing down the pyramid and tracking KRIs at each level.
Linh still uses this graphic — in any industry — because it very quickly helps executives understand why KRIs are critical.
Lesson 7: Set Expectations for a Strategic, Ongoing Process
ERM starts and ends with strategy. It should be embedded in day-to-day operations.
Linh’s timeline slide renders this message simply but powerfully, laying out a year-long ERM timeline with four key touchpoints:
- January — Board Strategy Retreat to discuss key initiatives and strategic goals for the next 12–18 months
- April — Engage Stakeholders, meeting with C-Suite and other leaders to identify/understand their risks and mitigation plans
- June — Develop Audit Plan, incorporating strategic risks, mitigation plan (processes), and audit risk assessment; re-engage with C-Suite
- September — Board Approval of strategic plan, operational/capital budget, and audit plan/budget
WHY THIS WORKS: You’re Speaking Their Language
Executives and boards need to quickly understand how ERM affects and benefits them — “what’s in it for them.” They also need reassurance that they’ll remain in the driver’s seat on key decisions.
By using straightforward terms that tie ERM to tangible business benefits and align with leaders’ own strategic risks and objectives, Linh’s framework positions ERM as a collaborative, constructive, ongoing discussion that enhances business strategy, value, and performance.
Those are the words they want to hear.
THE LAST WORD: You Can’t Do It Without Them
As COSO’s ERM Integrated Framework reinforces, effective ERM must be aligned with business performance, strategy, and risk appetite.
You can’t do that unless your leaders are on board.
So, when you’re making your case for ERM, resist those ten-dollar words auditors love. Instead, use language that executives and boards readily understand, so they can see what’s in it for them.
Changing your approach really may change their attitudes.
