When practitioners, consultants and academics discuss leading organizational risk management practices, they hone in on people, processes and supporting technology. As major risk management failures in recent years have illustrated, mastering these three dimensions is necessary but not sufficient.
Effective enterprise risk management (ERM) — or any discreet risk management process — hinges on other dimensions as well, including organizational culture, behavior, ethics and change management … all the squishy, human stuff that defies convenient categorization in COSO cubes and other traditional risk management frameworks.