
Centralised or de-centralised risk management in your enterprise?

Enterprise risk management (ERM) can mean a single centralised risk management process, with one central risk register. ERM can also work through de-centralised risk management processes, with many distributed risk registers. Centralising and de-centralising both present serious challenges to the reality of risk management. Here’s a potential solution for de-centralised ERM—and it isn’t standardisation in a central database.

ERM can mean a centralised risk register with a single set of scales for likelihood and consequence. The challenge of the central risk register is getting real and meaningful participation from all managers at all levels. Managers at lower levels will struggle to understand how ‘their’ risks affect enterprise achievement of enterprise objectives. They will also feel excluded when ‘their’ risks are classified as minor, ‘non-key’ or ‘non-strategic’ at the enterprise level. For them, risk management may not be part of management as they live it. With that massive reservation, centralised ERM can make sense.

ERM can also mean de-centralised risk registers, maintained separately by managers at all levels throughout the enterprise, from the Board or C-suite downward. They may all use different scales for likelihood and consequence. Most enterprises already have multiple separate risk management processes, established at different times for different reasons. The benefit of de-centralised risk management is that risk management is then part of all management. The challenge with de-centralised risk management is pulling all the assessments together for an enterprise view. Setting aside that massive challenge, de-centralised ERM makes a lot of sense.

A popular response to that challenge is to standardise the de-centralised risk registers and scales, perhaps within a corporate database containing all the risks in all the registers.

I don’t believe that response can actually work to build ERM.

First, standardisation hints that lower-level risks might be somehow ‘added together’ to produce total exposures for the enterprise. But standardisation doesn’t provide a valid way to do that, short of complete centralisation. Risks are not data points, like survey responses. They are not data at all: data means ‘things given’. They cannot be counted or added together to produce valid statements about reality.

Second, there is a fundamental problem that affects both centralisation and de-centralisation of risk management. Lower-level and specialist managers naturally identify risks with a long and uncertain pathway to effects on enterprise objectives. Lower-level risks are very hard to rate at enterprise level. Standardisation of registers and scales does nothing to solve that problem. You get some help from taking the reasonable worst case for the enterprise effect of each risk event.

I suggest there is a much better response to the challenge of pulling together de-centralised risk assessments for ERM. That response is for managers at each level to understand the implications of risk assessment at lower levels, when assessing risks at their own level. Each level of risk assessment recognises all the lower levels. Each level of risk assessment contributes to an understanding of risk at a higher level. The highest level is the enterprise level.

There is a hierarchy of objectives at each enterprise level. Risk management is about the effects of uncertainty on the objectives at each level.

In that way, every manager is a risk manager, and risk can be a consideration in every decision. Each one of them is working with the risks they know and understand. The management hierarchy completes the pathways from low-level events to effects on enterprise objectives, through each layer of risk assessment.

So why not? How do you centralise, de-centralise, or integrate enterprise-wide risk management?

A longer version of this article appears within the Clear Lines on Audit and Risk. It digs deeper into fundamental concepts to support each point. I got a lot of help on this topic from Steve Daniels FMS, FIOR, FBCS, CITP, while we were developing an explanation of the Reasonable Worst Case in 2018.


Published at with the consent of the author

Roger Lines

About author

Clear Lines on Audit and Risk

Experienced leader for internal audit, assurance, risk and business continuity. CIA and CISA qualified, with further risk management qualifications from IIA and ISACA.