.png)
In the latest episode of SRA Watchtower's Risk Intel Podcast, Dan Bailey and Eric Bonnell shared their experiences as Chief Risk Officers (CROs) in navigating the complexities of enterprise risk management. Their candid discussion covered frameworks, tools, and strategies to achieve integrated risk management while aligning with organizational objectives. Below are five key takeaways from their insightful conversation.
Dan and Eric stressed that risk management cannot thrive in silos. They argued that integration between the second and third lines of defense is fundamental to achieving a cohesive approach to risk. Rather than treating these functions as isolated entities, organizations should foster a collaborative environment where insights are shared, and processes are aligned.
“Independent does not mean isolated,” Dan emphasized. “Second line can have a partnership with the third line. Audit isn’t off in their perch with binoculars—it’s about collaboration and understanding expectations.”
This integrated approach amplifies the ability to identify risks early and address them proactively. It also brings underrepresented areas, such as control self-assessments or third-party risk, into broader risk discussions. By aligning these processes, organizations can create a comprehensive risk profile that resonates across all levels, including senior management and the board.
A recurring theme in the discussion was the critical need for a well-defined framework before adopting tools or technologies. According to Eric, many organizations fall into the trap of starting with a tool and then attempting to build a framework around it. This can lead to inefficiencies and tools that fail to meet the organization's specific needs.
“If you start with the tool, you risk fitting a square peg into a round hole,” Eric cautioned. “Frameworks guide how tools should function, not the other way around.”
Building a strong framework involves establishing a clear taxonomy for risk, identifying key processes, and understanding the organization’s risk appetite. Tools should then align with and enhance these elements, not dictate them. When frameworks come first, organizations can select technologies that genuinely support their risk management goals and regulatory requirements.
One of the most challenging aspects of risk management is communicating complex information in a way that resonates with stakeholders. Dan and Eric highlighted the importance of storytelling in translating data into actionable insights. Effective storytelling ensures that risk managers are not just presenting numbers but framing them within the organization’s broader context.
“I need a way to tell the story: Here’s our risk, here’s our appetite, and here’s where we are,” Eric explained. “With a good system, I can spend more time explaining the ‘why’ behind the data instead of manually compiling it.”
This approach transforms risk reporting from a static exercise into a strategic conversation. By leveraging dashboards and visualizations, risk managers can communicate risks more effectively to boards and committees, enabling them to make informed decisions that align with the organization’s objectives.
While advanced features are essential for risk managers, tools must also be accessible to first-line users who may not have a deep understanding of risk concepts. Dan emphasized the importance of intuitive design in ensuring adoption and engagement across the organization.
“You’re asking people to think in a way they don’t normally think,” Dan said. “If the system isn’t easy to use, they’ll stop using it.”
To address this challenge, tools should simplify complex concepts such as inherent and residual risk, making them more approachable. For example, demonstrating how control maturity impacts risk levels can help users see the tangible benefits of their actions. Intuitive systems foster greater participation, ensuring the entire organization contributes to a unified risk management strategy.
Dan and Eric agreed that tools built by subject matter experts are far more effective than those developed without a deep understanding of risk management challenges. Tools designed with expertise at their core align more naturally with frameworks and workflows, reducing the need for customization and increasing their long-term value.
“If the software isn’t built by subject matter experts, it doesn’t allow for the maturity of risk management,” Eric noted. “Vendors often focus on features and functions instead of addressing the real use case.”
Organizations should prioritize tools that solve specific problems rather than being drawn to flashy features. This approach not only streamlines implementation but also ensures that the tool evolves alongside the organization’s risk management maturity, supporting growth and adaptation over time.
The episode concluded with a teaser for future discussions on AI’s role in risk management. As tools and technologies evolve, leveraging AI could unlock new possibilities for identifying, assessing, and mitigating risks.
This conversation is a must-listen for risk professionals navigating today’s interconnected landscape. By focusing on integration, frameworks, storytelling, and user-friendly tools, organizations can achieve a more effective and holistic approach to enterprise risk management.
%20(600%20%C3%97%20350%20px)%20(1).png)
.png)
%20(350%20%C3%97%20400%20px)%20(1000%20%C3%97%20800%20px)%20(2).png)