
Rock pools and risk management

  • Julian Talbot
  • Sep 21, 2020

Updated: Sep 23, 2020


I often find people have varying ideas about 'enterprise risk management', and many managers think it means identifying and treating every risk across an organization. While that sounds nice in theory, the reality of ERM is that we need to understand the organization as a whole. The idea is to understand and manage the risks for the overall organization, not the individual parts.


In explaining (my view of) enterprise risk management over the years, I've evolved this mental model. Hope it helps.




The main concept of the 'rock pool' model of risk is to think of Enterprise Risk Management (ERM) as a tidal rock pool. There is some high ground, such as rocks we can stand on, but there are also many holes we could twist an ankle in.


Rather than get down in the weeds and look for every little risk (hole), we need to take a topographic view. We can't simply dump a truckload of resources (sand) to level it out to a 'low risk' or at least 'evenly distributed' risk profile. Nor can we hunt down every single vulnerability or risk exposure.


We can, however, see where we are overtreating risks (the high spots) and roll some of those rocks (resources) into holes that need filling.


If we have a good topographic understanding of the high and low ground, we can also judiciously spread some bags of sand (money/resources) to fill the gaps.


 
 
 
