by David Walter – February 8, 2010

The first alpine mountain I ever climbed was Mt. Hood in Oregon, which soars to the amazing height of 11,239 feet. My initial glimpse of the summit was from Timberline Lodge at the foot of the mountain, and I’ll be honest with you—I was terrified by the view. But I was fortunate to have a terrific guide, who walked me through the process of outlining all the risks, evaluating those risks and deciding how to respond to them.

We started by listing our risks: weather, our physical limitations, lack of mental toughness, frostbite, falling, dehydration, etc. Then we discussed how to reduce our risks by bringing extra water, clothing, back-up ropes and so forth. We also talked about avoiding risks by continually checking the ice conditions and weather and turning around if things looked bad. For some risks, like falling off the mountain, we decided that we’d share the load by short-roping (a technique where you tie yourselves together with rope so if one person falls, the other can dig in and prevent a disaster). Finally, we talked about transferring risks by having the guide there. I only had to worry about myself and a few key tasks (keeping warm and staying fueled and hydrated), and my guide would take care of monitoring the weather and bringing the right equipment.

At the conclusion of this conversation, I felt much more at ease and mentally prepared for our ascent. I also had a realization: My guide had just fully utilized the COSO-based risk management methodology of Identify, Evaluate and Respond.

Since this first ascent up Mt. Hood, I’ve used mountain climbing as an analogy for building an enterprise risk management program. For any organization, large or small, you need to identify your risks, prioritize them, and then put together a plan for reducing, transferring, sharing or avoiding your risks, starting with the high-priority ones first.

I’ve often shared my Mt. Hood adventure with customers who are looking to implement a best-practice risk management program but don’t know how to get started. And because I’ve been asked so many times how to get an ERM program off the ground—particularly lately as companies are under increased pressure to solidify their approach to risk management—I decided to document the advice I consistently give in a short impact brief titled “How to Get Started with Enterprise Risk Management,” which you can download free from the Archer web site.

I invite you to read my impact brief and share your comments here on the Archer blog. In particular, I’d like to know your thoughts on the following questions:

What scale do you use to evaluate and prioritize risks? High/Medium/Low or a more complex scale?

How are you showing value to your organization from your risk management processes?

How has technology played a factor in the success of your risk management efforts, specifically around efficiency, ease of use and flexibility for growth?

For those of you planning to attend the Archer GRC Summit in April, I’ll be leading further discussion on the topic of getting started with enterprise risk management. I anticipate a lot of great interaction, and I hope you’ll plan to join us. If you haven’t already registered for the Summit, I encourage you to sign up today on the Archer web site.