How does one re-organize an ERM system/ process of a large conglomerate? The question relates to an enterprise with multiple business lines that has local risk management functions at the respective businesses, an enterprise-wide group internal controls and risk management team, and an enterprise-wide internal audit team.

COO, 7 days ago

Hello, I have written the following paper on this subject:

Title: The Reorganization of an ERM for a Corporation in Motion: An Agile Framework for Federated Structures
Xavier Thomas, PhD Candidate

Abstract
This paper aims to propose a comprehensive process and set of best practices for reorganizing an Enterprise Risk Management (ERM) framework within a "corporation in motion"—an enterprise characterized by high dynamism, such as rapid growth, digital transformation, or frequent M&A activity. It specifically addresses the inherent complexities of a federated organizational structure, where multiple business divisions (BUs) maintain their own risk management functions, operating in parallel with a centralized, top-down Group Internal Control and Risk Management team and a separate, enterprise-wide Internal Audit team. The traditional, static "Three Lines of Defense" (3LOD) model often fails in this environment, creating silos, duplication of effort, and reactive compliance. This paper argues for its reorganization into an Agile Risk Operating Model that redefines these three functions not as rigid "lines," but as a dynamic, collaborative, and forward-looking ecosystem focused on value protection and creation. We present a five-step reorganization process and a set of best practices designed to foster agility, clarity, and strategic alignment, ensuring the ERM framework functions as a strategic enabler rather than a bureaucratic hurdle.

1. Introduction
The modern corporation is in a state of perpetual motion. Driven by technological disruption, shifting geopolitical landscapes, and evolving market demands, static business models—and the static risk management frameworks designed to protect them—are no longer viable. For large, complex enterprises with multiple business divisions, this challenge is amplified. These organizations often operate a federated risk model where individual BUs manage their own risks, while a central "Group" team attempts to impose enterprise-wide control and an "Audit" team provides retrospective assurance.

This federated structure frequently leads to significant friction and ineffectiveness:

Gaps & Overlaps: The BU risk functions (the First Line) and the Group Risk team (the Second Line) often perform redundant activities or, worse, leave critical emerging risks unaddressed.

Strategic Misalignment: BU risk teams may focus excessively on local operational risks, losing sight of the enterprise-wide strategic risks that the Group team is tracking.

"Us vs. Them" Culture: A compliance-driven, top-down approach from the Group team can create antagonism, leading BUs to view risk management as a "check-the-box" exercise that stifles innovation.

Reactive Posture: Internal Audit (the Third Line) often reports on control failures months after the fact, providing little forward-looking value to a business that is moving at high speed.

This paper provides a blueprint for reorganizing this disjointed structure. The goal is to transform the ERM function from a fragmented, defensive model into an integrated, agile ecosystem that supports strategic decision-making in a corporation "in motion."

2. The Reorganization Process: A Five-Step Approach
Reorganizing a federated ERM framework requires a structured, top-down mandate and bottom-up engagement. The following five-step process is proposed:

Step 1: Diagnostic and Mandate
Before any change can occur, a clear mandate must be secured from the Board of Directors and executive leadership (C-Suite). This phase involves:

Current State Assessment: Perform a candid assessment of the existing ERM framework. This includes interviewing stakeholders across all three "lines" (BU Risk, Group Risk, Audit) and key business leaders. The goal is to identify specific pain points, redundancies, gaps, and cultural barriers.

Define the "Case for Change": Clearly articulate why the reorganization is necessary. Link the ERM framework's failings to tangible business issues (e.g., slow decision-making, unexpected losses, missed strategic opportunities).

Establish a Guiding Coalition: Create a steering committee with executive sponsorship, including leaders from the BUs, Group Risk, Audit, and strategic functions.

Step 2: Define the "To-Be" Agile Operating Model
This is the core design phase. Instead of just redrawing an organizational chart, the focus is on defining interactions and accountabilities.

Clarify Roles: Explicitly redefine the three lines (see Best Practices below).

Design Information Flows: Map out how risk information will be collected from BUs, aggregated by the Group team, and used in strategic decisions. This includes defining the data, systems, and communication channels.

Develop the Governance Charter: Draft a new ERM policy and charter that outlines the new model, its purpose, and the specific responsibilities of each entity (BU Risk, Group Risk, Audit, and business management).

Step 3: Redefine and Cascade the Risk Appetite
A "corporation in motion" must be empowered to take risks, not just avoid them.

Establish an Enterprise Risk Appetite Statement (RAS): The Group team, in collaboration with the C-Suite, must define the types and amount of risk the enterprise is willing to accept to achieve its strategic objectives.

Cascade and Translate: The BU risk teams are responsible for translating this high-level RAS into practical, quantitative, and qualitative risk tolerances and limits for their specific business operations. This ensures BU-level decisions align with group-wide strategy.

Step 4: Implement Enabling Technology
An agile model is impossible without a common technology backbone.

Select a GRC Platform: Implement a single Governance, Risk, and Compliance (GRC) or Integrated Risk Management (IRM) system. This "single source of truth" is non-negotiable.

Integrate Data: The platform must allow BU risk teams to input their risk assessments, control tests, and incident data locally. The Group Risk team then uses the same platform to aggregate this data, run analytics, and generate enterprise-level reports for leadership.

Step 5: Embed, Monitor, and Iterate
Reorganization is not a one-time project; it is the starting point for a new culture.

Train and Communicate: Launch a comprehensive training and communication campaign to ensure everyone—from the front-line operators to the Board—understands the new model, their role within it, and the "WIFM" (What's In It For Me).

Focus on Culture: The Group Risk team must shift its mindset from "policing" to "partnering." They must actively work to build trust and demonstrate value to the BUs.

Establish Feedback Loops: Create formal mechanisms (e.g., quarterly risk forums) where BUs, Group Risk, and Audit can discuss what is working, what is not, and how to adapt the framework to new business challenges.

3. Best Practices for the Reorganized, Federated ERM
The success of the reorganization hinges on adopting a new philosophy. The traditional "Three Lines of Defense" model is rebranded as the "Three Lines of Value" model.

Best Practice 1: Redefine the Three Lines for Agility
First Line (The BUs & their Risk Teams): Risk Owners and Partners.

Role: The business units themselves own the risks they take. The embedded BU risk management functions are not a second line; they are "Line 1.5" business partners.

Mandate: Their primary job is to help the BU achieve its objectives safely. They provide expert advice, facilitate risk assessments (e.g., RCSAs), and help design and implement effective controls. They are the first line of expertise, not just defense.

Second Line (The Group ERM & Control Team): Enablers and Specialists.

Role: This team is a lean Center of Excellence (CoE), not a risk-processing factory.

Mandate: They enable the First Line by providing the tools, methodologies, and framework (e.g., the GRC system, the risk appetite). They challenge the First Line's assumptions and assessments. They aggregate BU-level data to identify enterprise-wide risk concentrations and emerging trends. They own specialized risk areas (e.g., treasury risk, enterprise-wide compliance) that do not sit in a single BU.

Third Line (The Enterprise-Wide Internal Audit Team): Assurance and Foresight.

Role: Independent, objective assurance providers.

Mandate: Their primary role remains providing independent assurance to the Board on the effectiveness of the First and Second lines. In a "corporation in motion," their role must expand to include forward-looking advisory. They should be auditing the agility of the risk framework itself and providing foresight on emerging risks and control needs before they result in a loss.

Best Practice 2: Establish Dynamic, Integrated Governance
The three lines must not operate in silos. They must be connected by a "connective tissue" of dynamic governance.

The "Three Lines Forum": Establish a formal, standing committee (e.g., quarterly) co-chaired by the heads of Group Risk and Internal Audit. The BU risk leaders must attend. This is not a reporting session; it is a working session to de-conflict work, share findings, and identify emerging risks.

RACI Clarity: Use a detailed Responsibility, Accountability, Consulted, and Informed (RACI) matrix to eliminate ambiguity. For example, for "Cybersecurity Risk":

Accountable: Business Unit Head (owns the risk to their P&L).

Responsible: BU Risk Team & BU CISO (implements controls).

Consulted: Group Risk (provides framework), Internal Audit (provides advice on control design).

Informed: Group C-Suite, Board.

Best Practice 3: Link Risk to Strategy and Performance
ERM reorganization will fail if it is seen as purely a compliance function.

Integrate with Strategic Planning: The Group ERM team must have a seat at the table during the annual strategic planning process. The risk-reward trade-offs of new initiatives (e.g., entering a new market, launching a new product) must be explicitly debated using the risk appetite.

Embed in Performance: Link performance metrics and compensation for BU leaders to their effective management of risk, not just their financial results. This provides the "teeth" to make the First Line truly own their risk.

4. Infographic: The Agile Risk Operating Model
Below is a description of an infographic visualizing the reorganized framework, replacing the static, linear 3LOD model with a dynamic, cyclical one.

Title: The Agile Risk Operating Model

Core (Center of the graphic):

"Business Strategy & Objectives"

This is the "motion" of the corporation. Everything the ERM framework does must relate back to enabling this strategy.

Three Concentric, Interactive Rings (moving from inside out):

Ring 1: "The Business" (First Line / Line 1.5)

Label: Own & Manage

Key Entities: Business Units, Operations, Embedded BU Risk Teams.

Key Activities: Identify & assess risk, implement controls, business-partnering, execute strategy, report risk incidents.

Arrow: A two-way arrow connects this ring to the center ("Strategy").

Ring 2: "Group Risk & Control" (Second Line)

Label: Enable & Challenge (Center of Excellence)

Key Entities: Group ERM, Compliance, Information Security.

Key Activities: Set framework & policy, define risk appetite, aggregate risk, provide expert analysis, challenge BU assumptions, report to leadership.

Arrows: Two-way arrows connect this ring to Ring 1 (showing support and challenge) and to the Board (showing reporting).

Ring 3: "Internal Audit" (Third Line)

Label: Assure & Advise (Independent Foresight)

Key Entities: Enterprise-Wide Internal Audit.

Key Activities: Provide independent assurance on Ring 1 & 2 effectiveness, audit high-risk areas, advise on emerging risks, report to Audit Committee.

Arrows: An arrow originates from this ring, pointing at the entire model (Rings 1, 2, and the Center), signifying its independent oversight of the whole system. A separate arrow points directly to the Board/Audit Committee.

Outer Layer (Surrounding the entire graphic):

"Governance & Culture"

This layer binds the entire model together. It contains the key elements: Board & C-Suite Oversight, Common GRC Technology, and A Shared Culture of Risk Accountability.

Key visual cue: The "lines" between the rings are dotted and permeable, with two-way arrows flowing between all of them, illustrating continuous communication and collaboration, not rigid hand-offs.

5. Conclusion
Reorganizing an ERM framework in a dynamic, federated corporation is a profound cultural and operational undertaking. It is a shift away from the "cost of doing business" to a "component of strategic value." By moving from a static "Three Lines of Defense" to an Agile Risk Operating Model, the organization can clarify accountability, break down silos, and harness the collective expertise of its BU, Group, and Audit teams.

The successful reorganization redefines the relationship between these three critical groups: the BU risk teams become valued partners to the business, the Group risk team becomes a strategic enabler and Center of Excellence, and Internal Audit provides value-added foresight. This integrated ecosystem, powered by common technology and a shared culture, allows the "corporation in motion" to not only defend itself but to move faster, take smarter risks, and seize strategic opportunities with confidence.

Contact me for additional information.
Xavier

Chief Information Security Officer, 10 days ago

The core challenge in a multi-business conglomerate is reconciling the Group's need for a single view of risk with the local mandates for specific regulatory compliance. Our proven approach resolves this by implementing a centralized, cross-mapped framework that standardizes controls while accommodating localized requirements. The following can be accomplished with Risk Cognizance IRM (Integrated Risk Management) https://www.gartner.com/reviews/market/grc-tools-for-assurance-leaders/vendor/risk-cognizance/product/risk-cognizance

1. Establish the Foundational Control Framework
Our first priority is standardization. We move beyond fragmented local control sets by establishing a single, robust Group Control Baseline.

Determine Universal Requirements: We begin by aggregating all mandatory compliance requirements across all business lines, focusing heavily on IT and security mandates (e.g., NIST, ISO 27001, or industry-specific regulations).

Select a Master Framework: We adopt a recognized standard (like ISO 31000 or the NIST Risk Management Framework) as the Master Control Framework. This provides the foundational, high-quality structure and rigor needed to address most core technology and operational risks.

Map and Customize: We customize this master framework into a Group Control Catalog. Every control is now defined once at the Group level, but cross-mapped to all relevant compliance obligations (e.g., a "Patch Management" control maps simultaneously to ISO 27001, a specific local regulatory rule, and the internal operations policy).

2. Implement Integrated Risk Management (IRM) via Technology
Leveraging your expertise, the next critical step is deploying a technology solution that enables this single-framework model.

Risk Cognizance IRM System: We implement an Integrated Risk Management (IRM) system, utilizing its core cross-mapping capability. This system serves as the Single Pane of Glass for the entire conglomerate.

Efficiency of Evidence: Because controls are defined and tested once but cover multiple compliance requirements, the management of evidence and controls becomes highly efficient. A single successful control test (e.g., verifying access controls) automatically provides evidence for all linked compliance requirements (e.g., PCI-DSS, local privacy laws, and general security policy).

Addressing Specific Needs (e.g., PCI): For highly specific regulatory needs, such as PCI-DSS for e-commerce BUs, the IRM system tags the relevant business lines and automatically incorporates the additional, targeted controls into their assigned control set, all while remaining managed within the overarching Group framework.

3. Strategy for Governance and Reporting
This standardized, technology-enabled approach fundamentally reorganizes risk governance:

Centralized Reporting: The Group Internal Controls & Risk Management team now aggregates all risk and control data efficiently, providing clear, consistent, and evidence-backed reporting on the conglomerate's risk posture.

Increased Oversight: This efficiency frees up the Group team's time to focus on challenging high-impact risks and providing strategic advice, moving away from manual data collection.

This is superior because it maximizes efficiency by testing once to satisfy multiple requirements, directly supporting the Board's need for a coherent, enterprise-wide view of risk. While a multi-tenant separation is feasible for highly siloed or legally distinct entities, it significantly increases compliance workload and dilutes the benefit of managing risk as one enterprise.

1 Reply
no title, 8 days ago

Jeffrey, Thanks for your inputs.
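
The cross-mapped Group Control Catalog and tag-driven PCI scoping described in the post above, modelled as an added Python example (this is neither Risk Cognizance code nor the poster's own; the control ids, clause references, business units and test results are all constructed). It shows the test-once mechanism from both sides: one passing control evidences every obligation it maps to, and one failing control fails all of them at once.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    obligations: FrozenSet[str]                  # every obligation this one control evidences
    required_tags: FrozenSet[str] = frozenset()  # empty = Group baseline, assigned to every BU

# Constructed sample catalog: control ids, names and clause references are illustrative only
CATALOG: List[Control] = [
    Control("GC-01", "Patch management",
            frozenset({"ISO27001:A.8.8", "LOCAL-REG:12", "OPS-POL:4.2"})),
    Control("GC-02", "Access control review",
            frozenset({"ISO27001:A.5.18", "PRIV-LAW:7", "SEC-POL:3.1", "PCI-DSS:7.2"})),
    Control("GC-03", "Log retention",
            frozenset({"ISO27001:A.8.15", "LOCAL-REG:19"})),
    # Targeted controls: pulled into a BU's control set only when it carries the "pci" tag
    Control("PCI-01", "Cardholder data encryption", frozenset({"PCI-DSS:3.5"}), frozenset({"pci"})),
    Control("PCI-02", "Quarterly external scan", frozenset({"PCI-DSS:11.3"}), frozenset({"pci"})),
]

# Constructed BU register: a BU's tags decide which targeted controls it inherits
BUSINESS_UNITS: Dict[str, Set[str]] = {"Ecommerce": {"pci"}, "Industrial": set()}

# Constructed test cycle for the Ecommerce BU: PCI-02 has not been tested yet
ECOM_RESULTS: Dict[str, bool] = {"GC-01": True, "GC-02": True, "GC-03": True, "PCI-01": True}

def assigned_controls(catalog: List[Control], bu_tags: Set[str]) -> List[Control]:
    """Group baseline plus any targeted controls whose required tags the BU carries."""
    return [c for c in catalog if c.required_tags <= frozenset(bu_tags)]

def coverage(catalog: List[Control], bu_tags: Set[str],
             test_results: Dict[str, bool]) -> Dict[str, str]:
    """Per obligation: 'evidenced' if every mapped control passed, 'failed' if any failed, else 'untested'."""
    assigned = assigned_controls(catalog, bu_tags)
    status: Dict[str, str] = {}
    for obl in {o for c in assigned for o in c.obligations}:
        # One control test result is reused for every obligation the control is mapped to
        results = [test_results.get(c.control_id) for c in assigned if obl in c.obligations]
        if any(r is False for r in results):
            status[obl] = "failed"
        elif all(r is True for r in results):
            status[obl] = "evidenced"
        else:
            status[obl] = "untested"
    return status

def framework_summary(status: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Roll obligation status up to framework level for Group-wide reporting."""
    summary: Dict[str, Dict[str, int]] = {}
    for obl, st in status.items():
        framework = obl.split(":", 1)[0]
        summary.setdefault(framework, {"evidenced": 0, "failed": 0, "untested": 0})[st] += 1
    return summary
```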

CEO in Services (non-Government), 10 days ago

Organizing ERM processes and governance that includes the Business Lines is a difficult but required step here. Business Lines love to retain control of governance processes locally but will have to be brought along in terms of the needs of the Enterprise. I do think 1-1 time with BL risk owners in advance of convening ERP governance boards is key to the success of the entire effort. "Stakeholder Analysis", to use a well-worn term, is vital to inclusion here.

1 Reply
no title, 8 days ago

Craig, thanks for your insights! MG.

Integrated Risk Management, Senior Director in Manufacturing, 10 days ago

ERM "old school" is shifting to an IRM (Integrated Risk Management) approach, with more engagement & visibility across risk functional leaders. IRM is becoming the umbrella to manage enterprise risks, and within IRM several risk-based programs are developed in line with the Company's objectives. The three lines of defense continue to be a pivotal component to ensure that no risk is left unattended. Finally, the IRM concept is showing added value to the business, especially when the Business Strategy is involved from the risk perspective. Food for thought!

1 Reply
no title, 8 days ago

Carlos, noted ERM transition to IRM - a hard fight for the team IMO. MG.