Former British Prime Minister Winston Churchill seemed to have a problem with democracy. He famously said, "Democracy is the worst form of government, except for all those other forms that have been tried." Greek philosopher Plato agreed, putting democracy near the bottom of his list of five types of government (aristocracy, timocracy, oligarchy, democracy and tyranny).

Most people agree that democracy is a good thing, but does it relate to our professional lives? More specifically, is it possible to develop a democratic approach to enterprise risk management (ERM)?

One key characteristic of democratic systems is decentralization. This has been evident in government structures and policies since the 19th century, and it has also influenced the business world as a strategy for developing organizations and procedures.

Is the same true of ERM? Many people view ERM as a centralizing function in an organization, enforcing a single "right way" to do risk management, and collecting and combining risk information to present to senior leaders in support of their overall management of the business.

What would "Democratic ERM" look like? We should expect it to be characterized by decentralization, in the following ways:


ERM usually involves a central risk department with responsibility for overseeing risk management across the organization, perhaps with a chief risk officer in command. But this centralized approach can lead to unrealistic outputs if the ERM function becomes detached from the rest of the organization.

Instead, everyone across the whole organization should have responsibility for managing risk in their areas of responsibility. Risk practitioners should also be in place throughout the organization to provide support and guidance to project, operational and functional teams.

This more decentralized approach to managing risk is a feature of Democratic ERM, and it will ensure that risk is managed at the right level, closest to where it affects the organization.


Risk is defined in relation to objectives. Decentralization leads to the top-down development of a coherent hierarchy of objectives at multiple levels throughout the business, with lower-level objectives aligned to the strategic objectives of the overall organization. It is then possible to manage risk at each level, linking risks to the objectives at that level.

Democratic ERM coordinates the various levels of risk management, ensuring that common standards are applied and escalating risks as required. An ERM approach that only considers strategic objectives is more like dictatorship than democracy.


It is appropriate for overall risk policies and standards to be set at the ERM level, to be followed by the whole organization. But Democratic ERM allows lower levels of the organization the freedom to develop their own specific risk procedures, with flexibility to tailor the risk approach within the overall minimum requirements set by ERM.

Risk management is not "one size fits all."


The same is true for the risk infrastructure across the organization. Effective risk management does not require a single risk tool to be used for all purposes, although it might be efficient in some circumstances.

Democratic ERM allows different risk tools to be used for different purposes, as long as they are used consistently and properly integrated.

Centralization is not an inevitable feature of ERM. A decentralized approach can be much more effective. To promote Democratic ERM within the organization, the ERM function should:

  • Coordinate, support and encourage the efforts of others who are taking responsibility to manage risk at their own level in the business
  • Ensure that all identified risks relate to specific objectives that are aligned with overall strategic objectives
  • Set minimum standards for risk procedures, and allow the risk approach to be tailored to meet the specific needs of different parts of the organization
  • Provide consistency in risk information by managing interfaces across risk tools

If Churchill or Plato knew about Democratic ERM, they might have had something positive to say about it.