The Four “Ms” of Enterprise Risk Assessments

In Lewis Carroll’s 1865 novel, Alice’s Adventures in Wonderful, the following infamous exchange between Alice and the Cheshire Cat occurs:

“Would you tell me, please, which way I ought to go from here?”

“That depends a good deal on where you want to get to,” said the Cat.

“I don’t much care where –” said Alice.

“Then it doesn’t matter which way you go,” said the Cat.

“– so long as I get somewhere,” Alice added as an explanation.

“Oh, you’re sure to do that,” said the Cat, “if you only walk long enough.”

The same might be said of Enterprise Risk Assessments. What you assess and where your ERA takes you depends on what you want to discover in the ERA process. Completing that assessment so that it achieves something of meaning requires consideration of key elements. We’ve boiled our considerations down to four “Ms”:


The best ERA provides meaningful insights into how your institution approaches Enterprise Risk Management (“ERM”) or how it manages ERM. There are numerous ways to achieve ERM, so the ERA must present the management approach and how that approach is logical given the capacity and risk of the institution.


The best ERA takes the approach of the institution and analyzes it against the environmental risk factors it faces. The environmental consideration should incorporate all departments of the institution and include the core seven risk categories:

  • Strategic
  • Credit
  • Interest Rate
  • Liquidity
  • Transaction
  • Compliance
  • Reputation


The best ERA provides a combined quantified measurement of risk as well as qualifications of that risk. It presents both level and trending factors to allow key decisions regarding strategies and risk mitigation.


The best ERA isn’t about a bunch of checkboxes. It must be more. After all, you don’t do the best strategic plan to complete an exercise for the regulators. No, the best ERA works as the most important tool in the institution’s ERM efforts. It guides and directs the institution to constantly improve.
When these core elements are in place, the institution will know that it is going places. It will have a powerful document that says, “We’re here, we’re going there, these are the risk factors, and this is what we’re doing to offset them.”
Now that is getting somewhere.