Gartner Blog Network


10 Critical Elements of a Successful Risk Management Program

by John A. Wheeler  |  January 17, 2014  |  5 Comments

The pressure to build and sustain a successful risk management program is rapidly increasing. Just this week, major U.S. financial institutions were given notice by the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) that they must prepare to meet a new set of risk management standards and guidelines. According to the OCC’s news release, the proposed guidelines set forth the minimum standards for the design and implementation of an institution’s risk governance framework and provide minimum standards for oversight of that framework by the board of directors.

Central to these new guidelines is the need for a solid blueprint for success. Gartner has identified 10 critical elements that companies must address to integrate their enterprise risk management (ERM) framework with their governance, risk and compliance (GRC) technologies to create a risk-aware culture within the business. The following 10 elements (or what we call the “10 A’s”) and related questions form the basis of our ERM/GRC Blueprint.

  1. Appetite – How much risk are we willing to accept to achieve our strategic goals?
  2. Aggregation – How do we understand and articulate our total risk exposure in relation to a given strategic objective?
  3. Assessment – What is our current level of inherent and residual risk related to our strategic goals?
  4. Analytics – How can we model risk events that will have a material impact on our business operations?
  5. Applications – What technology is required to enable collaboration and communication of risk- and compliance-related information to support business performance and decision making?
  6. Architecture – How are GRC applications, automated and manual controls, risk monitoring, and risk and compliance reporting incorporated into enterprise architecture?
  7. Assurance – What policies, processes and controls are required to meet strategic objectives, as well as legal and regulatory mandates?
  8. Accountability – How do we reinforce the ownership of risk and control within the enterprise?
  9. Action – How can we ensure that employees act in the best interests of the company and within established risk tolerances?
  10. Achievement – What risk metrics are required, and how are they linked to performance metrics to ensure the desired business outcome?

Click here to read our latest research and learn more about how you can utilize ERM/GRC Blueprint and the 10 A’s to improve your risk management program.

Gartner ERM GRC Blueprint


John Wheeler
Research Director
4 years at Gartner
25 years IT Industry

John A. Wheeler is a Research Director with responsibility for covering risk management and executive leadership topics. His areas of specialty include enterprise risk management, internal audit, corporate governance and IT/operational risk. Follow him on Twitter @JohnAWheeler.


Thoughts on 10 Critical Elements of a Successful Risk Management Program


  1. Great post! A lot of this has become rather relevant to my business recently. Thanks for the thoughts!

  2. […] right to privacy. (Concerned customers may want to work with their cloud providers to develop a risk management framework and set of controls for data […]

  3. Fabulous, what a webpage it is! This blog gives helpful facts to us, keep it up.

  4. Good day! This post couldn’t be written any better! Reading this post reminds me of my old roommate! He always kept talking about this. I will forward this write-up to him. Pretty sure he will have a good read. Thanks for sharing!

  5. Ri [A lovely gift for a review after arrival]


