Speak Their Language to Win Board Support for ERM

Summary
– Greg Young argues that boards fund Enterprise Risk Management (ERM) when it is shown to improve business decisions, not just governance.
– The approach involves learning what the board values—such as cost savings, compliance, resilience, or growth—and communicating in that language.
– Young describes turning ERM into a decision system that ties risk to revenue, capital allocation, and concentration.
– He recommends using metrics boards grasp, like third-party blast radius and dwell time, while being honest about data freshness and confidence.
– The ultimate goal is a single, combined view of risk that represents the entire business.
To win board approval for Enterprise Risk Management (ERM), stop talking about governance and start speaking the language of business value. That’s the central argument from Greg Young, VP of Cybersecurity and Corporate Development at TrendAI, who draws on nearly 40 years in the field to explain how to build an ERM program that executives will actually fund.
Young, who has served as a CISO and spent 14 years as a Gartner analyst, insists that boards open their wallets when they see how risk intelligence drives better business decisions. No one writes a check just for improved governance. The real sell is showing how risk data can directly influence revenue, capital allocation, and strategic concentration.
The first step is understanding what your board actually values. Is it cost savings, compliance, resilience, or growth? Once you know that currency, you can tailor your message. Young advocates turning ERM into a decision-making system that ties risk exposure to tangible business outcomes. He points to metrics that resonate with board members, such as third-party blast radius and dwell time, because these numbers translate directly into operational and financial impact.
Honesty is critical. Young stresses the importance of being upfront about data freshness and confidence levels. Boards respect transparency more than polished but misleading reports. The ultimate goal is a single, unified view of risk that reflects the entire enterprise, not just siloed IT or compliance concerns. When risk is presented as a business tool rather than a bureaucratic exercise, securing board support becomes a matter of speaking their language.
(Source: Help Net Security)