Turning ERM from a Checkbox into a Building Block
If enterprise risk management (ERM) feels like a compliance exercise your organization should do but that never quite gets traction, you’re not alone.
Why does ERM so often exist on paper, but not in practice?
I’ve spent most of my career working with public-sector, non-profit, and purpose-driven organizations that genuinely care about good governance and long-term sustainability. And yet, I’ve seen ERM stall more often than succeed.
In this article, I’ll share what ERM should be, where organizations tend to get stuck, and how it can become a practical building block for better, purpose-driven decisions instead of just another box to check.
A bit about me
I’m Nicole Stinson, Founder of Upside ERM Solutions. I’ve worked inside large public organizations and now partner with boards, executives, and leadership teams to help them strengthen strategy, governance, and resilience. My background spans public policy and program development, evaluation, and systems-level planning, which means I’ve seen decisions from multiple vantage points; this includes the realities faced by funders, regulators, and delivery teams. My approach is facilitation-led, pragmatic, and rooted in the belief that risk conversations should help people, not overwhelm them.
ERM as a way of making choices under uncertainty
At its core, ERM is a structured way to talk about uncertainty in relation to what matters most. It’s about understanding what could help or hinder your objectives, and making informed choices in response. This is especially valuable in the context of real constraints like limited funding, capacity, time, and attention.
ERM is not a long risk register, a one-time workshop, or a report that lives on a shelf. When it’s working well, ERM shows up in planning conversations, board discussions, and day-to-day decisions.
What gets missed
The most common mistake I see is treating ERM as a technical or compliance exercise. Organizations jump straight to templates, scoring scales, or software before clarifying purpose, appetite, or ownership.
Another misstep is separating ERM from strategy. When risk is discussed in isolation, rather than alongside goals and priorities, it feels abstract and easy to ignore.
Turning checkboxes into building blocks
The shift happens when ERM is designed to support how decisions are actually made. That means:
Starting with purpose, strategy, and objectives
Keeping language and tools in line with culture and capacity
Focusing on a small number of material risks
Making roles and expectations clear
Revisiting risks as conditions change
When ERM is embedded this way, it becomes a shared frame for decision-making, not a compliance burden. The checkbox doesn’t disappear; it becomes a step along the way, rather than the endpoint.
Final thought
ERM doesn’t need to be heavy to be effective. When done well, it creates clarity, alignment, and confidence in the face of uncertainty.
If you’d like to discuss ERM, strategic planning, or how risk can better support your organization’s goals, you’re welcome to book a conversation with me.
And if these reflections resonate, I also invite you to join my email community, where I share practical insights on governance, risk, and organizational resilience. I promise no empty jargon and no spam.
—
Nicole Stinson is the Founder & Principal of Upside ERM Solutions. She helps purpose-driven organizations turn risk management into a strategic enabler through facilitation, coaching, and pragmatic frameworks.