In this episode of SRA Watchtower's Risk Intel Podcast, Dan Bailey and Eric Bonnell came back on the show to share their experiences leading Enterprise Risk Management (ERM) for a financial institution and how they navigated the complexities around building an ERM program. Their candid discussion covered frameworks, tools, and strategies to achieve integrated risk management while aligning with organizational objectives. Below are five key takeaways from their insightful conversation.
Dan and Eric stressed that risk management cannot thrive in silos. They argued that integration between the second and third lines of defense is fundamental to achieving a cohesive approach to risk. Rather than treating these functions as isolated entities, organizations should foster a collaborative environment where insights are shared, and processes are aligned.
“Independent does not mean isolated,” Dan emphasized. “Second line can have a partnership with the third line. Audit isn’t off in their perch with binoculars—it’s about collaboration and understanding expectations.”
This integrated approach amplifies the ability to identify risks early and address them proactively. It also brings underrepresented areas, such as risk and control self-assessments (RCSA) or third-party risk, into broader risk discussions. By aligning these processes, organizations can create a comprehensive risk profile that resonates across all levels, including senior management and the board.
A recurring theme in the discussion was the critical need for a well-defined risk framework before adopting tools or technologies. According to Eric, many organizations fall into the trap of starting with a tool and then attempting to build a framework around it. This can lead to inefficiencies and tools that fail to meet the organization's specific needs.
“If you start with the tool, you risk fitting a square peg into a round hole,” Eric cautioned. “Frameworks guide how tools should function, not the other way around.”
Building a strong framework involves establishing a clear taxonomy for risk, identifying key processes, and understanding the organization’s risk appetite. Tools should then align with and enhance these elements, not dictate them. When frameworks come first, organizations can select technologies, such as Watchtower, that genuinely support their risk management goals and regulatory requirements.
One of the most challenging aspects of risk management is communicating complex information in a way that resonates with stakeholders. Dan and Eric highlighted the importance of storytelling in translating data into actionable insights. Effective storytelling ensures that risk managers are not just presenting numbers but framing them within the organization’s broader context.
“I need a way to tell the story: Here’s our risk, here’s our appetite, and here’s where we are,” Eric explained. “With a good risk platform system, I can spend more time explaining the ‘why’ behind the data instead of manually compiling it.”
This approach transforms risk reporting from a static exercise into a strategic conversation. By leveraging dashboards and visualizations, risk managers can communicate risks more effectively to boards and committees, enabling them to make informed decisions that align with the organization’s objectives.
While advanced features are essential for risk managers, tools must also be accessible to first-line users who may not have a deep understanding of risk concepts. Dan emphasized the importance of intuitive design in ensuring adoption and engagement across the organization.
“You’re asking people to think in a way they don’t normally think,” Dan said. “If the system isn’t easy to use, they’ll stop using it.”
To address this challenge, tools should simplify complex concepts such as inherent and residual risk, making them more approachable. For example, demonstrating how control maturity impacts risk levels can help users see the tangible benefits of their actions. Intuitive systems foster greater participation, ensuring the entire organization contributes to a unified risk management strategy.
Dan and Eric agreed that tools built by subject matter experts are far more effective than those developed without a deep understanding of risk management challenges. Tools designed with expertise at their core align more naturally with frameworks and workflows, reducing the need for customization and increasing their long-term value.
“If the software isn’t built by subject matter experts, it doesn’t allow for the maturity of risk management,” Eric noted. “Vendors often focus on features and functions instead of addressing the real use case.”
Organizations should prioritize tools that solve specific problems rather than being drawn to flashy features. This approach not only streamlines implementation but also ensures that the tool evolves alongside the organization’s risk management maturity, supporting growth and adaptation over time.
The episode concluded with a teaser for future discussions on AI’s role in risk management. As tools and technologies evolve, leveraging AI could unlock new possibilities for identifying, assessing, and mitigating risks. This conversation is a must-listen for risk professionals navigating today’s interconnected landscape. By focusing on integration, frameworks, storytelling, and user-friendly tools, organizations can achieve a more effective and holistic approach to enterprise risk management.
To learn how Watchtower - The Holistic Risk Intelligence Platform was built by risk subject matter experts and can support the advancement of your risk program, please schedule time to connect with us.
Dan Bailey, Managing Director of Certified Risk Partners – a risk management advisory-consulting-implementation firm.
Dan has been actively involved in the risk management and IT industries for 25+ years. Dan has achieved and maintains multiple industry-related certifications. He also serves in a Board/Executive advisory capacity with the University of Texas at Dallas and DRJ. Visit www.certifiedriskpartners.com or email him at dan@certifiedriskpartners.com.
Eric Bonnell, SVP, Director of Enterprise Risk Management
Bonnell joined First Financial from a $21 billion bank, where he was instrumental in developing its enterprise risk management (ERM) framework as it matured over the $10B asset-size regulatory threshold and beyond. He has also served in a number of other operational and risk management roles within the financial services and insurance industries, bringing valuable experience. Eric is a native of New York, where he earned a Bachelor of Arts in Computer Science from Manhattan College and a Master of Science in Computer Information Systems from Iona College. He graduated from the ABA’s Stonier Graduate School of Banking and the Wharton Leadership Program at the University of Pennsylvania. He holds the designations of Certified Information Privacy Professional (CIPP/US), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Security Professional (CISSP).