Since the 2007-2008 financial crisis, many ERM implementations have been oriented around answering three questions: Do we know what our key risks are? Do we know how they’re being managed? How do we know? While seeking these answers is a useful exercise, is it enough? Yes, companies have made progress, but more needs to be done.

This issue discusses key questions organizations should ask themselves when implementing ERM, outlines critical aspects of ERM as COSO envisions it and offers three keys Protiviti experts suggest companies focus on to advance ERM within the organization.