
ERM & Risk Resilience Operations.

Enterprise risk, operational resilience, and business continuity. Operationalized as a portfolio input, not compliance overhead.

Credentials and focus areas: CPCU · ARM · AAI · Insurance & risk fluency · Cyber & information security

Some organizations have outgrown a compliance-led approach to risk. They need to operationalize it — to turn risk into a portfolio input that informs capital allocation, program prioritization, and board-level decisions in real time. We build the operating model that lets enterprise risk management actually run, rather than producing a document that sits on a shelf.

This practice covers the full enterprise risk surface: traditional ERM design and operationalization, operational resilience under regulatory pressure, business continuity and disaster recovery, and third-party and concentration risk. We monitor and advise on the disclosure regimes that have moved risk from a back-office concern to a board-level one (CSRD, ISSB IFRS S2, the SEC climate rule, California SB 253 and SB 261), and where clients require it, we provide informed counsel on operationalizing them. Climate is not a practice we lead with. Risk operations is.

This practice draws on deep credentials across insurance and risk, cyber and information security, and program execution. Every practitioner holds the relevant professional certifications in their domain. It also draws on something less common in this category: senior practitioners with direct experience designing and operating risk functions inside live, high-stakes environments. That perspective informs how we design programs that have to perform when tested, not just programs that look defensible on paper.

  • ERM design & operationalization. Build or rebuild the enterprise risk management function so it produces decision-grade inputs to leadership and the board, not after-the-fact reporting.
  • Standing enterprise risk advisor. Operate as an embedded enterprise risk function for PE-backed and publicly traded organizations. Quarterly governance reporting, carrier relationship management, emerging risk monitoring, and board-level risk communication. Not a one-time assessment. An ongoing risk governance capability.
  • Operational resilience. Design, test, and operationalize resilience programs against current regulatory expectations, including impact tolerance setting and severe-but-plausible scenario testing.
  • Business continuity & DR. Modernize BCM and DR programs that have drifted out of sync with the actual technology and operating estate they're meant to protect.
  • Third-party & concentration risk. Assess and operationalize controls around vendor concentration, critical-supplier exposure, and the resilience implications of an increasingly outsourced enterprise.
  • Crisis governance & tabletop exercises. Stand up or stress-test the executive and board-level decision-making structures that have to operate under crisis conditions. Designed to produce decisions, not status updates.
  • Climate disclosure advisory. Informed advisory on CSRD, ISSB IFRS S2, the SEC climate rule, and California SB 253/SB 261 frameworks. We monitor the regulatory environment and advise on operationalization where clients require it.