I doubt you will find anyone else who breaks ERM into these two components: content and process.
Content includes all the stuff that consultants deliver such as lists of categorized risks, control plans, outstanding actions and colourful heat maps. This content is what I was once told by an EVP is the stuff “I put in a drawer after the meeting and never look at.” (Needless to say hearing this for the first time knocked the wind out of me!)
ERM is just a bunch of stuff that goes into a drawer until you build the process that supports the content. And this is the hard part.
I see the ERM process as a mechanism that provides everyone in the organization with an opportunity to stand on their desks and yell at the top of their lungs that they know where to find their organization’s risks and that they should be heard (figuratively speaking!). I always say: the top five executives in any organization do not have a monopoly on all the risk identification in that organization.
Now the trouble with this approach lies in the fact that not all organizations have the sort of culture that promotes this kind of sharing. More often than not, the entry-level AP clerk doesn’t know what to do with their awareness of a risk; they may share it with their supervisor, and the information dies right there, never to be escalated until something blows up (figuratively or literally), by which time it is too little, too late.
ERM has to create the processes and tools that allow the AP clerk to share their awareness of this risk without fear, and this requires a change in the culture.