The textbook ERM stack will sink a 200-person company. Here's the minimum viable risk function for the stage — and what to defer.
May 2026 · 6 minute read · ERM · Mid-market
The standard ERM playbook — risk taxonomy, appetite statements, KRIs, board-reporting cadence, second-line independence — was designed for institutions with hundreds of risk staff and dedicated GRC budget. Drop that playbook on a 200-person company and you'll consume so much management bandwidth that the business will hate you and the program will die in year two. Here's what to build first instead.
Not a register, not a heatmap with 47 risks. One page. Top 10–12 risks the executive team thinks could materially derail the company in the next 12 months, named owner per risk, current mitigation status. Reviewed quarterly by the executive team, presented annually to the board. This artifact does 80% of what a "real" ERM program does, at 5% of the cost.
Whenever something material breaks — outage, breach, near-miss, customer impact, vendor failure — run a 60-minute blameless review within a week. Document what happened, what worked, what didn't, and one change. Most $50M-revenue companies don't do this consistently. The companies that do mature faster than any consulting framework can deliver.
A spreadsheet works. List each critical vendor (one that receives your data, one you depend on financially, or one you can't operate without) with its name, contract end date, SOC 2 status if applicable, and a named internal owner. This is your TPRM program at this stage. Add monitoring sophistication when you have actual vendor-induced incidents to learn from.
You don't need it yet. Anyone who tells you otherwise is selling you the platform. Defer until you have so many manual touches that the platform pays for itself in time saved — typically $80M+ revenue or 500+ employees, whichever comes first.
Risk should be on the executive team's standing agenda — 15 minutes monthly. A separate committee duplicates governance overhead. When you grow into needing one (typically when the board adds an external risk-committee director), you'll know.
At $50M revenue, the CRO function lives across the CFO, COO, and CTO. Hire when you have regulatory pressure (specific industry, specific stage) or when one of your existing executives is materially overloaded by the risk portion of their role. Hiring too early creates a function that hasn't earned its mandate.
ERM maturity is a function of organizational complexity, not company size in dollars. A 200-person fintech with a banking license needs more than a 200-person SaaS. A $200M revenue services firm with three product lines needs less than a $50M biotech with one. Build for your complexity, not for the framework.
— Drawn from mid-market ERM rollouts across financial services, healthcare tech, and SaaS.