Launching New ERM Effort

Spotted on the Internet this weekend: is looking for a program manager to join a newly formed enterprise risk management team—which means, of course, that Amazon has a newly formed ERM team. That’s news to me.

The job description says Amazon wants to create a new, centralized ERM function that acts as an adviser and backstop for its many business units. The business units still compile their own risk assessments and manage compliance themselves (nice nod to the Three Lines of Defense model of risk assurance there), while the ERM team validates those risk assessments, helps with risk ranking, and performs gap analysis to see what might have fallen through the cracks.

This particular job is for a “change management program manager,” with lots of experience in communicating change management efforts, too—which suggests to me that this really is a new effort, where Amazon wants to make sure business units know what they’re supposed to do and don’t start running their own ERM programs that aren’t according to plan.

The ideal candidate should have experience in OFAC and other international regulatory compliance fields (no surprise, given that Amazon ships anything anywhere), and lots of experience with change management and communications. The job is in Seattle.

Trying to unravel the ethics, compliance, and risk functions at Amazon is as confusing as finding your way through the maze in Westworld. The company has no chief ethics & compliance officer that I know of, although it does employ numerous ethics & compliance professionals at the staff level. Besides, the risks themselves are incredibly diverse: everything from payments and anti-money laundering, to export control restrictions, to the huge privacy and data security risks in its Amazon Web Services division. To put one person in charge of all that is a big ask.

The ERM program managers I can find on LinkedIn (I won’t name them here, but you can find them easily enough) mostly seem to trace their roots to earlier SOX compliance experience at Amazon. Several also seem to have transitioned into their ERM roles starting in late 2015.

I don’t know whether their ERM programs are part of this ERM program, or are separate efforts. Amazon is such a sprawling company that I may be barking up totally unrelated trees here.

If anyone at Amazon wants to tell me the story discreetly, drop me a line at [email protected]. I’m sincere in my curiosity here; I bet implementing ERM at Amazon would be fascinating challenge.


Leave a Comment

You must be logged in to post a comment.