How Jigsaw Puzzles Can Explain ERM
Elena Yearly, MBA, CRMA, CICA | Jun 23, 2026

Ahead of her presentation at the 2026 Governance, Risk & Controls Conference (GRC), Aug. 17-19 in San Diego, California, Elena Yearly explains how to make enterprise risk management less puzzling.
I have something to share. I am serious about jigsaw puzzles. However, I am not someone who tackles the holiday puzzle or that 200-piece beach scene on a dreary weather day. I am someone who spends time sorting pieces by color, hunting for the border pieces, and convincing myself that a missing blue piece must be somewhere because there is no way the manufacturer forgot to include it. Over the years, I have completed hundreds of puzzles featuring landscapes, city skylines, and Paris at night.
What I did not expect was that my years of puzzling would teach me (and now you) something about enterprise risk management. The more puzzles I complete, the more I realize that there is a direct correlation between puzzles and how organizations can view and build their respective ERM processes. The fact is that the ‘ERM’ pieces are all there. The challenge is figuring out how they fit together. Puzzles are a perfect metaphor for ERM, and here is why.
Lesson #1: Start With the Picture
Whenever I scatter a thousand puzzle pieces onto the table to get started, the first thing I look at is the box. Why? Because I need to know what I am trying to put together. The box picture gives me that strategy or roadmap.
There are times when organizations approach risk management before they have clearly connected risks to strategic initiatives. Risk discussions become disconnected from governance and leadership decision-making. As internal auditors, we witness this. Risks are identified and documented, yet stakeholders find it difficult to explain how those risks connect to what the organization is trying to accomplish.
If you do not know what the completed picture should look like in ERM, it is hard to figure out how the pieces fit together.
Lesson #2: Find the Border Pieces
We as experienced puzzlers start with the edge pieces. The border creates the structure and gives shape to what we do next. Governance plays the same role in ERM. Effective oversight helps organizations understand the value that board members and leaders place on overall risk management. They ask the right questions and demonstrate a commitment to building and maintaining a risk-aware culture.
Without the proper foundation, ERM efforts become fragmented and progress slows down.
Lesson #3: Sort Before You Build
One of my favorite parts of puzzling is sorting. Colors in one pile; patterns into another. This allows for clarity. The same discipline applies to ERM.
Organizations generate a great deal of information about risks, controls, objectives, compliance requirements, and performance measures. Trying to process everything at once is overwhelming.
This is where internal auditors provide tremendous value. We help organize this complexity. We identify patterns. We connect information that may otherwise remain disconnected and unobserved. In many ways, auditors are professional puzzle sorters.
Lesson #4: Accept That It Takes Time
This can be a hard lesson for organizations to learn. Nobody expects to finish a 2,000-piece puzzle in 30 minutes. Yet organizations expect immediate buy-in, culture change, risk ownership, and results. Unfortunately, this is not how ERM works.
Building the ERM process along with risk awareness takes time. The entire operation evolves when ERM is within the ‘DNA’ of the organization. Cultures mature as people understand the importance of their ERM roles. The most successful ERM programs I have seen were not created through one workshop or one risk assessment. Instead, they were built through consistent and sustained commitment. Piece by piece.
Lesson #5: Pay Attention to the Missing Pieces
Every puzzler knows this feeling. You get to the end and discover something is missing. A piece fell on the floor or the dog got to it first. In organizations, missing pieces are hard to spot due to assumptions not made, risks that people are afraid of acknowledging, or communication gaps between departments.
We as internal auditors identify those missing pieces because we spend the time examining how processes, risks, and controls align. Our value is helping people recognize the pieces that are overlooked — what I call the blind spots.
The Bigger Picture
The longer I work in ERM, the more I see its tailored value proposition. ERM is about understanding the picture where the risks come together. Governance, strategy, compliance, internal controls, cybersecurity, finance, culture, and audit are all pieces of a larger puzzle. Viewed individually, they may not tell us much. Viewed together, they reveal something far more valuable. They reveal how an organization succeeds.
The next time you hear someone say they do not understand ERM, consider this puzzle metaphor. The goal is not to see ERM as disparate pieces. The goal is to see the full picture that the ERM puzzle pieces create for us.
Elena Yearly is a presenter at The IIA's GRC 2026 Conference, which takes place Aug. 17-19 in San Diego, Calif. and virtually.