What Is an Enterprise Risk Management Process?
Enterprise risk management (ERM) is a management process that scales across large organizations. The goal is to improve strategic decision making for organizations with dynamic business operations that leave them more exposed to various threats and negative consequences.
How to Implement Enterprise Risk Management
Implementing an ERM program requires a phased approach, with critical steps and deliverables comprising each phase. The implementation process varies by organization size, project timeline, available resources, and risk optimization goals.
ERM Roadmap: Five Steps to Enterprise Risk Management Process
ERM implementation is a continuous process of integrating business strategies designed to mitigate or optimize enterprise risk. This article uses a five-step roadmap to help guide your ERM implementation:
- Step One: Establish the foundation of your ERM strategy to guide the different phases of the ERM implementation process.
- Step Two: Determine the scope of implementation, and assign business functions and ownership to essential stakeholders and project leads.
- Step Three: Identify and assess risk based on specific criteria.
- Step Four: Mitigate or optimize risk with targeted risk response.
- Step Five: Monitor and report on implementation progress.
Step One: Develop ERM Foundation
The first step in the ERM program implementation process is to determine which type of ERM framework to use. You can develop your own internal ERM framework or choose one of the standardized risk management models to benchmark your ERM program.
The goal of an ERM framework is to minimize complexity. Examples of existing risk management frameworks include the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and International Organization for Standardization (ISO) 31000:2018 framework. To learn more about these frameworks, including how to obtain risk management certification, see “How to Choose the Right Risk Management Certification.”
ERM Framework Example
Author James Lam outlines his ERM framework, the Continuous ERM Model, in his book Implementing Enterprise Risk Management. The author combines the strengths of well-known management frameworks into a simplified communication framework based on iterative feedback loops.
This framework includes four components: governance structure and policies, risk assessment and quantification, risk management, and reporting and monitoring. Using these components, you can address the following questions:
- Who is responsible?
- How should you make risk management decisions?
- What decisions optimize risk or return?
- How do you measure the performance of the ERM program with feedback loops?
Step Two: Identify Stakeholders
The next step is to establish ownership of specific risk management goals, the desired business outcomes, and the manner in which individual stakeholders should respond to issues that arise during ERM implementations.
Lyle Stewart is a managing director at Infina LLC, which provides IT security, compliance, and risk management services to clients across an array of industries, including ERM implementation reviews. Stewart refers to this step as the “scoping phase.”
Example of Scoping Phase
Stewart recommends establishing a steering committee of key stakeholders from the relevant business units and management in two phases: one steering committee for implementation and one for overseeing the governance structure's continued operations and ability to function. The members of the implementation committee have a specific focus: to manage business functions that fit the scope of the project. The emphasis is on the ERM implementation goals and deliverables for that stage of implementation, not the overall implementation phase.
The IT governance and risk management framework that Stewart uses at Infina is a flexible, in-house model influenced by the ISACA IT governance framework, Control Objectives for Information Technologies (COBIT). To learn more about this ERM framework and other influential models, see ERM Frameworks and Models article.
Step Three: Identify and Assess Risk
In the assessment phase of ERM implementation, you prepare to measure and report on initial progress, as well as set the stage for a follow-up assessment of risk management during subsequent operational phases.
Lam defines risk assessment as "the process of identifying, evaluating, and prioritizing key risks for specific business objectives." Risk assessment differs by the type of risk, scope of implementation, risk complexity, and implementation goals. Types of enterprise risk include strategic risk, reputational risk, operational risk, legal risk, financial risk (credit, debt, and interest risk), market risk, cybersecurity risk, and IT compliance risk.
Example of Risk Assessment
Stewart breaks down the assessment stage of ERM implementation into two concepts.
“First, [figure] out the right risk assessment process for your enterprise business,” says Stewart. “Next, execute the risk assessments for your enterprise on the baseline set of risks that you will be targeting.”
In this implementation phase, the steering committee creates assessment criteria by comparing current risk exposure and the desired threshold of enterprise risk tolerance to determine optimized risk levels.
Next, the committee generates risk assessment reports that describe risk events, and they assess probability and business impact. These reports help users assign responsibility to the post-implementation oversight committee and create content for risk management action plans. To learn more about ERM assessment and analysis, see our guide to enterprise risk assessment and analysis.
ERM Implementation Tools
Risk control self-assessment (RCSA) is a commonly accepted risk assessment method modeled by risk management frameworks like COSO and ISO 3100. Various tools and strategies are available within the RCSA methodology to aid with the assessment phase of ERM implementation, including the following:
- Implementation Dashboard: A collaborative dashboard is an important collaboration tool. The dashboard integrates data across business units and provides a single source for reporting risk assessment criteria, communicating progress, and monitoring ERM implementation performance.
- Risk Audits: The risk audit report is essential for developing self-assessment criteria. It involves identifying risks that are detrimental to the organization, examining risk thresholds, and documenting the root cause of different enterprise risk types.
- Stochastic Risk Models: Stochastic risk modeling is a tool to help forecast the probability of various risk outcomes under different conditions, using random variables. Stochastic risk models present data and predict outcomes that account for unpredictability or randomness, rather than cause and effect. These models are popular with assessing financial risk and optimizing investments.
- Workshops and Interviews: Risk assessment workshops involve interviewing stakeholders within the scope of ERM implementation to identify, evaluate, and prioritize the organization's top risks. These workshops confirm business objectives, as well as regulatory and policy requirements, from subject matter experts close to the risk and business unit. Surveys are an alternative approach to live interviews.
- Risk Visualization: A risk assessment matrix helps you visualize the likelihood of risk occurrence and the severity of impact. Risk heat maps use ERM implementation objectives and risk assessment criteria to help you visualize the organization's most pressing threats. Bell curve charts serve as an aggregate of risk profiles and are a simple tool for establishing a vector of risk probabilities and outcomes to represent risk profiles in the aggregate.
Risk Register Template
This risk register template includes project details at the top and a list of risks with space to assign tracking numbers. Use this template to provide a detailed log of risk ownership, the level of impact and probability, planned actions, and response status. This spreadsheet is designed for you to easily edit and add columns and customization as needed.
Download Risk Register Template
Step Four: Risk Response and Mitigation
Risk response involves examining risk assessment reports and responding with mitigation strategies to reduce or enhance risk opportunities, depending on ERM implementation goals. You can also create risk action plans to track existing threats and determine new threats.
This step aims to prioritize the top risks established in previous implementation phases and determine how to address that risk. The failure to execute risk action plans and integrate risk management practices into daily business operations compromises the value of the ERM implementation program and exposes the organization to unforeseen threats.
Example of Risk Mitigation
Stewart believes the mitigation stage of implementation is about systematically resolving risk that you identified in the previous assessment phase.
He characterizes the questions as such: “We've identified the risks; how are we addressing the risks?’” he says. “‘What controls and procedures have we currently established that address the risks that we've identified?’”
In the event that you don’t have specific ERM procedures and controls in place to mitigate identified risks, Stewart recommends closing that gap quickly. Otherwise, new risk emerges. There is no control in place for identified threats.
“The idea [of the mitigation process] is to bring those prime risks under control and manage them,” he says.
ERM Implementation Action Plan Template
Use this action plan template to manage and communicate risk mitigation response and details about proposed actions for a specific risk. This simple PDF template is designed to help you organize resources; designate ownership; establish controls; and document, report on, and monitor activities.
Download ERM Implementation Action Plan Template
Step Five: Measure and Inform
Measure and report risk management actions and the overall risk environment to determine the effectiveness of your ERM program. The results can help inform your decisions on managing internal and external threats, as well as changes to enterprise environments.
The information you receive from continuous feedback loops, integrated dashboard tracking, executed action plans, and workshops informs current risk management processes and can help you establish future business objectives.
“Measurement is about determining your metrics,” says Stewart. “[It’s] what you use to benchmark against [and] to demonstrate how establishing a governance structure and our frameworks prevents exposure to unnecessary risks.”
He frames this stage of ERM implementation around the importance of communication.
“You have to have awareness and visibility around where your risks occur, and then make sure that they are known,” he says. “The biggest challenge is when you have a risk that nobody is aware of.”
When organizations fail to consistently measure and share the results of functional risk management efforts, they run the chance of creating inconsistent predictions for worst-case risk scenarios. This outcome leads to inaccurate risk probability and severity analysis.
“You’re informing everybody who's involved of what your risks are, what your mitigation processes and procedures are, to ensure that you're driving compliance,” says Stewart. “People might be unaware of the importance of a certain risk management activity or function.”
He views the informing stage of implementation as a holistic ERM process — a top-to-bottom and bottom-to-top feedback loop that informs different stakeholders within the scope of that implementation stage.
One example is reporting the risk profile of the enterprise and operational risks up to executive management. In the other direction, the top leadership loops in individuals closest to the technology and day-to-day business processes. The goal is to create awareness of the specific risks associated with their business functions so that they operate in a manner that minimizes threats and optimizes for risk.
Common ERM Implementation Challenges
ERM implementation programs come with common hurdles and obstacles that prevent organizations from realizing risk management benefits. The way organizations handle these challenges determines the effectiveness of risk management — and the larger impact on business objectives.
- Culture Shock: The biggest challenge to successful ERM implementation is managing the culture change. If key management personnel aren't accustomed to the type of oversight, coordination, and execution required for effective risk management, they can hinder implementation progress. Stewart believes it can help to co-develop ERM process, procedure, and governance models with people on the ground, outside of senior management. This frontline ownership of the creative process carries over to effective post-implementation ERM operations.
- Poor Execution: Executing risk action plans to completion and reporting results to the ERM steering committee is essential to successful implementation. Stewart provides guidance to his clients throughout the ERM implementation with recommendations, best practices, and advice on how to avoid common pitfalls.
- Inadequate Tolerance: Risk tolerance aligns the organization’s appetite for risk. You can establish tolerance levels with a risk appetite statement (RAS), a document that addresses the fundamental risk management strategy for business operations. By failing to quantify risk tolerance with metrics that align with ERM implementation objectives, you prevent feedback and further compromise the readiness of business units to manage risk appetite.
- Lack of Awareness: In Stewart's experience, executive-level buy-in is essential for the success of ERM implementation. Suppose the implementation process lacks awareness and participation from senior leadership or executive board members. In that case, the likelihood of successful ERM operations decreases drastically.
- Insufficient Data: Without data to establish assessment criteria, execute risk action plans, and measure results, successful implementation is impossible. ERM dashboards and collaboration software help team members discover, communicate, and analyze data critical to identifying and managing risk. Stewart recommends that his clients develop their ERM maturity with governance, risk, and compliance (GRC) software solutions. This technology aids in the projects' coordination and visibility by providing a framework for process efficiency, data management, and advanced reporting.
Best Practices for Implementing ERM
This section provides best practices gleaned from risk management experts, including the importance of change management and feedback loops, as well as how to measure ERM implementation progress at each phase.
To learn more risk management strategies and find templates for ERM implementations, read “Free Risk Management Plan Templates.”
- Identify Risk Culture: In Stewart’s experience working with organizations that have little risk governance or oversight, the culture shift required to implement an established risk governance program can be challenging. He believes that a flexible approach is best when evaluating a client's risk culture.
“What works for one client is not going to work for the next,” says Stewart. “Before I build out procedures and policies, I need to evaluate the current culture on the ground and how the organization operates.
“You get pushback from individuals now that you're trying to establish some level of oversight, consistent process, and uniformity,” he continues. “We need to come to an agreement on a specific operating pattern to make sure that a governance framework sticks.”
- Encourage Feedback: Identify each stakeholders’ roles and responsibilities at every phase of implementation, and define a common risk language that encourages continuous feedback. Involve management from every business unit and executive management and board members — identify their current risk appetite and what's important to each management and leadership level (using risk assessment surveys or interviews). Establish continuous feedback loops to prioritize risk management communication in every business unit for specific business objectives.
“I would have two different sets of risk assessment registers for each of these management levels,” says Stewart. “They are related, just two different scales of risk assessment overview.”
Stewart differentiates the type of feedback based on scoped roles and management levels. Risks differ between the executive or director level and lower management levels, as people on the ground deal directly with enterprise technology risk.
“Higher levels of management look at what's going to hurt the enterprise business and cause missed revenue targets for the year, or what's going to double the budget,” says Stewart. “If security breaches means spending all of the time flooding holes and fighting off cyber attacks, as opposed to driving more value-add, figure out exactly what the risks are and what's driving those issues.”
- Measure Progress: Stewart believes one of the biggest challenges to risk management culture is a lack of awareness because people can't take actions to mitigate risks until they are made aware of the areas of exposure. Measure and report on the progress of an ERM program to build awareness and gain visibility into the existence of hazards.
“The idea of that measurement is, ‘What are the metrics we use to benchmark ourselves, to demonstrate how establishing governance structure and frameworks prevents exposure to unnecessary risks?’” he explains.
Establishing benchmark metrics and measuring progress does more than provide a performance review of ERM implementation steps. It helps the organization respond to new risks that arise and anticipate new areas of opportunity to improve risk exposure.
Empower Your Teams to Successfully Manage Risks with Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk.
These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.