Guide to Enterprise Risk Management Implementation

ERM implementation is a continuous process of integrating business strategies designed to mitigate or optimize enterprise risk. This article uses a five-step roadmap to help guide your ERM implementation:

• Step One: Establish the foundation of your ERM strategy to guide the different phases of the ERM implementation process.
• Step Two: Determine the scope of implementation, and assign business functions and ownership to essential stakeholders and project leads. 
• Step Three: Identify and assess risk based on specific criteria.
• Step Four: Mitigate or optimize risk with targeted risk response.
• Step Five: Monitor and report on implementation progress.

The first step in the ERM program implementation process is to determine which type of ERM framework to use. You can develop your own internal ERM framework or choose one of the standardized risk management models to benchmark your ERM program. 

The goal of an ERM framework is to minimize complexity. Examples of existing risk management frameworks include the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and International Organization for Standardization (ISO) 31000:2018 framework. To learn more about these frameworks, including how to obtain risk management certification, see “How to Choose the Right Risk Management Certification.” 

ERM Framework Example

Author James Lam outlines his ERM framework, the Continuous ERM Model, in his book Implementing Enterprise Risk Management. The author combines the strengths of well-known management frameworks into a simplified communication framework based on iterative feedback loops. 

This framework includes four components: governance structure and policies, risk assessment and quantification, risk management, and reporting and monitoring. Using these components, you can address the following questions: 

• Who is responsible? 
• How should you make risk management decisions?
• What decisions optimize risk or return? 
• How do you measure the performance of the ERM program with feedback loops?

The next step is to establish ownership of specific risk management goals, the desired business outcomes, and the manner in which individual stakeholders should respond to issues that arise during ERM implementations. 

Lyle Stewart is a managing director at Infina LLC, which provides IT security, compliance, and risk management services to clients across an array of industries, including ERM implementation reviews. Stewart refers to this step as the “scoping phase.”

Example of Scoping Phase

Stewart recommends establishing a steering committee of key stakeholders from the relevant business units and management in two phases: one steering committee for implementation and one for overseeing the governance structure's continued operations and ability to function. The members of the implementation committee have a specific focus: to manage business functions that fit the scope of the project. The emphasis is on the ERM implementation goals and deliverables for that stage of implementation, not the overall implementation phase. 

The IT governance and risk management framework that Stewart uses at Infina is a flexible, in-house model influenced by the ISACA IT governance framework, Control Objectives for Information Technologies (COBIT). To learn more about this ERM framework and other influential models, see ERM Frameworks and Models article.

In the assessment phase of ERM implementation, you prepare to measure and report on initial progress, as well as set the stage for a follow-up assessment of risk management during subsequent operational phases. 

Lam defines risk assessment as "the process of identifying, evaluating, and prioritizing key risks for specific business objectives." Risk assessment differs by the type of risk, scope of implementation, risk complexity, and implementation goals. Types of enterprise risk include strategic risk, reputational risk, operational risk, legal risk, financial risk (credit, debt, and interest risk), market risk, cybersecurity risk, and IT compliance risk. 

Example of Risk Assessment

Stewart breaks down the assessment stage of ERM implementation into two concepts. 

“First, [figure] out the right risk assessment process for your enterprise business,” says Stewart. “Next, execute the risk assessments for your enterprise on the baseline set of risks that you will be targeting.” 

In this implementation phase, the steering committee creates assessment criteria by comparing current risk exposure and the desired threshold of enterprise risk tolerance to determine optimized risk levels. 

Next, the committee generates risk assessment reports that describe risk events, and they assess probability and business impact. These reports help users assign responsibility to the post-implementation oversight committee and create content for risk management action plans. To learn more about ERM assessment and analysis, see our guide to enterprise risk assessment and analysis.

ERM Implementation Tools

Risk control self-assessment (RCSA) is a commonly accepted risk assessment method modeled by risk management frameworks like COSO and ISO 3100. Various tools and strategies are available within the RCSA methodology to aid with the assessment phase of ERM implementation, including the following: 

• Implementation Dashboard: A collaborative dashboard is an important collaboration tool. The dashboard integrates data across business units and provides a single source for reporting risk assessment criteria, communicating progress, and monitoring ERM implementation performance.
• Risk Audits: The risk audit report is essential for developing self-assessment criteria. It involves identifying risks that are detrimental to the organization, examining risk thresholds, and documenting the root cause of different enterprise risk types.  
• Stochastic Risk Models: Stochastic risk modeling is a tool to help forecast the probability of various risk outcomes under different conditions, using random variables. Stochastic risk models present data and predict outcomes that account for unpredictability or randomness, rather than cause and effect. These models are popular with assessing financial risk and optimizing investments. 
• Workshops and Interviews: Risk assessment workshops involve interviewing stakeholders within the scope of ERM implementation to identify, evaluate, and prioritize the organization's top risks. These workshops confirm business objectives, as well as regulatory and policy requirements, from subject matter experts close to the risk and business unit. Surveys are an alternative approach to live interviews.
• Risk Visualization: A risk assessment matrix helps you visualize the likelihood of risk occurrence and the severity of impact. Risk heat maps use ERM implementation objectives and risk assessment criteria to help you visualize the organization's most pressing threats. Bell curve charts serve as an aggregate of risk profiles and are a simple tool for establishing a vector of risk probabilities and outcomes to represent risk profiles in the aggregate.

This risk register template includes project details at the top and a list of risks with space to assign tracking numbers. Use this template to provide a detailed log of risk ownership, the level of impact and probability, planned actions, and response status. This spreadsheet is designed for you to easily edit and add columns and customization as needed. 

Download Risk Register Template 

Excel | Word | PDF | Smartsheet

Risk response involves examining risk assessment reports and responding with mitigation strategies to reduce or enhance risk opportunities, depending on ERM implementation goals. You can also create risk action plans to track existing threats and determine new threats. 

This step aims to prioritize the top risks established in previous implementation phases and determine how to address that risk. The failure to execute risk action plans and integrate risk management practices into daily business operations compromises the value of the ERM implementation program and exposes the organization to unforeseen threats.

Example of Risk Mitigation

Stewart believes the mitigation stage of implementation is about systematically resolving risk that you identified in the previous assessment phase. 

He characterizes the questions as such: “We've identified the risks; how are we addressing the risks?’” he says. “‘What controls and procedures have we currently established that address the risks that we've identified?’” 

In the event that you don’t have specific ERM procedures and controls in place to mitigate identified risks, Stewart recommends closing that gap quickly. Otherwise, new risk emerges. There is no control in place for identified threats. 

“The idea [of the mitigation process] is to bring those prime risks under control and manage them,” he says.

Use this action plan template to manage and communicate risk mitigation response and details about proposed actions for a specific risk. This simple PDF template is designed to help you organize resources; designate ownership; establish controls; and document, report on, and monitor activities. 

Download ERM Implementation Action Plan Template

Excel | Word | PDF | Smartsheet

Measure and report risk management actions and the overall risk environment to determine the effectiveness of your ERM program. The results can help inform your decisions on managing internal and external threats, as well as changes to enterprise environments. 

The information you receive from continuous feedback loops, integrated dashboard tracking, executed action plans, and workshops informs current risk management processes and can help you establish future business objectives. 

“Measurement is about determining your metrics,” says Stewart. “[It’s] what you use to benchmark against [and] to demonstrate how establishing a governance structure and our frameworks prevents exposure to unnecessary risks.”

He frames this stage of ERM implementation around the importance of communication. 

“You have to have awareness and visibility around where your risks occur, and then make sure that they are known,” he says. “The biggest challenge is when you have a risk that nobody is aware of.” 

When organizations fail to consistently measure and share the results of functional risk management efforts, they run the chance of creating inconsistent predictions for worst-case risk scenarios. This outcome leads to inaccurate risk probability and severity analysis. 

“You’re informing everybody who's involved of what your risks are, what your mitigation processes and procedures are, to ensure that you're driving compliance,” says Stewart. “People might be unaware of the importance of a certain risk management activity or function.”

He views the informing stage of implementation as a holistic ERM process — a top-to-bottom and bottom-to-top feedback loop that informs different stakeholders within the scope of that implementation stage.

One example is reporting the risk profile of the enterprise and operational risks up to executive management. In the other direction, the top leadership loops in individuals closest to the technology and day-to-day business processes. The goal is to create awareness of the specific risks associated with their business functions so that they operate in a manner that minimizes threats and optimizes for risk.