Five Step Plan for an Enterprise Risk Management (ERM) Program

Enterprise Risk Management (ERM) is a process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on the organization. It extends well beyond day-to-day operational management! A true ERM program expands its scope to strategic, financial, reputational, human resource and business continuity risks as well as operational and legal risks. Most organizations, as they mature, embark on a journey of establishing a robust Enterprise Risk Management (ERM) program! The 5-step plan outlined here can be used for rolling out any organization-wide change.
Step 1: Organize effort for a successful change
  • Identify your team! Make this group a core part of the ERM work
  • Assess current organizational change saturation and establish a process to address any roadblocks
  • Engage the Executive Leadership Team (ELT) for support
  • Have a clear plan of action
  • Ensure that ERM becomes a strategic priority
  • Be flexible when creating an ERM process because it needs to work for your stakeholders! Design with customers and end-users in mind.
Step 2: Establish a framework around risk
  • Customize a standard framework to meet your organizational needs
  • ISO 31000 and COSO are good starting points to explore
  • Capture risks, both prospectively and retrospectively
  • Create a process to link captured risks to strategic planning and organizational decision making
Step 3: Create a profile of top risks
  • Create a process to prioritize top risks in each of your key areas
  • Develop or use an organizational risk matrix
  • Use departmental risks to shape the organization-wide profile of top risks
  • Create a one-page summary for the Board of Directors, CEO and ELT
  • Keep the profile current by reviewing risks on a regular basis

“Top Risks” is the most important list of risks you may ever create! The profile of top risks of an organization allows the CEO and the Executive Leadership Team to focus on the most urgent and burning issues faced by the organization. This may include opportunities waiting to be tapped into. These risks usually reside in the red zone of the organizational risk matrix. The profile allows stakeholders to identify, understand and communicate the significance of the risks so that action can be taken.
Step 4: Review mitigation plan
  • For each identified top risk, work out a plan to minimize or mitigate the risk
  • Create infrastructure that supports the mitigation plan(s) and promotes an actionable environment
  • Keep the plan SMART! (Specific, Measurable, Achievable, Reliable and Timely)
  • Communicate plan(s) and integrate efforts for broader engagement and ERM awareness
Risk mitigation plans, when created using the ERM approach, prevent the organization from falling into the trap of isolated and fragmented risk management. A big part of ERM program success depends on the effectiveness and execution of the mitigation plans for the identified risks. This is the weakest link in most ERM programs across the majority of organizations.
Step 5: Review and take action
  • Make tracking of actions easy and visual
  • Identify gaps or lack of action
  • Set a clear accountability structure
  • Empower those who are accountable
  • Coach and support as necessary
  • Ensure that risks remain within defined risk tolerance
Having a plan that is not actionable is worse than not having a plan at all! The ERM program allows the board and executive team to determine something called “risk tolerance”. It simply means whether the organization would prefer the status quo or a decision towards reducing the risks. When issues fall above or beyond the risk tolerance, action is required.