Skip to main content

Five Step Plan for an Enterprise Risk Management (ERM) Program

Enterprise Risk Management (ERM): is a process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of a risk to an organization.  It expands beyond a daily run of the mill operational management! A true ERM program will have its scope expand to strategic, financial, reputational, human resource and business continuity as well as operational and legal risks. Most organizations, as they mature embark on a journey of establishing a robust Enterprise Risk Management (ERM) Program! The 5-step plan outlined here can be used for rolling out any organization-wide change.
Step 1: Organize effort for a successful change
  • Identify your team! Make this group a core part of the ERM work
  • Assess current organizational change saturation and establish a process to address any road blocks
  • Engage the Executive Leadership Team (ELT) for support
  • Have a clear plan of action
  • Ensure that ERM becomes a strategic priority
  • Be flexible when creating an ERM process because it needs to work for your stakeholders! Design with customers and end-users in mind.
Step 2: Establish a framework around risk
  • Customize standard framework to meet your organizational needs
  • ISO 31000 and COSO are good starting points to explore 
  • Capture risks, both prospectively and retrospectively
  • Create a process to link captured risks to strategic planning and organizational decision making
Step 3: Create a profile of top risks
  • Create a process to prioritize top risks in each of your key areas
  • Develop or use organizational risk matrix
  • Use departmental risks to shape organization-wide risk profile of top risks
  • Create a one-page summary for the Board of Directors, CEO and ELT
  • Keep the profile current by reviewing risks on a regular basis

“Top Risks” is the most important list of risks you may ever create! The profile of top risks of an organization allows the CEO and the Executive Leadership Team to focus on the most urgent and burning issues faced by the organization. This may include opportunity waiting to be taped into. These risks usually reside in the red zone of the organizational risk matrix. It allows stakeholders to identify, understand and communicate the significance of the risks for action.
Step 4: Review mitigation plan
  • For each identified Top risk, work out a plan to minimize or mitigate the risks
  • Create infrastructure that supports mitigation plan(s) and promotes actionable environment
  • Keep the plan SMART! (Specific, Measurable, Achievable, Reliable and Timely)
  • Communicate plan(s) and integrate efforts for broader engagement and ERM awareness
Risk mitigation plans, when created using the ERM approach, prevents the organization from falling into the trap of isolated and fragmented risk management. A big part of  ERM program success depends on the effectiveness and execution of mitigation plans for the identified risks. This is the weakest link for most ERM programs for the majority of organizations.
Step 5: Review and take action
  • Make tracking of actions easy and visual
  • Identify gaps or lack of action
  • Set clear accountability structure
  • Empower those who are accountable
  • Coach and support as necessary
  • Ensure that risks remain within defined risk tolerance
Having a plan, which is not actionable is worse than not having a plan at all! The ERM program allows the board and executive team to determine something called “risk tolerance”. It simply means, whether the organization would prefer the status quo or a decision towards reducing the risks. When issues fall above or beyond the risk tolerance, an action is required.


Popular posts from this blog

How to benefit from a Fishbone or Ishikawa Diagram for Root Cause Analysis

What is root cause analysis?Root cause analysis is a structured process that helps healthcare, manufacturing and service sector managers and leaders in identifying contributing factors or causes of an accident, error, problem, event or occurrence. An accident, error, problem, event or occurrence are usually a result of a system rather than an individual mistakes. Understanding the system itself and contributing factors or causes of a system failure can help in preventing recurrences. Actions that are taken to address system failure helps in sustaining the improvements or corrective actions. What is a fishbone or ishikawa diagram? Each and every outcome or effect is an end result of actions taken/omitted or in general causes/ A cause and effect diagram representing this relationship between cause and effect is called a called a fishbone or ishikawa diagram. A fishbone diagram is a visual way to represent cause and effect. It is a more structured approach for brainstorming causes of a pro…

Operational Risk Management and Compliance Management in Emergency Department

Client Question Hi,
We recently underwent an Accreditation Canada visit and were cited for not using 2 patient identifiers. The nurse picked up the patient in the ED and she was familiar with the patient and neglected to check her name and DOB. Patient identifiers is something that we have been struggling with for the past two accreditations. We thought we had it all well in hand but it only takes one incident to get cited on failing the ROP. Does anyone have a process or audit tools that are used routinely to audit staff using 2 patient identifiers? Any help would be greatly appreciated. Thank you 
In order to comply with the required organizational practices (ROPs), we first need to have a closer look at it. ROPs in this case are the standards that the organization is being held against and must meet. So lets understand what does the ROP actually require. Following is a statement from one of the ROPs that relate to the question at hand. On an average Accreditation Canada ha…

Essential elements of ERM

Essential elements of ERM

Create your own and tailored #ERM #framework with ease! We have worked hard to incorporate changes from #COSO and #ISO #31000 so that you can benefit without having to invest a lot of time and resources. 

Email us at for more details.