
Five Step Plan for an Enterprise Risk Management (ERM) Program

Enterprise Risk Management (ERM) is the process of planning, organizing, leading and controlling an organization's activities in order to minimize the effects of risk on the organization. It extends well beyond day-to-day, run-of-the-mill operational management! A true ERM program widens its scope to strategic, financial, reputational, human-resource and business-continuity risks as well as operational and legal ones. Most organizations, as they mature, embark on the journey of establishing a robust ERM program. The five-step plan outlined here can be used for rolling out any organization-wide change.
Step 1: Organize effort for a successful change
  • Identify your team! Make this group a core part of the ERM work
  • Assess the organization's current level of change saturation and establish a process to address any roadblocks
  • Engage the Executive Leadership Team (ELT) for support
  • Have a clear plan of action
  • Ensure that ERM becomes a strategic priority
  • Be flexible when creating an ERM process because it needs to work for your stakeholders! Design with customers and end-users in mind.
Step 2: Establish a framework around risk
  • Customize a standard framework to meet your organizational needs
  • ISO 31000 and the COSO ERM framework are good starting points to explore
  • Capture risks, both prospectively and retrospectively
  • Create a process to link captured risks to strategic planning and organizational decision making
Step 3: Create a profile of top risks
  • Create a process to prioritize top risks in each of your key areas
  • Develop or adopt an organizational risk matrix
  • Use departmental risks to shape the organization-wide profile of top risks
  • Create a one-page summary for the Board of Directors, CEO and ELT
  • Keep the profile current by reviewing risks on a regular basis

“Top Risks” is the most important list of risks you may ever create! An organization's profile of top risks allows the CEO and the Executive Leadership Team to focus on the most urgent and burning issues the organization faces. This may include opportunities waiting to be tapped into. These risks usually reside in the red zone of the organizational risk matrix. The profile allows stakeholders to identify, understand and communicate the significance of each risk so that action can be taken.
Step 4: Review mitigation plan
  • For each identified Top risk, work out a plan to minimize or mitigate the risks
  • Create infrastructure that supports the mitigation plan(s) and promotes an environment in which action is taken
  • Keep the plan SMART! (Specific, Measurable, Achievable, Relevant and Time-bound)
  • Communicate plan(s) and integrate efforts for broader engagement and ERM awareness
Risk mitigation plans, when created using the ERM approach, prevent the organization from falling into the trap of isolated and fragmented risk management. A big part of an ERM program's success depends on the effectiveness and execution of the mitigation plans for the identified risks. For the majority of organizations, this is the weakest link in the ERM program.
Step 5: Review and take action
  • Make tracking of actions easy and visual
  • Identify gaps or lack of action
  • Set clear accountability structure
  • Empower those who are accountable
  • Coach and support as necessary
  • Ensure that risks remain within defined risk tolerance
Having a plan that is not actionable is worse than having no plan at all! The ERM program allows the board and executive team to define the organization's “risk tolerance”: the level of risk at which the organization is prepared to accept the status quo rather than decide to reduce the risk. When a risk falls above or beyond the risk tolerance, action is required.
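To make Steps 3 and 5 concrete, here is an added example (not part of the original post, and not any particular framework's scoring scheme) of a small risk register in Python: each risk is rated 1 to 5 for likelihood and impact on a 5x5 matrix, the product places it in a green, amber or red zone, the red zone feeds the top-risk profile, and a per-area risk tolerance flags which residual scores still require action. The band thresholds (red at 15 and above, amber at 8 and above), the tolerance values, the owners and the sample risks are assumptions chosen for illustration.

```python
"""Toy ERM risk register: 5x5 risk matrix, top-risk profile and tolerance check.

Added illustration, not code from the original post. Band thresholds, tolerance
values and the sample risks below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)  # likelihood and impact are both rated 1 (lowest) to 5 (highest)


@dataclass
class Risk:
    rid: str
    title: str
    area: str                                 # strategic, financial, operational, ...
    likelihood: int                           # inherent rating, 1..5
    impact: int                               # inherent rating, 1..5
    owner: str                                # accountable person (Step 5)
    residual_likelihood: Optional[int] = None  # rating after mitigation, if a plan exists
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # Reject ratings outside the matrix so a typo cannot silently hide a red risk.
        for v in (self.likelihood, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.rid}: ratings must be 1..5, got {v}")
        for v in (self.residual_likelihood, self.residual_impact):
            if v is not None and v not in SCALE:
                raise ValueError(f"{self.rid}: residual ratings must be 1..5, got {v}")

    @property
    def inherent_score(self) -> int:
        """Position on the 5x5 matrix before any mitigation (1..25)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after mitigation; a risk with no recorded plan keeps its inherent score."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score
        return self.residual_likelihood * self.residual_impact


def zone(score: int) -> str:
    """Map a matrix score to a colour band (thresholds are an assumption)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def top_risks(register: List[Risk], limit: int = 5) -> List[Risk]:
    """Step 3: the red-zone risks, highest inherent score first, ties broken by impact."""
    red = [r for r in register if zone(r.inherent_score) == "red"]
    red.sort(key=lambda r: (r.inherent_score, r.impact), reverse=True)
    return red[:limit]


def tolerance_breaches(register: List[Risk], tolerance: Dict[str, int]) -> List[Risk]:
    """Step 5: risks whose residual score still exceeds the tolerance for their area.

    `tolerance` maps area -> highest residual score the board will accept;
    the "*" entry is the default for areas without their own limit.
    """
    return [r for r in register
            if r.residual_score > tolerance.get(r.area, tolerance["*"])]


def one_page_summary(register: List[Risk], tolerance: Dict[str, int]) -> List[str]:
    """Rows for the board one-pager: id, zone, inherent -> residual, owner, status."""
    rows = []
    for r in sorted(register, key=lambda r: r.inherent_score, reverse=True):
        limit = tolerance.get(r.area, tolerance["*"])
        status = "ACTION REQUIRED" if r.residual_score > limit else "within tolerance"
        rows.append(f"{r.rid:<4}{zone(r.inherent_score):<7}"
                    f"{r.inherent_score:>3} -> {r.residual_score:<4}{r.owner:<11}{status}")
    return rows


# Constructed sample register (hypothetical risks, not taken from the post).
# R2 has no mitigation recorded, so its residual score equals its inherent score.
REGISTER = [
    Risk("R1", "Ransomware takes core systems offline", "operational", 4, 5, "CIO", 2, 5),
    Risk("R2", "Key supplier insolvency", "strategic", 3, 4, "COO"),
    Risk("R3", "Regulatory fine for data breach", "legal", 3, 5, "CISO", 1, 5),
    Risk("R4", "Loss of key engineering staff", "human resource", 4, 3, "CHRO", 2, 3),
    Risk("R5", "Office flood", "business continuity", 2, 2, "Facilities"),
]

# Assumed board tolerance: residual score at most 8, tightened to 6 for legal risks.
TOLERANCE = {"*": 8, "legal": 6}

if __name__ == "__main__":
    print("Top risks:", [r.rid for r in top_risks(REGISTER)])
    print("Outside tolerance:", [r.rid for r in tolerance_breaches(REGISTER, TOLERANCE)])
    print("\n".join(one_page_summary(REGISTER, TOLERANCE)))
```

With the sample data, R1 and R3 form the top-risk profile; R1 remains outside tolerance even after mitigation, and R2 is flagged because no mitigation has been recorded at all, which is exactly the "gap or lack of action" Step 5 asks you to surface.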

