We’ve compiled expert tips and resources for implementing enterprise risk management, including best practices and advice on how to overcome common implementation challenges.
Enterprise risk management (ERM) is a management process that scales across large organizations. The goal is to improve strategic decision making for organizations with dynamic business operations that leave them more exposed to various threats and negative consequences.
Implementing an ERM program requires a phased approach, with critical steps and deliverables comprising each phase. The implementation process varies by organization size, project timeline, available resources, and risk optimization goals.
ERM implementation is a continuous process of integrating business strategies designed to mitigate or optimize enterprise risk. This article uses a five-step roadmap to help guide your ERM implementation.
The first step in the ERM program implementation process is to determine which type of ERM framework to use. You can develop your own internal ERM framework or choose one of the standardized risk management models to benchmark your ERM program.
The goal of an ERM framework is to minimize complexity. Examples of existing risk management frameworks include the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and International Organization for Standardization (ISO) 31000:2018 framework. To learn more about these frameworks, including how to obtain risk management certification, see “How to Choose the Right Risk Management Certification.”
ERM Framework Example
Author James Lam outlines his ERM framework, the Continuous ERM Model, in his book Implementing Enterprise Risk Management. The author combines the strengths of well-known management frameworks into a simplified communication framework based on iterative feedback loops.
This framework includes four components: governance structure and policies, risk assessment and quantification, risk management, and reporting and monitoring. Using these components, you can address the following questions:
The next step is to establish ownership of specific risk management goals, the desired business outcomes, and the manner in which individual stakeholders should respond to issues that arise during ERM implementations.
Lyle Stewart is a managing director at Infina LLC, which provides IT security, compliance, and risk management services to clients across an array of industries, including ERM implementation reviews. Stewart refers to this step as the “scoping phase.”
Example of Scoping Phase
Stewart recommends establishing a steering committee of key stakeholders from the relevant business units and management in two phases: one steering committee for implementation and one for overseeing the continued operation of the governance structure. The implementation committee has a narrow focus: to manage the business functions that fall within the scope of the project. Its emphasis is on the ERM goals and deliverables of the current stage of implementation, not on the implementation as a whole.
The IT governance and risk management framework that Stewart uses at Infina is a flexible, in-house model influenced by the ISACA IT governance framework, Control Objectives for Information Technologies (COBIT). To learn more about this ERM framework and other influential models, see “ERM Frameworks and Models.”
In the assessment phase of ERM implementation, you prepare to measure and report on initial progress, as well as set the stage for a follow-up assessment of risk management during subsequent operational phases.
Lam defines risk assessment as "the process of identifying, evaluating, and prioritizing key risks for specific business objectives." Risk assessment differs by the type of risk, scope of implementation, risk complexity, and implementation goals. Types of enterprise risk include strategic risk, reputational risk, operational risk, legal risk, financial risk (credit, debt, and interest risk), market risk, cybersecurity risk, and IT compliance risk.
Example of Risk Assessment
Stewart breaks down the assessment stage of ERM implementation into two concepts.
“First, [figure] out the right risk assessment process for your enterprise business,” says Stewart. “Next, execute the risk assessments for your enterprise on the baseline set of risks that you will be targeting.”
In this implementation phase, the steering committee creates assessment criteria by comparing current risk exposure and the desired threshold of enterprise risk tolerance to determine optimized risk levels.
Next, the committee generates risk assessment reports that describe risk events and assess their probability and business impact. These reports help users assign responsibility to the post-implementation oversight committee and create content for risk management action plans. To learn more about ERM assessment and analysis, see our guide to enterprise risk assessment and analysis.
ERM Implementation Tools
Risk control self-assessment (RCSA) is a commonly accepted risk assessment method modeled by risk management frameworks like COSO and ISO 31000. Various tools and strategies are available within the RCSA methodology to aid with the assessment phase of ERM implementation, including the following:
This risk register template includes project details at the top and a list of risks with space to assign tracking numbers. Use this template to provide a detailed log of risk ownership, the level of impact and probability, planned actions, and response status. This spreadsheet is designed for you to easily edit and add columns and customization as needed.
Risk response involves examining risk assessment reports and responding with mitigation strategies to reduce or enhance risk opportunities, depending on ERM implementation goals. You can also create risk action plans to track existing threats and determine new threats.
This step aims to prioritize the top risks established in previous implementation phases and determine how to address those risks. Failing to execute risk action plans and integrate risk management practices into daily business operations compromises the value of the ERM implementation program and exposes the organization to unforeseen threats.
Example of Risk Mitigation
Stewart believes the mitigation stage of implementation is about systematically resolving risk that you identified in the previous assessment phase.
He characterizes the questions as such: “‘We've identified the risks; how are we addressing the risks?’” he says. “‘What controls and procedures have we currently established that address the risks that we've identified?’”
If you don’t have specific ERM procedures and controls in place to mitigate identified risks, Stewart recommends closing that gap quickly. Otherwise, a new risk emerges: an identified threat with no control in place.
“The idea [of the mitigation process] is to bring those prime risks under control and manage them,” he says.
Use this action plan template to manage and communicate risk mitigation response and details about proposed actions for a specific risk. This simple PDF template is designed to help you organize resources; designate ownership; establish controls; and document, report on, and monitor activities.
Measure and report risk management actions and the overall risk environment to determine the effectiveness of your ERM program. The results can help inform your decisions on managing internal and external threats, as well as changes to enterprise environments.
The information you receive from continuous feedback loops, integrated dashboard tracking, executed action plans, and workshops informs current risk management processes and can help you establish future business objectives.
“Measurement is about determining your metrics,” says Stewart. “[It’s] what you use to benchmark against [and] to demonstrate how establishing a governance structure and our frameworks prevents exposure to unnecessary risks.”
He frames this stage of ERM implementation around the importance of communication.
“You have to have awareness and visibility around where your risks occur, and then make sure that they are known,” he says. “The biggest challenge is when you have a risk that nobody is aware of.”
When organizations fail to consistently measure and share the results of functional risk management efforts, they run the risk of producing inconsistent predictions for worst-case risk scenarios. This outcome leads to inaccurate analysis of risk probability and severity.
“You’re informing everybody who's involved of what your risks are, what your mitigation processes and procedures are, to ensure that you're driving compliance,” says Stewart. “People might be unaware of the importance of a certain risk management activity or function.”
He views the informing stage of implementation as a holistic ERM process — a top-to-bottom and bottom-to-top feedback loop that informs different stakeholders within the scope of that implementation stage.
One example is reporting the risk profile of the enterprise and operational risks up to executive management. In the other direction, the top leadership loops in individuals closest to the technology and day-to-day business processes. The goal is to create awareness of the specific risks associated with their business functions so that they operate in a manner that minimizes threats and optimizes for risk.
ERM implementation programs come with common hurdles and obstacles that prevent organizations from realizing risk management benefits. The way organizations handle these challenges determines the effectiveness of risk management — and the larger impact on business objectives.
This section provides best practices gleaned from risk management experts, including the importance of change management and feedback loops, as well as how to measure ERM implementation progress at each phase.
To learn more risk management strategies and find templates for ERM implementations, read “Free Risk Management Plan Templates.”
“What works for one client is not going to work for the next,” says Stewart. “Before I build out procedures and policies, I need to evaluate the current culture on the ground and how the organization operates.”
Stewart differentiates the type of feedback based on scoped roles and management levels. Risks differ between the executive or director level and lower management levels, as people on the ground deal directly with enterprise technology risk.
“I would have two different sets of risk assessment registers for each of these management levels,” says Stewart. “They are related, just two different scales of risk assessment overview.”
“The idea of that measurement is, ‘What are the metrics we use to benchmark ourselves, to demonstrate how establishing governance structure and frameworks prevents exposure to unnecessary risks?’” he explains.