10 Tips for Developing an Effective ERM Program

Michael J. Cawley


May 2, 2024

Tips for Developing an ERM Program

Developing an enterprise risk management (ERM) program can be a difficult task, even for experienced risk professionals. While there is no one-size-fits-all approach, the following tips—compiled from decades of challenges faced and lessons learned in risk management—can help organizations achieve their own ERM success.

1. Create a Succinct ERM Mission Statement

As a vital first step toward the establishment of a robust and meaningful ERM program, all companies should consider developing and memorializing a mission statement that explains the primary purpose of ERM. The statement should combine strategy with tactical execution by focusing on actionability instead of empty buzzwords or jargon, and be succinct to encourage understanding, consensus and transparency.

Essentially, the mission statement must tie together the “what” and the “why” of ERM. For example: “Enterprise risk management is the process for identifying, assessing, mitigating and monitoring all enterprise-wide risks that might impair the company’s ability to achieve its strategic business objectives.”

2. Establish a Risk Management Framework

Expanding upon the ERM mission statement, risk professionals should formulate another program cornerstone: the risk management framework (RMF). This is the authoritative manual that “sells” and guides your ERM program.

There are three key distinct components to every successful RMF. In the initial section, set the context for ERM. To get there, take stock of your company's identity and explain why ERM can make a tangible difference by asking the following questions: What does your company do and what are its unique business characteristics and drivers of success? What is the connection to, and reliance upon, risk management? How does the discipline of ERM potentially impact the company’s high-level business goals, such as earnings performance, capital preservation, liquidity maintenance and reputation protection?

The second section of the RMF establishes the foundational elements of ERM by detailing the company's overall cultural model and spelling out the company's identity, what it recognizes and rewards, and the ethical behaviors it expects. Here, the company should also establish the risk governance structure with roles and responsibilities delineated by line of defense. At a very high level, this second section of the RMF should also speak to the concepts of risk appetite and tolerance, the latter reflecting specific pre-defined threshold where appetite is exceeded, triggering notification, assessment and/or corrective action. 

The third section of the RMF addresses the tactical execution of ERM. This process comprises the following elements: 1) identifying risk on an iterative basis, with the net result being your universe of exposures; 2) assessing risk in a consistent and transparent manner, particularly focusing on severity and likelihood; 3) mitigating inherent risk severity and likelihood to an acceptable residual level through well-defined controls; and 4) monitoring risk on an ongoing basis, pinpointing prominent metrics, such as key risk indicators (KRIs), and disseminating reports for both internal and external use. 

3. Connect Your Overall Corporate Culture to Risk Management

Risk culture represents the shared understanding and behavioral attitudes of the company’s employees toward risk-taking and comprises key pillars like governance, training, risk-aligned performance and business conduct. How does your risk culture connect with a company’s overall culture that dictates conducting business with integrity and ethics at all times?

Simply put, a company should strive to cultivate a high-performing environment that is inclusive and equitable at the same time. All employees should feel empowered to do their best and contribute to their fullest potential to advance and thrive in their careers. The overall culture should guide day-to-day decisions and link brand identity with behaviors that are both expected and rewarded.

4. Pinpoint Your Risk Universe

When defining a risk universe, the key point is straightforward: do not miss a single risk. It is also important to allow flexibility such that emerging risks can be readily incorporated, and to sub-categorize or break down the overall universe in a way that makes sense and makes it digestible.

For instance, you might want to consider establishing three core categories at the outset—financial, operational and strategic—as these appear consistently across all risk registers, no matter what industry the company represents. Then you can construct a customized core risk category that reflects the source of your revenue streams (e.g., retail, manufacturing, construction, insurance).

5. Institutionalize a Formal, Automated Risk Register

Full implementation and consistent use of an automated risk register tool is vital to ERM success. Mere spreadsheets will not cut it. The ideal risk register should focus on a small number of key risk attributes (causes, consequences, controls and key risk indicators) and select metrics (severity and likelihood, as well as direction and velocity) that will enable risk assessment and prioritization. It is important to appoint one risk owner per risk to establish accountability from the outset.

6. Continually Hone Your Risk Rating Scales

Establishing understandable and transparent severity and likelihood rating scales is crucial to foster both risk governance and risk culture. Keep in mind that simple descriptive identifiers (e.g., high, rare) can expose you to potential misinterpretation. Instead, be specific when defining severity and likelihood and modify the definitions as needed.

For example, severity determination can be predicated on a number of different indicators, such as financial impact, brand/reputation, regulatory or strategic. Use whatever indicator lends itself to the risk in question and best resonates with the risk owner.

In terms of likelihood, rating scales should not measure the chance of incurring just any risk event. Rather, it should address the possibility of a significant event as defined in the severity table that you formulate. An “almost certain” rating might anticipate a significant event once every year, while a “rare” rating might project a significant event only once every 50 years. 

7. Establish Material Risk Policies

Risk policies should articulate a company’s general approach to the identification and management of material risks. Policies are high-level approaches to decision-making, include significant discretion, and are often delineated in qualitative terms rather than qualitative measures.

As a rough measure, there should be policies for a dozen or so material risks in your universe. Each risk policy should generally address: 1) the definition of the risk policy in question; 2) the goal of the risk policy; 3) controls that mitigate the risk, itemized by line of defense; 4) roles and responsibilities to manage the risk; 5) risk appetite for the risk in question; and 6) specific risk tolerances and escalation provisions in the event of exceedance.

8. Actively Promote the Embedded Risk Governance Structure

ERM should never be considered a separate service function. Rather, it should be looked at as a discipline consciously embedded in critical decision-making processes throughout the organization. Primary ownership for the daily execution of risk management rests with the business unit, with support from risk-related functions like ERM, compliance or internal audit, as well as risk-related boards and committees.

Risk governance structure is best portrayed in the three lines of defense model, where day-to-day management, control, oversight and independent assurance of risk are assigned to the following groups:

  • First line: business units and supporting functions
  • Second line: all groups responsible for ongoing monitoring and challenging of the design and operation of controls in the first line
  • Third line: entities responsible for independent assurance over the management of risks, including challenging both the first and second lines

9. Set Appetite and Tolerances for All Key Risks

Risk appetite represents the general willingness to assume risk and, in turn, to expose the company and its capital to risk of loss. The establishment and enforcement of consistent, transparent and expected behaviors around risk appetite, conveyed through appetite statements and guidelines, is crucial to the risk management framework.

Drilling down deeper, risk tolerance reflects the specific pre-defined thresholds that exceed the appetite for a specific risk, triggering notification, assessment and/or potential corrective action by management. Key risk indicators (KRIs) are metrics that provide a way to quantify and monitor each risk. Think of them as change-related metrics that act as an early-warning system to help companies effectively monitor, manage and mitigate risks.

10. Connect ERM with Other Risk-Related Disciplines

Once you construct and adhere to a robust risk management framework, there is no risk-related issue that cannot be confronted head-on. Consider the following risk-related areas:

  • Governance, risk and compliance (GRC): This is a subcategory of your risk universe that simply slices and dices a smaller body of risks in a slightly different fashion.
  • Environmental, social and governance (ESG): This is a mixture of operational (e.g., corporate governance) and strategic (e.g., climate risk) exposures, as well as the precepts from your overall cultural model described in the foundational section of your RMF.
  • Diversity, equity, and inclusion (DEI): DEI initiatives are undeniably risk-related in nature and, like ESG, can be viewed through the prism of both the risk register (e.g., operational risks like human resources, talent management/retention and compliance) and, even more importantly, foundational elements contained in your RMF like ethics, culture and governance.

Whether the risk-related challenges are actual risks within your risk universe or principles addressed within your risk management framework, applying the discipline of ERM will still work to address the wide range of risks facing your organization.

Michael J. Cawley is a risk management executive with more than 35 years of experience in the strategic and tactical elements of corporate enterprise risk management. He currently serves as a subject matter expert in an advisory role on ERM best practices for GRC software provider DoubleCheck.