Implementing an Enterprise Risk Management (ERM) program can look like an impossibly complex task, but with the right approach, the complexity becomes manageable and you can accomplish your goals with confidence.

The benefits of an ERM program are many. So much so, that new ERM programs are starting every day. Unfortunately, many of those will suffer multiple starts and stops as they try to figure out exactly how to accomplish the task. Too many will fail completely and never get off the ground.

It doesn’t have to be that way.

In this article, you’ll discover three steps to building an enterprise risk management program. Demonstrate your competence by getting the right start.

What are some common ERM components?

The first step is to understand some of the basic components of Enterprise Risk Management. Armed with this information, you’ll be able to match the right components with the goals of your program.

  • Enterprise Risk Assessment (ERA). This is the most common activity that comes to mind when people think about a risk management program that spans the enterprise. It encompasses a broad risk identification process, risk prioritization, risk analysis, and risk decision making. This is almost always a top-down exercise, meaning it involves senior management, but it can (and should) occasionally be a bottom-up exercise, starting with front-line employees and their supervisors and managers. The enterprise risk assessment often results in a list of “top-ten” risks faced by your organization.

  • Emerging Risks. This is a process of identifying and tracking risks that are on the horizon. They don’t directly affect or concern the organization right now, and they may never. However, at some point in time, they may be important risks of immediate concern. Rather than wait until they are immediate concerns, the emerging risk process prepares the organization, so it isn’t caught off-guard with surprises.

  • Key Risk Indicators (KRI). Key Risk Indicators are measures designed to provide early warning of changing risk levels. A set of risk indicators can be combined to create a risk index. The use of key risk indicators and risk indices not only provides early warning; they also represent current levels of risk within a risk category, and they can validate changing risk levels based on management controls and strategic direction. A key risk indicator program is a way to continuously monitor an organization’s key risks and to report that information on a regular basis.

  • Risk Appetite. Defined as the type and quantity of risk that the organization is willing to accept in pursuit of value, risk appetite is an important concept. It represents the balance between risk and reward. Often, it’s nothing more than an elegant statement. It’s listed as a separate component because it can be rather challenging to implement a risk appetite that’s useful to management and meaningful to the board.

  • Strategic Risk Assessments. This is fully integrating ERM with the strategy management process. It starts with understanding the risks related to strategic objectives and includes the assessment of the various alternatives. The importance of integrating risk and strategy cannot be overemphasized.

  • Ad Hoc Risk Assessments. Proactively identifying risks via an Enterprise Risk Assessment is a valuable exercise, but risks will appear continuously. Many of them will need to be assessed. Assessing risks as they appear will become a regular activity of your ERM program.

  • ERM Foundations. The foundational elements of any ERM program. This includes the risk management policy, roles and responsibilities, the establishment of a risk management committee, terms and definitions, identified ERM goals, and an ERM plan. This represents the authority to act, and the parameters by which you will act.

What’s the right implementation sequence?

Since you can’t implement all the components of ERM simultaneously, nor would you want to, you simply need to find the right sequence. In fact, it’s even simpler than that. You need to decide which component to implement second. That’s because there’s an obvious choice of which component to implement first.

The first component to implement is ERM Foundations. These are primarily administrative controls and governance, such as the following:

  • Risk Management Policy

  • Risk Management Committee

  • Roles and Responsibilities

  • Terms & Definitions

  • ERM purpose and goals

  • ERM Framework

With your ERM Foundations in place, you can execute ERM activities, such as identifying and assessing risk. You do not want to do this in reverse order, for example identifying risk first and establishing a risk policy later.

So, the bigger question is, “What should you implement second?”

The best indicator for answering this question can usually be found in your ERM Purpose and Goals, which is something you should document in the ERM Foundations component. Review that information and see if it points you to a component that would address any immediate needs.

Typically, an organization will conduct an Enterprise Risk Assessment or implement Key Risk Indicators. Here are some pros and cons of each to consider.

Enterprise Risk Assessment:

Pros:

  • Addresses current concerns and the top risks of the organization

  • Creates a repeatable risk assessment process

Cons:

  • Rarely covers all your relevant risk categories sufficiently

  • Does not provide for reporting risk trends over time

Key Risk Indicators:

Pros:

  • Easy to grasp, repeatable reporting for your board and executive team

  • Covers all risk categories sufficiently

  • Provides for risk trending over time and therefore the current direction of risk

Cons:

  • Not designed to produce a thorough risk assessment of any key concerns

Your decision may boil down to this. If you have one or more big concerns, the Enterprise Risk Assessment can address those. If you want broad coverage and good reporting for management and the board, the Key Risk Indicators will address those.

What about timing?

A common approach is to implement ERM Foundations and either an ERA or the KRIs in the first year. In year two, you can add the other component (KRI or ERA) to what you built in year one. By this time, you’ll have a great handle on your ERM program, and you can continue to add other components to round out the management of risk.

How to get started

At this point you know the various components of an ERM program and have an idea of the right sequence to implement them in. But how do you get started?

The two paths you can take are to go it alone or enlist some outside expertise.

To go it alone, you’ll have to invest time into learning Enterprise Risk Management and building the tools and templates, processes, and procedures.

Start with your ERM foundation. Determine the motivation behind building your ERM program. Why are you charged with doing this now? What are the goals of your ERM program? You’ll want to document this in the risk policy, the risk management committee charter, or both. To assist with this, establish your risk management committee early on and solicit their input.

Work your way through the various pieces of ERM foundations, then move on to your first risk management activity, which, as discussed above, is usually Key Risk Indicators or an Enterprise Risk Assessment. Again, you’ll have to invest time into research and learning.

To accelerate your learning and the implementation of your program, it’s wise to take the second path and enlist outside help from a trusted advisor. A trusted advisor will provide continuous guidance, training, and processes with tools and templates, drastically reducing the time required to get results.

This is RGS Business Advisors’ business model. We help organizations build their ERM program by providing you with guidance, training, and tools. Contact us to learn more. See our consulting services.

What about starting with software? It’s an enticing offer to simply install software and go from there. We don’t recommend it. There are too many disadvantages to starting with software:

  • Software does not address any of the foundational elements of ERM. You’ll still need to do this manually.

  • Software dictates your process and forces you to do ERM a certain way.

  • It’s expensive, and many software implementations are abandoned within a few years.

We recommend that you run your ERM program with manual processes, using standard MS Office productivity software (Word, Excel, etc.). Do this for the first 3 years to learn and adapt as you go. By year 3 or 4, you’ll have a well-functioning ERM program, and you can decide which parts you want to automate with software after you’ve gained 3+ years of experience.

Remember when implementing ERM seemed like an impossibly complex task? No longer! Now you know the common components of ERM, the right sequence to implement them in, and how to get started.

Take the accelerated path to learning and implementing ERM. You’ll enjoy greater success and have peace of mind. Contact us to learn more about your options.

Want to avoid some common ERM mistakes? Read our guide, “Three Common ERM Mistakes You Want to Avoid”.