7 Key elements of an Enterprise Risk Management Program.

This paper gives a summary of all the key elements that make up Enterprise Risk Management. Enterprise risk management ("ERM") is the process of planning, organizing, leading, and controlling the activities of an organization to minimize the effects of risk on an organization's capital and earnings, reputation and shareholder value. The benefit of Enterprise Risk Management is that it aligns organization, people, processes and infrastructure, provides a benchmark for risk/reward, gives visibility of risk in operational activities and, for the more mature organization, delivers a competitive advantage.


Risk management must function in the context of business strategy, and the first step in this integration is for the organization to determine its goals and objectives. Typical organizational strategic objectives would include market share, earnings stability/growth, investor returns, regulatory standing and capital conservation.

From there, the institution assesses the risk implied in implementing that strategy and determines the level of risk it is willing to assume in executing it, given its internal risk capacity, existing risk profile, vision, mission and capability. Regardless of the specific business strategy, an institution is exposed to the following financial, strategic and operational risks:

  • Credit/Market/Operational

  • Liquidity

  • Technology

  • Strategic/Reputation/Business

  • Compliance/Legal/Regulatory

  • Insurance/Environmental

  • Capital

Note that this should not be a static risk list and should be updated to incorporate the identification of new and emerging risks.


Risk direction is defined by the risk appetite, which in turn is defined as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).” A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity’s risk management philosophy and influences the culture and operating style. Considerations affecting the risk appetite include the following: existing risk profile, attitudes towards risk, risk capacity and risk tolerances.

The risk appetite statement is developed by management with Board review and is translated into a written form. The overall risk appetite uses broad risk statements and is then expressed for each major class of organizational objective and for the different categories of risk. An effective risk appetite statement needs to be stated precisely enough that it can be communicated, operationalized and used to aid decision making. More importantly, it needs to be broken down into specific operating metrics so that it can be monitored.

The risk appetite is converted into operating/tactical metrics known as risk tolerances, which reflect the application of risk appetite to specific objectives; the risk tolerances are then further distilled into risk thresholds. The key here is moving from a low level of quantification (the risk appetite) to a high level of granularity (a threshold). The risk appetite is converted into high-level enterprise KPIs (Key Performance Indicators) which are defined, accepted and operationalized, with risk appetite and tolerances established for capital, earnings, credit worthiness, reputation and shareholder returns.

Once the risk appetite is set, it needs to be embedded, and then continuously monitored and revised. As strategies and objectives change, they should prompt a further review of the risk appetite.


The statement of risk appetite is conveyed through culture, governance and policies. These three factors help an organization manage and oversee its risk-taking activities. A strong risk culture set from the top, augmented by comprehensively laid out roles and responsibilities, with collective centralized decision making and clear escalation protocols, is a must for successful implementation. Strong, well thought out risk management principles, ownership and culture training help promote, reinforce and maintain this strong risk culture. Evidence of this strong risk culture would be seen in open communication, both top down and bottom up, in decision making and conflict resolution. Enterprise means that no area of the organization is excluded; it includes all operating and support areas in terms of engagement, training and support.

An important instrument in this implementation is the risk management policy, which signals to all stakeholders the organization's commitment to its risk appetite. The policy states its purpose, application, objectives and policy components, including the risk management framework. The policy must be written in a common terminology, as this will facilitate clear communication with all stakeholders.


It’s all about the data, but more importantly the correct data. The risk data and its delivery must be robust and able to scale, so that the information collected, integrated and analyzed can be translated into cohesive, credible narratives and reports.


The internal control environment is one of the most important tools helping senior management reduce the level of inherent risk to an acceptable level known as residual risk. Residual risk is defined as the level of inherent risk reduced by internal controls. Building an effective internal control environment allows management to control what can be controlled. The system of internal controls incorporates culture, governance, controls, and scenario planning. The system of internal controls can be further supplemented by risk management techniques such as strategies, policies, limits, guidelines, processes, standards, diversification and model measurement.


Measurement and evaluation determine which risks are significant, both individually and collectively, and where to invest time, energy, and effort in response. Various risk management techniques and tools will be used to measure and quantify the risks on both an aggregate and a portfolio level. In my experience the most important tool is an open mind; 80% of all material risks are strategic and/or operational in nature. To accomplish the goal of measurement and evaluation, an organization may adopt a risk impact rating based on a simple model of color rating (green, yellow, and red), numbers 1, 2, 3, or high/medium/low scales.
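As an added illustration (not from the paper), the chain from risk appetite to tolerances and thresholds, the residual-risk definition above, and the green/yellow/red impact rating can be wired together into a small risk-register scorer. The 1 to 5 likelihood and impact scales, the multiplicative effect of controls, the per-category thresholds and the sample register are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    category: str                 # one of the paper's risk categories
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (minor) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigates)

def inherent_score(r: Risk) -> int:
    """Inherent risk before controls: likelihood x impact (1..25)."""
    return r.likelihood * r.impact

def residual_score(r: Risk) -> float:
    """Residual risk = inherent risk reduced by internal controls.
    Treating the reduction as multiplicative is this example's assumption."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)

# Assumed appetite per category as (tolerance, threshold) on the residual score:
# at or above tolerance -> yellow, at or above threshold -> red (escalate).
APPETITE = {
    "Technology": (4.0, 9.0),
    "Compliance/Legal/Regulatory": (2.0, 6.0),
    "default": (6.0, 12.0),
}

def rate(r: Risk) -> str:
    """Map a risk to the paper's green/yellow/red impact rating."""
    tolerance, threshold = APPETITE.get(r.category, APPETITE["default"])
    score = residual_score(r)
    if score >= threshold:
        return "red"
    if score >= tolerance:
        return "yellow"
    return "green"

def escalations(register: list[Risk]) -> list[str]:
    """Names of risks that breach appetite, feeding the escalation protocol."""
    return sorted(r.name for r in register if rate(r) == "red")

# Constructed sample register (not real organizational data).
REGISTER = [
    Risk("Unpatched internet-facing servers", "Technology", 4, 4, 0.5),
    Risk("Data-retention breach", "Compliance/Legal/Regulatory", 3, 4, 0.25),
    Risk("Key supplier failure", "Strategic/Reputation/Business", 2, 5, 0.2),
    Risk("Cash-flow shortfall", "Liquidity", 2, 2, 0.5),
]
```

Calling `rate` over `REGISTER` yields yellow, red, yellow and green respectively, and `escalations(REGISTER)` returns only the compliance risk, which is the one item that would go to the oversight bodies.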

The next stage is for risk mitigation plans to be put into place to address those areas which pose the greatest threat. The internal controls will be measured and evaluated to determine how well the risks are being managed and whether the risk response is both appropriate and effective.

All risks, responses and control effectiveness must be reported and communicated in a format that meets the needs of the different stakeholders and oversight/governance bodies. The oversight/governance bodies will be tasked with ensuring that the risk profile is aligned with business and capital plans and that the amount of capital is commensurate with the risk taking.


Given that management must address known and unknown risks, tools like scenario planning and stress testing are used both to help shed light on these missing risks and, more importantly, on the interconnection of these risks. Armed with this information, the organization can develop contingency plans to at least counter the effects of these risks on its future operational viability and on the trends and models it relies on.

Passing thoughts

Enterprise Risk Management is not a passing fad, as it is now instrumental to the survival of an organization. Its importance lies both in the maturity of the thinking and in the structured planning that allows the organization to navigate, with some certainty, the risks posed to the organization's business objectives and strategy.

In short, Enterprise Risk Management is good business practice.


John Thackeray