Published: Mar. 10, 2026

Key takeaways

Enterprise risk management (ERM) helps organizations identify and manage risks across the entire business, improving resilience, compliance, and strategic decision-making. A strong ERM framework follows five key steps: build a centralized risk register, assess and prioritize risks, develop mitigation plans, implement actions, and continuously monitor and report results. Long-term ERM success depends on creating a shared risk culture with clear ownership, consistent processes, and centralized visibility.

The story of the 21st century so far has been one of turbulence: a global financial crisis, a worldwide pandemic that disrupted supply chains, and ongoing political instability have all contributed to a much riskier operational environment for businesses and public-sector organizations alike. One result of this rapid change is the emergence of enterprise risk management (ERM). While risk management practices have long been standard for individual business units and projects, ERM expands those practices across the organization, to allow for:

  • Holistic assessment of operational, financial, and strategic risks facing the entire organization
  • Identification of proactive strategies for mitigating and addressing risks—or taking advantage of opportunities
  • Enhanced, evidence-driven decision making and improved management of resources

A robust ERM framework not only supports more resilient operations—it also helps organizations demonstrate compliance with various regulations. Additionally, ERM practices have become part of how rating agencies such as Standard & Poor's evaluate a company’s overall credit ratings. ERM is increasingly a must-have strategy rather than an add-on.

Fortunately, there are best practices for developing and implementing an ERM framework that can work for businesses of any size—as well as ERM solutions, including Lumivero’s Predict! and SharpCloud, which make it possible to act on those best practices more efficiently.

This article offers an overview of the five essential steps for creating an ERM framework.

 

What is enterprise risk management?

According to the international accounting and professional services firm PricewaterhouseCoopers, enterprise risk management (ERM) is “a comprehensive, systematic approach that helps organizations identify, assess, prioritize and respond to risks proactively in order to meet [their] most critical objectives.”

ERM involves looking across the entire organization to identify obstacles and threats to business objectives, day-to-day operations, and overall business continuity. It can also help organizations identify potential opportunities for taking risks, which can help them determine their “risk appetite”—that is, what level of risk the organization is willing to accept as part of pursuing business goals.


ERM vs. traditional risk management

Prior to the global financial crisis, risk management was largely practiced at the level of individual projects or business units. Risk managers carried out evaluations within their vertical silos, with little or no visibility into how risks interacted with one another across those silos.

After the financial crisis, businesses, regulators, and investors all realized that risk needed to be understood from a broader perspective. As described in Disaster Recovery Journal, an effective ERM strategy requires “a holistic and integrated risk approach” that takes “a top-down, enterprise-wide view of all types of risks,” supported by strong governance, active board oversight, and senior management accountability to ensure risks are managed cohesively rather than left in silos.

ERM practices make it possible to take a horizontal view of risk, highlighting interdependencies across business units and projects to develop a holistic picture of the organization’s overall risk exposure—and enabling a coordinated approach to managing and capitalizing on risk.

This evolution reflects more than a structural change. It represents a shift toward embedding risk awareness into leadership, culture, and strategy—so that risk management becomes not just a control function, but a foundation for informed, resilient decision-making.

 

Why ERM matters

For many organizations, ERM is crucial for regulatory compliance, transparency, and accountability. When integrated throughout the organization, however, ERM also has the potential for strategic impact. ERM not only helps businesses protect themselves from the negative outcomes of risks—it can also help identify how taking calculated risks can lead to new opportunities for growth.

Business benefits of ERM

A well-designed, well-executed ERM strategy provides a wide range of benefits for organizations, including:

  • Access to risk information across the organization in real time
  • More proactive decision-making and less reactive “firefighting”
  • Fewer surprises—threats are managed, while opportunities are pursued intentionally
  • Improved communication, confidence, and trust across the stakeholder community
  • More effective cost control and resource allocation
  • Strengthened organizational resilience

ERM drives outcomes leaders care about

The benefits of ERM lead to outcomes that support organizational goals, including:

  • Increased customer/client satisfaction
  • Enhanced organizational reputation that generates new business
  • Safer workplaces for employees
  • More sustainable, environmentally-friendly operations
  • Lower finance costs and improved credit ratings
  • Enhanced opportunities for revenue and profit growth

Common ERM frameworks

As ERM grows in importance, standards organizations, accreditors, and regulators have worked together to develop universal frameworks for practices and reporting that support compliance with laws around business and financial reporting. Two of the most common ERM frameworks currently in use are the COSO ERM framework and ISO 31000.

COSO ERM framework

The Committee of Sponsoring Organizations (COSO) is an alliance of financial, auditing, and accounting organizations that was founded in response to financial fraud scandals during the 1980s. COSO offers research and guidance into best practices for deterring fraud, improving governance, and strengthening internal control and risk management.

COSO’s ERM framework was first defined in 1992 and revised in 2013. It includes five components that work together:

  • Governance and culture
  • Strategy and objective setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

According to COSO’s 2020 whitepaper, “Compliance Risk Management: Applying the COSO ERM Framework”, ERM differs from other forms of internal control because of “its focus on creating, preserving, and realizing value.” In COSO, ERM is the practice of integrating risk with an organization’s strategy and performance.

ISO 31000

The International Organization for Standardization (ISO) is a non-governmental organization that works to develop evidence-based best practices for industry and trade. ISO standards cover “anything from making a product to managing a process.” ERM is one of the processes ISO has developed standards for. That standard is known as ISO 31000.

Initially developed in November 2009 and last revised in 2018, ISO 31000 “outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring, and communicating risks across an organization.” This approach is a flexible set of principles designed to help organizations find ways to embed ERM across their operations, rather than prescribing a specific set of steps.

Elements of the ISO 31000 ERM framework include:

  • Leadership and commitment
  • Program design
  • Steps for implementation
  • Evaluation criteria and processes
  • Improvement
  • Integration

The framework is often visualized as a wheel, as shown on page 9 in this Institute of Risk Management report. Leadership and Commitment sits at the center of the wheel with the other elements connecting in a circle around it. The idea is that ERM is an iterative process that supports continuous cycles of improvement.

 

Five steps for establishing an ERM strategy

Frameworks, even from international standards organizations, are meant to be a starting point. Organizations can (and should) customize ERM practices and processes to fit their needs. Whatever framework is decided on, everyone needs to follow a common, consistent approach that allows the whole organization to identify, communicate, and proactively manage risk.

Here are five basic steps to establishing an ERM strategy for any organization.

Step 1 – Identify risks and establish a central risk register for ERM

In any risk management process, the first step is to identify risks, analyze them, and record them in a register. For ERM, this involves collating and evaluating risks from across the entire organization. Because of its holistic, strategic focus, an organizational risk register will look different from the risk register for an individual project or business unit. Risks in an ERM register can include:

  • Operational risks: Events that disrupt the normal functioning of your business, such as supply chain disruptions or workforce issues.
  • Financial risks: Market fluctuations, investment losses, or credit risk issues that impact the financial health of your organization.
  • Strategic risks: Any other type of risk that affects your organization’s ability to accomplish its objectives—for example, reputational risks, changes in the regulatory environment, or the emergence of a new competitor.

Registers should also include which business unit or individual “owns” each risk and an assessment of the risk’s impact and probability, based on risk analysis.

The goal of an ERM risk register is to improve visibility, communication, and central reporting across the entire organization while also maintaining ownership and responsibility within business units and business functions. Simply placing horizontal functional structures side by side with vertical executive structures is not enough, however.

Instead, risks should be aggregated using a combination of vertical structure and horizontal intelligence. This is a key factor in establishing ERM.


Step 2 – Assess, prioritize, and assign risks

The next step is to evaluate the potential impact of risks and then prioritize them according to how likely they are to disrupt organizational goals. This should be a systematic process led by a central risk officer who collects information about risks using both qualitative and quantitative risk analysis methods.

Qualitative risk assessment

Qualitative risk evaluation in ERM allows for quick identification, categorization, and scaling of risks based on organizational experience or expert opinion. Qualitative risk assessment methods can include:

  • The Delphi method
  • Brainstorming and discussion
  • Bow-tie analyses
  • Risk assessment matrices

Quantitative risk assessment

Quantitative risk assessment methods produce estimates of cost, schedules, and other “hard” models of risk impact by using objective data and statistical analysis tools, such as Lumivero’s @RISK risk analysis software. Methods for quantitative risk assessment can include:

  • Stress testing (including sensitivity analysis and scenario analysis)
  • Decision trees
  • Monte Carlo simulation

Monte Carlo simulation, in particular, allows teams to model uncertainty across thousands of possible outcomes—revealing probability distributions rather than single-point forecasts. This enables leaders to understand not just what might happen, but how likely different outcomes are and where the greatest exposure lies.

While @RISK provides deep quantitative modeling within Excel, Predict! extends this insight across the enterprise. Predict! centralizes qualitative assessments (such as bow-tie diagrams and risk matrices) alongside quantitative outputs from @RISK, creating a structured, organization-wide risk register. Simulation results—such as confidence intervals, distributions, and expected values—can be captured within Predict! and translated into dashboards, governance workflows, and executive reporting.

In this way, risk assessment moves beyond isolated analysis. It becomes part of a living enterprise risk structure—where risks are visible, traceable, and aligned to objectives at every level of the organization.

Assigning risk owners

Once risks have been identified, assessed, and prioritized, the next step is to assign clear ownership. Effective ERM depends not only on analysis, but on accountability.

Within Predict!, risks are organized into a defined hierarchical structure tied to the organization’s structure and strategic objectives. Nodes in this structure represent business units, programs, functions, or projects—each with a designated manager responsible for achieving objectives and managing associated risks.

Ownership operates vertically and horizontally:

Vertical managers

  • Take executive responsibility for their own risk register
  • Provide leadership oversight for nodes beneath them
  • Approve risk responses and allocate budget
  • Communicate risk appetite and performance expectations
  • Escalate or delegate risks when necessary

For example, a program manager oversees program-level risks while also maintaining leadership accountability for risks within each underlying project.

Horizontal managers

  • Manage risks within their functional or business discipline
  • Consolidate cross-cutting risks from across the enterprise
  • Bring systemic issues—such as skills shortages or facility dependencies—under centralized management

For instance, an HR leader may identify workforce capability risks across multiple programs and manage them as a single enterprise-level exposure. A business continuity leader may consolidate location-specific risks into one coordinated response plan.

This structured assignment of ownership ensures that every prioritized risk has a clear decision-maker, defined authority, and an escalation pathway. Assessment alone does not reduce risk—accountable leadership does.

By combining robust modeling in @RISK with structured governance in Predict!, organizations can move from understanding uncertainty to actively managing it—at scale, across portfolios, and in alignment with strategic objectives.

Step 3 – Develop mitigation strategies

ERM makes it possible to manage risks more efficiently by bringing them together at a high level. With visibility across the entire organization, it is possible to develop mitigation strategies that affect both the local risks (those related to a specific project or business unit) and the universal risks (the “ripple effects” from local risks that can impact the entire organization).

With Predict!, you can create an enterprise risk map—a central point of reference for all risks, their owners, and the strategies that will address each one. To create an enterprise risk map, you need:

  • A set of global categories to communicate information to the right place
  • The ability to define the relationships between risks (parent and child, relates to, etc.)
  • Scoring systems with consistent common impact types

Predict! makes enterprise risk mapping more efficient.

Global risk categories

Global categories are used to map risks to common themes, such as:

  • Strategic or business objectives
  • Functional areas (e.g. finance, legal, sales, HR)
  • Suppliers or service providers

Once defined, global categories make it possible to bring together common risks from across different projects, business units, functions, and strategies into a single register for collective management and reporting.

Risk relationships

Defining risk relationships makes it possible to visualize connections and interdependencies across the organization. Common risks in different projects can be brought together under a parent risk to centralize mitigation efforts, and correlation between risks can be identified.

Mapping the risks makes it possible to view everything from supply chain issues to labor shortages centrally, rather than project by project. SharpCloud helps make ERM mapping more intuitive, with the ability to clearly visualize dependencies, spot common bottlenecks, and model what-if scenarios to test different risk mitigation strategies.

Because SharpCloud connects risks, projects, and strategic objectives into a single decision environment, leaders can see how a change in one area cascades across the enterprise. This supports real-time decision-making with full context—allowing teams to explore trade-offs, align on priorities, and respond to emerging risks before they escalate. Instead of reviewing static reports, decision-makers interact with a living model of their risk landscape.

Scoring systems

In an ERM strategy, scoring systems can be challenging to manage. That’s because a “high” impact at the project level may not translate into a high impact on the business. For example, if there’s a risk that a project’s completion date could be delayed for two months, that may be considered a high impact for the individual business unit, but not necessarily the entire organization.

With Predict!, risk scoring systems can be defined at the local level and then automatically “scaled” when viewing at the enterprise level.
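As an added illustration (hypothetical code, not Lumivero's Predict! or @RISK), the following Python sketch ties together the ideas from steps 1 to 3: a register whose entries carry an owner, a hierarchy node and a global category; parent/child consolidation of common risks; a scoring band that rates the same expected impact against a project budget and against the enterprise budget; and a Monte Carlo run that returns a loss distribution instead of a single-point forecast. All risk names, budgets and figures are constructed.

```python
# Added illustration: a minimal enterprise risk register with Monte Carlo
# aggregation. Hypothetical code, not Lumivero's Predict! or @RISK.
import random
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    rid: str
    title: str
    owner: str                    # unit or person accountable for the risk
    node: str                     # hierarchy node, e.g. "Enterprise/ProgramA/Project1"
    category: str                 # global category used to roll risks up across units
    probability: float            # chance the risk occurs in the planning period
    impact_low: float             # impact range (currency units) if it does occur
    impact_high: float
    parent: Optional[str] = None  # id of a parent risk ("child of" relationship)

def expected_impact(r: Risk) -> float:
    """Point estimate: probability times the midpoint of the impact range."""
    return r.probability * (r.impact_low + r.impact_high) / 2

def score(expected: float, budget: float) -> str:
    """Qualitative band relative to the budget at a given level, so the same
    risk can rate 'High' for a project and 'Low' for the enterprise."""
    ratio = expected / budget
    return "High" if ratio >= 0.05 else "Medium" if ratio >= 0.01 else "Low"

def leaf_risks(register: list[Risk]) -> list[Risk]:
    """Parents exist to consolidate children for shared mitigation; only
    leaves carry estimates, so nothing is counted twice."""
    parents = {r.parent for r in register if r.parent}
    return [r for r in register if r.rid not in parents]

def rollup_by_category(register: list[Risk]) -> dict[str, float]:
    """Expected exposure per global category across all units."""
    totals: dict[str, float] = {}
    for r in leaf_risks(register):
        totals[r.category] = totals.get(r.category, 0.0) + expected_impact(r)
    return totals

def simulate(register: list[Risk], trials: int = 10_000, seed: int = 7) -> dict[str, float]:
    """Monte Carlo: per trial, decide whether each leaf risk occurs and draw an
    impact from its range; the result is a loss distribution, not one number."""
    rng = random.Random(seed)
    leaves = leaf_risks(register)
    losses = []
    for _ in range(trials):
        loss = 0.0
        for r in leaves:
            if rng.random() < r.probability:
                loss += rng.uniform(r.impact_low, r.impact_high)
        losses.append(loss)
    losses.sort()
    pct = lambda p: losses[min(int(p * trials), trials - 1)]
    return {"mean": sum(losses) / trials, "p50": pct(0.5), "p90": pct(0.9), "max": losses[-1]}

# Constructed sample register; every figure below is invented for illustration.
REGISTER = [
    Risk("R1", "Key supplier insolvency", "Procurement", "Enterprise/Supply", "Supplier", 0.10, 500_000, 2_000_000),
    Risk("R2", "Cloud engineering skills shortage", "HR", "Enterprise/HR", "Workforce", 0.35, 250_000, 700_000),  # parent
    Risk("R3", "Project 1 lacks cloud engineers", "PM-1", "Enterprise/ProgramA/Project1", "Workforce", 0.40, 100_000, 300_000, parent="R2"),
    Risk("R4", "Project 2 lacks cloud engineers", "PM-2", "Enterprise/ProgramA/Project2", "Workforce", 0.30, 150_000, 400_000, parent="R2"),
    Risk("R5", "Project 1 go-live slips two months", "PM-1", "Enterprise/ProgramA/Project1", "Schedule", 0.50, 600_000, 1_000_000),
]

if __name__ == "__main__":
    r5 = REGISTER[4]  # "High" against a 2M project budget, "Low" against a 500M enterprise budget
    print("R5 local:", score(expected_impact(r5), 2_000_000), "| enterprise:", score(expected_impact(r5), 500_000_000))
    print("Exposure by category:", rollup_by_category(REGISTER))
    print("Simulated loss distribution:", simulate(REGISTER))
```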

Step 4 – Implement the mitigation strategy

The most important aspect of ERM is mitigation: carrying out appropriate actions to manage the risks. For an effective decision-making process, it’s important to define risk appetite against objectives and set a baseline. Enterprise-wide reporting makes it possible to evaluate risks holistically, helping to steer implementation decisions at the individual level, so they align with overall business goals.

Step 5 – Monitoring and reporting

Effective ERM requires continuous monitoring and regular reports. These reports not only help organizations meet regulatory or compliance requirements—they also inform how well mitigation strategies worked and help point towards opportunities for improvement.

With Predict! and SharpCloud, monitoring and reporting are centralized and standardized across your entire organization. You can:

  • Gain real-time insights into the status of different risks at all levels of the business
  • Develop a common set of reports to share internally and externally, saving time spent interpreting unfamiliar formats
  • Quickly generate interactive visualizations, including heat maps, bow-tie diagrams and dashboards that automatically update as circumstances change

For additional insight into reporting, Predict! also integrates with other business intelligence tools like Microsoft Power BI as well as Microsoft Excel and @RISK.

The main challenge for ERM: Changing organizational culture around risk

Successful ERM implementation requires a shift in the culture of an organization. Any leader knows how heavy a lift cultural change can be. When it comes to risk management, ERM champions may find themselves fighting against an attitude that risk management stifles innovation, or reluctance to change existing practices from teams that do local risk management well.

Best practices for achieving ERM success at the cultural level include:

Illustrate the need for change

Demonstrate how current practices slow down the company, cause fragmentation, or put the company at risk of failure to comply with regulations.

Bring together a diverse steering group

Achieve buy-in by gathering a cross-organizational risk leadership group of senior executives, business unit heads, and individual managers. Encourage cross-disciplinary discussions about risk and define business objectives that all levels of the team can agree to align with.

Recognize and incorporate existing processes

Most organizations have pockets of good risk management. An ERM initiative should allow good local practices to continue, provided they are in line with enterprise policy and process.

Create a single source of truth for ERM

Build a centralized risk management information hub using Predict! and SharpCloud. This streamlines monitoring and reporting—no more hours spent compiling spreadsheets from 10 different departments—and provides visibility and accountability across the enterprise.

Provide ongoing training and support

All the skills and techniques required to implement ERM can be learned and applied. From senior leaders to risk practitioners, targeted training, coaching, and clear process definition play a critical role in supporting a successful ERM rollout.

 

ERM is about connection, not just compliance

When implementing ERM practices, what ultimately drives impact is not just better analysis or better reporting, but better connection. Your organization will be well on the way to ERM success if you:

  • Create a practical enterprise risk structure, define clear ownership, and hold teams accountable.
  • Use consistent risk maps supported by localized practices that reflect how different parts of the organization perceive and manage risk.
  • Ensure decisions are visibly grounded in reliable, up-to-date risk information.

Predict! and SharpCloud work together to help you develop ERM strategies that turn insight into action. Predict! provides the structure and rigor to capture, assess, and manage risk consistently across the enterprise, while SharpCloud connects those risks to projects, controls, and strategic objectives in a shared visual model.

Together, they give leaders the context they need to see how decisions ripple across the organization—so risk information doesn’t just inform analysis, but actively guides confident, aligned decisions at scale.

Want to see how Lumivero's decision software can enhance your risk management strategy? Request a demo today.


FAQs

ERM is a coordinated, organization-wide approach to identifying, assessing, managing, and monitoring risks that could affect an organization’s objectives.

  1. Identify risks
  2. Assess and prioritize risks
  3. Develop mitigation strategies
  4. Implementation
  5. Monitoring and reporting

Traditional risk management focuses on individual risks in silos, while ERM takes a holistic, enterprise-wide view aligned with strategy.

COSO focuses on integrating risk with strategy and performance, while ISO 31000 provides flexible, principles-based guidance applicable to any organization.

A risk appetite statement defines how much risk an organization is willing to accept and guides decision-making and risk responses.

A risk register is a documented list of identified risks, including their likelihood, impact, ownership, and mitigation actions. In the context of ERM, a risk register focuses more on high-level risks, including financial, operational, and strategic risks.

ERM is typically led by the Chief Risk Officer (CRO), supported by management. Finance and internal audit can provide independent assurance to the CRO, but don’t take ownership of ERM functions.