The Four Steps of the ERM Process
August 19, 2019
An enterprise risk management (ERM) process allows institutions to identify, assess, treat, report, and monitor institutional risks. It is a repeatable process rather than steps that can be checked off with finality. A variety of tools can help build consistency and accountability into your ERM program. We recommend a few tools with each step of the ERM process below.
1. Identify Risks
Develop a list of institutional risks, meaning risks that cut across functional areas and could significantly affect the institution’s ability to achieve its mission. In most cases, a short list of fewer than 10 risks — even as few as three or four — provides a great starting point for ERM. To learn more about identifying institutional risks, read our blog post, “How to Elevate Institutional Risks.”
Tools that may help: surveys, risk register (or simply a list of identified risks).
2. Assess Risks
Analyze and prioritize the risks identified in step 1. Typically, this analysis focuses on the likelihood that each risk will occur and the severity of its impact if it does occur. By evaluating risks in this way, you can decide how to respond to each risk and how to prioritize your efforts. Assign risk owners, or the people responsible for managing a specific risk, at this stage. Every risk should have an assigned risk owner.
Tools that may help: scorecards, heat maps, prioritized risk report.
3. Treat Risks
You can treat each risk in several ways: avoiding, mitigating, transferring, exploiting, or accepting it, or using some combination of these options. For example, you could address the risk of sexual abuse by training employees on reporting requirements while transferring the financial risk through insurance coverage. The result is a treatment or mitigation plan that your school commits to implement.
Tools that may help: treatment plans, mitigation plans, risk reports.
4. Report and Monitor Risks
On a regular cadence, you should report your progress to the board and share your future goals. Consider creating a short overview report including all top risks for your board, president, or head of school, and separate, more detailed, operational reports on each institutional risk for each colleague participating in ERM to track progress, maintain accountability, and manage next steps.
Regular reporting also allows you to continually evaluate your program. You should assess how the environment has changed and whether risk treatments work as expected. You may need to refine your approach to steps 1 through 3.
Tools that may help: risk reports, emerging risk registers.