HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Free Professional Tool — COSO ERM 2017

Enterprise Risk Management
Assessment & Implementation Tool

Assess and implement the COSO 2017 Enterprise Risk Management — Integrating with Strategy and Performance framework. All 5 components and 20 principles with maturity ratings, assessment questions, evidence checklists, implementation guidance, and a prioritised action plan.

5Components
20Principles
5Maturity Levels
3Tool Modes
0 / 20 rated
Maturity: Initial Developing Defined Managed Optimising

ERM Components

GC

Governance & Culture

The board of directors is responsible for oversight of enterprise risk management. The board must be knowledgeable about the content and operation of the risk management program, exercise reasonable oversight, approve the risk appetite, and ensure sufficient resources and authority exist to manage risk effectively.

P1 Exercises Board Risk Oversight
The board of directors is responsible for oversight of enterprise risk management. The board must be knowledgeable about the content and operation of the risk management program, exercise reasonable oversight, approve the risk appetite, and ensure sufficient resources and authority exist to manage risk effectively.
Key Characteristics
Require the board to oversee risk management including approval of the risk appetite and ERM charter
Ensure the board is knowledgeable of and demonstrates active oversight (regular board agenda items, monitors risk metrics)
Require that the board includes members who possess relevant risk expertise
Document evidence of board oversight in board and committee meeting minutes
Provide input or approve appointment and dismissal of the Chief Risk Officer (CRO)
Ensure that sufficient resources are provided for the ERM programme
Receive regular reports from the CRO and management on risk profile and emerging risks
Ensure the board is informed about material risk events and remediation efforts
Assessment Questions
Does the board have a formally defined role in ERM oversight documented in its charter or mandate?
Does the board review and approve the organisation's risk appetite at least annually?
Are risk management updates a standing item on the board agenda?
Does the board possess members with relevant risk management expertise?
Are private sessions held between the board and the CRO or risk function?
Does the board review the results of the ERM programme including the risk register and emerging risks?
Has the board approved adequate resources and budget for the ERM function?
Evidence to Gather
Board and audit/risk committee charters showing ERM oversight responsibilities
Board meeting minutes demonstrating active risk discussions
Risk appetite statement approved by the board
Board skills matrix showing risk expertise
Risk management reports presented to the board
ERM programme budget approved by the board
Records of board private sessions with risk function
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Establish a board risk committee or assign ERM oversight to the audit committee with a formal charter
2Develop a risk appetite statement and present it to the board for annual review and approval
3Include a risk dashboard as a standing agenda item at every board meeting
4Ensure the CRO or equivalent has direct access to the board without management filtering
5Conduct a board skills assessment to identify risk expertise gaps and address through recruitment or training
6Present the annual ERM self-assessment results to the board for review and challenge
Common Deficiencies
Board receives risk management updates but does not challenge or question management's risk assessments
No formal risk appetite statement exists — board oversight is reactive rather than strategic
Risk expertise is absent from the board — directors cannot meaningfully evaluate the risk programme
ERM updates are infrequent and superficial — no depth of discussion at board level
ERM Maturity Descriptors
LevelCharacteristics
InitialBoard has minimal awareness of ERM. No formal oversight structure.
DevelopingBoard receives occasional risk reports but oversight is passive and informal.
DefinedBoard has formal ERM oversight role; risk appetite approved; regular reporting.
ManagedBoard actively challenges risk assessments; private sessions with CRO; risk expertise present.
OptimisingBoard drives risk culture; ERM embedded in strategic decision-making; proactive oversight.
P2 Establishes Operating Structures
Management establishes operating structures in pursuit of objectives. The risk function should be led by a suitably positioned leader with practical authority, resources, and tools. It should be functionally independent, operate under a board-approved charter, and have documented policies and procedures governing risk management decision-making.
Key Characteristics
Maintain independence of the Chief Risk Officer (CRO) and the risk management function
Ensure the CRO directly reports to and regularly communicates with the board
Ensure the CRO and ERM programme have sufficient stature relative to other functional leaders
Grant sufficient authority to the CRO to manage the programme effectively
Provide sufficient resources (budget, headcount, technology) for the ERM programme
Address ERM programme oversight in a formal charter approved by the board
Document policies and procedures specific to the operation of the ERM programme
Establish escalation protocols for significant risk events
Assessment Questions
Is there a designated Chief Risk Officer or equivalent with formal ERM responsibility?
Is the ERM function structurally positioned to be independent and effective?
Does the CRO have direct access to the board/risk committee?
Is there a board-approved ERM charter or policy framework?
Are ERM roles and responsibilities formally documented across the three lines?
Does the ERM function have adequate resources — staff, budget, and technology?
Are escalation procedures documented for significant risk events?
Evidence to Gather
Organisational chart showing CRO/risk function positioning and reporting lines
ERM charter or mandate approved by the board
ERM budget and staffing plan
Three lines model or RACI chart for risk management
Escalation policy for significant risk events
Risk committee terms of reference
CRO job description and qualifications
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Appoint a Chief Risk Officer or designate a senior leader with formal ERM responsibility
2Develop and obtain board approval for an ERM charter defining scope, authority, and responsibilities
3Map ERM roles and responsibilities across all three lines — first (business), second (risk), and third (internal audit)
4Establish risk committees at entity and business unit level with documented terms of reference
5Develop escalation protocols defining what constitutes a significant risk event and the required reporting path
6Ensure the ERM budget is approved by the board and is adequate for the organisation's risk profile
Common Deficiencies
ERM function is positioned within Finance or Legal — lacks independence and strategic stature
No ERM charter — risk management operates without formal authority or mandate
Three lines of defence are poorly defined — risk responsibilities overlap or are unclear
CRO does not have direct board access — risk information is filtered through management
ERM Maturity Descriptors
LevelCharacteristics
InitialNo formal ERM structure. Risk management is ad hoc and uncoordinated.
DevelopingSome risk roles exist but lack formal authority, charter, or board-level positioning.
DefinedFormal ERM structure with board-approved charter; CRO appointed; three lines defined.
ManagedCRO has direct board access; adequate resources; escalation protocols operating.
OptimisingERM structure is best-in-class; risk function is a strategic partner to the board.
P3 Defines Desired Culture
The organisation defines the desired behaviours that characterise its risk culture. Culture begins with a sincere commitment to risk awareness and ethical conduct at the leadership level, cascaded throughout the organisation through tone, communication, training, and meaningful performance metrics that embed risk accountability.
Key Characteristics
Ensure the board approves a code of conduct and key risk-related policies
Articulate risk culture expectations through a code of conduct and leadership communications
Provide mandatory training on risk awareness and ethical decision-making for all staff
Perform ongoing monitoring or assessment of organisational risk culture
Develop objectively measurable risk metrics tied to performance evaluations
Adopt meaningful incentives to promote consistent risk management behaviour
Include references to organisational values and risk expectations in leadership communications
Assessment Questions
Is the organisation's desired risk culture formally defined and communicated?
Does the code of conduct address risk awareness expectations and risk management responsibilities?
Is risk culture assessed or monitored on a periodic basis (surveys, indicators)?
Are risk management behaviours incorporated into performance evaluations and incentive structures?
Does senior leadership visibly model and communicate the desired risk culture?
Are employees encouraged and able to raise risk concerns without fear of retaliation?
Is there a speak-up culture — do employees proactively escalate emerging risks?
Evidence to Gather
Code of conduct with risk culture provisions
Risk culture survey results and trend analysis
Leadership communications on risk culture and values
Performance evaluation criteria including risk management behaviour
Training completion records for risk awareness programmes
Whistleblower/speak-up mechanism and usage statistics
Risk culture indicators tracked by management and reported to the board
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Define the organisation's desired risk culture in a risk culture statement endorsed by the board
2Incorporate risk culture assessment into annual employee surveys — track trends over time
3Embed risk management behaviour criteria into performance reviews for all staff, especially management
4Conduct annual risk awareness training with scenario-based content relevant to each function
5Establish a confidential speak-up mechanism and visibly protect those who raise risk concerns
6Ensure senior leaders visibly reinforce risk culture through their communications and decisions
Common Deficiencies
Risk culture is assumed rather than defined — no formal articulation of expected behaviours
Risk management is seen as a compliance exercise — not embedded in daily decision-making
Performance incentives reward short-term results at the expense of sound risk management
Employees do not feel safe raising risk concerns — speak-up culture is absent
ERM Maturity Descriptors
LevelCharacteristics
InitialNo defined risk culture. Risk awareness is absent or inconsistent.
DevelopingSome risk culture messaging but not embedded in performance or incentives.
DefinedFormal risk culture statement; training; speak-up mechanism; culture monitoring.
ManagedRisk culture metrics tracked; incentives aligned; board receives culture reports.
OptimisingRisk culture is a competitive strength; proactive risk awareness at all levels.
P4 Demonstrates Commitment to Core Values
The organisation demonstrates commitment to its core values through actions, not just words. The tone set by senior leadership cascades through every layer of the organisation. Individuals are held accountable for risk management responsibilities, and wrongdoing is addressed with consistent disciplinary action regardless of seniority.
Key Characteristics
Actively promote a culture of risk awareness through consistent leadership tone and behaviour
Balance business performance incentives with meaningful risk management incentives
Incorporate accountability for risk management into performance measurement and promotions
Protect those who report risk concerns or suspected misconduct — zero tolerance for retaliation
Take allegations of misconduct seriously and investigate in a timely, thorough manner
Promote organisational justice — fairness and consistency in accountability and discipline
Communicate lessons learned from risk events and failures across the organisation
Assessment Questions
Does senior leadership consistently demonstrate commitment to risk management through observable actions?
Is there zero tolerance for retaliation against individuals who raise risk concerns?
Are incentive structures balanced — do they reward risk management alongside performance?
Are individuals held accountable for risk management failures regardless of seniority?
Are lessons learned from significant risk events formally captured and communicated?
Are allegations of risk misconduct investigated promptly and consistently?
Does the organisation have a documented investigation protocol for risk and ethics concerns?
Evidence to Gather
Leadership communications demonstrating risk management commitment
Incentive structure documentation — balance between performance and risk objectives
Disciplinary records for risk management failures (anonymised)
Lessons learned reports from significant risk events
Investigation protocol and records of investigation outcomes
Speak-up/whistleblower channel statistics — reports received, investigated, and resolved
Evidence of retaliation prevention — no confirmed retaliation cases
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Review incentive structures to ensure they balance business performance with risk management accountability
2Establish a formal investigation protocol for allegations of risk misconduct — consistent regardless of seniority
3Develop a lessons-learned process that captures root causes from significant risk events and distributes findings
4Communicate senior leadership's personal commitment to risk management through regular, substantive communications
5Ensure the speak-up mechanism is visibly promoted and that non-retaliation is enforced with visible consequence
6Include risk management accountability in promotion decisions and succession planning criteria
Common Deficiencies
Senior management says the right things but makes decisions that contradict stated risk values
Incentive structures heavily weight financial performance with minimal risk management criteria
Risk failures by senior leaders are not addressed — double standard undermines credibility
Lessons learned from risk events are documented but not distributed or acted upon
ERM Maturity Descriptors
LevelCharacteristics
InitialCore values exist on paper but are not reflected in management behaviour.
DevelopingSome commitment to values but accountability is inconsistent.
DefinedFormal accountability structure; investigation protocol; lessons learned process.
ManagedConsistent enforcement; balanced incentives; zero tolerance for retaliation enforced.
OptimisingValues drive strategic decisions; ethical leadership is a differentiator.
P5 Attracts, Develops and Retains Capable Individuals
The organisation demonstrates commitment to attracting, developing, and retaining capable individuals who can manage risk effectively. This includes appropriate qualifications for risk roles, risk-focused hiring practices, performance development aligned to risk competencies, and risk-based due diligence on third parties.
Key Characteristics
Hire and retain a CRO with appropriate experience and qualifications to lead the ERM programme
Staff the risk function with individuals who possess relevant risk expertise
Perform background checks appropriate to the risk level associated with each position
Consider execution of risk management responsibilities in performance evaluations
Tailor risk training based on the risks encountered in specific roles
Develop and retain individuals — succession planning for key risk roles
Perform risk-based due diligence on third parties with significant risk exposure
Assessment Questions
Are risk function roles staffed with individuals possessing the required risk competencies?
Is risk management capability included as a criterion in hiring decisions for relevant roles?
Are background checks performed appropriate to the risk level of each position?
Is there a succession plan for the CRO and other key risk roles?
Are individuals' risk management competencies assessed in performance reviews?
Is risk-specific training provided tailored to each function's risk exposure?
Is risk-based due diligence performed on third parties — suppliers, agents, outsourcing partners?
Evidence to Gather
Risk function staffing plan and competency requirements
CRO and risk staff qualifications and certification records
Succession plan for key risk roles
Performance evaluation criteria for risk competencies
Risk training plan and completion records by role/function
Third-party risk due diligence records and assessments
Background check policy and evidence of application
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a competency framework for all risk management roles including required qualifications and experience
2Implement risk-specific onboarding training tailored to each function's risk responsibilities
3Conduct annual training needs assessments for risk management capability across the organisation
4Establish succession plans for the CRO and all senior risk management positions
5Develop a third-party risk management programme including risk-tiered due diligence procedures
6Include risk management competency in hiring criteria for all roles with significant risk responsibilities
Common Deficiencies
Risk function is understaffed or staffed with individuals who lack relevant risk expertise
No succession plan for the CRO — creates single point of failure for the ERM programme
Risk training is generic rather than tailored to the specific risk exposures of each role
Third-party due diligence is minimal — significant risk from agents and outsourcing partners unaddressed
ERM Maturity Descriptors
LevelCharacteristics
InitialNo formal competency requirements for risk roles. Capabilities are ad hoc.
DevelopingSome risk qualifications required but training and succession are undeveloped.
DefinedCompetency framework; risk training plan; basic succession planning.
ManagedTalent strategy linked to risk objectives; third-party due diligence programme.
OptimisingRisk expertise embedded organisation-wide; third-party risk fully integrated.
SO

Strategy & Objective-Setting

The organisation considers the potential effects of business context on its risk profile. Context includes internal drivers (people, process, technology, culture) and external drivers (regulatory, economic, competitive, environmental) that can create, change, or eliminate risks. The risk function must be involved in strategy-setting to anticipate and manage contextual risk drivers.

P6 Analyses Business Context
The organisation considers the potential effects of business context on its risk profile. Context includes internal drivers (people, process, technology, culture) and external drivers (regulatory, economic, competitive, environmental) that can create, change, or eliminate risks. The risk function must be involved in strategy-setting to anticipate and manage contextual risk drivers.
Key Characteristics
Consider and reflect organisational strategy in performing risk assessments
Assess how risks are affected by internal changes — people, structures, processes, technology
Evaluate effects of external factors — competitive, economic, regulatory, political, social forces
Identify and consider risk interdependencies in the development of strategy
Give consideration to cultural and regional differences in risk frameworks
Involve the risk function in strategy discussions — CCO/CRO has a seat at the table
Monitor changes in the business environment that may shift the risk profile
Assessment Questions
Is the risk function involved in strategy-setting discussions?
Does the risk assessment process consider both internal and external contextual drivers?
Is there a process to identify how strategic shifts affect the risk profile?
Are risk interdependencies — how one risk affects another — formally considered?
Are geopolitical, regulatory, and macroeconomic factors systematically monitored?
Is the risk assessment updated when significant internal changes occur (restructuring, acquisitions, systems)?
Are cross-border or multi-jurisdictional risk differences addressed in the risk framework?
Evidence to Gather
Records of risk function participation in strategy-setting discussions
Environmental scan or PESTLE analysis used in risk assessment
Risk interdependency analysis in the risk register
Internal change management process showing risk trigger points
Risk register updates following strategic or operational changes
External risk monitoring reports (regulatory changes, economic analysis)
Board/management discussion records on strategic risk
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Formally include the CRO in the strategy development process — risk input before decisions are finalised
2Conduct an annual environmental scan (PESTLE analysis) as input to the risk assessment
3Map risk interdependencies in the risk register — identify risks that are correlated or causally linked
4Develop a process trigger that initiates a risk assessment update when significant changes occur
5Monitor regulatory and legal developments in all relevant jurisdictions on a continuous basis
6Present a strategic risk report to the board annually showing how strategy and risk profile interact
Common Deficiencies
Risk function is consulted after strategic decisions are made — too late to shape risk management
Risk assessment is annual and static — not updated when significant internal or external changes occur
Risk interdependencies are not mapped — risk is managed in silos
External context is poorly monitored — emerging risks are not identified until they materialise
ERM Maturity Descriptors
LevelCharacteristics
InitialNo systematic analysis of business context. Risk is assessed in isolation.
DevelopingSome environmental monitoring but not systematically integrated into risk assessment.
DefinedFormal environmental scan; risk function involved in strategy; interdependencies mapped.
ManagedDynamic context monitoring; risk updates triggered by strategic changes; board reporting.
OptimisingReal-time context monitoring; risk anticipates strategic shifts before they occur.
P7 Defines Risk Appetite
The organisation defines its risk appetite — the types and amount of risk, on a broad level, it is willing to accept in pursuit of value. Risk appetite must consider the organisation's strategy, risk profile, and culture. It should be discussed regularly by the board and management and updated as risk context changes.
Key Characteristics
Consider the full range of risks in determining overall risk appetite
Consider risk by type, business unit/function, and geography/location
Determine and evaluate the relationships between specific risks and the achievement of business objectives
Discuss risk appetite on a regular basis and update when risk context changes
Consider developing specific risk-centric appetite statements for key risk categories
Align risk tolerance (acceptable variation) with risk appetite for each objective
Use risk appetite to prioritise resource allocation across risk responses
Assessment Questions
Is there a formally documented and board-approved risk appetite statement?
Does the risk appetite statement address multiple risk types and dimensions?
Is risk appetite translated into operational risk tolerances for business units?
Is the risk appetite reviewed and updated at least annually?
Are risk appetite thresholds used to trigger escalation when exceeded?
Is the risk appetite communicated to all levels of management who make risk decisions?
Does the organisation have risk-centric appetite statements for key risk categories (financial, operational, regulatory)?
Evidence to Gather
Board-approved risk appetite statement
Risk tolerance thresholds by risk type and business unit
Risk appetite communication records — how it was cascaded
Records of risk appetite threshold breaches and escalation
Minutes of risk appetite discussions at board and senior management level
Risk-centric appetite statements for key risk categories
Risk appetite review and update history
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk appetite statement covering qualitative and quantitative dimensions across key risk types
2Translate the risk appetite statement into specific risk tolerance thresholds for each business unit
3Communicate risk appetite in practical operational terms — what it means for day-to-day decisions
4Review risk appetite at every board strategy session and when significant changes occur
5Implement an escalation trigger when risk exposure approaches or exceeds appetite
6Ensure the risk appetite statement is aligned with the organisation's strategic objectives
Common Deficiencies
Risk appetite statement is aspirational and vague — cannot be operationalised at business unit level
Risk appetite is approved but not communicated to operational managers who make risk decisions
Risk tolerance thresholds are absent — no mechanism to trigger escalation when appetite is exceeded
Risk appetite is not reviewed when strategy or risk profile changes significantly
ERM Maturity Descriptors
LevelCharacteristics
InitialNo risk appetite defined. Risk decisions are made without a reference framework.
DevelopingA risk appetite statement exists but is vague and not operationalised.
DefinedBoard-approved risk appetite; tolerance thresholds; communicated to management.
ManagedRisk appetite drives resource allocation; escalation triggers in place; regularly reviewed.
OptimisingDynamic risk appetite linked to strategy; real-time monitoring of appetite utilisation.
P8 Evaluates Alternative Strategies
The risk function should be involved in evaluating alternative strategies from the standpoint of understanding risk implications and advising decision-makers. Strategy selection should incorporate risk-adjusted analysis. Mergers, acquisitions, and other major strategic decisions require risk-based due diligence before commitment.
Key Characteristics
Ensure the CRO/risk function has a seat at the table in discussions of strategic alternatives
Solicit risk input and insight before strategic decisions are finalised
Perform risk-based due diligence on merger and acquisition targets before transaction execution
Consider compliance and risk implications of strategic decisions in designing risk responses
Adjust risk management approaches when strategy changes — risk responses must evolve with strategy
Assess how each strategic alternative affects the overall risk profile relative to risk appetite
Document the risk analysis supporting major strategic decisions
Assessment Questions
Is the risk function formally involved in evaluating major strategic alternatives?
Are risk implications considered alongside financial and operational factors in strategy decisions?
Is there a formal due diligence process for mergers, acquisitions, and major partnerships?
Is the risk management programme updated when strategy changes significantly?
Are strategic risk analyses documented and presented to the board?
Are risk-adjusted financial models used in evaluating strategic options?
Is the risk appetite considered when selecting between strategic alternatives?
Evidence to Gather
Records of CRO/risk function participation in strategy review discussions
Risk analyses for major strategic decisions (board papers, strategy documents)
M&A or partnership due diligence reports with risk assessments
Risk programme updates following strategic changes
Board papers showing risk-adjusted analysis of strategic alternatives
Strategy approval documents referencing risk assessment findings
Post-implementation risk reviews of major strategic initiatives
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a strategic risk assessment framework that evaluates each alternative against the risk appetite
2Require a formal risk opinion from the CRO for all major strategic decisions above a defined threshold
3Establish a due diligence protocol for M&A and major partnerships covering risk assessment requirements
4Require the risk programme to be reviewed and updated within 90 days of any significant strategic change
5Include risk-adjusted scenario analysis in board strategy papers
6Conduct post-decision reviews of major strategic choices to assess whether risk management was effective
Common Deficiencies
Risk function is not involved in strategy discussions — risk implications only surface after decisions are made
M&A due diligence is financially focused — risk and compliance considerations are superficial
The risk programme is not updated when strategy changes — risk management becomes misaligned
Strategic decisions are not evaluated against the risk appetite — alignment is assumed rather than verified
ERM Maturity Descriptors
LevelCharacteristics
InitialRisk not considered in strategy evaluation. No due diligence process.
DevelopingSome risk input to strategy but ad hoc — not systematic or mandated.
DefinedRisk function formally involved; due diligence protocol; strategic risk analysis documented.
ManagedRisk-adjusted strategy evaluation; risk appetite drives strategy selection; programme updated.
OptimisingRisk is central to strategic planning; risk-adjusted decisions are standard practice.
P9 Formulates Business Objectives
Business objectives must be formulated with risk in mind. Risk implications of objectives and performance metrics must be considered to ensure incentives do not inadvertently promote risk-taking that conflicts with risk appetite. Compliance with applicable requirements should itself be a stated business objective where not addressed by other objectives.
Key Characteristics
Identify and evaluate risks associated with planned business objectives before finalising them
Consider establishing risk management and compliance as explicit business objectives
Incorporate risk management accountability into performance measures and evaluations
Consider interactions between risks when business objectives change
Include objectively measured risk metrics within business objectives
Ensure performance incentives do not create pressure to violate risk appetite
Align objective-setting with the organisation's risk appetite and strategic risk profile
Assessment Questions
Are risks associated with each business objective formally identified and assessed?
Is risk management explicitly included as a business objective at the entity or department level?
Are performance metrics reviewed to ensure they do not create unintended risk-taking incentives?
Is the risk function consulted before business objectives are finalised?
Are measurable risk KPIs included in business scorecards alongside financial KPIs?
Are objective changes subjected to a risk impact assessment?
Does the incentive structure balance performance targets with risk management accountability?
Evidence to Gather
Business objective-setting process documentation showing risk function involvement
Risk assessments linked to specific business objectives
Performance scorecards showing risk KPIs alongside financial and operational KPIs
Incentive structure review documenting risk-performance balance
Minutes of risk function consultation on business objective-setting
Risk impact assessments for changes to objectives
Risk appetite alignment analysis for business unit objectives
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Add risk management as an explicit objective in all business unit annual plans
2Require the risk function to review all business objectives before approval — flag risk-appetite conflicts
3Develop objective-linked risk KPIs for each business unit included in scorecards
4Conduct an annual incentive structure review to identify and remove unintended risk-taking incentives
5Create a risk impact assessment process for any change to business objectives above a defined threshold
6Ensure incentive and compensation structures include meaningful risk management weighting
Common Deficiencies
Business objectives are set without risk input — risk implications identified too late
Performance metrics create pressure to take risks beyond appetite — short-term targets override risk discipline
Risk management is not included as a business objective — it remains a back-office compliance function
No risk KPIs in business scorecards — risk management performance is invisible to management
ERM Maturity Descriptors
LevelCharacteristics
InitialNo linkage between business objectives and risk. Objectives set without risk input.
DevelopingSome risk consideration in objective-setting but not systematic.
DefinedRisk function consulted; risk KPIs in scorecards; incentives reviewed.
ManagedRisk-adjusted objectives; appetite-aligned incentives; objective changes trigger risk review.
OptimisingRisk and performance objectives fully integrated; dynamic risk KPI management.
PE

Performance

The organisation identifies risks to the achievement of its objectives across the entity. Risk identification should be systematic, comprehensive, and continuous — not limited to a single annual exercise. It should cover the full range of risk types including strategic, operational, financial, compliance, and reputational risks, as well as emerging risks.

P10 Identifies Risk
The organisation identifies risks to the achievement of its objectives across the entity. Risk identification should be systematic, comprehensive, and continuous — not limited to a single annual exercise. It should cover the full range of risk types including strategic, operational, financial, compliance, and reputational risks, as well as emerging risks.
Key Characteristics
Conduct a systematic risk identification process covering all organisational levels and risk types
Use multiple techniques — workshops, interviews, scenario analysis, data analytics
Consider emerging risks — new technologies, regulatory changes, competitive threats
Identify risk at entity, division, business unit, and process levels
Include both internally generated and externally driven risks
Integrate risk identification with the strategic planning and objective-setting process
Assign preliminary risk ownership during the identification process
Assessment Questions
Is there a formal, systematic risk identification process covering all levels of the organisation?
Does the risk identification process cover all relevant risk categories — strategic, operational, financial, compliance?
Are multiple identification techniques used including interviews, workshops, and data analysis?
Is there a process to identify emerging risks before they materialise?
Is risk identification integrated into strategic planning and objective-setting?
Are risk owners assigned during the identification process?
Is the risk register updated outside the annual cycle to capture newly identified risks?
Evidence to Gather
Risk identification methodology documentation
Risk register with full inventory of identified risks across all categories
Workshop or interview records from risk identification exercises
Emerging risk monitoring reports or watchlist
Risk identification coverage map — entity, division, and process level
Mid-year risk register updates
Horizon scanning or scenario analysis outputs
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk identification methodology combining top-down (strategic) and bottom-up (operational) approaches
2Conduct quarterly risk identification updates — not just annual — to capture emerging risks
3Establish an emerging risk watchlist maintained by the risk function with board visibility
4Use structured facilitation techniques (bow-tie analysis, scenario planning) to identify non-obvious risks
5Build risk identification into the business planning cycle so risk and strategy are aligned from the start
6Leverage data analytics to identify risk signals from operational and financial data
Common Deficiencies
Risk identification is an annual exercise only — risks emerging mid-year are not captured
Risk identification is siloed — business units identify risks independently with no cross-functional view
Emerging risks are not systematically monitored — the organisation is consistently surprised
Risk identification relies on interviews and workshops only — data-driven identification is absent
ERM Maturity Descriptors
LevelCharacteristics
InitialNo systematic risk identification. Risk universe is unknown.
DevelopingAnnual risk identification exercise; basic risk register; limited coverage.
DefinedFormal methodology; full risk inventory; multiple techniques; emerging risks monitored.
ManagedContinuous identification; data-driven; emerging risk watchlist; cross-functional view.
OptimisingReal-time risk sensing; AI-assisted identification; fully integrated with strategy.
P11 Assesses Severity of Risk
The organisation assesses the severity of identified risks to enable prioritisation and resource allocation. Severity is assessed on the basis of likelihood and impact, using a consistent, uniform methodology. Both inherent risk (without controls) and residual risk (after controls) should be assessed, with control effectiveness explicitly considered.
Key Characteristics
Adopt a uniform scale and scoring system for measuring severity of risk
Consider both qualitative and quantitative measures of likelihood and impact
Establish criteria to assess impact across multiple dimensions — financial, reputational, operational, regulatory
Assess severity of risk at different organisational levels
Consider the design and operating effectiveness of existing controls in the residual risk assessment
Minimise subjectivity and bias — use multidisciplinary teams; avoid self-assessments where possible
Document risk assessment rationale and assumptions for transparency and challenge
Assessment Questions
Is there a documented, consistent risk assessment methodology with defined scales?
Does the methodology assess both inherent risk and residual risk?
Are impact dimensions clearly defined — financial, reputational, operational, regulatory?
Is control effectiveness explicitly considered in the residual risk assessment?
Are risks assessed at multiple levels — entity, division, and process?
Are quantitative risk measures used where data is available?
Are risk assessments challenged by independent parties to reduce management bias?
Evidence to Gather
Risk assessment methodology and rating scale documentation
Risk register showing inherent risk, control rating, and residual risk for each risk
Risk and control matrix linking risks to controls
Multi-dimensional impact criteria definitions
Records of independent challenge or validation of risk assessments
Quantitative risk models where applicable
Risk assessment calibration exercises or benchmarking data
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a documented risk assessment methodology with defined 5-point scales for likelihood and impact
2Define impact criteria across all relevant dimensions — financial, operational, reputational, regulatory, HSE
3Require residual risk assessment separately from inherent risk — control effectiveness must be considered
4Build a risk and control matrix linking each risk to the specific controls designed to mitigate it
5Use multidisciplinary assessment teams to reduce individual bias — independent challenge is essential
6Introduce quantitative risk models for the most significant risks where data supports this
Common Deficiencies
Inherent and residual risk are conflated — control effectiveness is not separately assessed
Impact is assessed on financial dimensions only — reputational and regulatory impacts are ignored
Self-assessments by risk owners are not challenged — assessments are optimistic
Rating scales are undefined — assessments are not comparable across different business units
ERM Maturity Descriptors
LevelCharacteristics
InitialNo consistent methodology. Risk severity is subjective and undocumented.
DevelopingBasic likelihood/impact matrix; inconsistent application; no residual risk assessment.
DefinedFormal methodology; inherent and residual risk; multi-dimensional impact; control linkage.
ManagedQuantitative models for key risks; independent challenge; control effectiveness measured.
OptimisingSophisticated quantitative modelling; dynamic assessments; real-time risk indicators.
P12 Prioritises Risks
Risk prioritisation enables the organisation to focus resources on the risks that matter most. Risks are prioritised by severity relative to risk appetite, and other factors such as velocity, persistence, and recovery time may also be considered. Risk prioritisation should drive risk response planning and resource allocation.
Key Characteristics
Prioritise risks based on assessed severity relative to the organisation's risk appetite
Use objective, transparent scoring criteria — avoid political influence on prioritisation
Consider additional prioritisation factors — velocity, persistence, recovery time, interdependencies
Develop risk-based action plans for the highest-priority risks
Align resource allocation to risk prioritisation — most resources to highest risks
Communicate risk priorities to the board and senior management
Review and update risk priorities when significant changes occur
Assessment Questions
Is there a formal risk prioritisation process that ranks risks by severity and appetite alignment?
Does the prioritisation consider factors beyond likelihood and impact — velocity, persistence?
Are the highest-priority risks the focus of most active risk management attention and resources?
Is the risk register presented to management and the board in priority order?
Are risk priorities updated when significant new risks are identified or when context changes?
Is there a defined threshold above which risks are escalated to the board?
Does resource allocation reflect risk priorities?
Evidence to Gather
Risk prioritisation methodology documentation
Risk register in priority order with appetite alignment indicators
Resource allocation plan showing alignment to risk priorities
Risk heat map or risk matrix
Board risk reports showing top risks and their status
Records of risk priority updates following significant changes
Escalation thresholds and records of escalated risks
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a transparent risk scoring and prioritisation process with defined criteria beyond likelihood/impact
2Build a risk heat map that visually shows the relationship between risk severity and risk appetite
3Require resource allocation proposals to demonstrate alignment with risk priorities
4Define escalation thresholds — risks above the line require mandatory board reporting
5Conduct a quarterly top-risk review at senior management level
6Update risk priorities within 30 days of a significant risk event or contextual change
Common Deficiencies
All risks are treated equally — no differentiation between critical and minor risks
Risk prioritisation is influenced by internal politics — high-risk areas owned by influential leaders are downgraded
Resource allocation does not reflect risk priorities — budget goes to operational preference, not risk need
Risk priorities are not reviewed between annual cycles — the risk register becomes stale
ERM Maturity Descriptors
LevelCharacteristics
InitialNo formal prioritisation. All risks treated with similar attention.
DevelopingBasic ranking by likelihood/impact; no appetite alignment; static prioritisation.
DefinedFormal prioritisation; appetite-aligned; risk heat map; priority-driven resource allocation.
ManagedMulti-factor prioritisation; quarterly reviews; escalation thresholds; board reporting.
OptimisingDynamic prioritisation; real-time risk ranking; fully integrated with strategic planning.
P13 Implements Risk Responses
Risk responses are designed and implemented to manage risk to within the organisation's risk appetite. Responses include avoiding, reducing, sharing, or accepting risk. Each response must address root causes, assign clear accountability, have defined timelines, and be monitored for effectiveness. Follow-up confirms responses have been properly implemented.
Key Characteristics
Select and implement risk responses appropriate to the assessed risk level and risk appetite
Design responses that address root causes — not just symptoms
Assign accountability for each risk response with defined timelines
Consider potential effects of risk responses on other risks — avoid unintended consequences
Follow up to confirm risk responses have been properly implemented as designed
Include risk responses in monitoring and auditing plans
Blend preventive and detective controls in the response design
Assessment Questions
Is there a documented risk response for every risk above the risk appetite threshold?
Do risk responses address the root causes of the risks rather than just their symptoms?
Is accountability for each risk response assigned to a named individual with a target date?
Are risk response interactions — how one response affects another — considered?
Are risk responses followed up to verify they have been implemented as designed?
Is the effectiveness of risk responses measured after implementation?
Are monitoring and auditing activities planned around the highest-priority risk responses?
Evidence to Gather
Risk response register showing response type, owner, timeline, and status for each risk
Root cause analysis documentation for significant risks
Risk response implementation verification records
Risk response effectiveness measurement data
Internal audit or monitoring plan aligned to significant risk responses
Risk response interaction analysis
Post-implementation reviews of significant risk responses
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk response register linked to the risk register — every risk above appetite has a documented response
2Require root cause analysis before designing responses to significant risks — treat causes, not symptoms
3Assign each risk response to a named owner with a specific target completion date
4Include risk response implementation verification in the internal audit and monitoring plan
5Conduct post-implementation effectiveness reviews for all significant risk responses
6Map risk response interactions to identify potential conflicts or unintended consequences
Common Deficiencies
Risk responses are documented but not implemented — follow-up verification is absent
Responses treat symptoms rather than root causes — risks recur despite formal responses
No accountability for risk responses — no named owner and no timeline
Risk response effectiveness is not measured — it is assumed to be sufficient without evidence
ERM Maturity Descriptors
LevelCharacteristics
InitialRisk responses are ad hoc and undocumented. No accountability.
DevelopingSome risk responses documented but ownership and timelines are unclear.
DefinedFormal response register; root cause analysis; named owners; implementation follow-up.
ManagedResponse effectiveness measured; monitoring plans aligned; interaction analysis.
OptimisingDynamic response management; continuous effectiveness monitoring; rapid adaptation.
P14 Develops Portfolio View
The organisation develops a portfolio view of risk — considering how risks interrelate and how the aggregate risk profile looks from an entity-wide perspective. Individual risks that appear minor in isolation may be significant when combined. Risk management must go beyond siloed management of individual risks to consider the organisation's overall risk exposure.
Key Characteristics
Consider risk interactions — how mitigating one risk can create or affect other risks
Consider interactions of risk responses with other risk responses
Integrate risk management into ERM — not managed in functional silos
Maintain regular communication between the risk function and all business units
Assess how risks consolidate across the organisation — bottom-up vs. entity-level view
Present an entity-level portfolio view to senior management and the board
Consider risk concentrations — excessive exposure to a single risk type or source
Assessment Questions
Is there a portfolio-level view of the organisation's overall risk exposure?
Are risk interdependencies and correlations formally considered and documented?
Is the risk function actively coordinating with all business units to avoid siloed risk management?
Is the aggregate risk profile — across all risk types — presented to the board?
Are risk concentrations identified and monitored?
Are risk response interactions analysed to avoid conflicts or unintended consequences?
Is ERM integrated with strategic planning at the entity level?
Evidence to Gather
Entity-level risk portfolio report presented to the board
Risk interdependency and correlation analysis
Risk concentration analysis by risk type, business unit, or geography
Records of cross-functional risk coordination meetings
Risk portfolio presented in board reporting
Risk aggregation methodology documentation
Integration evidence — risk portfolio linked to strategic plan
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop an entity-level risk portfolio dashboard that aggregates risks from all business units and functions
2Conduct regular cross-functional risk forums to identify interdependencies and avoid siloed management
3Build a risk correlation analysis into the risk assessment process for significant risk categories
4Present the entity-level risk portfolio to the board at least quarterly
5Identify risk concentrations and ensure they are within the board-approved risk appetite
6Integrate the risk portfolio view with the strategic planning process — risk should inform strategy
Common Deficiencies
Risk is managed in silos — business units manage their risks independently with no entity-level view
Risk portfolio is not presented to the board — the board only sees individual risk reports
Risk interdependencies are not considered — a response to one risk creates new exposures elsewhere
Risk concentrations are unidentified — the organisation has unknown clusters of correlated risk
ERM Maturity Descriptors
LevelCharacteristics
InitialNo portfolio view. Risks managed in functional silos with no aggregation.
DevelopingSome aggregation exists but entity-level portfolio is incomplete.
DefinedEntity-level portfolio view; interdependencies mapped; presented to board.
ManagedRisk concentration analysis; cross-functional forums; portfolio linked to strategy.
OptimisingReal-time portfolio view; dynamic correlation monitoring; fully board-integrated.
RR

Review & Revision

The organisation identifies and assesses changes that could significantly impact the ERM programme. Changes in strategy, people, processes, technology, the regulatory environment, and societal expectations can rapidly alter the risk profile. The ERM programme must be agile enough to respond to these changes in a timely manner.

P15 Assesses Substantial Change
The organisation identifies and assesses changes that could significantly impact the ERM programme. Changes in strategy, people, processes, technology, the regulatory environment, and societal expectations can rapidly alter the risk profile. The ERM programme must be agile enough to respond to these changes in a timely manner.
Key Characteristics
Monitor changes to the organisation's strategies and objectives that affect the risk profile
Assess the risk implications of changes to people, process, and technology
Monitor changes in regulatory requirements and societal expectations
Assess the impact of M&A, restructuring, and other major organisational changes on ERM
Update the risk register and risk responses following significant changes
Involve the risk function early when substantial changes are being planned
Distinguish between routine changes and substantial changes requiring full ERM review
Assessment Questions
Is there a formal process to identify changes that trigger an ERM programme review?
Are major operational or strategic changes assessed for their impact on the risk profile?
Are regulatory changes actively monitored and assessed for risk implications?
Is the risk register updated promptly when significant changes occur?
Is the risk function involved early in planning for major changes?
Is there a threshold that distinguishes routine changes from substantial changes requiring ERM review?
Are technology changes (new systems, cyber threats) assessed for their risk implications?
Evidence to Gather
Change management process documentation showing ERM review trigger points
Risk assessments conducted for major change initiatives
Regulatory change monitoring log and risk implications assessments
Risk register updates following significant changes
Records of CRO/risk function involvement in major change planning
Post-change risk reviews and updates
Technology risk assessment for significant system changes
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a change assessment protocol defining the threshold for triggering an ERM review
2Require the risk function to be consulted at the planning stage of all major change initiatives
3Build regulatory change monitoring into the risk management calendar — monthly review minimum
4Conduct risk register updates within 60 days of any substantial change
5Establish post-implementation risk reviews for major changes — assess actual vs. expected risk impact
6Create a change-risk trigger register that maps types of changes to required risk responses
Common Deficiencies
Risk register is only updated annually — significant changes throughout the year are not captured
Major system implementations proceed without risk assessment — new exposures emerge unexpectedly
Regulatory changes are monitored by legal but not assessed for risk management implications
Risk function is not involved in change planning — risk management is reactive rather than proactive
ERM Maturity Descriptors
LevelCharacteristics
InitialNo process to assess substantial change. Risk profile becomes stale.
DevelopingSome change assessment occurs but is ad hoc and not systematically triggered.
DefinedFormal change assessment protocol; regulatory monitoring; risk register updated.
ManagedProactive risk function involvement in change planning; post-change reviews.
OptimisingReal-time change monitoring; dynamic risk update process; fully integrated.
P16 Reviews Risk and Performance
The organisation reviews risk management performance against established metrics and objectives to ensure the ERM programme is effective. Reviews should cover the adequacy of risk identification, assessment quality, response effectiveness, and the appropriateness of the risk culture. Both management and the board have distinct review responsibilities.
Key Characteristics
Monitor performance against risk management metrics and report at management and board levels
Update risk assessments periodically — not only annually
Develop monitoring plans for high-priority risks with clear assurance responsibilities
Ensure internal audit considers ERM in its risk-based planning and engagement work
Periodically assess the organisation's risk culture
Ensure annual ERM work plans are cross-referenced to the risk assessment
Require that implementation of corrective action plans is monitored by management and the board
Assessment Questions
Are formal ERM performance metrics defined and reported to the board?
Is there a structured periodic review of risk management programme effectiveness?
Does internal audit include ERM programme effectiveness in its scope?
Are monitoring plans developed for all high-priority risks?
Is the organisation's risk culture periodically assessed and reported to the board?
Are risk assessment updates completed more frequently than annually for high-risk areas?
Are corrective action plans from ERM reviews tracked and verified?
Evidence to Gather
ERM performance metrics dashboard
Board reports showing ERM programme performance data
Internal audit reports on ERM programme effectiveness
Risk monitoring plans for high-priority risks
Risk culture assessment results and trend reports
Corrective action tracker from ERM reviews
Evidence of mid-year risk assessment updates for high-risk areas
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Define and implement an ERM performance measurement framework with key metrics reported to the board
2Schedule quarterly ERM programme effectiveness reviews at senior management level
3Include an assessment of ERM programme effectiveness in internal audit's annual plan
4Develop individual monitoring plans for each top-priority risk — who monitors, how, and how often
5Conduct an annual risk culture survey and present results to the board with trend analysis
6Implement a corrective action tracker for all ERM programme review findings — visible to the board
Common Deficiencies
No ERM performance metrics — effectiveness is assumed without evidence
Internal audit does not assess the ERM programme — a critical independent view is absent
Monitoring plans for key risks are absent — risks are identified and then unmonitored
Risk culture is never formally assessed — its status is unknown to the board
ERM Maturity Descriptors
LevelCharacteristics
InitialNo systematic performance review. ERM effectiveness is unknown.
DevelopingSome review occurs but no defined metrics; inconsistent; not board-reported.
DefinedFormal metrics; periodic reviews; internal audit involvement; culture assessed.
ManagedComprehensive performance framework; quarterly reviews; corrective actions tracked.
OptimisingContinuous performance monitoring; predictive metrics; integrated with governance.
P17 Pursues Improvement in Enterprise Risk Management
The organisation demonstrates a commitment to continuous improvement of the ERM programme. Merely identifying gaps is insufficient — the organisation must take action to improve the programme, respond to regulatory expectations for continuous evolution, and demonstrate that the programme does not become stale.
Key Characteristics
Maintain awareness of current trends in risk management through training and regulatory review
Ensure the risk function periodically self-assesses the ERM programme's performance
Obtain feedback from the board on the quality and usefulness of risk information shared
Consider obtaining periodic independent evaluation of the ERM programme
Benchmark the ERM programme against comparable organisations and leading practices
Review the efficacy of the risk assessment process on a periodic basis
Ensure internal audit plays an active role in periodically evaluating ERM effectiveness
Assessment Questions
Is there a documented ERM improvement plan with specific, tracked actions?
Does the risk function conduct an annual self-assessment of the ERM programme?
Are the results of ERM reviews used to drive programme improvements?
Is the ERM programme benchmarked against external standards or comparable organisations?
Does the board provide feedback on the quality of risk information it receives?
Are independent external evaluations of the ERM programme conducted periodically?
Are ERM improvement initiatives tracked and reported to the board?
Evidence to Gather
ERM self-assessment results and improvement action plan
External ERM evaluation or benchmarking report
Board feedback records on ERM reporting quality
ERM improvement tracking register
Evidence of ERM training and professional development for risk staff
Benchmarking data against industry peers or ERM standards (ISO 31000, COSO ERM)
Internal audit reports on ERM programme with improvement recommendations
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Conduct an annual ERM self-assessment using a structured framework (COSO ERM, ISO 31000) and document findings
2Develop a formal ERM improvement plan from self-assessment findings — assign owners and target dates
3Engage an external ERM reviewer at least every three years to provide an independent perspective
4Benchmark the ERM programme against industry peers and leading practice frameworks annually
5Establish a formal channel for the board to provide feedback on ERM reporting quality and usefulness
6Ensure ERM improvement initiatives are tracked in the same way as other risk action plans
Common Deficiencies
ERM improvement is discussed but never formally planned or tracked — it remains aspirational
No external benchmark or independent review — the organisation cannot gauge its maturity
Board feedback on ERM is never obtained — reporting continues regardless of usefulness
Self-assessments are conducted by the same team responsible for ERM — lack of independent challenge
ERM Maturity Descriptors
LevelCharacteristics
InitialNo commitment to improvement. ERM programme is static and stale.
DevelopingSome improvement actions but not systematically planned or tracked.
DefinedAnnual self-assessment; improvement plan; external benchmarking.
ManagedBoard feedback loop; independent evaluations; tracked improvement programme.
OptimisingContinuous improvement culture; best-in-class benchmarking; proactive evolution.
IC

Information, Communication & Reporting

The organisation leverages information and technology to support ERM. Technology enables timely access to risk-relevant information, more effective monitoring and auditing through data analytics, efficient risk training delivery, automated dashboards for risk reporting, and the identification of risk anomalies from large data sets.

P18 Leverages Information and Technology
The organisation leverages information and technology to support ERM. Technology enables timely access to risk-relevant information, more effective monitoring and auditing through data analytics, efficient risk training delivery, automated dashboards for risk reporting, and the identification of risk anomalies from large data sets.
Key Characteristics
Ensure the risk function has access to all information relevant to managing enterprise risk
Provide risk staff with relevant IT and data analytics skills or access to such expertise
Utilise data analytics in risk monitoring and auditing — detect anomalies and control failures
Create automated dashboards and reports for monitoring risk indicators
Leverage technology for delivery of effective risk training
Utilise technology to facilitate the risk assessment process — scoring, workflow, reporting
Monitor electronic communications and data flows for risk signals where appropriate
Assessment Questions
Does the risk function have access to all relevant data and information to manage risks effectively?
Are data analytics tools used in risk monitoring and the risk assessment process?
Are automated risk dashboards used to track key risk indicators in real time?
Is technology used to deliver risk training across the organisation?
Does the risk function have the data analytics skills required for effective risk monitoring?
Are risk assessment workflows supported by technology — scoring, approvals, reporting?
Are technology-generated risk signals (system logs, anomaly alerts) used in risk management?
Evidence to Gather
Risk management system or GRC tool in use and its functionality
Data analytics outputs used in risk assessments and monitoring
Automated risk dashboards and key risk indicator reports
Technology-delivered risk training records and completion rates
Risk staff data analytics training and qualifications
Risk assessment technology workflow documentation
Anomaly detection reports from data analytics or system monitoring
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Implement a GRC (Governance, Risk and Compliance) system to manage the risk register, assessments, and reporting
2Develop an automated key risk indicator (KRI) dashboard reported to senior management monthly
3Invest in data analytics capability within the risk function — tools and skills
4Deploy technology-based risk training with completion tracking linked to HR systems
5Build automated data feeds from key operational systems into the risk monitoring process
6Use anomaly detection analytics in high-risk processes to identify emerging risk signals
Common Deficiencies
Risk management is spreadsheet-based — no GRC system; risk data is fragmented and unreliable
No data analytics capability in the risk function — monitoring is manual and limited
Risk dashboards are produced manually — delays and errors make them unreliable
Technology is used for training but not for risk monitoring — the highest-value application is absent
ERM Maturity Descriptors
LevelCharacteristics
InitialNo technology support for ERM. Spreadsheet-based and manual.
DevelopingBasic risk register in a system; no analytics; limited dashboards.
DefinedGRC system in use; automated dashboards; data analytics in monitoring.
ManagedAdvanced analytics; real-time KRI monitoring; technology-integrated risk workflow.
OptimisingAI-assisted risk sensing; predictive analytics; fully integrated enterprise risk platform.
P19 Communicates Risk Information
The organisation communicates risk information effectively throughout the organisation and to the board. Risk communication is a two-way process — from the risk function to business units and from business units back to the risk function. An effective escalation protocol ensures that material risk events reach the appropriate level of governance promptly.
Key Characteristics
Ensure employees receive clear and regular communications on their risk management roles
Require periodic reporting to the board by the CRO
Establish protocols and ensure clear understanding of escalation policies
Provide risk communications that support and relate to training and job responsibilities
Engage in effective two-way communication between operations management and the risk function
Tailor communication to the audience — board-level communications differ from operational-level
Ensure timely escalation of material risk events — not delayed by management filter
Assessment Questions
Are risk management roles and responsibilities clearly communicated to all relevant staff?
Does the CRO report to the board on a regular, structured basis?
Is there a documented escalation protocol defining what constitutes a material risk event?
Is risk communication two-way — does the risk function receive feedback from business units?
Are risk communications tailored to different audiences — board, management, operational staff?
Are significant risk events escalated to the board without delay?
Are communication channels accessible and trusted by employees across the organisation?
Evidence to Gather
Risk communication plan covering all stakeholder groups
CRO reporting calendar and board reports delivered
Escalation protocol documentation and examples of use
Business unit feedback mechanisms and evidence of their use
Differentiated risk communication materials by audience level
Records of significant risk escalations to the board
Employee awareness of risk escalation channels — survey results
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk communication plan covering frequency, format, and content for each stakeholder group
2Implement a formal escalation protocol with defined thresholds and timelines for each severity level
3Establish regular two-way risk communication forums between the risk function and business units
4Tailor risk reports by audience — board reports focus on portfolio and strategy; operational reports on specifics
5Ensure all employees are trained on how to escalate risk concerns and to whom
6Establish a risk communication feedback loop — the board should tell the CRO what information it needs
Common Deficiencies
Risk communication is top-down only — business units do not feed risk information back to the risk function
Escalation protocol is documented but not understood by employees — material risks reach the board too late
Board risk reports are the same format as management reports — board does not get what it needs
CRO reporting to the board is infrequent and informal — no structured communication cycle
ERM Maturity Descriptors
LevelCharacteristics
InitialNo structured risk communication. Risk information is informal and ad hoc.
DevelopingSome risk reporting exists but is incomplete and not tailored by audience.
DefinedFormal communication plan; escalation protocol; CRO board reporting schedule.
ManagedTwo-way communication; tailored reports; escalation protocol in operation.
OptimisingSeamless risk communication ecosystem; real-time escalation; board-driven feedback loop.
P20 Reports on Risk, Culture, and Performance
The organisation produces risk reports tailored to the needs of each stakeholder group — board, senior management, business unit heads, and operational managers. Reports should address risk assessment results, material risks and responses, compliance metrics, culture indicators, and investigation outcomes. Documentation must be properly maintained for regulatory and legal purposes.
Key Characteristics
Provide periodic reports on risk assessments and related responses tailored to each stakeholder
Develop and report meaningful operational and substantive metrics on ERM effectiveness
Provide managers with reports on their teams' risk training completion and monitoring results
Use a case management and reporting system for risk events, investigations, and outcomes
Establish a clear policy on the nature of reporting for all significant remediation efforts
Include third-party risk management reporting as a regular element of board reports
Maintain proper documentation and records for all significant risk events and investigations
Assessment Questions
Are risk reports tailored to the different needs of each stakeholder group?
Do board risk reports address risk culture as well as the risk profile?
Are meaningful ERM performance metrics included in board reports?
Is there a case management system for risk events, investigations, and resolution tracking?
Are third-party risk management results reported to the board on a regular basis?
Are risk investigation records properly documented and retained?
Are corrective action plans for risk events tracked and their completion reported to the board?
Evidence to Gather
Sample board risk reports showing risk profile, culture, and performance metrics
Sample management-level risk reports
ERM performance metrics and trend analysis included in reports
Case management system records for risk events and investigations
Third-party risk management reports presented to the board
Risk event documentation and investigation records
Corrective action plan tracking records reported to the board
ERM Maturity Rating — Select Current Level
Implementation Guidance
1Develop a risk reporting framework defining the content, format, and frequency for each stakeholder level
2Include risk culture indicators in every board risk report — not just the risk register
3Implement a GRC or case management system for tracking risk events, investigations, and action plans
4Report third-party risk management outcomes to the board at least annually
5Develop a document retention policy for risk investigations aligned to legal and regulatory requirements
6Create a board-level risk scorecard with a consistent set of ERM performance metrics tracked over time
Common Deficiencies
Risk reports are the same for all stakeholders — not tailored to what each level actually needs
Board reports focus entirely on the risk register — culture and ERM performance are absent
No case management system — risk event records are fragmented across emails and spreadsheets
Corrective action tracking is informal — the board cannot see what has been resolved or what is overdue
ERM Maturity Descriptors
LevelCharacteristics
InitialNo structured risk reporting. Reports are ad hoc and non-standardised.
DevelopingBasic risk reporting exists but is not tailored or comprehensive.
DefinedTailored reports by stakeholder; culture included; case management system.
ManagedComprehensive metrics; third-party reporting; corrective action tracking.
OptimisingDynamic reporting; real-time dashboards; board-driven reporting design.

Need Help Implementing COSO ERM?

CTC Global delivers COSO ERM implementation support, risk appetite development, ERM gap assessments, and board-level ERM training workshops across Pakistan and the UAE.