How to Establish an Enterprise Risk Management (ERM) Department

By Arif Zaman, Head of Internal Audit, Emaar Industries & Investments, UAE


“In a risk-mature organization, the bad news moves faster than the good news to the top.” – Horst Simon, Risk Culture Builder

Whether you have been assigned a new task internally within your organization or have joined a new employer with the challenge of setting up an ERM department, here I will share how to establish the department within your organization, based on my practical experience. It shall be made clear, first and foremost, that in any organization all employees are responsible for risk management, not the ERM team alone.

“The enterprise risk management shall motivate, not irritate, the employees.” – Horst Simon, Risk Culture Builder


Step 1 – Develop business acumen and understand stakeholder expectations

Before you embark on this daunting task, it is always better to give yourself some time for background work. This involves understanding stakeholder expectations, developing business acumen, assessing the risk maturity of the organization, researching similar companies and their ERM set-up and, if possible, reaching out to industry leaders for advice or suggestions, especially those who have headed such a department. After this activity, you will be in a better position to define the value you will bring to the organization by establishing the ERM department, and to choose the ERM framework most suitable for your entity.


The one I am most comfortable with is the ISO 31000 ERM framework. However, 44% of North American risk practitioners choose to adapt their practices from a number of standards rather than adopt any one standard.

Step 2 – Establish a reporting line within the organization

First consider how you would like your ERM department to be positioned within the overall organization structure. I personally have seen multiple reporting lines based on the organization’s preference, industry norm and set-up. I have seen the ERM department head report to the CFO, the CEO, or sometimes to the Audit or Risk Committee or the Board directly. The recommended approach is that ERM reports to the Risk Committee or to the Board.


Step 3 – Develop a Risk Charter and ERM Manual (Policies and Procedures)

It is always a good idea to establish a risk charter, which defines the role, responsibility and scope of the ERM department along with its established authority. After that, establish the ERM manual (Policies and Procedures), which sets out how you will carry out your day-to-day activities. The most important element of the ERM manual is the risk appetite; it could be a separate document or part of the manual. The risk appetite shall be developed in conjunction with the company’s management, after discussion with them.

The charter, manual and risk appetite could then be approved by the established authority, e.g. the Risk Committee.


Step 4 – Choose Risk Champions in other Functional Areas

The ERM function shall assign a risk champion within each functional department. Risk champions are not fully dedicated resources; mostly it is an added responsibility: the risk champion is the contact person between that department and the ERM team, and is responsible for maintaining the department’s risk register and reporting on it.

It is very important that the risk champions are properly trained to understand the role of risk management, and that they have the motivation to make the organization in general, and their functional department in particular, more resilient to any adverse impact.


Step 5 – Develop Risk Registers for key functional areas

A standard risk register shall be developed for each department. The important risks shall be populated by the respective department, and the overall risk response and mitigation plan shall be observed and monitored by the ERM team. Assign the frequency with which the register needs to be updated for ERM activities, and define what the risk champion is expected to report from the risk register to the ERM team.


Step 6 – Report Entity Level Risk to the Stakeholders

Once the ERM team has achieved the milestones above, it needs to obtain the input from each department and populate the key risks to form an entity-level risk register aligned to the organizational strategy. Rank the risks, based on that work, into the top 10 risks and highlight them to the relevant stakeholders, for instance the Risk Committee, along with the mitigation (management) plan. Then carry out ongoing monitoring of existing risks and scanning for emerging risks.

The outcome of this activity shall be risk registers at the functional and entity level.


Step 7 – ERM Awareness and Continuous Improvement

The last and important element to consider is to always think of ERM activity as a continuous process, not a one-off activity. Regular risk awareness sessions shall be conducted with the management team to make them aware of risk-based approaches in their day-to-day work and to support better-informed decisions about risks. Review and revise the risk appetite as the organization’s strategy changes, be open to listening and improving ERM activities based on suggestions and learning experience, and always try to keep it simple.

The key purpose of ERM should be to embed the risk culture, eliminate silos and consolidate processes for better risk-aware decisions, so that an organization can act on a timely basis and achieve its objectives.

Arif Zaman