Director’s guide to ERM fundamentals

  • June 29, 2023

ERM programs are intended to formalize how risks are identified, assessed, managed, monitored and reported on in light of strategic priorities. But what we’re seeing is that some ERM programs aren’t getting the desired traction, either losing momentum or lacking adequate investment. In short, they’re not doing what they’re supposed to do.

Having an effective ERM program can help the board and management make more informed decisions in the face of uncertainty — whether that’s specific to a particular company or sector or facing the entire economic landscape.


How to use this guide

The first part of this guide introduces what it means to build a sustainable and enabling ERM program, including how the board can assess whether its ERM program's maturity is where it should be. The second part outlines six key elements that we think make up an effective enterprise risk management program. These elements offer directors a foundation for overseeing enterprise risk management.

Enterprise

  • Alignment with corporate strategy: helping boards oversee risk as part of strategic planning and execution, not separate risk from strategy
  • Risk strategy and governance: driving clarity for managing and overseeing risk

Risk

  • A common risk language: promoting a consistent view of risk
  • Enterprise risk assessment: helping senior leadership and the board prioritize risk

Management

  • Risk response plans: managing prioritized risks
  • Ongoing monitoring: recognizing changes in risk

PwC’s ERM Maturity Model at a high level

How can we assess whether our ERM program’s maturity is where it should be?

Boards should question the maturity of the company’s ERM program and help management set expectations for where the organization wants to be in the future.

The model describes five levels of maturity, from least to most mature:

  • Some informal practices exist. Formal policies and processes are not developed. Issues are dealt with reactively.
  • Systems and processes are in place and effective in some parts of the organization, in design and/or operation. Approaches are partially aligned to business operations.
  • Frameworks and systems are formally established, embedded and operating to meet the expectations contained in recognized standards.
  • Systems and processes are integrated, collaborative and enhanced so that they drive a coordinated, strategic and efficient response to current and emerging risks.
  • Systems, processes and culture are integrated with key organizational programs, linked directly with the strategic priorities, and use technology to optimize governance, risk management and monitoring/reporting.

Foundational elements of enterprise risk management — breaking E-R-M down

Alignment with corporate strategy: helping boards oversee risk as part of strategic planning and execution, not separate risk from strategy

Unexpected risk events have shown boards and management the value of instituting ERM practices. The degree of complexity and change facing organizations today highlights the need for strategies that account for risk.


Risk strategy and governance: driving clarity for managing and overseeing risk

Having a written charter or plan is a concrete step toward a commitment to action, and it is critical to the ERM program's development and survival. But a charter or plan is only a first step: to really advance the program, the company needs a risk strategy and governance framework.


A common risk language: promoting a consistent view of risk

For successful implementation of an ERM program, leaders should also institute a common risk language across all levels of the organization. This creates a single version of the truth and a consistent view of risk. Boards should look for standardization in the company’s risk management terms and processes.


Enterprise risk assessment: helping senior leadership and the board prioritize risk

Many companies see a simple enterprise risk assessment as the end product of the risk management process; however, it’s only one aspect of ERM. One of the most important elements in the risk assessment process is the prioritization of risks and the analysis of capabilities in order to drive the development of risk-based strategies and response plans.


Risk response plans: managing prioritized risks

The output of a risk assessment process is often a risk response plan — a plan that details the company’s actions in mitigating risk issues. Plans should clearly articulate the risks, underlying causes, potential consequences and interrelated risks, along with how they relate to strategic objectives and current initiatives.


Ongoing monitoring: recognizing changes in risk

Establish a risk appetite and key risk indicators. One of the most common and effective forms of ongoing monitoring is done through the development of a risk appetite framework and a set of key risk indicators. Risk appetite defines the level of risk an organization is willing to accept in pursuit of its strategic objectives; it sets the boundaries within which risks should be managed.


Conclusion: supporting management in the company’s ERM journey

The design and implementation of foundational ERM components can take time and depends both on the complexity the company faces in its operations and external environment and on the resources committed to risk management. Leaders can't take a one-size-fits-all approach to ERM: the process must align with the company's culture, size and complexity. To adequately oversee risk management, boards need to understand the foundational ERM elements and where they can make a difference in supporting management on the company's journey. As the ERM program matures, the board can promote continuous improvement by challenging management on what is working and what is not.

Contact us

  • Ray Garcia, Partner & Leader, Governance Insights Center, PwC US
  • Brian Schwartz, Principal, Governance Insights Center, PwC US
  • Lillian Borsa, Principal, Governance Insights Center, PwC US
  • Carin Robinson, Director, Governance Insights Center, PwC US
  • Catie Hall, Director, Governance Insights Center, PwC US
  • Katee Puterbaugh, Director, Cyber, Risk and Regulatory, PwC US
