Sustainable ERM in the Public Sector – Part 2

By William T. Dykstra, CRMA, CIA, and Mark J. Maraccini, CPA
Embedding risk management into an organization’s culture begins with a plan. An enterprise risk management (ERM) framework can provide an organization with that plan, helping to develop a comprehensive program for identifying and addressing risks. 

However, making ERM sustainable requires embedding a risk mindset and risk mitigation practices into the very culture of an organization. Educational institutions and not-for-profit organizations are turning to ERM to build on existing risk management processes. They also are embracing the opportunity to create strategically aligned approaches to the challenges they face. This article, the second in a two-part series, addresses how to establish a sustainable ERM program in the public sector that makes ERM a part of an organization’s decision-making, culture, and mindset.

Establishing ERM

One of the underlying goals of an ERM program is to change how an organization views and responds to risk. An organization’s mindset indicates how decisions are made and determines whether training and collaboration can be used to create change. ERM can direct an organization to a new way of doing business by providing stakeholders with a clearer understanding of risk. An organization’s culture can begin to shift as the focus on managing risk becomes part of everyday practices. The components of a sustainable ERM program discussed in this article are not intended to be completed in sequence. Instead, many of these components need to be developed together in order to achieve the desired results. 

One of the first steps in establishing ERM in an organization is assembling an ERM team to identify existing risk management practices. Most organizations will be able to leverage activities they already perform, even though those activities might not previously have been identified as risk management activities. For example, most organizations already have commonplace risk management activities such as standard operating procedures, management reviews, bank reconciliations, insurance policies, and codes of ethics. However, these activities have probably not been categorized in this manner. Many organizations manage risks on a case-by-case basis and without a formal program that identifies and addresses inherent and residual risks. ERM can assist an organization in integrating its various risk management practices with the goal of having a comprehensive, sustainable approach to risk. ERM practices promote the use of a common vocabulary for risk, which in turn promotes a better understanding for both internal and external stakeholders.

For ERM to be successful, an organization must embed risk management principles and practices into its culture, strategy, and decision-making. There is no prescription for implementing a successful ERM program, but most successful programs complete the following steps:
  • Define the organization’s risk appetite
  • Establish common terminology and a communication flow pertaining to risk 
  • Identify risk owners and response mechanisms
  • Link risk to the organization’s strategic planning and budgeting processes
  • Establish administrative responsibilities and reporting processes for the ERM program

Defining a risk appetite

Setting expectations about the level of risk an organization might assume is a baseline step for establishing an ERM program. Defining the risk appetite for an organization can be complex, as each organization’s capacity and willingness to take on risk is unique and must align with its culture and operations. 

A risk appetite statement is often used to define the consequences of risks facing an organization and the levels of risks that are deemed acceptable or unacceptable. The statement focuses on future operations and scenarios. It reflects what has been learned from past experiences and integrates current best practices for risk management and mitigation. A risk appetite statement enables organizations to reduce the number of surprises and unexpected losses, as well as to make risk-informed decisions on resources, controls, and consequences. 

The risk appetite statement typically is:
  • Actionable, real, and applicable to all the organization’s activities
  • Integrated with the organization’s mission and strategies
  • Proactive and forward-looking
  • Clear on the types of risks the organization will or will not take

Establishing meaningful risk communications 

A risk communications program is an effective way to engage stakeholders in risk discussions and introduce the principles of ERM. It can help stakeholders better understand the magnitude of risks, both on a broad level and in the processes and activities in which an organization participates. Communication upward and downward, from the highest-ranking leader through the most junior team member, helps bring each member of an organization into the risk discussion. A risk communications program can facilitate the flow of discussion by establishing a shared vocabulary about risk among all stakeholders. It can also help the ERM team assess and catalogue the risks and embed the principles of ERM into the organization’s culture and mindset.

Identifying risk owners and responses

The flow of risk communications can lead to a better understanding of the roles and responsibilities of stakeholders and employees in mitigating risks. Subject matter experts in each department or area are often the most knowledgeable resources for identifying risks, developing an appropriate response strategy, and measuring the effectiveness of risk response activities. A best practice is to assign risk ownership to an individual with the optimal balance of subject matter knowledge and position of influence in the organization. While this might be highly subjective, the goal is to place someone in that role who can use their expertise in a particular area to influence decisions.

Risk ownership is fundamental to establishing a repeatable, sustainable ERM process. Risk owners should have the authority and knowledge to implement risk management plans and report on them. The risk owner maintains and implements the risk response activity, which should be aligned to an organization’s risk appetite. The risk owner should monitor risk response implementation and report results to the risk management committee or similar oversight function.

Strategic planning and budgeting

One of the benefits of an effective ERM program is that it can provide a structured understanding of strategic opportunities and threats for better decision-making. ERM’s systematic and prioritized approach to addressing risk can help focus attention on an organization’s goals as well as the challenges it faces. ERM can help to align resources and budgets appropriately, monitor progress, and achieve compliance with applicable laws, regulations, and controls.

To become effective and sustainable, a risk management mindset must become part of highly impactful business cycles such as budgeting and strategic planning. The careful consideration of how to navigate risks can be informative in developing goals and tactical plans as well as in deciding how best to allocate the organization’s limited financial resources and staffing. 

An effective way to establish an ERM framework and related risk management practices in an organization is to use the existing strategic planning cycle and to add a risk component to the process. By teaming with the strategic planning function, the ERM team can pair risks with the organization’s goals to define tolerable risk levels. The strategic planning process can benefit by incorporating plans for navigating challenges and risks and by setting parameters and milestones to define success. Incorporating risk management into the strategic planning process yields several benefits, including the following:
  • ERM offers a fully integrated, prioritized, and forward-looking view of risk to drive strategy and business decisions and eliminate organizational barriers
  • Transparency inherent in risk mitigation planning and processes supports informed decision-making at all levels of an organization
  • ERM allows for the identification and assignment of clear roles and responsibilities for risk throughout an organization
  • Risk response strategies help identify actions and priorities for inclusion in performance plans for individuals and the organization overall

Similarly, the budget cycle can be used to embed risk response practices into an organization. One of the first steps is to ask whether the organization is adequately funding the risk responses developed from the enterprise risk assessment. ERM can be used to evaluate program areas for staffing and budget considerations by determining their alignment with or impact on strategic goals and entity-level risks. It can help the team focus on limited resources, strengthen efficiencies, direct project funding oversight, and assist in capital investment planning. If an area or project is not covered in the budget, it can bring new risk exposure that might need to be addressed under the risk management plan.

Administration and reporting 

The challenge for many organizations is how to make their risk management practices sustainable. To be effective, the ERM program should designate an appropriate team to provide administrative support to the program. The team should comprise members with relevant experience and an understanding of risk management. The size of the ERM team should reflect an organization’s risk management needs. The ERM team should meet periodically to collaborate and share information, and organizations should provide continuous training, tools, and resources. 

Organizations should also consider having outside audits performed periodically on their risk management processes and controls. Independent assessments of the effectiveness of risk measures and controls can be performed as part of an organization’s internal audit processes.

Embedding ERM reporting into existing protocols can standardize risk management into the process of doing business and measuring progress. Monthly or quarterly reporting can help an organization share information on risks and the programs in place to address them. Adding an ERM component to financial reports, management reports, and performance reporting can inform leaders and stakeholders on progress achieved in addressing risk. ERM key performance indicators (KPIs) and key risk indicators (KRIs), dashboards, and other measures can be used to measure progress against strategic and tactical goals.

Many organizations use ERM software solutions to track progress and assist in reporting. These software programs can add value in terms of efficiency and accuracy for reporting purposes. Governance, risk, and compliance (GRC) platforms are often used to help administer ERM programs more efficiently and effectively, especially for more sophisticated and complex ERM initiatives. Some organizations opt to use ERM-specific software programs. When deciding whether to use an ERM software solution, the costs of the software should be viewed in relation to its perceived benefits. Exhibit 1 lists benefits and limitations of ERM software.

Exhibit 1: Benefits and limitations of ERM software
Source: Crowe analysis

Bringing ERM to maturity 

Once embedded in an organization’s culture, the ERM approach to risk management often evolves and matures over time. As an organization grows and becomes more complex, ERM processes can be adapted to address changes in operations and emerging risks.

Exhibit 2 shows the maturity process of ERM implementation, which progresses from nascent to advanced levels. Every organization has its own level of organizational and process maturity, and not every area or process needs to reach the advanced level. The appropriate level of ERM maturity depends on the organization’s risk levels and risk appetite, and the resources and risk responses deployed for risk management should be sufficient to meet the organization’s risk threshold or tolerance.

Exhibit 2: Maturity of ERM implementation

Source: United States Chief Financial Officers Council and Performance Improvement Council, “Playbook: Enterprise Risk Management for the U.S. Federal Government,” p. 75,

Sustaining an ERM program

Organization leaders face several challenges when trying to implement an ERM program, and many underestimate the cultural change that this implementation represents. Resistance to altering established procedures, a disincentive to make changes, or an unwillingness to embrace a risk management mindset by employees or other stakeholders can all emerge during implementation. 

When adopting risk management practices, some organizations attempt to take on too much, too quickly. Without proper planning, an organization might lack the resources, authority, or support to execute ERM risk assessments and risk response plans. If the ERM initiative lacks support from senior leaders, the team might not have a broad view of the entire risk landscape. The ERM team should tap into the expertise and knowledge of stakeholders throughout the organization, including senior-level leaders, subject matter experts, and those closest to major risk areas who are most knowledgeable and experienced. 

Adopting an ERM program should be an iterative process in which the program grows successively and the team refines its process along the way through periodic assessment and adjustments. By helping stakeholders better understand the risks an organization faces and how they can help mitigate those risks, a successful ERM program can be firmly established and sustained. 
