By: Ehab R. Saif

Edited by: Gautam Gandhi


Organizational maturity level is a key factor to consider prior to implementing an Enterprise Risk Management (ERM) program and is also critical in deciding on the best approach to position an ERM function within any organization.

Organizational maturity level is important for planning a risk management road map and the ERM functional reporting structure, and it helps in designing the ERM implementation stages that embed risk management in business processes.

What are the Basic Requirements to Establish an ERM Function?

Having a separate ERM function is a decision that has to be taken by an organization’s Board of Directors (BoD)/business owners after a careful assessment of the following organizational readiness factors:


An organization’s BoD/business owners should have, at least, a basic understanding of risk management components and frameworks. They should believe in the importance of an ERM function and build a reasonable level of expectations regarding its roles and responsibilities.

In addition, an open communication culture is vital to identify and respond to internal and external risk exposures. An organization’s BoD/business owners have to realize that in order for an ERM function to add value, a high level of transparency, support and empowerment should be provided to the ERM team. The BoD/business owners should be prepared to accept change, new ideas and initiatives as a result of ERM program implementation.

The organizational culture should be in line with the ERM’s functional objectives in managing and mitigating business risks and promoting a strong internal control environment. This should be clear in the communications coming from the organization’s BoD/business owners to senior management and process owners.


Basic governance components have to be in place in order to achieve the intended objectives from establishing an ERM function. It is not possible to establish an effective ERM function without, at minimum, having the following components:

  • A BoD or another committee that plays a similar governance role (e.g. a Management Committee). The governance committee has to be active in its risk oversight role through continuous monitoring and assessment of the internal control environment;
  • Defined business objectives and strategic direction which will be translated and cascaded into departmental objectives;
  • A clear reporting structure within the organization;
  • Appropriate delegation of authorities, which empowers middle management and process owners to make decisions on action plans and to become accountable for the implementation of risk mitigation strategies;
  • Policies, procedures and systems that are in line with business objectives.


The first line of defense is the front-line management/employees who, through exercising their roles and responsibilities, are able to manage business risks as part of their day-to-day activities.

It is clear that the organization cannot establish the second line of defense, being the Risk Management Function, without having competent management members/employees in place, who would bear the direct responsibility to manage business risks.

ERM has to be supported by the first line of defense, which should bear the following responsibilities:

  • Help ERM teams in defining risk capacity, appetite and tolerance for the organization based on their risk attitude;
  • Support the ERM function in strategic risk identification and analysis;
  • Identify and validate operational, financial and compliance risks; hence, being able to give insights to analyze risks through their operational experience;
  • Communicate to the ERM team the existing controls and mitigating practices in place for the risks identified during the risk assessment process;
  • Participate in designing risk action plans to mitigate risk exposures; and
  • Take ownership over developed and agreed-upon Risk Registers to establish accountability and assign responsibility for the execution of action plans.

On one hand, it is not essential for the resources of the first line of defense to be experts in risk management to ensure successful implementation of the aforementioned ERM program steps; on the other hand, they are required to have a basic understanding of risk management concepts and, most importantly, to have the business acumen and competency to interact with the ERM team and be an integral part of the success of the ERM program.

ERM Positioning and the Level of Organizational Maturity

The 5 different organizational maturity stages, with a brief description of the main characteristics of each stage, are shown below:


The decision of when and how to establish an ERM function depends on the organizational maturity levels outlined in the diagram above. The following structures are recommended for each level of organizational maturity:

Chaotic: In this stage, the organization is not ready to adopt risk management practices due to weak governance and unclear reporting lines. Priority should be given to building the fundamental components of the corporate governance framework. An Internal Audit function might be established to provide assurance over the company’s operations.

Fragmented: The focus of the organization should be on identifying gaps in corporate governance and improving internal policies and processes. Establishment of a “Risk Assessment” division, which is positioned under the umbrella of the Internal Audit function, would be helpful in risk identification and prioritization, ensuring that the correct direction is followed and available resources are appropriately optimized.

During this stage, the Internal Audit function should take the lead in establishing and leading the risk assessment practices, considering its ability to justify the existence of such a division and taking into consideration the low level of organizational maturity.

Defined and Integrated: A corporate governance framework is already in place with an acceptable level of delegation of authorities. The company is ready to establish an independent ERM function, reporting directly to the CEO. This reporting structure will give more flexibility to the ERM function in its risk advisory role apart from Internal Audit independence considerations.

The organization’s BoD/Senior Management needs reliable advisors during those evolving stages to achieve the company’s objectives and reach an advanced organizational maturity level. The ERM function would be the best fit for this role through its ability to identify business risks and advise management on suitable risk mitigation plans.

Optimized: Leading corporate governance practices are already implemented and a transparent and open culture is practiced. All governance committees are well established and the monitoring environment is activated. Risk management practices are embedded within business processes and a well-defined ethics and compliance program is adopted in the organization. Due to the advanced organizational maturity level, the best reporting structure for the ERM function is to a Risk/Audit Committee.

The ERM function’s priority will be to focus on strategic risks and to make sure that those risks are communicated to the responsible parties and that proper risk mitigation plans are designed and practiced. This is because the first line of defense is very capable and competent in managing business risks, and it will be difficult for the ERM team to advise them in their core areas of expertise.


Based on what we discussed earlier, the decision to establish an ERM function should be justified and based on a detailed study of organizational maturity, with a reasonable level of expectations. Many organizations tend to establish ERM functions to satisfy regulatory requirements, generally in the absence of a solid business case. This will result in the ERM function being classified as an unnecessary luxury, which will be the first department to be let go in case of any business downturn.

Ehab R. Saif, CMA, CIA, CFE is an Internal Audit Manager at a private holding company in Abu Dhabi.