Enterprise Risk Management Framework

Building an Enterprise Risk Management Framework is mandated by the UK Corporate Governance Code, and the measures in the Code regarding risk management are being reinforced. UK businesses should take this opportunity to create a robust Enterprise Risk Management Framework, and to embed risk management in corporate culture.
Enterprise Risk Management (ERM) has been around for a long time, but many UK organisations have struggled to understand it or genuinely embrace it, as Deloitte explains in a recent report. The UK Financial Reporting Council, which publishes the British Corporate Governance Code, has included mandates in the Code for organisations to undertake Enterprise Risk Management. There are further revisions proposed in the Code at this writing to reinforce the Enterprise Risk Management Framework that companies should implement.

The revised Code is intended to drive a step-change in the way risk is managed and improve the insight that can be derived from related disclosures in annual reports and accounts. The Financial Reporting Council is clear that this is not business-as-usual; however, many organisations may have misinterpreted this, underestimating the extent of the change that may be required to satisfy the intent.

“The enterprise risk management-related measures in the Code are intended to drive a step-change in the way risk is managed and improve the insight that can be derived from related disclosures in annual reports and accounts. The revised Code remains high level, documenting principles-based guidance specifically requiring boards to:

  • confirm that a robust system of risk management has been developed and is fully integrated with business strategy and planning
  • define and articulate your appetite for risk in key areas
  • describe your principal risks and how they are being managed
  • confirm the identification and assessment, e.g. via techniques such as stress and reverse stress testing, of all principal risks
  • review and confirm the continuous effectiveness of key operational, financial and compliance controls
  • define and embed behaviours that create a strong risk and control environment
  • measure and confirm the existence of an appropriate culture, which supports risk management across the organisation
  • consider how much assurance you need over the risk management process,” explains PwC in a note.

Boards Must Embed Enterprise Risk Management in the Organisation

The FRC guidance reflects the reality that effective Enterprise Risk Management is a prerequisite to ensuring continuous business operation in line with desired risk appetite levels – these must be carefully defined by the board. In the absence of a reliable monitoring system, any breaches of defined appetite may be identified too late.

Defining risk appetite is not easy, nor is there a well-developed scientific approach. Organisations generally struggle to define and articulate their risk appetite in a practical way that adds value. The ultimate aim is to distil the output of this process into a statement, or a number of statements, about the organisation’s willingness to take risk and its risk tolerance. Such statements empower people to take appropriate risks to make the organisation successful, while Enterprise Risk Management, embedded in the organisation, keeps ongoing risk levels under control.

With an effective Enterprise Risk Management framework in place, the board and management should be using ‘risk-based decision making’ to consider the challenges and opportunities that arise, as the UK Institute of Risk Management explains.

Creating a Culture Based on an Effective Risk Management Framework

Enterprise Risk Management is not about reacting to risks as they happen; it is about organisations focusing on avoiding them in the first place and better capitalising on opportunities.

“The Code requirement to not only monitor risk, but also provide assurance over the continuous effectiveness of all key controls is a huge ask and one that you need to respond to. Indeed, some forward-looking organisations are starting to explore and capitalise on technology-driven opportunities, harnessing the exploding data environment to generate genuine, leading risk awareness and insight,” the note says.

Hence the importance of promoting a strong culture aligned to organisational values in order to successfully embed risk management.

“This is often overlooked, but is one of the key reasons why ERM fails to deliver on expectations. Embedding an appropriate culture demands more than undertaking employee surveys and tracking resulting scores, it means defining and embedding the required behaviours and monitoring their drivers to provide insight on their effectiveness. For example, helping to understand and answer questions such as, ‘how do we know that an apparent one-off issue is not a deeper, systemic cultural problem due to a reluctance to challenge?’ Such an understanding will also provide a basis for reporting what is being done to instil the required behaviours and measure performance,” writes PwC.

The Choice is Diligent’s Governance Cloud

Diligent has a reputation for excellence and security that stands up to the challenges of today and tomorrow. Our governance solution is intended to support your business from the board’s highest-level strategic planning down to the middle-level managers and employees charged with implementing best practices for operational risk. We offer a number of reliable and elegant solutions that allow you to assess and manage all of the different kinds of business risk. We hope to be your first entry point into a safe and effective strategy for incorporating risk management across your whole entity.

The Governance Cloud, the only integrated enterprise governance management solution that enables organisations to achieve best-in-class governance, is an ecosystem of software tools that digitises the various activities and tasks for the board of directors. As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need that help them perform their best and work within their allotted budgets.

Governance leaders, executives and board directors rely on the industry-leading Diligent platform for the most secure and intuitive solution to board material management and collaboration. Diligent Boards™ is a secure board portal that electronically stores a board’s agendas, documents, annotations and discussions.

Company secretaries and board chairs can use the portal to put together board books in minutes. The portal also has designated virtual rooms for committee work. Administrators can assign permissions that control which areas of the portal each user may access, protecting confidentiality. The “Manage Meetings” feature consolidates board directors’ contacts, calendars and the logistics of meetings. The program is a secure and intuitive solution for managing board materials and collaboration.
