
ERM Best Practices

With the rise of Enterprise Risk Management (ERM) programs in the security field, some leaders are on the hunt for ERM best practice guidance resources. One recent report, courtesy of the U.S. government, contains guidance that may be applicable to private sector security operations.

Last year, the U.S. Office of Management and Budget (OMB) called on federal agencies to implement ERM so that federal managers could more effectively manage risks that could affect agency strategic objectives. Given OMB’s call, the U.S. Government Accountability Office decided to update the government’s risk management framework and identify good practices that some agencies have been using.

The new report, Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk, identifies six components of successful ERM programs, and then describes best practices that apply to each.

The six components and their best practices are as follows:

Element One: Align the ERM process to goals and objectives.

Senior leaders are fully engaged and committed to the ERM process, and they support how ERM contributes to the agency’s goal-setting process. This engagement helps demonstrate the importance of ERM to agency staff. 

Element Two: Identify risks.

Successful agencies develop an organizational “risk-informed” culture in which employees are encouraged to identify and discuss risks openly. This openness is critical to ERM success.

Element Three: Assess risks.

Successful agencies can integrate prioritized risk assessments into their strategic planning and organizational performance management processes. This integration of risk assessments helps improve the budget process, resource allocation planning, and other aspects of operations. 

Element Four: Select risk response.

Successful agencies establish an ERM program that is customized to fit their particular operations. Once established, risk factors are regularly considered, and leaders select the risk response that is most appropriate for the structure and the culture of the agency. 

Element Five: Monitor risks.

Successful agencies are able to continuously manage risk by conducting the ERM reviews on a regular basis. Leaders also monitor the selected risk response with performance indicators that allow the agency to track results and the response’s impact on the mission. Leaders can then determine if the risk response is successful or if it requires additional actions.

Element Six: Communicate and report on risks.

Sharing risk information and incorporating feedback from internal and external stakeholders helps organizations better identify and manage risks. It also increases transparency and accountability to Congress and taxpayers.