
Enterprise Risk Management Plan: Steps & Best Practices Guide
An enterprise risk management plan gives your organization a disciplined way to make high-stakes decisions with confidence and maintain business continuity.

Enterprise risks don’t always come from the outside—they often start inside the risk management processes organizations design themselves. As Erick Anez, Head of Enterprise Risk & Resilience for Bridgestone West, explained on an episode of The Employee Safety Podcast, breakdowns usually occur when a process assumes people will perform perfectly every time. Humans adapt—they do not execute identically—and a strong enterprise risk management plan accounts for that from the beginning.
The risk landscape is shifting more rapidly than traditional risk management strategies can keep pace with. New risks are constantly emerging—including financial risks, regulatory compliance pressure, supply chain instability, and reputational exposure. In this environment, the priority is maintaining continuity—making informed decisions quickly without slowing business operations.
That’s where a robust enterprise risk management process is crucial. It provides the organization with a defined way to anticipate disruptions, capture ground-level signals, and respond based on structure—not panic or assumption.
By the end of this guide, you’ll have a practical ERM strategy, a starter risk register, and a clear set of metrics and key risk indicators (KRIs)—so you can actively manage potential risks before they escalate into a risk event.
What Is Enterprise Risk Management (ERM)?
Enterprise Risk Management (ERM) is a strategic framework that organizations use to identify, assess, manage, and monitor risks that could impact their business objectives and strategies. Unlike traditional risk management, which is often limited to individual departments such as finance or IT, ERM provides a unified and organization-wide view of the whole risk landscape.
It’s important to understand the difference between an ERM process and an ERM program:
- The ERM process is the step-by-step method for identifying, evaluating, responding to, and continuously monitoring risks.
- The ERM program is the structure that supports that process — including governance, ownership, tools, communication, and funding.
A strong ERM program ensures the process isn’t theoretical. It breaks down silos so that day-to-day operations actively inform leadership’s view of risk, rather than decisions being made based on incomplete or outdated information.
At its core, ERM helps an organization make informed decisions by connecting strategy, real-time operations, and risk awareness.
Why Do You Need an Enterprise Risk Management Plan?
An enterprise risk management plan is a flexible solution that goes beyond reacting to threats. Ideally, it empowers you to meet business goals while consistently overcoming challenges in your industry. An ERM plan provides a structured and adaptable set of guidelines for various scenarios. Here are some benefits of implementing a well-thought-out ERM framework.
- Proactivity: The worst time to establish a risk management plan is when a threat is already present. Panic can feed into ineffective stopgap decisions. With a proactive approach to risk identification, you position yourself to make informed and strategic choices, fostering resilience and minimizing risk exposures.
- Flexibility: The ERM framework is not built around a single, major threat. It incorporates every type of risk, whether you face a new data protection law or a supplier disruption caused by a hurricane. Because the framework spans your business processes as a whole, it applies to every risk type rather than to one category.
- Resilience: Many risk management plans focus on weathering the storm, putting business goals on hold. For enterprises, the purpose of their operation is to provide value. If they cannot do that, the very core of their existence is compromised. Resilience in risk management means surviving challenges and ensuring the continuous delivery of value, even in the face of adversity.
- Agility: Agility differs from flexibility in addressing the interconnected and cascading nature of risks. While flexibility involves adapting to the type of risk, agility is about responding to the unforeseen consequences and interdependencies that may arise from a specific scenario. For instance, in the case of natural disasters, agility means adapting to the initial impact and then swiftly shifting to secondary effects, such as power outages, putting building security at risk.
- Rapid response: Quick and decisive action is the most valuable resource in any emergency, especially when employing risk mitigation strategies. Time is of the essence, and a rapid response lessens the immediate impact and establishes a foundation for a more controlled and well-managed resolution in critical situations.
One clear benefit of adopting an enterprise risk management framework is its contribution to an effective risk management lifecycle. The key lies in having a well-established plan you can follow and communicate consistently. Fortunately, ample guidance is available for developing and implementing an effective ERM program.
Enterprise Risk Management Plan: 6 Steps
A well-structured enterprise risk management process gives your organization a precise and repeatable method for identifying risks, evaluating their impacts, and monitoring risk exposure over time. Here’s how a mature ERM process typically flows:
- Risk identification: Identify internal and external risks across day-to-day business operations, strategic initiatives, and emerging threats. Identification includes structured methods, such as workshops, audits, and supply chain reviews, as well as real-time operational signals, including frontline feedback, near-miss reports, and unresolved issues. The objective is to reflect the company’s risks as they actually manifest—not just as they appear in documentation.
- Risk assessment: Assess each identified risk using a defined methodology that considers likelihood, business impact, velocity (how fast it escalates), and current preparedness. This step helps distinguish immediate strategic risks, financial risks, cybersecurity threats, or compliance risks from lower-level operational concerns that may already be controlled.
- Prioritization: Translate assessment results into a structured ranking—often a heat map or weighted scoring model—to determine which risk exposures deserve senior management attention first. Most organizations create a focused risk register or “top risks” list to ensure resources align with what matters most now.
- Response selection: Select the appropriate risk response based on your strategic plan and defined risk appetite. Options may include accepting the exposure, reducing it through risk mitigation strategies, transferring it (e.g., insurance or outsourcing), avoiding the activity entirely, or exploiting it if it enables upside for growth or innovation.
- Implementation: Move beyond planning into execution. Assign clear owners, define next-step initiatives, and embed actions directly into existing operational workflows—not as isolated projects that sit outside the enterprise risk management program.
- Monitoring and review: Continuously track whether risk responses are effective using KRIs, dashboards, audits, and after-action reviews. Mature organizations automate metrics and reporting to surface early signals—so leadership does not rely on delayed or manual risk reporting after impact is already felt.
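The assessment and prioritization steps above describe a weighted scoring model that feeds a "top risks" list. The following is an added example, not code from the article or from Bridgestone, that implements such a model for a starter risk register: each risk is scored on likelihood, impact, velocity, and current preparedness, the scores are combined with assumed weights, and the register is ranked beside a conventional likelihood x impact heat-map band so the two views can be compared. The scales, weights, band cut-offs, and the five sample risks are all assumptions for illustration.

```python
"""Weighted risk scoring and prioritization for a starter risk register.

Added example (not from the original article). Scales, weights, band cut-offs
and the sample risks are assumptions for illustration; calibrate them to your
own risk appetite before relying on the ranking.
"""
from __future__ import annotations

from dataclasses import dataclass

# Every factor is scored on the same 1 (low) .. 5 (high) scale.
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed weights in percent; they must sum to 100. Likelihood and impact
# dominate, velocity and control weakness separate otherwise similar risks.
WEIGHTS = {"likelihood": 35, "impact": 35, "velocity": 15, "exposure": 15}
assert sum(WEIGHTS.values()) == 100


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str
    owner: str
    likelihood: int    # chance the risk materialises in the review period
    impact: int        # business impact if it does
    velocity: int      # how fast it escalates once triggered
    preparedness: int  # strength of current controls (5 = well controlled)

    def __post_init__(self) -> None:
        # Reject out-of-scale scores so a typo cannot silently distort the ranking.
        for name in ("likelihood", "impact", "velocity", "preparedness"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")


def composite_score(risk: Risk) -> float:
    """Weighted score normalised to 0..100; higher means more urgent.

    Preparedness is inverted into 'exposure' so that weak controls raise the
    score instead of lowering it.
    """
    exposure = SCALE_MAX + SCALE_MIN - risk.preparedness
    raw = (WEIGHTS["likelihood"] * risk.likelihood
           + WEIGHTS["impact"] * risk.impact
           + WEIGHTS["velocity"] * risk.velocity
           + WEIGHTS["exposure"] * exposure)
    # raw ranges from 100 * SCALE_MIN to 100 * SCALE_MAX; map it onto 0..100.
    return (raw - 100 * SCALE_MIN) / (SCALE_MAX - SCALE_MIN)


def heat_map_band(risk: Risk) -> str:
    """Conventional likelihood x impact band (assumed cut-offs)."""
    product = risk.likelihood * risk.impact
    if product >= 15:
        return "red"
    if product >= 8:
        return "amber"
    return "green"


def prioritize(register: list[Risk], top_n: int = 3) -> list[tuple[str, float, str]]:
    """Rank by composite score, then impact, and return the 'top risks' list."""
    ranked = sorted(register, key=lambda r: (composite_score(r), r.impact), reverse=True)
    return [(r.risk_id, composite_score(r), heat_map_band(r)) for r in ranked[:top_n]]


def starter_register() -> list[Risk]:
    """Constructed sample register; the risks and their scores are illustrative only."""
    return [
        Risk("R-001", "Ransomware reaches plant OT network", "Cyber / Security", "CISO", 3, 5, 5, 2),
        Risk("R-002", "Single-source supplier for a critical component", "Supply Chain", "COO", 4, 4, 2, 3),
        Risk("R-003", "New data protection law in a key market", "Compliance / Legal", "General Counsel", 5, 3, 1, 4),
        Risk("R-004", "Hurricane closes main distribution centre", "Natural Disasters", "Facilities", 2, 4, 4, 4),
        Risk("R-005", "Key-person dependency in finance", "Operational", "CFO", 3, 2, 1, 5),
    ]


if __name__ == "__main__":
    for risk_id, score, band in prioritize(starter_register(), top_n=5):
        print(f"{risk_id}  score={score:5.1f}  heat_map={band}")
```

Running it ranks R-001, R-002, R-003, R-004, R-005. Note that R-001 and R-003 both land in the red heat-map band, yet the composite separates them (78.75 against 56.25) because the regulatory risk escalates slowly and is already well controlled; that distinction is what a weighted model adds over a plain two-axis heat map.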
The Components of an ERM Program (COSO 2017 Framework)
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is one of the most influential authorities on how organizations structure governance, risk, and internal controls. Its guidance is widely used by regulators, audit teams, and Fortune 500 leadership teams to standardize and mature enterprise risk practices.
Its most recent ERM guidance, published in 2017 as Enterprise Risk Management - Integrating with Strategy and Performance, reframed risk management from a compliance activity into a strategic discipline. Instead of treating ERM as something that happens after strategy is set, COSO's model embeds it into how strategy is evaluated, executed, and adapted over time.
To add practical context to this framework, we pulled insights from a recent episode of The Employee Safety Podcast featuring Erick Anez, Head of Enterprise Risk & Resilience at Bridgestone West. His real-world perspective helps illuminate how concepts like governance tone, system design, and feedback culture come to life inside high-stakes environments.
1. Governance & culture
The level of governance and culture is where an enterprise risk management program succeeds or fails, even before any risk management process begins. Governance and culture define who owns risk, but just as critically, what kind of behavior leadership validates and reinforces.
Erick Anez explains that in high-hazard business operations, the instinct is often to assign blame the moment a risk event occurs—to ask, “What did the employee do wrong?” His team rejects that approach entirely. Instead, they begin with a different question:
“The system failed the employee—why did it allow this to happen?”
That mindset is essential to building true operational resilience. It signals to employees that reporting potential risks early will not lead to punishment or extra workload, which dramatically increases the likelihood that you will surface new risks before they escalate.
Strong governance and culture are defined by:
- Clear tone from leadership that prioritizes learning over blame
- Defined risk ownership and accountability at every level
- Trust that raising early signals will lead to action, not consequences
- Risk treated as part of strategic planning and business performance—not only regulatory compliance
COSO places this first for a reason—if employees filter what they share, your ERM strategy is built on a sanitized version of reality, not the truth.
2. Strategy & objective-setting
COSO emphasizes that risk must inform strategy at the moment of design—not after critical decisions have been made. Leadership defines the organization’s risk appetite and evaluates strategic options against it to ensure objectives are achievable within acceptable limits.
This evaluation includes:
- Assessing internal and external conditions that may affect long-term success
- Defining risk appetite in clear business terms (financial loss tolerance, operational disruption thresholds, reputational sensitivity, etc.)
- Aligning strategic objectives with those limits so decisions are deliberate, not accidental
- Looking at both the current risk environment and the future conditions the strategy will operate in
As Erick Anez explains it, leaders should ask two questions before committing to any plan:
“What risks are we managing today—and what risks will this strategy introduce or intensify over the next few years?”
3. Performance
This is where ERM becomes reality—where organizations do more than acknowledge risks; they actively evaluate and act on them. COSO’s Performance component focuses on ensuring the right risks surface fast enough to influence decisions, rather than being buried in static documentation.
A mature organization treats risk as a dynamic input, not a quarterly report. It continuously draws signals from real operations—frontline observations, customer escalations, supply chain patterns, market shifts—and converts those signals into prioritized action.
As Erick Anez emphasizes, this requires understanding how work is actually done, not just how it’s written in procedures. Near-misses and friction points are performance data, not mistakes to ignore.
Core activities within Performance include:
- Identifying risks from both structured assessments and real-time operational insight
- Assessing each risk based on impact, likelihood, speed of escalation, and current readiness
- Prioritizing ruthlessly so leadership addresses what matters most now—not the last incident
- Selecting a response: accept, avoid, reduce, transfer, or exploit based on risk appetite
- Viewing risk as a portfolio, not a list—so leaders see total enterprise exposure, not isolated threats
Risk categorization
Once you identify risks, it helps to group them into categories to clarify ownership, align KRIs, and prevent gaps in visibility. The most common categories include:
- Financial — revenue, liquidity, credit exposure, cost volatility
- Operational — process execution, human performance, equipment, and capacity
- Strategic — market shifts, competitor moves, failed business bets
- Compliance / Legal — regulatory violations, policy failures, contractual breaches
- Cyber / Security — data exposure, cyberattacks, privacy impacts
- Supply Chain / Third-Party — vendor failure, logistics disruption, concentration risk
- Natural Disasters / Physical Threats — weather events, facility incidents, access disruption
- Reputational — public perception, stakeholder trust, media escalation
- Sustainability / ESG — environmental impact, labor practices, governance expectations
Each category should have a clearly defined owner, a set of key risk indicators (KRIs), and a review cadence; otherwise the system defaults to blind spots.
4. Review & revision
This stage is where ERM proves whether it’s a living system or just documentation. COSO’s intent is straightforward—risk strategy must adapt based on what the organization actually learns.
During the review and revise stage, leaders step back and ask:
- Did our response work under real conditions—or did we just satisfy the process?
- Did frontline feedback validate leadership’s assumptions or expose blind spots?
- Are we about to carry a flawed assumption into the next quarter or the next incident?
Erick Anez emphasizes the value of after-action learning loops. His teams walk through what happened during an incident, what people had to adapt around, and what they would change if the same scenario occurred tomorrow—while the insight is still fresh and actionable.
To ensure those insights actually influence how the organization manages risk over time, many ERM programs apply a recurring operational cadence:
- Monthly — Monitor KRIs for early movement
- Quarterly — Realign priorities based on current operating reality
- Annually — Recalibrate risk appetite and top risk list based on proven lessons, not static planning
The mark of maturity here is the use of feedback to adjust strategy at regular intervals, ensuring continuous integration of knowledge.
5. Information, communication & reporting
COSO makes it clear that ERM fails when risk information is slow, incomplete, or siloed. This stage ensures relevant information reaches the right people quickly enough to influence decisions. Executives get visibility early, and operational teams get clarity on what needs action.
Effective alignment and coordination work only if communication is two-directional. Leadership needs risk intelligence from the front lines, and employees need to know their input leads to decisions. Erick Anez emphasizes that this is where trust is either built or lost. A closed feedback loop means that leadership visibly acts on or responds to risks raised, rather than letting them disappear without resolution.
To make those roles explicit, many programs pair COSO's framework with the Institute of Internal Auditors' Three Lines Model:
- The first line (business units) manages risk in everyday operations.
- The second line (risk and compliance) advises and monitors.
- The third line (internal audit) provides independent assurance.
When communication is working, these three are a synchronized system.
Alternative Guidance From ISO 31000
Another commonly used resource for risk management is ISO 31000, the International Organization for Standardization's guidance on risk management, which leaders can adapt to organizations of any size. Its principles overlap substantially with COSO's and provide a globally recognized framework that emphasizes a systematic, integrated approach to managing risk of every type, not only operational risk.
Both are international standards and, as such, are extensive. If you would like something more manageable that you can adapt to your organization, you can start with AlertMedia's risk mitigation template to begin addressing your enterprise's threats.
Cultivating Risk Awareness From the Top Down
Risk intelligence is vital to ERM frameworks because individuals can hold themselves responsible only for the threats they are aware of. Organizations must continuously gather information on these threats and communicate them to key stakeholders on their team, from front-line employees to the board of directors. Here are some methods for managing this:
- Conduct periodic risk assessments to identify and analyze potential threats, evaluating both internal and external factors that impact the organization.
- Implement monitoring systems and tools to track changes in the business environment, industry trends, and emerging risks. Automated tools and real-time data collection can be particularly valuable for highly regulated industries.
- Establish a robust risk reporting system for employees to report potential threats, and consider adding anonymous options to encourage a culture of openness without fear of retribution.
- Use external intelligence sources, including threat intelligence services, industry reports, and regulatory updates, to stay informed about emerging risks that may affect the organization.
- Establish feedback mechanisms, such as surveys and focus groups, to gather insights from employees, customers, and stakeholders. These individuals may be more familiar with your organization’s realistic threats and can offer insight into them.
- Conduct safety audits of various risk segments, like fire emergency planning or cybersecurity, to spot-check your plan and quickly address any issues.
- Provide ongoing employee training on risk awareness and reporting procedures, ensuring everyone in the organization understands their role in identifying and addressing potential threats.
Balancing Your Risk Assessment With Your Risk Appetite
A traditional risk assessment identifies and scores potential threats—but scoring alone doesn’t drive decisions. In a mature ERM plan, the output of an enterprise risk assessment informs a conversation about the level of risk the organization is willing to accept intentionally.
If your team does not yet have a formal structure in place, start with an enterprise risk assessment template—such as our Operational Risk Assessment Template, which walks you through identifying, scoring, and prioritizing risks in a consistent and repeatable format.
For example, when assessing a significant strategic move, such as going public, a risk assessment would reveal exposure to regulatory scrutiny, market volatility, liquidity pressure, and reputational sensitivity. A weak organization would treat that as a warning. A strong one would test those risks against its risk appetite—a leadership-defined statement of how much stress the business can absorb in pursuit of strategic gain.
That decision is typically expressed in a simple structure like this:
“We are willing to accept [type of risk] to [enable strategic outcome], provided [critical threshold] remains above/below [defined limit].”
Applied to the IPO example, that might become:
“We are willing to accept short-term market volatility during the public listing process, provided liquidity remains above 120% and no material audit deficiencies are identified.”
And that’s where this stops being conceptual—because once that appetite is declared, it flows directly into how the business monitors and governs execution.
- Specific KRIs are defined to track those thresholds in real time.
- Those KRIs are presented to the board, not buried in operational dashboards.
- Escalation triggers are agreed upon before anything breaks the boundary, not after.
At this point, risk assessment evolves into strategy, and ERM becomes a performance control mechanism.
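The appetite statement above only becomes a control once each threshold is a KRI with a pre-agreed escalation route. The following is an added example, not code from the article, that encodes the IPO statement's two thresholds as KRIs: each has a direction (the value must stay above or below a limit), a warning margin so the owner hears about erosion before the boundary is crossed, and a governance body that is notified on breach. It also extrapolates the recent trend so a reading that is still inside appetite but sliding toward the limit is flagged as "approaching", the early signal the text asks for. The KRI names, limits, margins, routes, and monthly readings are all assumptions.

```python
"""Risk-appetite thresholds expressed as KRIs with pre-agreed escalation.

Added example (not from the original article). The KRI definitions, limits,
warning margins, escalation routes and the monthly readings are assumptions
that mirror the article's IPO appetite statement; substitute your own.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KRI:
    name: str
    direction: str         # "above": value must stay at or above limit; "below": at or below
    limit: float           # the appetite boundary from the statement
    warning_margin: float  # headroom at which the owner is warned before the boundary
    owner: str             # first line: acts on warnings and approaching alerts
    escalate_to: str       # governance body notified on breach

    def headroom(self, value: float) -> float:
        """Distance to the boundary; negative means the boundary is crossed."""
        if self.direction == "above":
            return value - self.limit
        if self.direction == "below":
            return self.limit - value
        raise ValueError(f"{self.name}: direction must be 'above' or 'below'")

    def status(self, value: float) -> str:
        h = self.headroom(value)
        if h < 0:
            return "breach"
        if h < self.warning_margin:
            return "warning"
        return "ok"


def periods_until_breach(kri: KRI, history: list[float], window: int = 4) -> Optional[float]:
    """Linear extrapolation of headroom over the recent window.

    Returns None when fewer than two readings exist, the boundary is already
    crossed, or headroom is not shrinking.
    """
    recent = history[-window:]
    if len(recent) < 2:
        return None
    headrooms = [kri.headroom(v) for v in recent]
    loss_per_period = (headrooms[0] - headrooms[-1]) / (len(headrooms) - 1)
    if headrooms[-1] < 0 or loss_per_period <= 0:
        return None
    return headrooms[-1] / loss_per_period


def evaluate(kri: KRI, history: list[float], horizon: int = 3) -> dict:
    """Classify the latest reading and decide who must act.

    'approaching' fires while the reading is still inside appetite but the
    trend would cross the boundary within `horizon` periods.
    """
    current = history[-1]
    status = kri.status(current)
    eta = periods_until_breach(kri, history)
    if status == "ok" and eta is not None and eta <= horizon:
        status = "approaching"
    route = {"ok": None, "approaching": kri.owner, "warning": kri.owner, "breach": kri.escalate_to}[status]
    return {"kri": kri.name, "value": current, "status": status, "route": route, "periods_to_breach": eta}


def ipo_kris() -> list[KRI]:
    """Constructed KRIs for the article's IPO appetite statement (assumed values)."""
    return [
        # "liquidity remains above 120%": warn the CFO once headroom drops under 10 points.
        KRI("liquidity_ratio_pct", "above", 120, 10, "CFO", "Board audit committee"),
        # "no material audit deficiencies": any count above zero is a breach, no warning band.
        KRI("material_audit_deficiencies", "below", 0, 0, "Controller", "Board audit committee"),
    ]


if __name__ == "__main__":
    # Constructed monthly readings: liquidity is inside appetite but sliding
    # toward 120%; one material deficiency was just identified.
    readings = {
        "liquidity_ratio_pct": [145, 140, 136, 131],
        "material_audit_deficiencies": [0, 0, 0, 1],
    }
    for kri in ipo_kris():
        print(evaluate(kri, readings[kri.name]))
```

With the constructed readings, liquidity at 131% is still "ok" by threshold alone, yet the trend projects a breach in roughly 2.4 periods, so the CFO is alerted while corrective action is still possible; the single material deficiency is an outright breach routed to the board audit committee. Deciding these routes in code before the listing, rather than in the meeting where the number first breaks, is the point of agreeing escalation triggers up front.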
Performing, Reviewing, and Communicating Your ERM Program
Performing, reviewing, and communicating an ERM plan is a continuous cycle where you will revisit each section repeatedly, ideally improving it along the way. This iterative process is crucial for organizations to proactively manage risks, enhance resilience, and ensure alignment with their strategic objectives.

How Do You Implement Your ERM Plan?
When implementing your plan, you should progress through six risk review and risk response stages, aligning with your business objectives.
1. Identify
2. Assess
3. Prioritize
4. Select Response
5. Implement
6. Monitor & Review
Evaluating Your Risk Management Practices
While an after-action review (AAR) is not an inherent part of a traditional risk management program, it is closely related and complementary. An AAR evaluates past actions or events to identify what worked well and what could be improved, whereas a risk management framework concentrates on identifying, assessing, and mitigating risks before and during the execution of a plan or project, ensuring alignment with strategic goals.
Here are some questions senior management and other business leaders can consider in adopting an AAR approach for their enterprise risk management framework:
- What aspects of the ERM program were executed successfully, and how can we build on these achievements across business units?
- Where did we encounter challenges or errors in the execution, and what measures can we take to address and prevent similar issues?
- What actions contributed to positive outcomes, and how can we integrate these into our internal controls?
- What areas require improvement in our risk control strategies, and what concrete steps can we take to enhance our approach?
- Were there any unforeseen circumstances or gaps in our decision-making, and how can we better anticipate and mitigate similar issues in upcoming projects?
Governance and Oversight That Make ERM Enforceable
Governance defines whether ERM influences decisions or stays on paper. Executive leadership and the board are responsible for setting the risk appetite, regularly reviewing exposure, and requiring escalation before risk reaches a critical point.
The Three Lines Model, commonly used alongside COSO's framework, makes the division of duties explicit. Business leaders own and manage risk. Risk and compliance teams provide guidance and challenge decisions so they are well-informed. Internal audit independently verifies whether controls are functioning as intended.
Regulators and investors increasingly expect proof that this structure is active. Weak governance shows up when risk reaches leadership only after reputational, legal, or financial damage has already occurred. Strong governance makes risk visible early—and forces action before it has an impact.
Technology and Automation in ERM
Technology supports ERM when it improves risk visibility, signal accuracy, and speed of escalation—not when it adds more reporting layers.
Anez stresses that most risk failures are not due to poor intent, but because the right people never saw the weak signal in time to act. His view is that risk cannot depend on people doing the right thing when tired or overwhelmed—the system must surface the signal before humans miss it. That is where automation earns its value.
Effective ERM technology focuses on:
- Real-time dashboards and KRI alerting that surface risk boundary movement while corrective action is still possible
- Automated control testing with evidence capture to prove controls are working continuously
- Structured incident intake and triage workflows so frontline observations do not sit in inboxes or die in informal conversations
- System integrations across finance, operations, and security tools to ensure leaders see interconnected exposure
The outcome is earlier intervention. Technology becomes credible when it enables leaders to anticipate and prevent surprises.
A Framework for Continuous Improvement
A strong enterprise risk management plan is designed to be iterative. It improves decision-making over time by continuously absorbing insights gained from operations, disruptions, and changes.
Erick Anez emphasizes that effective programs don’t rely on people always getting it right—they design systems that make risk visible early, before it reaches escalation. That mindset keeps ERM grounded in reality rather than theory.
A framework like this ensures that ERM becomes strategic, not reactive—helping leaders determine which risks to prevent, which to mitigate, and which to pursue because they create competitive advantage.