
COSO ERM Enterprise Risk Management Establishment

Risk Management

Analytix risk management consulting services assist clients with implementing a practical approach to Enterprise Risk Management (ERM) that is integrated with existing management strategy, objectives and processes, with the goal of providing an enterprise-wide view of risk, improving the information available for decision-making, and reducing the risk of costly surprises.

New Programmes or Improvement to Existing Programmes

Our ERM consulting services are flexible and are suited to either ERM establishment or improvement initiatives.

Alignment with COSO ERM and ISO 31000

Our consultants will assist to align your ERM programme with the COSO ERM framework and the ISO 31000 risk management standard's ERM best practice guidelines.

Tailored to Your Needs

The scope and structure of an ERM programme can vary, and our effort expended will be tailored to the needs of your organisation. Our consultants will assist you to customise your risk management framework to include the components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

ERM Programme Establishment - Elements

Depending on your specific requirement and the Scope of Work, the following elements may be addressed as part of the ERM project: 

  • Identifying executive sponsors for ERM
  • Designing and documenting the risk management principles and risk management policy
  • Developing an ERM framework and methodology that enables secure participation of all stakeholders
  • Establishing a common risk language or glossary
  • Describing the entity's risk appetite (i.e., risks it will and will not take)
  • Identifying and describing the risks in a "risk inventory"
  • Implementing a risk-ranking methodology to prioritize risks within and across functions
  • Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions
  • Establishing ownership for particular risks and responses
  • Demonstrating the cost-benefit of the risk management effort
  • Developing action plans to ensure the risks are appropriately managed
  • Developing consolidated reporting for various stakeholders
  • Monitoring the results of actions taken to mitigate risk
  • Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities

Our consulting approach to risk management advisory projects provides for the development and tailoring of an enterprise risk framework, covering the design and documentation of the risk management principles, policy, process and procedures needed to implement a Risk Management System.

ERM Project Phases

  • Assess - Evaluate existing risk management practices, understand current organization and governance structure, determine the enterprise risk profile, and develop a project and change management plan that supports the ERM program vision.
  • Design – Mobilize the project team, confirm the plan, and develop the company-specific ERM program, including governance structure, standard language, policies, processes, roles, responsibilities, tools, and templates.
  • Training and Awareness – Develop and deliver enterprise-wide training on all aspects of the ERM program, from boardroom governance to enterprise-wide risk quantification, mitigation, and reporting activities.
  • Implement – Communicate change initiatives, conduct highly specialized trainings within each business unit, rollout the ERM program, and begin identifying, assessing, reporting, and responding to risks.
  • Monitor – Benchmark and track performance, gather feedback, and incorporate it into a continuous learning life cycle for the enterprise.

The Analytix approach to Enterprise Risk Management is based on assisting organisations to adopt and embed a risk management system that comprises the eight risk management elements defined by the ISO 31000 Risk Management Standard, as complemented by the COSO Enterprise Risk Management framework, and is designed to achieve compliance with the following regulations, best practices and standards where required.

This Enterprise Risk Management framework and methodology can be implemented by organisations of all sizes, in all sectors: public, private, non-profit, educational, manufacturing, etc.

The COSO ERM framework forms the basis of our Enterprise Risk Management methodology. The COSO ERM Framework has eight components and four objectives categories.

The eight components are:

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring


The four objectives categories are:

  • Strategy - high-level goals, aligned with and supporting the organization's mission
  • Operations - effective and efficient use of resources
  • Financial Reporting - reliability of operational and financial reporting
  • Compliance - compliance with applicable laws and regulations


ISO 31000:2009 - Risk Management - Principles and Guidelines

ISO 31000 is the international standard for risk management. By providing comprehensive principles and guidelines, this standard helps organizations with their risk analysis and risk assessments. Whether you work in a public, private or community enterprise, you can benefit from ISO 31000, because it applies to most business activities including planning, management operations and communication processes.

Whilst all organizations manage risk to some extent, this international standard’s best-practice recommendations were developed to improve management techniques and ensure safety and security in the workplace at all times. By implementing the principles and guidelines of BS ISO 31000 in your organization, you’ll be able to improve operational efficiency, governance and stakeholder confidence, while minimising losses.

This international standard also helps you to boost health and safety performance, establish a strong foundation for decision making and encourage proactive management in all areas.

Depending on the scope of work and terms of reference, typical deliverables of an Enterprise Risk Management programme implementation project may include:

  • Scope
  • Documentation
  • Enterprise Risk Management Training and awareness
  • Risk Management lifecycle
  • Risk Management Policy
  • Risk Management Framework
  • Risk Management Methodology
  • Roles and Responsibilities
  • Internal Environment
  • Strategic Planning and Objective Setting
  • Event Identification
  • Risk Assessment Process and Procedures
  • Risk Response Process and Procedures
  • Control Activities
  • Information and Communication
  • Risk Monitoring

Our COSO ERM and ISO 31000 aligned Enterprise Risk Management consultancy delivers real business benefits:

  • An accurate view of current and near-future risks
  • End-to-end guidance on how to manage risks
  • Integration with the overall risk and compliance structures
  • A common framework/language to help manage the relationship amongst executive decision makers, management, staff, risk management, or between auditors and management
  • Promotion of risk responsibility and its acceptance
  • A complete risk profile to better understand risk
  • Aligning risk appetite and strategy
  • Enhancing risk response decisions
  • Reducing operational surprises and losses
  • Identifying and managing multiple and cross-enterprise risks