Enterprise Risk Management (ERM) and Risk Governance

Let’s consider the following scenario, based on true events, which occurred within an organization I worked closely with recently. This company had a long-running project with a number of uncertainties. Risks were identified, then qualitatively analyzed, and risk responses planned. Implementing these risk responses required a number of actions. Some were taken, but most were ignored or overlooked because of other projects and a lack of understanding of risk management at an organizational level.

I came to know that there was no consistency in risk governance parameters such as risk appetite or risk threshold. In fact, there was no structured and uniform way to define the probability and impact scales, no standard form of risk reporting, and little to no accountability for addressing risks. Hence, when risks were reported, team members didn’t understand them, or if they did, they didn’t know how, or whether, to act.

What happened?

As you may have correctly guessed, this project was in trouble. And despite that, it continued to run for a long time! It was a classic watermelon project, where everything looks green from the outside but is all red when you open it.

In this article, we will explore how to manage such a massive gap at an organizational level, considering Enterprise Risk Management and Risk Governance. If you are preparing for the Risk Management Professional (PMI-RMP) examination, you need to be aware of both these concepts. In fact, in a recent RMP Success Story, a senior program management professional emphasized it.


What is Enterprise Risk Management?

Projects can exist independently, but usually they exist within a program or a portfolio, which in turn is held within an enterprise or organization; the same is usually true of a program or portfolio. Hence, when we talk of risk management, we also need to know how risk management happens in the context of the enterprise. Organizations require risk management practitioners to apply risk management practices in project, program, and portfolio management, and these practices are an integral part of the ERM framework.

In other words, ERM addresses risks at an enterprise or organizational level, including all the risks associated with the enterprise’s portfolios, which in turn contain all of its programs and projects. An organization’s “Risk Governance Framework” is set at the enterprise level, and a governance board oversees the ERM and its framework.

Portfolio risk management, in turn, derives its policies, processes, and methods from the ERM framework, and program and project risk management adopt their risk management practices under the portfolio risk management umbrella.


Why Go for Enterprise Risk Management?

Enterprise risks are also known as business risks, and organization leaders must manage them to stay relevant and stay in business. Typically, an organization runs many individual departments such as Development and Delivery (or Production and Distribution), Finance, Human Resources, Sales and Marketing, Legal and Compliance, among others.

All these functional departments may have their own risk management as shown in the below figure.

If the risks arising within these departments are managed individually, without a holistic or overall view of the risks from the organization’s perspective, the result is siloed risk management.


PPP Approach to ERM

Alternatively, organizations can take a common approach to risk management across the organization or enterprise, considering all the departments. In a projectized organization, ERM will consider all layers of management – project, program, and portfolio (PPP).

Portfolios of programs, projects, and operations are created to achieve an organization’s strategic goals and objectives. A portfolio internally contains programs and projects.

Considering PPP based management approach, the following should be noted about ERM:

  • Enterprise risk functions and management are performed by the Executive Management.
  • The ERM process is also determined by the Executive Management.
  • Being accountable for strategic goals and objectives, the Executive Management is best suited to handle ERM.

Based on this understanding, consider the below figure:

As shown, ERM supports an organization’s vision, mission, goals, and strategies. In fact, this support is the main objective of the ERM.


ERM Considerations for PPP Based Risk Management

ERM ensures that all organizational risks are properly identified, addressed, managed, and monitored. For the best application of ERM, however, a common approach to risk management is needed, because ERM should consider all of the organization’s risks as one interrelated collection.

A common approach to risk management enables two things:

  • Normalization: The risk prioritization schemes, risk probability, and impact scales for the risks are standardized across the board.
  • Aggregation: Risks coming from the portfolios of programs and projects are combined (rolled up) into a consolidated view.

With normalization and aggregation, a risk can be stated at any level in the organization in terms everyone understands. Risks can then move in both directions: cascading from a higher level down to the PPP level, or escalating from a lower level up to the enterprise level.
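As an added illustration of normalization and aggregation (this is not code from the article, the author, or PMI), the Python below takes two project risk registers kept on different local scales, normalizes both onto an assumed common enterprise probability and impact scale, rolls them up into a portfolio view, and escalates the risks whose normalized score crosses an assumed risk threshold. All scales, mappings, thresholds, project names, and risks are constructed for the example.

```python
"""Normalizing and aggregating project risks into an enterprise view.

Added example for this article; not code from the author or from PMI.
Every scale, mapping, threshold and risk below is a constructed
assumption chosen to illustrate the mechanics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalizedRisk:
    risk_id: str
    project: str
    probability: float   # 0.0 .. 1.0 on the enterprise scale
    impact: float        # monetary impact in one enterprise currency
    p_level: int         # enterprise 1-5 probability level
    i_level: int         # enterprise 1-5 impact level

    @property
    def score(self) -> int:
        return self.p_level * self.i_level  # enterprise P x I score

    @property
    def emv(self) -> float:
        return self.probability * self.impact  # expected monetary value


# Enterprise-wide bands (assumed): (upper bound, level), checked in order.
ENTERPRISE_PROB_BANDS = ((0.10, 1), (0.30, 2), (0.50, 3), (0.70, 4), (1.00, 5))
ENTERPRISE_IMPACT_BANDS = ((10_000, 1), (50_000, 2), (250_000, 3),
                           (1_000_000, 4), (float("inf"), 5))
ESCALATION_SCORE = 15         # assumed risk threshold: this score or above escalates
PORTFOLIO_APPETITE = 500_000  # assumed risk appetite: max aggregate EMV per portfolio

# Local scales the projects actually use (assumed). Alpha rates both
# probability and impact on its own 1-5 ordinal scale; Beta uses H/M/L
# probability labels and records impact directly in money.
ALPHA_PROB = {1: 0.05, 2: 0.20, 3: 0.40, 4: 0.60, 5: 0.85}
ALPHA_IMPACT = {1: 5_000, 2: 25_000, 3: 100_000, 4: 500_000, 5: 2_000_000}
BETA_PROB = {"L": 0.15, "M": 0.45, "H": 0.75}


def to_level(value: float, bands) -> int:
    """Map a probability or a monetary impact onto the enterprise 1-5 scale."""
    for upper, level in bands:
        if value <= upper:
            return level
    return bands[-1][1]


def normalize(project: str, risk_id: str, probability: float, impact: float) -> NormalizedRisk:
    """Normalize a risk already expressed as (probability fraction, money)."""
    return NormalizedRisk(risk_id, project, probability, impact,
                          to_level(probability, ENTERPRISE_PROB_BANDS),
                          to_level(impact, ENTERPRISE_IMPACT_BANDS))


def normalize_alpha(risk_id: str, p_ordinal: int, i_ordinal: int) -> NormalizedRisk:
    """Adapter for Alpha's ordinal register: ordinal -> assumed midpoint values."""
    return normalize("Alpha", risk_id, ALPHA_PROB[p_ordinal], ALPHA_IMPACT[i_ordinal])


def normalize_beta(risk_id: str, p_label: str, impact_money: float) -> NormalizedRisk:
    """Adapter for Beta's register: H/M/L label -> assumed probability, money as-is."""
    return normalize("Beta", risk_id, BETA_PROB[p_label], impact_money)


def aggregate(portfolio: str, risks) -> dict:
    """Roll a portfolio's normalized risks up into one enterprise-level view."""
    risks = list(risks)
    total_emv = sum(r.emv for r in risks)
    # Risks at or above the threshold are escalated, highest score/EMV first.
    escalate = sorted((r for r in risks if r.score >= ESCALATION_SCORE),
                      key=lambda r: (r.score, r.emv), reverse=True)
    return {
        "portfolio": portfolio,
        "risk_count": len(risks),
        "total_emv": total_emv,
        "appetite_exceeded": total_emv > PORTFOLIO_APPETITE,
        "escalate": [r.risk_id for r in escalate],
        "max_score": max((r.score for r in risks), default=0),
    }


# Constructed sample registers for one portfolio holding both projects.
DIGITAL_PORTFOLIO = [
    normalize_alpha("A-1", 4, 5),
    normalize_alpha("A-2", 2, 2),
    normalize_alpha("A-3", 5, 3),
    normalize_beta("B-1", "H", 400_000),
    normalize_beta("B-2", "L", 30_000),
    normalize_beta("B-3", "M", 8_000),
]


if __name__ == "__main__":
    for r in DIGITAL_PORTFOLIO:
        print(f"{r.risk_id:4} P{r.p_level} I{r.i_level} score={r.score:2} EMV={r.emv:,.0f}")
    print(aggregate("Digital", DIGITAL_PORTFOLIO))
```

The point of the two adapters is that the enterprise never compares Alpha’s “4” with Beta’s “H” directly; each register is first translated into the common units, and only then are scores and expected monetary values comparable and summable. Cascading works the same way in reverse: an enterprise-level threshold expressed in common units can be translated back into each project’s local scale.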

Hence, modifying our previous figure with respect to layers of risk management, we can consolidate and present as the below figure.

This bidirectional movement of risks results in integration, as well as alignment, of ERM and PPP risk management.


Governance and Its Elements

Governance, as the name indicates, is the way to govern an “entity.” The purpose of governance is to ensure that the “entity” is managed in a proper way.

Governance can exist at the level of the enterprise/organization, portfolios, programs, or projects, and is known as organizational, portfolio, program, or project governance, respectively. Each has its own governance framework, which is part of that governance.

The major elements of an entity’s governance are these:

  • The Governing Body is a temporary or permanent group of members with responsibility and authority. This body provides the needed guidance and decision-making for portfolios, programs, and projects. An example is an executive board.
  • The Governance Framework contains governing domains with functions, processes, and activities for projects, programs, and portfolios. Examples of domains are governance communications, governance performance,
  • The Governance Domain refers to a group of functions carried out by an individual, group, or organization to address a specific area of concern.
    For example, the governance communications domain is about dissemination of information.
  • Governance Functions are a group of related processes executed/performed to support the governance of portfolios, programs, and projects.

The elements and interactions among the elements of governance are shown in the below figure.

Types of Governance

There can be various types of governance such as organizational governance, portfolio governance, program governance, etc. at the respective levels.

Organizational governance is a structured way to provide governance at the organizational level. The focus is to meet organizational strategic and operational goals.

Portfolio, program, or project governance refers to the framework, functions, and processes that guide portfolio, program, or project management activities, respectively.


Governance Vs. Management

At this point, you may be wondering:

  • What are the differences between governance and management?
  • Don’t portfolio, program, and project management already exist to guide the respective management activities? If so, why is governance needed?

Yes, portfolio, program, and project management will still exist, but when it comes to governance there are some key distinctions, which can be summarized by this line.

Governance informs the “what” aspects; management, the “how” aspects. The “what” aspects are about decisions, guidance, and ensuring PPP management. The “how” aspects are about organizing and doing the work.

Beyond the above key difference, I’ve noted some more differences between governance and management in the below table.

Risk Governance

With this background in mind, let’s now consider risk governance and the risk governance framework.

Risk management in the enterprise context is primarily about enterprise risk management (ERM), and it involves an integrated view of portfolio, program, and project management.

In this organizational context of risk management, these are the key points related to risk governance:

  • Risk governance is created, and the risk governance framework is also elaborated. Remember that the governance framework is an element of governance.
  • Within this framework, risks are identified at each level, i.e., the enterprise/organizational level or PPP.
  • Identified risks are analyzed, both qualitatively and quantitatively. Then the most suitable governance layer is decided: the portfolio governance layer, the program governance layer, or the project’s governance.
  • It’s possible that at each level of PPP governance, one can have a risk governance model, which is part of the corresponding P’s governance. For example, within the project governance, one can have project risk governance.
  • The respective governance layer decides on the escalated risks and what to do with them. Enterprise risks can be cascaded down to the respective suitable layer, if they can be managed at that level. As we have seen earlier, there can be bi-directional movement of risks in an organization.
  • Risk governance, at the chosen layer, guides the identification and assignment of risk owners. It is then the responsibility of each risk owner to delegate risk actions to the respective risk action owners.
  • Risk governance, at the chosen layer, guides on risk response strategies and risk response actions, which are associated with the response strategies.
  • Risk governance, at the chosen layer, also decides on the continuance or termination of a portfolio, program, or project.


Video – Risk Governance Vs. Risk Management  

Now, let’s look at the differences between Risk Governance and Risk Management.

For this purpose, I’ve put together a video [duration – 8m:36s] with additional explanations. For a better audio-visual experience, you may want to go full-screen in HD mode and plug in your earphones. It’s one of many from my RMP Live Lessons.


Let’s revisit the scenario explained at the beginning of this article, where a project had been running without any proper risk management. If you’ve watched the aforementioned video, you should be able to answer the following questions:

  • How did the ‘watermelon’ project exist?
  • Why was it running for such a long time with little or no risk management?
  • How come no one was held accountable for it?

More importantly, I hope you have realized the importance of both Enterprise Risk Management and Risk Governance. I welcome your feedback below in the comments section.



[1] Online Course: RMP Live Lessons – Guaranteed Pass, by Satya Narayan Dash

[2] Online Course: RMP 30 Contact Hours, by Satya Narayan Dash

[3] Book: I Want To Be A RMP, The Plain and Simple Way To Be A PMI-RMP, Second Edition, by Satya Narayan Dash

[4] The Standard for Risk Management in Portfolios, Programs and Projects, First Edition, by Project Management Institute (PMI)



Written by Satya Narayan Dash
Satya Narayan Dash is a management professional, coach, and author of multiple books. Under his guidance, over 2,000 professionals have successfully cracked PMP, ACP, RMP, and CAPM examinations – in fact, there are over 100 documented success stories written by these professionals. His course, PMP Live Lessons - Guaranteed Pass, has made many successful PMPs, and he’s recently launched RMP Live Lessons - Guaranteed Pass and ACP Live Lessons - Guaranteed Pass. His web presence is at https://managementyogi.com, and he can be contacted via email at managementyogi@gmail.com.  
  1. In most articles people read about “project risk or ERM,” they end up thinking that an adverse event or threat may occur. Regardless, the term carries a negative connotation or aura. This common belief means you may be missing out on positive risks or opportunities that potentially have a beneficial effect on your project’s deliverables and goals. When you are presented with a risk (and most projects have inherent positive risks), don’t try to avoid it. Either accept it as is, try to increase the probability and impact of it occurring, or share it so other groups can get the full benefit. An environment that inspires risk and rewards success, but does not penalize failure, is an organization to be reckoned with. The movers and shakers of tomorrow are taking risks today. Here are some examples of positive risks: reducing your workload, growing your business, using new technology and moving to the cloud.

  2. Great comment. Indeed, positive risks (opportunities) are normally overlooked. I’ve mentioned it in the linked article.


    I agree with your observation that those organizations which reward risks, but are less likely to penalize risk seekers, are the ones to reckon with.

    Another aspect is that negative risks (threats) literally knock on your doors. Opportunities usually don’t. Hence, you have to detect them. Opportunities also pass by quite quickly (a shorter time window).
