Question asked by
AFERM Experts Say...
This question touches on an important distinction within ERM program implementation. There is a significant difference between a fully compliant ERM program and a fully capable ERM program. Compliance focuses on the contents of an ERM program, while capability focuses on what an ERM program can achieve.
A fully compliant ERM program can be established in 1-2 years by instituting an Enterprise Risk Board, a governance structure, a risk appetite statement, an updated Statement of Assurance, a risk profile, and so on. It is not as easy to build an ERM program that is mature, fully functioning, integrated, and outcome-oriented. In a smaller, less complex agency with leadership buy-in, this could take 5-7 years. In a larger, complex, decentralized agency, it could take 5-10+ years. It is important that agencies not be discouraged by those projections. Effective ERM is meant to be a long-term, evolving endeavor.