AFERM EXPERTS SAY...

This question touches on an important distinction within ERM program implementation.  There is a significant difference between a fully compliant ERM program and a fully capable ERM program.  Compliance focuses on the contents of an ERM program, while capability focuses on what an ERM program can achieve.

A fully compliant ERM program can be established in 1-2 years, seeking to institute an Enterprise Risk Board, a governance structure, risk appetite statement, updated Statement of Assurance, risk profile, etc.  It is not as easy to build an ERM program that is mature, fully functioning, integrated, and outcome-oriented.  In a smaller, less complex agency with leadership buy-in, this could range from 5-7 years.  However, in a larger, complex, decentralized agency, it could take 5-10+ years.  It is important that agencies not be discouraged by those projections.  Effective ERM is meant to be a long-term, evolving endeavor.