Auditing, Governance, and Digital Transformation

Enterprise Risk Management (ERM): How to build a risk register and heat map


Enterprise Risk Management (ERM): How to Build a Risk Register and Assess Risks Practically

Enterprise Risk Management (ERM): A practical guide to building a Risk Register, performing risk assessment (Inherent vs. Residual), identifying owners and procedures, and linking controls via a Risk Control Matrix (RCM)—Digital Salla.

Protect your company: see the Financial Fraud Guide to understand why fraud risk is one of the most critical categories to include in your strategic risk register.
ERM design showing a magnifying glass identifying various risks across departments and mapping them to a heat map.
Core Principle: Risk management is not about avoiding risk, but about understanding each risk and deliberately choosing whether to accept, mitigate, transfer, or avoid it so that the company can pursue strategic growth safely.
What will you learn in this guide?
  • Fundamental definition of Enterprise Risk Management (ERM).
  • How to structure a professional Risk Register for all departments.
  • Risk Assessment Methodology: Likelihood × Impact (The 5×5 Matrix).
  • Inherent Risk vs. Residual Risk: Measuring control effectiveness.
  • How to design a Risk Control Matrix (RCM) to bridge the gap between risk and audit.
  • Strategic Risk Responses: Accept, Avoid, Transfer, or Mitigate.
Practical Note: ERM is a Top-Down process. If the Board of Directors and CEO do not define the company’s “Risk Appetite,” the risk register becomes just a paper-filling exercise.

1) The Concept of Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM) is the culture, capabilities, and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.

Key Insight: ERM moves risk from being “A Department Problem” (e.g., IT’s problem) to being “The Entity’s Shared Problem.”

2) The Risk Register: Structure & Fields

The Risk Register is the master database of everything that could go wrong. A professional register must contain:

  • Risk ID: Unique identifier.
  • Category: Strategic, Financial, Operational, or Compliance.
  • Description: Clear statement of the risk event.
  • Inherent Score: Likelihood × Impact before any control is applied.
  • Mitigation Action: Existing internal control procedure.
  • Residual Score: Likelihood × Impact after the existing controls are applied.
  • Risk Owner: The specific person accountable for managing this risk.

3) Risk Assessment (The Heat Map)

We measure risk using two dimensions: Risk Score = Likelihood (1-5) × Impact (1-5).

The 5×5 Risk Heat Map (each cell = Likelihood × Impact)

Likelihood \ Impact   Negligible (1)  Minor (2)  Moderate (3)  Major (4)  Catastrophic (5)
Almost Certain (5)          5            10          15           20            25
Likely (4)                  4             8          12           16            20
Possible (3)                3             6           9           12            15
Unlikely (2)                2             4           6            8            10
Rare (1)                    1             2           3            4             5

Scores therefore range from 1 (rare and negligible) to 25 (almost certain and catastrophic). Plot each risk twice, once at its inherent score and once at its residual score, so the movement on the map shows what the controls actually achieve.

4) Inherent vs. Residual Risk Logic

This is the heart of Risk Control Effectiveness.

  • Inherent Risk: The risk level assuming NO internal controls exist (The raw threat).
  • Residual Risk: The risk level that remains after internal controls are functioning.
Management Goal: The gap between the inherent and residual scores is the measured effect of your controls. If the gap is small, the controls are likely ineffective (or have never been tested); if the inherent score was already within appetite, the control is probably redundant. If the residual score still exceeds the Risk Appetite, the risk needs further treatment regardless of how many controls are listed against it.
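The following is an added worked example (not code from the Digital Salla article) that turns sections 2 to 4 into something you can run: it builds the register fields listed above, computes inherent and residual scores on the 5×5 grid, and applies the inherent-vs-residual logic against a Board-approved appetite. The register rows, the Low/Medium/High bands and the appetite threshold of 8 are constructed assumptions; the page defines the score grid, not the bands.

```python
"""Risk register with inherent vs residual scoring on a 5x5 heat map.

Added example, not code from the article. Register rows, score bands and
the appetite threshold below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
CATEGORIES = ("Strategic", "Financial", "Operational", "Compliance")


def band(score: int) -> str:
    """Assumed banding of the 1-25 product score (the article gives the grid, not bands)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def heat_map() -> list[list[int]]:
    """Full 5x5 grid: rows are likelihood 5..1 (top to bottom), columns impact 1..5."""
    return [[lik * imp for imp in range(1, 6)] for lik in range(5, 0, -1)]


@dataclass
class Risk:
    risk_id: str
    category: str            # one of CATEGORIES
    description: str
    inherent_likelihood: int  # 1-5, assuming no controls
    inherent_impact: int      # 1-5, assuming no controls
    mitigation: str           # existing control procedure; empty string if none
    residual_likelihood: int  # 1-5, with controls operating
    residual_impact: int      # 1-5, with controls operating
    owner: str                # a named person or role, never "management"

    def __post_init__(self) -> None:
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if v not in range(1, 6):
                raise ValueError(f"{self.risk_id}: scores must be 1-5, got {v}")
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if not self.owner.strip():
            raise ValueError(f"{self.risk_id}: every risk needs a specific owner")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def assess(risk: Risk, appetite: int) -> dict:
    """Apply the inherent-vs-residual logic to one register row."""
    gap = risk.inherent_score - risk.residual_score
    findings = []
    if gap < 0:
        findings.append("data error: residual score exceeds inherent score")
    if risk.mitigation and gap == 0:
        findings.append("control ineffective: no reduction from inherent to residual")
    if risk.mitigation and risk.inherent_score <= appetite:
        findings.append("possible redundancy: inherent risk already within appetite")
    if risk.residual_score > appetite:
        findings.append("above appetite: further treatment (mitigate/transfer/avoid) required")
    return {
        "risk_id": risk.risk_id,
        "owner": risk.owner,
        "inherent": (risk.inherent_score, band(risk.inherent_score)),
        "residual": (risk.residual_score, band(risk.residual_score)),
        "control_effect": gap,
        "findings": findings,
    }


def top_risks(register: list[Risk], n: int = 10) -> list[str]:
    """IDs of the n highest residual risks, for the Board's dashboard."""
    ranked = sorted(register, key=lambda r: r.residual_score, reverse=True)
    return [r.risk_id for r in ranked[:n]]


# Constructed sample register (illustrative rows, not real company data).
RISK_APPETITE = 8  # assumed: the Board accepts residual scores of 8 or below
REGISTER = [
    Risk("R-001", "Financial", "Payments made to fictitious vendors",
         4, 5, "Three-way match and dual authorization for new vendors", 2, 4, "AP Manager"),
    Risk("R-002", "Operational", "Ransomware encrypts the ERP database",
         4, 5, "Offline backups restore-tested quarterly; EDR on all endpoints", 2, 3, "CISO"),
    Risk("R-003", "Compliance", "Late filing of statutory tax returns",
         3, 3, "Filing calendar reviewed monthly by Finance", 3, 3, "Tax Lead"),
    Risk("R-004", "Strategic", "Key competitor undercuts pricing by 20%",
         3, 4, "", 3, 4, "Head of Sales"),
    Risk("R-005", "Operational", "Stationery theft from the supply room",
         2, 1, "Annual stock count of stationery", 1, 1, "Office Manager"),
]

if __name__ == "__main__":
    for row in heat_map():
        print(" ".join(f"{v:2d}" for v in row))
    for r in REGISTER:
        print(assess(r, RISK_APPETITE))
    print("Top residual risks:", top_risks(REGISTER, 3))
```

Run as a script it prints the grid, one findings line per risk and the top-three residual list. R-003 is the case the Management Goal warns about: a control is recorded but the score does not move, so it is either ineffective or was never evidenced. R-005 shows the opposite failure, a control spent on a risk that was already within appetite.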

5) The ERM Value Path (Visual Logic)

How does risk management turn from a defensive shield into strategic fuel?

The ERM Lifecycle Diagram shows Identify, Assess, Respond, and Monitor as a continuous loop (the Strategic ERM Cycle):
  1. Identify the risk.
  2. Assess its likelihood and impact.
  3. Respond: mitigate or transfer (or avoid/accept, see section 7).
  4. Monitor: audit and review.
The goal is to keep “Residual Risk” within the “Risk Appetite” approved by the Board.
Insight: Risk management is not a one-time project, but a Continuous Discipline that evolves as the market changes.

6) Linking Controls: The RCM Matrix

The Risk Control Matrix (RCM) is where management and audit meet. It links each specific risk to a specific internal control.

  • Risk Statement: “Payments made to fictitious vendors.”
  • Control Procedure: “The system enforces a three-way match (purchase order, goods receipt, invoice) before payment and requires dual authorization to create a new vendor.”
  • Control Type: Preventive / Automated.
Each RCM row should also record the control owner and how the control is tested, so Internal Audit can verify it rather than take it on trust.
Deep dive: Control Procedures, which explains how to design the “Mitigation Actions” that populate the RCM.

7) Strategic Risk Responses

Once a risk is assessed, management must choose one of four responses:

  1. Avoid: Exit the activity (e.g., stopping operations in a war-torn country).
  2. Reduce (Mitigate): Apply controls (e.g., installing a fire suppression system).
  3. Transfer (Share): Buying insurance or outsourcing a risky process.
  4. Accept: Do nothing because the risk level is within appetite or the cost of control is too high.

8) Operational Controls & Readiness Checklist

To ensure your ERM System is working:

ERM Quality Gate Checklist

  1. Does every risk in the register have a Specific Owner (Name/Role)?
  2. Is the register updated at least quarterly to reflect new market threats?
  3. Are Inherent and Residual scores clearly distinguished?
  4. Is the Risk Control Matrix (RCM) verified by Internal Audit annually?
  5. Does the Board receive a “Top 10 Strategic Risks” dashboard every period?
Related topic: COSO Framework — Because COSO provides the overall governance umbrella that ERM sits under.

9) Common Errors and How to Prevent Them

  • Risk Register as a “Static PDF”: Building it once and never looking at it again. Solution: Integrate risk into monthly ops meetings.
  • Confusing Controls with Tasks: Recording “Managing the store” as a control. A control is “Daily count of high-value items.”
  • Ignored External Risks: Focusing only on internal theft and ignoring competitors or new government regulations.
  • Undefined Appetite: Mitigating low-impact risks while ignoring high-likelihood strategic shifts.
Deep dive: Payroll Reconciliation, which shows how a simple “Mitigation Action” in the register (matching payroll to HR records) significantly reduces the residual risk of payroll fraud.

10) Frequently Asked Questions

What is a Risk Appetite?

It is the amount and type of risk that an organization is willing to pursue or retain in order to meet its strategic objectives.

Why do we need a Risk Control Matrix (RCM)?

To prove that for every significant risk identified, there is a functioning control that reduces that risk to an acceptable level.

Can ERM eliminate all business risks?

No. The goal of ERM is to Manage risks to an acceptable level, not to eliminate them. Some risks are inherent to being in business.

11) Conclusion

Mastering Enterprise Risk Management (ERM) transforms a company from “Reactive” to “Resilient.” By utilizing a disciplined Risk Register and performing deep Inherent vs. Residual assessments, you provide the organization with a strategic navigation system. This ensures that you are not just building a list of problems, but designing a robust entity capable of pursuing high-growth opportunities while keeping its most critical assets protected behind a shield of verified controls.

Action Step Now (30 minutes)

  1. Pick one department (e.g., IT or HR).
  2. Identify the #1 risk that could stop them from hitting their targets.
  3. Ask the manager: “If our current internal control fails tomorrow, what is our Plan B?” This is the start of your Risk Response plan.

© Digital Salla Articles — General educational content for management, compliance, and risk management purposes.