The vendor is required to provide an enterprise risk management (ERM) framework consistent with the principles, framework, and process outlined in ISO 31000:2018 – Risk management guidelines.
- Establish a structured and integrated approach to managing risks across the organization that supports decision-making, enhances resilience, and enables achievement of strategic objectives.
- Requirement:
1. Planning and current state assessment
• Review organizational strategy, structure, operations, existing risk practices, and current corporate risk register.
• Conduct stakeholder interviews and workshop(s) to assess current risk management maturity, risk culture and level of integration of risk management into decision-making.
• Perform a gap analysis comparing the agency's current state against the ISO 31000 principles, framework, and process.
• Deliver a current state and gap analysis report that includes an assessment of the strengths, weaknesses, and maturity of existing risk management practices, identification of gaps relative to ISO 31000, and clear, prioritized recommendations for addressing the identified gaps, including recommendations related to governance, roles and accountabilities, risk processes, tools, policies, and integration into planning and decision-making.
2. ERM framework design
• Develop an ERM framework aligned with ISO 31000 principles and tailored to the agency's mandate, risk profile, organizational structure, and strategic objectives.
• Define a risk governance structure, including roles, responsibilities, authorities, and reporting lines for risk oversight and management at the board, executive team, and operational levels.
• Draft a risk management policy and supporting procedures that articulate the agency's approach to risk management.
• Recommend risk appetite and tolerance statements in consultation with leadership (the agency's board of trustees and executive team) to guide risk-informed decision-making.
• Propose risk categories, taxonomy, and risk assessment methodology (e.g., likelihood and impact criteria, scoring scales, evaluation criteria).
3. Implementation support
• Facilitate structured risk identification and assessment workshops with business units and key stakeholders.
• Develop and update the corporate risk register, using the agency's existing corporate risk register as a basis, and recommend appropriate risk treatment options for key risks.
• Establish risk reporting templates, dashboards, and protocols for escalation, monitoring, and decision-making at the appropriate governance levels.
• Develop procedures to support consistent risk identification, assessment, tracking, documentation, and monitoring.
• Advise on integrating risk management into strategic planning, operational planning, project management, and decision-making processes.
• Recommend supporting tools for risk identification, assessment, tracking, documentation, and monitoring that are practical for the agency's size, structure, and resources.
4. Capacity building and knowledge transfer
• Deliver training sessions and guidance materials for leadership, risk owners, and staff to support understanding and application of the ERM framework.
• Provide coaching and practical tools for embedding risk considerations into day-to-day operations and management practices.
• Develop a sustainability plan explaining how the agency will maintain, operate, and progressively mature the ERM program beyond the engagement.
5. Monitoring and continuous improvement
• Propose performance indicators and monitoring mechanisms to assess the effectiveness, integration, and maturity of the ERM framework over time.
• Recommend a structured process for periodic review, management oversight, and continuous improvement of the agency's ERM framework.