Risk management is not just about avoiding disasters — it is about making better decisions. A well-designed Enterprise Risk Management (ERM) framework gives your organisation a structured, consistent way to identify threats, evaluate their potential impact, and take deliberate action to protect your business objectives.
Yet many Malaysian organisations — from listed companies to government-linked entities — still treat risk management as a documentation exercise. They produce a Risk Register once a year, file it away, and move on. This is not risk management. This is risk theatre.
In this guide, I will walk you through how to build an ERM framework that actually works — one that is embedded in business operations, understood by leadership, and continuously updated to reflect a changing risk landscape.
Framework basis: This guide draws on the COSO ERM Framework (2017) and ISO 31000:2018 — the two most widely accepted standards for enterprise risk management, both of which are recognised by regulators and rating agencies in Malaysia and globally.
Step 1 — Establish the Risk Governance Structure
Before you can manage risk, you need to be clear about who is responsible for it. Risk governance defines the roles, authorities, and accountability mechanisms that give your ERM framework its legitimacy and effectiveness.
1. Board of Directors / Audit Committee — Responsible for approving the Risk Appetite Statement, overseeing the ERM framework, and receiving regular risk reports. Ultimate accountability sits here.
2. Risk Management Committee (or equivalent) — Senior leadership body that reviews the Risk Register, sets priorities, and escalates emerging risks to the board.
3. Risk Owners — Department heads and process owners who are responsible for managing specific risks within their areas. They are closest to the risk and must own the response.
4. Internal Audit — Provides independent assurance that risk management processes are operating effectively. Internal audit does not own risk; it reviews the systems that manage it.
Step 2 — Define Your Risk Appetite
Risk appetite is the amount of risk your organisation is willing to accept in pursuit of its objectives. Without a clearly defined risk appetite, every risk decision becomes subjective and inconsistent — and management and the board will rarely be aligned.
Your Risk Appetite Statement should address different categories of risk separately, because the organisation may have a very different tolerance for financial risk versus reputational risk, for example.
Compliance & Legal Risk
No appetite for breaches of law, regulation, or ethical standards. Any regulatory violation is unacceptable regardless of financial impact.
Financial Risk
Willing to accept measured financial risk to achieve growth objectives, within defined limits approved by the board.
Reputational Risk
Low appetite for any action that could damage the organisation's reputation with customers, regulators, or investors.
Operational Risk
Willing to accept operational disruptions within defined thresholds, provided recovery plans are in place.
Step 3 — Identify Your Risks
Risk identification is the most collaborative part of ERM. It should not be done by the risk function alone sitting in a room — it requires structured input from all parts of the business. The goal is to build a comprehensive, living inventory of risks that could affect the organisation's ability to achieve its objectives.
Effective risk identification methods:
- Risk workshops — Facilitated sessions with department heads to surface risks in their areas. Use structured prompts: What could prevent you from achieving your objectives? What kept you up at night last year?
- Interview key personnel — One-on-one conversations with senior management often surface strategic risks that don't emerge in group settings.
- Review industry trends and regulatory developments — What risks are peers facing? What new regulations are on the horizon in Malaysia or your other operating regions?
- Analyse past incidents and near-misses — Historical data is one of your strongest predictors of future risk. What has gone wrong before, and what nearly went wrong?
- Review the strategic plan — Every strategic initiative carries risk. Expansion into new markets, new product launches, and M&A activity all create new risk exposures.
Step 4 — Assess and Prioritise Risks
Not all risks deserve the same attention. Risk assessment helps you prioritise by evaluating each risk on two dimensions: likelihood (how probable is it?) and impact (how serious would the consequences be if it occurred?).
The result is a Risk Heat Map — a visual representation of your risk profile that makes it easy for the board and management to see where attention is most needed.
| Likelihood ↓ / Impact → | Low | Medium | High |
|---|---|---|---|
| High | Medium Priority | High Priority | Critical |
| Medium | Low Priority | Medium Priority | High Priority |
| Low | Monitor | Low Priority | Medium Priority |
Step 5 — Design Risk Responses
Once risks are assessed and prioritised, the organisation must decide how to respond. There are four standard risk response strategies:
1. Avoid — Eliminate the activity that creates the risk. Example: deciding not to enter a high-risk market.
2. Mitigate — Reduce the likelihood or impact of the risk through controls, processes, or procedures. This is the most common response.
3. Transfer — Shift the financial impact to a third party, typically through insurance or contractual clauses. Note that transfer rarely shifts accountability: a regulator or customer will still hold you responsible for the outcome.
4. Accept — Acknowledge the risk and do nothing further, because the residual risk is within appetite or the cost of mitigation exceeds the benefit. This must be a conscious, documented decision approved at the appropriate level, not ignorance.
Step 6 — Monitor, Report, and Improve
Risk management is a continuous cycle, not a one-time project. The Risk Register must be reviewed and updated regularly — ideally quarterly — and significant changes in the risk profile must be escalated to the board promptly.
Key risk reporting practices for Malaysian organisations:
- Quarterly Risk Report to the Risk Management Committee, covering top risks, changes in ratings, and status of mitigation actions.
- Semi-annual or annual Risk Report to the Board / Audit Committee, with a summary of the overall risk profile and emerging strategic risks.
- Key Risk Indicators (KRIs) — early warning metrics, each with a defined threshold, that signal when a risk is deteriorating before it becomes a crisis.
- Annual review of the Risk Appetite Statement to ensure it remains aligned to the organisation's strategy and external environment.
For Bursa-listed companies: Paragraph 15.26 of the Bursa Malaysia Main Market Listing Requirements requires a listed issuer to include in its annual report a statement on the state of risk management and internal control of the group. That Statement on Risk Management and Internal Control must reflect a genuine, functioning ERM framework that the board has actually reviewed, not just a template document.
The Most Common ERM Failures I See
After 15+ years of reviewing risk management practices across industries and regions, these are the mistakes that consistently undermine ERM effectiveness:
- Risk Register as a static document — Built once a year, never updated, never discussed. A Risk Register should be a living management tool, not an annual report attachment.
- No link to strategy — Risks are identified in isolation from the strategic plan. Effective ERM connects every strategic objective to its key risk exposures.
- Risk owners don't own the risks — Risks are assigned to the risk function rather than to the business units that actually create and manage them.
- Board receives information but not insight — Risk reports are dense, backward-looking, and provide no clear picture of what requires board attention or decision.
- Controls not tested — The Risk Register states controls exist, but no one verifies they are actually working. Internal audit plays a critical role here.