Best Practices

Enterprise Risk Management

Risk management is a program designed to identify potential events that may affect the government and to protect and minimize risks to the government’s property, services, and employees. Effective risk management ensures the continuity of government operations. The importance of risk management has been growing steadily over the last several years for a variety of reasons including legal, political, and medical liability, increased use of technology, and higher litigation costs.

Risk management is geared to achieving a government’s objectives through strategic decisions that flow through high-level goals, effective use of resources, reliability of reporting, and compliance with applicable laws and regulations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management as:

“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Enterprise risk management is:

  • A process, ongoing and flowing through an entity,
  • Effected by people at every level of an organization,
  • Applied in strategy setting,
  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk,
  • Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite,
  • Able to provide reasonable assurance to an entity’s management and board of directors,
  • Geared to achievement of objectives in one or more separate but overlapping categories.

1. Risk Identification – An essential component of identifying risk is understanding the sources, types, and likelihood of risk. Risk identification should, at a minimum, identify the exposures in each of the following areas.

  • Physical environment (natural or man-made disasters and infrastructure) – See GFOA’s resource document on Disaster Preparedness.
  • Legal and ethical environment (laws and legal precedents)
  • Operational environment (day-to-day activities and actions within the local government, including services provided and workforce demographics) – See GFOA’s resource document on Disaster Recovery for Technology.
  • Political environment (legislative activity, elections)
  • Social environment (socio-economic composition of the community)
  • Economic environment (market trends, interest rates)
  • Emerging risks (cybersecurity)
  • Internal environment (the attitude of individuals toward risk) – See GFOA’s resource document on Business Preparedness and Continuity Guidelines.

2. Risk Evaluation – The frequency and severity of claims should be monitored and modifications made as necessary. Risk evaluation reports often include such information as the number of open claims, the amount paid out, and the amount reserved. Report results should be communicated in a form and timeframe that enable employees to carry out their responsibilities. Over time, these reports reveal a government’s risk profile. The Public Risk Management Association (PRIMA) has a variety of risk evaluation data available to governments.

3. Risk Treatment – After identifying and evaluating risk exposures, the next step is to decide how best to treat them. Management may select from a variety of risk responses: avoiding, accepting, reducing, sharing, or transferring risk. A risk management program should be a well-rounded combination of preventative and control measures, risk transfer, and risk retention. The latter two methods refer to a government either shifting the financial burden of risk to another entity or performing the task of risk financing in-house. In addition to these three methods, governments may occasionally choose not to provide a service at all, a risk management technique known as risk avoidance.

  • Loss prevention and control – Training, workshops, and inspections are common loss control measures.
  • Risk transfer – The two basic types of risk transfer are financial and contractual.
      • Financial risk transfer may involve the use of an insurance company or risk management pools. The criteria for procuring insurance should include quality and scope of service, breadth of coverage (level of deductibles), financial stability, and cost. Most governments typically begin with three basic types of coverage:
          • Property insurance protects against damage to or loss of property.
          • Liability insurance covers losses arising from a government being found negligent in the performance of its operations.
          • Workers’ compensation provides employees with coverage for all medical bills resulting from job-related injuries or disabilities, as well as lost income.
      • Risk management pools may be classified by factors such as type of service, lines of coverage, or type of government. Additional information on risk management pools is available from the Association of Government Risk Pools (AGRiP).
      • Contractual risk transfer: a government can also transfer risk by having a contractor assume the liability.
  • Risk retention – When a government retains risk (i.e., self-insures), it assumes financial responsibility for some losses. Retaining some risk (e.g., paying a deductible) can lower the government’s premiums. Some governments use their own reserve policies to reduce risk. However, a government that self-insures needs to be aware of the exposures it is taking on.
  • Risk avoidance – Governments may avoid providing specific services if the risk management costs are excessive.

4. Risk Management Implementation – To implement a risk management program, consideration should be given to establishing risk management policies and procedures that include a statement of the organization’s goals, identify the officials charged with carrying out risk-related functions (e.g., planning, organizing, coordinating, implementing, monitoring, and controlling the government’s risk management program), and contain guidelines for making decisions about fundamental activities (e.g., risk control and risk financing). It is essential not only that government officials are aware of the policies and procedures, but also that the risk responses are implemented and effectively carried out.

5. Risk Program Review – In an environment of shrinking budgets and increased accountability within government, it is essential that organizations review the effectiveness and efficiency of the risk management programs operating within them and make changes or modifications as necessary.

Association of Government Risk Pools (AGRiP)

Public Risk Management Association (PRIMA)

  • Board approval date: Friday, March 6, 2020