In short
An enterprise risk assessment is the organisation-wide exercise that identifies, scores and prioritises every material risk against a single consistent methodology. It is what produces the heat map, the top 10 risk list and the board paper. The point is not to list every risk anyone can imagine - it is to give the executive committee a defensible view of what could stop the organisation hitting its objectives, ranked so that risks from different business units can be compared on the same basis.
An enterprise risk assessment is a structured, organisation-wide exercise to identify, score and prioritise the risks that could prevent an organisation from achieving its strategic objectives. It covers every business unit and every risk category - strategic, operational, financial, regulatory, technology, people and reputational - and produces a single ranked view the board and executive can act on.
It is not the same as a project risk assessment (one piece of work), a process risk assessment (one workflow), or a control assessment (one control). Those exist further down the stack. The enterprise risk assessment sits at the top, and feeds the board pack, the strategic plan and the capital and resource decisions that follow from it.
Enterprise vs project risk assessment: the practical difference
The two are easy to confuse because the underlying mechanic - identify, score, treat, monitor - is the same. The difference is scope, audience and what the output is used for.
| | Project / process risk assessment | Enterprise risk assessment |
|---|---|---|
| Direction | Bottom-up, narrow scope | Top-down, organisation-wide |
| Scope | A single project, process, change or control. | The whole organisation, every business unit, every risk category. |
| Audience | The project sponsor and the operational owner. | The executive committee, the risk committee and the board. |
| Used to | Make a go/no-go decision, set mitigations, or escalate one specific issue. | Set the enterprise risk profile, prioritise capital and management attention, and demonstrate to regulators that risks are understood and within appetite. |
In practice, the enterprise assessment consumes the outputs of the lower-level assessments. The project, process and control assessments produce the evidence; the enterprise assessment aggregates, normalises and ranks them so the board sees one consistent picture instead of fifteen incompatible ones.
The 5-step enterprise risk assessment process
There is no single "official" methodology - ISO 31000, COSO ERM, the FRC Risk Guidance and the FCA's operational resilience expectations all describe broadly the same shape. The practical version most UK mid-market firms run looks like this:
Step 1 - Define scope, taxonomy and methodology
Before any workshops, agree the structure of the assessment:
- Which business units are in scope.
- Which risk categories will be used (typically 6-10: strategic, operational, financial, regulatory, technology, people, third party, reputational, ESG, fraud).
- What the likelihood and impact scales are - usually 5x5, with impact defined in monetary, operational and reputational terms.
- What the organisation's risk appetite is for each category.
If you skip this step, every workshop scores risks differently and the consolidated output is not comparable. The methodology debate is what makes the rest of the exercise defensible.
Step 2 - Identify the risks
Risk identification happens through a combination of:
- Workshops with each business unit leadership team (usually 60-90 minutes per unit).
- Existing registers from the prior cycle, RCSA outputs and incident logs.
- Targeted interviews with executive sponsors of cross-cutting risks (cyber, third party, regulatory).
- Horizon scanning for emerging risks - regulatory change, geopolitical, technology disruption.
For deeper guidance on running the workshops themselves, see our piece on how to assess risk in practice. The aim is breadth - capture everything that could materially affect the strategy - knowing the next step will filter ruthlessly.
Step 3 - Score each risk (gross and net)
Each risk gets two scores: gross (what the risk would look like with no controls), and net (residual - what it actually looks like with current controls in place). The difference between the two is the control environment - and it is one of the most informative outputs of the whole exercise. For the distinction between these terms, see our explainer on gross vs net vs residual risk.
Scoring uses the scales agreed in step 1. For a 5x5 matrix, see our explainer on what a 5x5 risk matrix is and how to calibrate it. The single most important calibration job is making sure "high impact" means the same thing in every workshop - usually anchored to a specific monetary or operational threshold.
Step 4 - Consolidate and rank
Once every business unit has scored its risks, the risk function consolidates everything into one enterprise view. This is where inconsistencies show up - the same third-party risk scored 4x5 in one unit and 2x3 in another, the same regulatory risk owned by three different people. The consolidation pass forces those inconsistencies to be reconciled before anything reaches the board.
The output is usually three things: an enterprise risk heat map; a ranked top 10-15 list with brief narrative for each; and a comparison to the prior cycle (which risks moved up, which moved down, which appeared for the first time).
Step 5 - Report, treat, monitor
The board paper is the artefact the whole assessment exists to produce. For what good board-level risk reporting actually looks like, see our piece on board-ready risk reporting. After the board takes the paper, each top risk needs a named treatment action with a deadline and an owner - and those actions get tracked through to the next assessment cycle.
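As an added illustration of steps 3 to 5 (example code written for this page, not from the original article or any product it describes), the consolidation pass in Python: each unit's workshop rows are scored on one calibrated monetary impact scale, the same risk is reconciled across units and flagged where the unit scores diverge, and the result is ranked, compared with appetite and compared with the prior cycle. The impact bands, appetite limits, the "highest unit score wins" aggregation rule and the sample rows are all constructed assumptions.

```python
from collections import defaultdict

# Step 1 calibration (assumed): one GBP impact scale used in every workshop.
# (upper bound, band); a loss above the last bound is band 5.
IMPACT_BANDS = [(50_000, 1), (250_000, 2), (1_000_000, 3), (5_000_000, 4)]
# Assumed appetite: highest tolerated net score (likelihood x impact) per category.
APPETITE = {"third party": 8, "regulatory": 6, "technology": 12}
# Prior-cycle net scores by risk id (constructed).
PRIOR_NET = {"TP-01": 12, "REG-02": 6}

def impact_band(loss_gbp):
    """Map a monetary loss estimate onto the calibrated 1-5 impact band."""
    for upper, band in IMPACT_BANDS:
        if loss_gbp <= upper:
            return band
    return 5

def consolidate(entries, max_spread=4):
    """Aggregate per-unit workshop rows (unit, risk, category, gross/net likelihood 1-5,
    gross/net loss in GBP) into one ranked register; enterprise score = highest unit score."""
    by_risk = defaultdict(list)
    for e in entries:
        by_risk[e["risk"]].append(e)
    register = []
    for risk, rows in by_risk.items():
        nets = [r["net_lik"] * impact_band(r["net_loss"]) for r in rows]
        gross = max(r["gross_lik"] * impact_band(r["gross_loss"]) for r in rows)
        net, category, prior = max(nets), rows[0]["category"], PRIOR_NET.get(risk)
        register.append({
            "risk": risk, "category": category, "gross": gross, "net": net,
            "control_effect": gross - net,                    # gross minus net = the control environment
            "units": {r["unit"]: s for r, s in zip(rows, nets)},
            "divergent": max(nets) - min(nets) > max_spread,  # same risk, very different unit scores
            "breach": net > APPETITE.get(category, 25),      # net position outside agreed appetite
            "movement": "new" if prior is None else
                        "up" if net > prior else "down" if net < prior else "flat",
        })
    register.sort(key=lambda r: (-r["net"], -r["gross"]))   # top of the list = top of the board paper
    return register

WORKSHOP_OUTPUT = [  # constructed sample rows from three unit workshops
    {"unit": "Retail", "risk": "TP-01", "category": "third party", "gross_lik": 5, "gross_loss": 8_000_000, "net_lik": 4, "net_loss": 3_000_000},
    {"unit": "Wealth", "risk": "TP-01", "category": "third party", "gross_lik": 3, "gross_loss": 900_000, "net_lik": 2, "net_loss": 200_000},
    {"unit": "Retail", "risk": "REG-02", "category": "regulatory", "gross_lik": 3, "gross_loss": 2_000_000, "net_lik": 2, "net_loss": 600_000},
    {"unit": "Ops", "risk": "TECH-03", "category": "technology", "gross_lik": 4, "gross_loss": 4_000_000, "net_lik": 3, "net_loss": 1_500_000},
]
```

Calling consolidate(WORKSHOP_OUTPUT) puts TP-01 first with a net score of 16, flagged as both divergent (Retail scored it 16, Wealth 4) and outside appetite, and moving up from the prior cycle.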
What the output should look like
A defensible enterprise risk assessment produces a small number of clearly defined artefacts. Each one serves a different audience.
| Artefact | Audience | What it shows |
|---|---|---|
| Enterprise risk register | Risk function, executive | Full list with owners, scores, controls, actions. |
| Enterprise heat map | Risk committee, board | Visual summary of every net risk on likelihood vs impact. |
| Top 10-15 risks paper | Board | Narrative, residual position vs appetite, treatment plan. |
| Appetite breach summary | Risk committee, board | Risks where net position is outside agreed appetite. |
| Emerging risk view | Executive, board | New or rising risks since the prior cycle. |
Common failure modes
Most enterprise risk assessments are technically complete and substantively useless. The pattern of failure is consistent:
- The risk team owns the risks. The second line drafts the register, completes the scoring and writes the board paper. The first line nods at it. The output is internally consistent but disconnected from the operating reality - and falls apart the moment a regulator or auditor speaks to a business unit head directly. For the structural fix, see our explainer on the Three Lines of Defence model.
- Inconsistent scoring across units. "High impact" means £10m in one workshop and £200k in another. The consolidated heat map is mathematically wrong. The fix is a calibrated impact scale agreed in step 1 and enforced in step 4.
- Output too long to be useful. A 60-risk register goes to the board. They engage with 4-5 of them and ignore the rest. The fix is ruthless prioritisation: top 10-12 risks with narrative, the rest in an appendix.
- No connection to appetite. The register lists scores but never shows them against appetite thresholds. The board cannot tell which risks are within tolerance and which need action. The fix is to overlay appetite directly on the heat map.
- One-off exercise, no follow-through. The assessment lands, the board takes the paper, and treatment actions are never tracked. By the next cycle, the same risks reappear at the same scores. The fix is a quarterly action tracker reported alongside the assessment refresh.
Where it sits in the broader GRC operating model
An enterprise risk assessment is not a standalone artefact. It connects to almost everything else in the GRC framework:
- It feeds from the RCSA cycle (the bottom-up first-line view of risks and controls). For the detail, see what an RCSA actually is.
- It feeds into the enterprise risk register, the board pack, the strategic plan and the capital allocation conversation.
- It is independently tested by internal audit as the third line of defence.
- It is reviewed by regulators in any prudential or conduct supervision visit, and by external audit when it forms part of the going concern or internal controls disclosure.
If the assessment cannot trace cleanly from a first-line risk score, through the consolidated register, to the board paper, to a treatment action with an owner - the framework is decorative.
How software changes the exercise
A spreadsheet-based enterprise risk assessment can work for a small organisation with one or two business units. Past that point, three things start to break: version control (which workshop output is the latest), audit trail (who changed this score, when, and why), and reporting (how long does it take to rebuild the board pack each quarter).
Purpose-built risk management software removes those three failure modes by design: one canonical register, structured scoring, automatic audit trail, linked controls and assessments, and board-ready reporting built from the live data. For a deeper view of when the spreadsheet stops being enough, see our piece on risk register software.
Takeaway
An enterprise risk assessment is the exercise that turns a hundred local conversations about risk into one defensible, board-level view of what could derail the strategy. Done well, it shapes capital allocation, management attention and regulatory positioning for the year ahead. Done badly, it is the artefact regulators ask to see when something has already gone wrong.
The mechanics are not complicated - five steps, consistent methodology, ruthless prioritisation. The hard part is keeping the first line in the driving seat of their own risks, and making sure the output is short enough that the board reads it. If you would like to see what running a clean enterprise risk assessment looks like inside a modern platform, book a 30-minute walkthrough.