What is it?

All organisations have business objectives on performance and growth that must be met or exceeded whilst managing risk. Many of these organisations strive for ISO 31000 accreditation, the only internationally recognised standard for enterprise risk management.

The principles, framework and processes of enterprise risk management (ERM) are used to manage the risks and opportunities that materially influence each business objective at all levels.



ERM drives an organisation forward to:


  • Meet and exceed business objectives
  • Define the risk appetite and reduce risk
  • Increase performance and revenue
  • Achieve compliance
  • Reduce costs
  • Reduce incident frequency and impact

A holistic ERM approach encompasses the real estate of the organisation, its projects impacting the real estate, the provision of facilities, and ongoing operations and maintenance. Within the ERM framework, business criticality determines the optimum stacking of facilities by locating critical business departments in appropriately resilient facilities. Business criticality also determines vendor or service levels, and incident and crisis response priorities for business continuity management and disaster recovery.

Why is it important?

Business operations have become increasingly complex, ‘siloed’, regulated and outsourced. Also, client-retained organisations are becoming much smaller while the Managing Agent or Principal Vendor-Partner relationship with the ultimate client is becoming more complex. Outsourcing creates a mismatch between risk control and ownership of consequential losses. The responsibility for regulatory compliance and risk ownership remains firmly with the client while the risk and reward factors for vendors are smaller and limited by contracts. All these issues result in increased risk to organisational operations.


A holistic ERM approach:

  • Helps manage performance, risk and compliance while taking advantage of market opportunities
  • Ensures better policy making, strategy setting, governance and compliance, all informed by horizon-scanning and oversight
  • Provides greater insights into business criticality, which is key to prioritising performance and risk management of the operations
  • Ensures a robust Management Information System for both performance and risk that includes Incident Reports.

These are used to aid continuous improvement of performance and risk, including a reduction in the operating costs and the likelihood, impact and duration of adverse incidents.

What do we do?

CRA provides a full life-cycle facility performance and risk management service.


We review and develop systems consistent with ERM requirements to ISO 31000 and our client’s business objectives, irrespective of a task’s size or complexity. These include creating policy, strategy, governance, audit, Operational Risk Management (ORM), Compliance, Management Information System (MIS), KPIs, KRIs, Responsibility Assignment (RACI) matrices, down to procedures and tools. By reviewing the engagement of all stakeholders, costs, control/governance arrangements and the consequences of management actions, we gain a first-hand understanding of our clients’ needs.


CRA provides significant performance and compliance enhancements while reducing the risks caused by the impact, duration and likelihood of adverse events. Using innovative tools and processes designed for safety and critical industries such as nuclear power, defence and banking, CRA delivers best practices gained from its cross-sector expertise.


Our teams are specialists in quantitative risk assessment, business impact analysis, dependency modelling, setting and analysing KPI/KRIs, and testing performance during normal operation or in the event of disruption.


CRA can help by integrating with your teams and stakeholders within an ERM framework to improve performance.

Our enterprise performance and risk management services include:

Real Estate Portfolio Risk Management

Capital Project Governance

Facilities Risk Management

Business Resilience

Incident Reporting and Crisis Management

Business Continuity/Disaster Recovery

Our Work

We have been working closely with a client in the fusion energy industry to provide world-class qualitative and quantitative expertise in the areas of Safety and Regulation and also Enterprise Risk Management that is ISO 31000 compliant.


We have reviewed the risk management framework for the company and helped them develop their risk register. We are currently advising them on the risk assessment tools that match their requirements for use during the design and development of their technologies.
