The ERM methodology consists of six key elements in line with ISO 31000:2018. Please see the guidance on risk management for further details.

Step 1: Establishing the Scope, Context and Criteria Policy

UNDP’s ERM Policy defines the scope and criteria for consistent risk management across the organization. Risk appetite may vary at the unit/office level based on the context and objectives. 

Step 2: Risk Assessment

Risk assessment is the iterative process of risk identification, analysis, and evaluation. The objective is to provide sufficient information at appropriate intervals for risk-informed management decisions. High-quality risk assessments enable greater acceptance of risk-taking opportunities (e.g. innovation) while ensuring rigorous due diligence, treatment, monitoring, and control. 

Step 3: Risk Treatment

For each High, Substantial or Moderate level risk, one or more risk treatment measures must be identified. In case of threats to organizational objectives, risk treatment may be of four types: terminate (seeking to eliminate the activity that triggers such a risk), transfer (passing ownership and/or liability to a third party), mitigate (reducing the likelihood and/or impact of the risk below the threshold of acceptability), and tolerate (tolerating the risk level).


Step 4: Communication and consultation

ERM requires an inclusive communication and consultation approach with all relevant stakeholders, including programmatic and operational staff as well as other relevant stakeholders (e.g. UN system, national partners, experts, donors, target groups and project affected people). Communication and consultation take place at regular/planned intervals to inform risk identification, assessment, treatment, monitoring, reporting and review. 


Step 5: Monitoring and Review

UNDP’s Risk Register provides an integrated platform for monitoring all levels and categories of risk. Regular risk monitoring and review is conducted to inform management decisions, enabling adaptive management and course corrections. The results of monitoring and review must be recorded and reported as appropriate and be used as a regular input to programme and project management decisions, audits, and organizational performance. 

Step 6: Recording and Reporting

Risk reporting ensures that relevant risk information is available across all levels of the organization in a timely manner to provide the necessary basis for risk-informed decision-making. Risk reporting must be carried out on a semi-annual basis at a minimum. 

These steps are applied organization-wide:

  •  at the project level (i.e. Development Projects, Engagement Facilities, Development Services, Institutional and Development Effectiveness Projects, Multi-Country and South-South Projects);
  •  at the programme/unit level (i.e. Country Office/Programme, Regional Bureaux/Programme, Central Bureaux/Programme);
  •  at the corporate level.

Application of ERM Across UNDP