Once the context has been defined, the ERM process can be implemented. However, this is not to say that the context cannot change. Both internal and external factors will develop over time, so it is important to constantly be aware of the context and its impact on the process

ERM is implemented as a control cycle. This means that it is a continual process rather than one with a defined start and end. The broad process is given in Figure 6.1.

The first stage in a risk management process is identification, but it is important to ensure that this is done using a consistent risk language and taxonomy. This involves not only defining all of the risks, but also grouping them in a coherent fashion. This is important because it ensures that risks have consistent meanings throughout the organisation.

Risk identification itself involves not only working out which risks an organisation faces, but also a description of the broad nature of those risks. It also means recording them in a consistent and complete way to make reviewing them in future a much easier process.

Having identified the risks, it is then time to assess them in the context of the risk appetite of an organisation. In practice, the risk appetite should be agreed and given in clear terms before risks are actually measured. This includes specifying the risk measures to be used, as well as the values of those measures that are thought to be acceptable.