Case Study

Enterprise Risk Management Framework

Published: 15 September 2021
Client name: Saudi Arabia Railways
Service provided: Risk Management and Advisory

Enterprise Risk Management advice aligned with ISO 31000

In January 2021, Ricardo was appointed to design and implement an Enterprise Risk Management (ERM) Framework for Saudi Arabia Railways (SAR).

The requirement was to develop an approach aligned with ISO 31000:2018, the recognised international standard for risk management, that could be implemented on four specific networks operated by SAR:

  • North-South Railway
  • Eastern Railway
  • Haramain High Speed Railway
  • Al Mashaaer Al Mugaddassah Metro Southern Line (Mecca Metro)

The assignment took our teams from the capital, Riyadh, to major regional centres such as Jeddah, on the shores of the Red Sea, and to Dammam in the Eastern Province.

During the course of their assessments they met with a range of representatives from different functional departments, compiling more than 50 individual risk registers in the process.

These registers were then brought together to form a complete assessment of the risks faced by SAR from an organisational point of view.

By doing so, SAR could move from a typical 'silo' approach to assessments - where individual departments run their own risk exercises in isolation - to a model that is able to identify risks that transcend functions.


What is Enterprise Risk Management?

Enterprise Risk Management (ERM) is about developing an internal capability to identify hazards across an entire organisation and to ensure that coherent, joined-up responses can be prepared.

Traditional risk management exercises tend to be organised by separate divisions, such as the maintenance team, who will naturally focus on their specific roles and responsibilities.

But experience from around the world shows this can lead to 'siloed' thinking. When exercises are run by departments in isolation it becomes difficult to identify when the same risks are shared by different teams, as each function might use different terminologies when they are actually referring to the same issue but from a different perspective.

This can also lead to mitigations introduced by one team in an organisation inflicting significant consequences on others.

For example, the central IT team may have strict responses they are prepared to enact as soon as they suspect risk from a cyber-attack. It is, after all, their responsibility to safeguard the organisation's information systems. But might their response impact on the customer services teams who are responsible for increasing ticket purchases through online channels?

ERM ensures a consistent, top-down approach is communicated across all functions, from the customer-facing frontline operations to support functions such as finance, human resources, property and marketing.

In the process, it also helps nurture a shared culture of risk awareness throughout the organisation.

Our approach

Business Process Mapping

To ensure a standardised approach across SAR is applied – with shared definitions and common practices for identifying, recording and treating risk – we prepared an Enterprise Risk Management Framework that was bespoke to the organisation and fully aligned with ISO 31000. This meant that as the Ricardo teams met with different functions across SAR, the process of capturing current procedures was conducted efficiently and without ambiguity.

Risk Assessment

Between February and June 2021, more than 190 consultation workshops were held with 57 functional departments. For each department, a risk register was updated setting risks out across ten core categories – including safety, reputational, legal – with each risk scored for impact/likelihood and for current mitigation measures.

By cross-analysing the risk registers from across the organisation, the Ricardo experts were able to map connections and relationships between risks and compile a full list of priority risks as determined by SAR's own teams. For the first time, the organisation is able to link maintenance and infrastructure concerns with those of recruitment and revenue collection.

Risk Management Software solution

To help SAR track the progress of mitigation preparations, we helped introduce a unified risk monitoring software solution.

The cloud-based tool is where the risk registers are stored and can be updated by staff, with the information immediately available to approved management teams across each network.

The tool will play a key role in ensuring consistency and shared goals throughout the business, with management teams benefiting from common data tools, methodologies and reporting metrics.


In addition to the installation of the software tool, and following more than six months of workshops, assessments and cross analysis, Ricardo provided SAR with:

- Gap Analysis Report
- ERM Maturity Model
- Mitigation Plans
- Final Report with observations and recommendations for long-term improvement.

What is ISO 31000?

ISO 31000 is the global standard for effectively monitoring and managing risk.

It provides a strategy for developing a risk management mindset across an organisation's governance and encourages a shared understanding amongst staff, suppliers, customers and other stakeholders.

Ricardo has extensive experience in the requirements of this standard, having contributed to its development and earliest draft, through to its implementation in a range of rail environments across Europe, the Middle East and Australia.
