Risk Strategy
What Enterprise Risk Management Actually Looks Like at a Mid-Market Company
A practitioner's field guide to building a lean, board-ready ERM program at a $50M–$500M company: COSO 2017 rightsized, risk appetite vs. tolerance, the four gaps that break mid-market programs, and a 90-day path.
By Eric Kennedy · Thu May 21 2026 · 11 min read
TL;DR: Enterprise risk management at a mid-market company ($50M to $500M revenue) is not a smaller version of the Fortune 500 ERM program. It is a different operating model entirely: lean, finance-led, focused on the 15 to 20 risks that actually matter to strategy, run on a quarterly cadence, and anchored to a board-ready one-slide artifact. This guide covers what ERM actually looks like at mid-market scale, the COSO 2017 framework rightsized for a 200-person finance and risk function, the difference between risk appetite and risk tolerance (which trips up nearly every program), the four gaps that consistently break mid-market programs, and a 90-day path to a working ERM program. The thesis: most mid-market companies do not need more ERM. They need the right kind.
Most articles on enterprise risk management are written for the Fortune 500. They describe ERM programs with dedicated chief risk officers, risk committees layered three levels deep, ERM software platforms, full-time risk analysts in every business unit, and quarterly enterprise risk assessments that take six months to complete. That is the program a $50 billion company runs. It is not the program a $250 million company should run, and trying to build a smaller version of it is the single most common reason mid-market ERM programs fail.
The mid-market reality is different. The CFO usually owns risk in addition to finance, treasury, and FP&A. The risk function is one person, or zero. There is no dedicated ERM platform. The audit committee meets four times a year and the risk discussion gets 20 minutes if it is lucky. And the company is moving fast enough that the risk picture changes meaningfully every quarter, not every year.
This guide is the field manual for what ERM should actually look like at a mid-market company. Not the Fortune 500 version with a smaller headcount. A different operating model entirely.
Per the AICPA and NC State 2025 State of Risk Oversight Report, only 11% of senior finance leaders view their organization's risk management process as a strategic competitive advantage, with 64% indicating it provides no or minimal advantage. Only 35% report having comprehensive ERM processes in place, and just 32% rate their oversight as mature or robust. Only 30% integrate risk exposure into capital allocation decisions. The numbers have barely moved in three years. The framework exists. The execution gap is at the mid-market.
What enterprise risk management actually is (and is not)
ERM is the discipline of identifying, assessing, prioritizing, and managing the full portfolio of risks an organization faces, across strategic, operational, financial, compliance, and reputational categories, in a way that supports strategic decision-making. That is the definition. Now what it is not.
ERM is not a risk register. A risk register is an inventory. ERM is what you do with the inventory.
ERM is not a heat map. A heat map is one output. ERM is the discipline that produces it and acts on it. (For more on getting the heat map itself right, see our prior article on building a risk heat map that actually drives decisions.)
ERM is not internal audit. Audit tests whether controls work. ERM identifies whether the right risks are being managed in the first place.
ERM is not insurance. Insurance is one of many possible risk responses. ERM is the framework that decides when insurance is the right answer and when something else is.
ERM is not a compliance program. Compliance manages a specific subset of regulatory risk. ERM covers the full risk portfolio, including the strategic and operational risks that no regulator cares about but that determine whether the business succeeds.
The shorthand: ERM is the management discipline that connects risk awareness to executive decision-making. At a Fortune 500, that discipline has a small dedicated risk team led by a CRO, audit committee oversight (in most cases), and a GRC software platform. At a mid-market company, it has the CFO, a one-page risk report, and a quarterly cadence.
The COSO 2017 framework, rightsized for mid-market
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the 2017 Enterprise Risk Management Framework, which is the de facto reference standard for ERM in the United States. The framework has five components and twenty principles. Most mid-market companies cannot operationalize all twenty principles, and they should not try. They should rightsize the framework to what their scale and resources will support.
1. Governance and Culture. At Fortune 500 scale, this is a chief risk officer and a small core risk team (median around 5 full-time equivalents), an enterprise risk management policy, a code of conduct refresh program, and a culture survey. Note that even at Fortune 500 scale, the audit committee (not a dedicated risk committee) typically owns ERM oversight at the board level. Only about 12% of S&P 500 companies have a dedicated board risk committee, and the majority of those are financial services firms. At mid-market, it is: an audit committee that owns risk oversight as part of its existing charter, risk as a recurring agenda item in the CFO's monthly leadership meeting, and a one-page risk policy that says who owns what. That's it. The discipline matters. The bureaucracy does not.
2. Strategy and Objective-Setting. At Fortune 500 scale, this is a formal risk appetite statement linked to corporate strategy, scenario planning across multiple time horizons, and a stress-testing framework. At mid-market, it is: a short risk appetite document (one to two pages, board-approved) that names the risks the company will and will not accept in pursuit of growth, plus an annual conversation between the CFO and CEO about how risk tolerance has shifted with the business plan.
A practitioner note on terminology that comes up in every audit committee conversation: risk appetite and risk tolerance are not the same thing. Risk appetite is the level of risk the organization is willing to accept in pursuit of its strategy, set by the board. Risk tolerance is the acceptable variation around specific objectives, set by management. Appetite is strategic and aspirational. Tolerance is operational and measurable. A board that says "we will accept moderate financial risk in pursuit of growth" has stated appetite. A CFO who says "we will not let working capital drop below 45 days of revenue" has stated tolerance. Both matter. They are not interchangeable, and conflating them is one of the most common ways mid-market ERM programs get tangled up in their own definitions.
The risk appetite is the most important and most-skipped piece. Per the AICPA and NC State 2025 report, only 35% of organizations have comprehensive ERM processes in place. The other 65% are running ERM without the foundational discipline, which usually starts with the missing risk appetite document. When risk appetite is implicit, every downstream choice (how often to assess risks, how much to document, when to escalate) is being made against a target nobody has agreed on. Write it down. Get it board-approved. Refresh it annually.
3. Performance. This is the part that gets most of the attention: risk identification, assessment, prioritization, and response. At Fortune 500 scale, this involves enterprise-wide workshops, structured interviews, dedicated risk software, and a register of 100-plus enterprise-level risks rolled up from functional registers across business units. At mid-market, it is: 15 to 20 named risks in a working register, scored by impact (in dollars) and likelihood (in probability ranges), refreshed quarterly with owner check-ins, and visualized on a single heat map. Both the inherent and residual views matter. The delta between them is the proof your controls are working.
A useful translation table for mid-market scoring, anchored to a $200M revenue business:
| Qualitative Label | Dollar-Denominated Impact |
|---|---|
| Low (Level 1-2) | Under $5M |
| Medium (Level 3) | $5M – $15M |
| High (Level 4) | $15M – $40M |
| Critical (Level 5) | Over $40M |
These ranges scale with the size of the business. A $50M company should anchor lower. A $500M company should anchor higher. The point is consistency, not perfection, and getting the table written down so the same scoring discipline applies across the next four quarters.
4. Review and Revision. At Fortune 500 scale, this includes internal audit's annual ERM audit, third-party ERM maturity assessments, and continuous monitoring through software. At mid-market, it is: a quarterly conversation between the CFO, the audit committee chair, and the CEO about what changed in the risk picture and why, plus an annual maturity self-assessment against the COSO 2017 framework. That is enough. More than that and the discipline becomes the work, rather than the output.
5. Information, Communication, and Reporting. At Fortune 500 scale, this is quarterly executive risk dashboards, quarterly board risk packages timed to the SEC reporting cycle, integrated reporting through GRC platforms, and external risk disclosures. At mid-market, it is: a one-page quarterly risk report to the audit committee, a quarterly leadership team review, and a simple escalation protocol when a risk moves materially between quarters. Boards do not need 40 pages. They need one well-prepared page and a 10-minute briefing.
The integrating point: COSO 2017 is the right framework. The error is assuming the Fortune 500 implementation is the only way to apply it. Every component can be rightsized to mid-market scale without losing the underlying discipline.
The four gaps that consistently break mid-market ERM programs
When the Fortune 500 ERM model gets forced onto a mid-market company, the same four gaps open up. They are predictable, diagnosable, and fixable.
Gap 1: No risk appetite, so every risk decision is ad hoc. Mid-market companies almost always skip risk appetite. It feels theoretical, and there is no obvious template. The result is that every risk conversation starts from zero. Is this acceptable? Is that too much? Without a written, board-approved risk appetite, the answer changes depending on who is in the room and what mood they are in. The fix: a one-to-two-page risk appetite document, drafted by the CFO with the CEO, approved by the board, refreshed annually. Short. Specific. Useful.
Gap 2: Risks owned by no one, so nothing happens between meetings. A risk without a named owner is not a risk. It is a worry. The mid-market pattern is to identify risks in a workshop, list them in a spreadsheet, and never assign accountability. Three months later, nothing has changed. The fix: every risk on the register has exactly one named owner, and that owner reports on the risk's status at each quarterly review. If a risk does not have an obvious owner, that is a signal that either the risk is not real or the org structure has a gap.
Gap 3: The risk register is too long to be useful. Mid-market companies frequently inherit a "risk register" from a consulting engagement or a vendor that has 80, 120, or 200 line items. Nobody manages 200 risks. The register becomes a file cabinet. The fix: ruthless curation down to 15 to 20 enterprise-level risks. Everything else either rolls up into one of those, lives in a functional risk register (IT, HR, vendor), or comes off entirely.
Gap 4: No connection to capital allocation. The AICPA and NC State 2025 data confirms this directly. Only 30% of organizations integrate risk exposure into capital allocation decisions. This is the moment ERM either earns its place or becomes overhead. The fix: at every quarterly business review, the risk picture is one of the inputs to the capital allocation conversation. Not a separate meeting. Not a separate process. The CFO connects the dots out loud, every quarter.
A 90-day path to a working mid-market ERM program
For a mid-market company starting from zero (or starting over from a broken program), here is a realistic 90-day path to a working ERM program.
Days 1-30: Foundation. Define the risk universe at the strategic level (no spreadsheet of 200 items yet). Draft the risk appetite statement in collaboration with the CEO. Get audit committee buy-in on the cadence and the format. Identify the 15 to 20 enterprise risks and name owners for each.
Days 31-60: Build. Score each risk on inherent and residual basis using dollar-anchored impact and probability-range likelihood. Produce the first heat map. Build the one-page board report template. Schedule the quarterly review cadence.
Days 61-90: First cycle. Run the first quarterly review with the leadership team. Bring the heat map to the audit committee. Make at least one capital allocation decision informed by the risk picture (this is the proof the program is working). Adjust the cadence and format based on what worked and what did not.
After 90 days, you have a board-ready ERM program. Not a Fortune 500 program. A working mid-market program that produces real decisions on a real cadence.
The mid-market companies that get the most value from ERM are not the ones with the most sophisticated frameworks. They are the ones who picked the right framework, rightsized it to their scale, named owners, and ran it on a real cadence with actual board engagement. The framework is solved (COSO 2017 is fine). The execution is the work.
Where ERM is headed next
Two changes are reshaping enterprise risk management at every scale, and mid-market companies should pay attention even though most of the noise is coming from Fortune 500 and big consulting firms.
First, AI is changing the scoring inputs that feed ERM. External signal aggregation, theme detection in unstructured internal data, and self-service risk analysis tools are real and increasingly accessible at mid-market price points. None of these replace the judgment layer of ERM. All of them make the inputs to that judgment faster and broader. We wrote about this at length in our prior article on using AI in risk management for mid-market CFOs, including a NIST AI RMF playbook for the AI risks ERM itself now needs to cover.
Second, the financial quantification movement is putting pressure on every risk program to translate qualitative scores into dollar exposures. The mid-market CFO will increasingly be asked by the board, "What's the financial exposure?" not "What color is the risk?" Programs that have anchored their impact scales to dollar thresholds (see our prior article on building a risk heat map that drives decisions) are positioned for this shift. Programs that have not are about to feel the gap.
Neither shift changes the fundamentals. COSO 2017 still works. The five components still apply. The mid-market operating model described above still holds. What changes is the quality of the inputs and the language of the outputs. The discipline that connects them is unchanged.
Key Takeaways
- Enterprise risk management at a mid-market company is not a smaller version of the Fortune 500 program. It is a different operating model: lean, finance-led, focused on 15 to 20 enterprise risks, run on a quarterly cadence.
- COSO 2017 is the right framework. The error is assuming the Fortune 500 implementation is the only way to apply it. Every component (Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, Information and Reporting) can be rightsized to mid-market scale.
- Risk appetite and risk tolerance are not the same thing. Appetite is strategic and board-set. Tolerance is operational and management-set. Both matter. Conflating them is one of the most common reasons mid-market ERM programs get tangled.
- Four gaps consistently break mid-market ERM programs: no risk appetite, risks owned by no one, registers too long to be useful, and no connection to capital allocation. All four are diagnosable and fixable.
- 90 days is enough to stand up a working ERM program at a mid-market company: 30 days of foundation, 30 days of build, 30 days of first-cycle execution.
- ERM either earns its place at the capital allocation table or becomes overhead. Only 30% of organizations make this connection. The CFO is the bridge.
Where to Start {eyebrow="BUILD YOUR PROGRAM"}
If you are starting from zero, starting over, or know your current ERM program is not earning its place on the agenda, the fix is a deliberate rebuild from the foundation up. Not bigger. Sharper.
ERM Foundation Build{.cta-primary} ERM Diagnostic{.cta-secondary}
The ERM Foundation Build (8 to 12 weeks) is KRG's flagship engagement. We build the program: risk appetite drafted and board-approved, 15 to 20 enterprise risks identified with named owners, COSO 2017 components rightsized to mid-market scale, quarterly cadence stood up, board-ready one-page reporting designed, and the first-cycle review run with the leadership team and audit committee. If you want a maturity assessment first, start with the ERM Diagnostic. The diagnostic fee is credited toward the Foundation Build if you move forward.
Frequently Asked Questions
What is enterprise risk management in simple terms?
Enterprise risk management (ERM) is the management discipline of identifying, assessing, prioritizing, and responding to the full portfolio of risks an organization faces (strategic, operational, financial, compliance, and reputational) in a way that supports executive decision-making. It is not a risk register, a heat map, internal audit, insurance, or a compliance program. Those are inputs or outputs. ERM is the discipline that connects risk awareness to the choices the leadership team and board actually make.
What is the COSO ERM framework?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its updated Enterprise Risk Management Framework in 2017. The framework has five interrelated components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. Across those five components are twenty principles that describe what effective ERM looks like in practice. COSO 2017 is the de facto reference standard for ERM in the United States, and is principles-based rather than prescriptive, which means organizations of any size can apply it by rightsizing the implementation to their scale.
How is mid-market ERM different from Fortune 500 ERM?
Fortune 500 ERM programs typically have a chief risk officer leading a small core team (median around 5 full-time equivalents), GRC software platforms, and a register of 100-plus enterprise-level risks. Most Fortune 500 programs are overseen by the audit committee rather than a dedicated risk committee (only about 12% of S&P 500 companies have a dedicated board risk committee, and most of those are financial services firms). Mid-market companies ($50M to $500M revenue) cannot resource the Fortune 500 operating model and should not try. The mid-market version is finance-led (the CFO usually owns risk), lean (15 to 20 enterprise risks, not 100-plus), focused on quarterly cadence with one-page board reporting, and uses the audit committee for risk oversight. Same framework (COSO 2017), different operating model.
What is the difference between risk appetite and risk tolerance?
Risk appetite is the level of risk an organization is willing to accept in pursuit of its strategy, set by the board. It is strategic, aspirational, and typically expressed in a one-to-two-page document. Risk tolerance is the acceptable variation around specific operational objectives, set by management. It is operational, measurable, and typically expressed as specific thresholds. A board that says 'we will accept moderate financial risk in pursuit of growth' has stated appetite. A CFO who says 'we will not let working capital drop below 45 days of revenue' has stated tolerance. Both matter. They are not interchangeable. Conflating them is one of the most common ways mid-market ERM programs get tangled up in their own definitions.
What does a mid-market ERM program cost to build?
A mid-market ERM program built correctly should not require dedicated headcount, software platforms, or six-figure consulting engagements. The cost is primarily in CFO time (one to two days a quarter for the review cycle, plus annual maturity assessment) and modest external advisory support to build the foundation. Companies that try to copy Fortune 500 spending patterns typically end up with over-engineered programs that do not get used. The right answer is a lean program that produces a working board-ready heat map, named owners, and quarterly decisions, without the bureaucratic overhead.
How long does it take to build an ERM program?
For a mid-market company starting from zero or starting over from a broken program, a working ERM program can be stood up in 90 days: 30 days of foundation (risk universe, risk appetite, naming owners), 30 days of build (scoring, heat map, one-page report template, cadence), and 30 days of first-cycle execution (quarterly review, audit committee briefing, first capital allocation decision informed by risk data). The 90-day timeline assumes leadership team commitment and CFO sponsorship. Without those, no timeline works.