Key Takeaways
| # | Takeaway |
|---|---|
| 1 | An ERM dashboard translates the risk register, KRI data, appetite metrics, and treatment-action status into a visual, decision-ready format that boards, executives, and risk owners can act on. |
| 2 | This guide presents 12 ERM dashboard examples: Enterprise Risk Summary, Risk Heatmap, KRI Traffic-Light, Risk Appetite Monitor, Top-10 Risks, Treatment-Action Tracker, Emerging Risks, Compliance Posture, Cyber Risk, Operational Resilience / BCM, Third-Party Risk, and ESG / Climate Risk. |
| 3 | Every dashboard follows the “What, So What, Now What” framework: current status (What), business implication (So What), and recommended action or decision needed (Now What). |
| 4 | Board dashboards must be one page per topic. Executives and directors do not read 30-slide risk decks. One page, three visuals maximum, plain-language commentary, and a clear decision ask. |
| 5 | The traffic-light system (Green/Amber/Red) is the universal visual language of risk dashboards. Every metric on every dashboard must map to defined thresholds from the risk appetite statement. |
| 6 | Data feeds should be automated wherever possible. Manual dashboard updates introduce delays, errors, and credibility risk. Connect the dashboard to the risk register, GRC platform, SIEM, and financial systems. |
| 7 | Start with Dashboard #1 (Enterprise Risk Summary) and Dashboard #3 (KRI Traffic-Light). Add the remaining dashboards as the risk program matures and data sources become available. |
What Is an ERM Dashboard and Why Boards Demand One
An ERM dashboard is a visual reporting tool that aggregates risk data from the risk register, KRI monitoring systems, risk appetite metrics, and treatment-action trackers into a concise, decision-ready format designed to answer three questions: Where are we exposed? How severe is the exposure? What are we doing about the exposure?
The COSO ERM Framework (2017) requires organizations to communicate risk information to stakeholders through effective reporting mechanisms (Information, Communication & Reporting component).
ISO 31000:2018 mandates that risk information be communicated to decision-makers in a timely, clear, and relevant manner (Clause 6.6). The IIA Three Lines Model assigns the second line (risk function) the responsibility to produce enterprise-level risk reporting that the governing body can act on.
Boards are demanding better risk reporting. A 30-page quarterly risk report that arrives two weeks after the board meeting is obsolete.
The modern standard is a one-page visual dashboard per risk domain, updated monthly or in real time, with traffic-light status, trend arrows, and a plain-language commentary that a non-risk-specialist trustee can understand and challenge.
Seven Design Principles Behind Effective ERM Dashboards
| # | Principle | Rationale | Implementation |
|---|---|---|---|
| 1 | One page per topic | Board members process information faster in single-page formats; multi-page reports bury critical insights | Each of the 12 dashboards below fits on one page. Use landscape orientation when tables are wide. |
| 2 | “What, So What, Now What” structure | Ensures every metric is paired with context and a recommended action; prevents data dumps without decisions | Column 1: metric/visual (What). Column 2: commentary explaining the implication (So What). Column 3: recommended action or decision ask (Now What). |
| 3 | Traffic-light color coding (Green/Amber/Red) | The human eye processes color faster than numbers; traffic lights are universally understood | Map every metric to the Green/Amber/Red thresholds defined in the risk appetite statement. Use a fourth color (dark red or black) when risk exceeds capacity. |
| 4 | Trend arrows (↑ → ↓) | Static traffic lights show current state but not direction; a Green metric trending downward is more urgent than a Red metric trending upward | Calculate trend from the last 3–4 data points. Display an arrow alongside each traffic light. |
| 5 | Three visuals maximum per page | More than three charts on one page creates visual clutter and dilutes focus | Choose the three most impactful visualizations: a heatmap, a bar/tornado chart, and a summary table. Eliminate everything that does not drive a decision. |
| 6 | Automated data feeds | Manual data collection introduces delays (stale dashboards) and errors (wrong numbers undermine board trust) | Connect the dashboard to the risk register (GRC platform or Excel), the KRI data sources (SIEM, ERP, HR, financial systems), and the treatment-action tracker. |
| 7 | Plain-language commentary | Numbers without interpretation are meaningless to non-risk-specialist board members | Write 2–3 sentences per dashboard in business language: what changed, why the change matters, and what action management recommends. Avoid jargon. |
Apply these seven principles to every dashboard below. The principles are non-negotiable. A technically accurate dashboard that nobody reads is worse than no dashboard at all.
Dashboard #1: Enterprise Risk Summary
Purpose: The single-page “executive summary” of the entire risk program. Presented at every Board Risk Committee meeting. Answers: “What is the overall risk posture of the organization right now?”
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Risk Profile Summary | Total risks on the register by residual rating: Extreme (count), High (count), Medium (count), Low (count). Show period-over-period change (+/– vs. last quarter). | Risk register (residual rating column) | Horizontal stacked bar chart or donut chart with red/amber/green segments |
| Top-5 Risks (by residual score) | Table: Risk ID, Risk Name, Residual Score, Trend Arrow, Risk Owner, Treatment Status | Risk register (sorted by residual score descending) | Mini-table with traffic-light badges |
| KRI Summary | Count of KRIs in Green, Amber, Red status. Show the number that deteriorated since last report. | KRI dashboard (aggregated status) | Three-circle summary: Green (count), Amber (count), Red (count) |
| Risk Appetite Compliance | % of appetite metrics within Green vs. Amber vs. Red. Highlight any metric at or beyond Capacity Ceiling. | Risk appetite monitoring data | Traffic-light bar or gauge chart |
| Treatment-Action Status | Total open actions; overdue actions; actions closed this quarter. Closure rate vs. target. | Treatment-action tracker | Progress bar or waterfall chart |
| Commentary and Decision Ask | 2–3 sentences: What changed? Why does the change matter? What decision does the Board need to make? | CRO narrative | Plain text box at the bottom of the page |
Dashboard #2: Risk Heatmap Dashboard
Purpose: Visual representation of all risks plotted on a 5×5 Likelihood × Impact matrix. Shows the concentration of risks across the matrix and highlights movement since the last assessment. See our risk assessment matrix guide to pair with this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Inherent Risk Heatmap | All risks plotted by inherent Likelihood and Impact; cell counts show concentration | Risk register (inherent scores) | 5×5 color-coded matrix with risk count per cell; bubble size = number of risks |
| Residual Risk Heatmap | All risks plotted by residual Likelihood and Impact after controls | Risk register (residual scores) | Side-by-side 5×5 matrix; visual comparison of inherent vs. residual shows control effectiveness |
| Risk Movement Table | Risks that moved between rating bands (e.g., High → Medium or Medium → High) since last assessment | Risk register (current vs. prior period comparison) | Table: Risk ID, Risk Name, Previous Rating, Current Rating, Direction, Reason |
| Commentary | Which risks moved? Why? What treatment actions drove improvements? What emerging risks entered the register? | CRO narrative | Plain text box |
Dashboard #3: KRI Traffic-Light Dashboard
Purpose: Real-time monitoring of all Key Risk Indicators against their defined thresholds. The operational heartbeat of the risk program. See our KRI dashboard guide and 50 KRI examples to populate this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| KRI Status Table | Full table: KRI Name, Risk Category, Current Value, Threshold (G/A/R), Status, Trend, Linked Risk ID, Owner | KRI data feeds (automated where possible) | Table with traffic-light badges and trend arrows per row |
| KRI Summary by Status | Aggregate counts: total KRIs, count Green, count Amber, count Red; % deteriorated vs. last period | Aggregated from the KRI table | Three large traffic-light circles with counts; summary percentage |
| KRI Trends (Top Movers) | The 3–5 KRIs that showed the most significant change (improvement or deterioration) since last report | KRI trend data (3–4 period comparison) | Sparkline charts per KRI or small trend arrows with delta values |
| Escalation Actions | KRIs currently in Red status: what escalation action has been triggered, who owns the response, what is the expected resolution date | Escalation log / risk register treatment actions | Mini action-tracker table with status badges |
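
The threshold mapping and trend-arrow rules from design principles 3 and 4, applied to the KRI Status Table above, as an added Python example that is not part of the original guide. The KRI names, values, thresholds, the 2% flat band and the least-squares slope are assumptions chosen for illustration; the guide only says to calculate the trend from the last 3–4 data points.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Thresholds:
    """Board-approved thresholds for one KRI (all values here are constructed)."""
    amber: float                      # value at which the KRI leaves Green
    red: float                        # value at which the KRI turns Red
    capacity: Optional[float] = None  # capacity ceiling: the "fourth color"
    higher_is_worse: bool = True      # False for metrics such as a report rate

    def __post_init__(self):
        s = 1 if self.higher_is_worse else -1
        bounds = [b for b in (self.amber, self.red, self.capacity) if b is not None]
        if any(s * a > s * b for a, b in zip(bounds, bounds[1:])):
            raise ValueError("thresholds must run amber -> red -> capacity as the KRI worsens")


def status(value: float, t: Optional[Thresholds]) -> str:
    """Map a value to a traffic light; no threshold means no traffic light."""
    if t is None:
        return "NO THRESHOLD"
    s = 1 if t.higher_is_worse else -1
    if t.capacity is not None and s * value >= s * t.capacity:
        return "CAPACITY"
    if s * value >= s * t.red:
        return "RED"
    if s * value >= s * t.amber:
        return "AMBER"
    return "GREEN"


def trend(history: Sequence[float], higher_is_worse: bool = True, flat_pct: float = 0.02):
    """Arrow and direction from the least-squares slope of the last 4 points."""
    pts = list(history)[-4:]
    if len(pts) < 3:
        return "n/a", "insufficient data"
    n = len(pts)
    x_mean, y_mean = (n - 1) / 2, sum(pts) / n
    slope = (sum((i - x_mean) * (y - y_mean) for i, y in enumerate(pts))
             / sum((i - x_mean) ** 2 for i in range(n)))
    # Changes smaller than flat_pct of the average level per period count as flat.
    if abs(slope) <= flat_pct * sum(abs(y) for y in pts) / n:
        return "→", "stable"
    worsening = (slope > 0) == higher_is_worse
    return ("↑" if slope > 0 else "↓"), ("deteriorating" if worsening else "improving")


# Constructed sample data, oldest period first.
SAMPLE_KRIS = [
    {"name": "Unpatched critical CVEs > 30 days", "history": [4, 6, 9, 12],
     "thresholds": Thresholds(amber=5, red=10, capacity=25)},
    {"name": "Phishing report rate (%)", "history": [62, 58, 55, 51],
     "thresholds": Thresholds(amber=50, red=35, higher_is_worse=False)},
    {"name": "MTTR for P1 incidents (hours)", "history": [30, 26, 22, 19],
     "thresholds": Thresholds(amber=12, red=24, capacity=72)},
    {"name": "Unsanctioned SaaS apps discovered", "history": [14, 17],
     "thresholds": None},
]


def build_rows(kris):
    """One KRI Status Table row per KRI: current value, status, trend arrow."""
    rows = []
    for k in kris:
        t = k["thresholds"]
        arrow, direction = trend(k["history"], t.higher_is_worse if t else True)
        if t is None and direction in ("deteriorating", "improving"):
            direction = "unknown"  # without thresholds, "worse" is undefined
        current = k["history"][-1]
        rows.append({"name": k["name"], "value": current, "status": status(current, t),
                     "arrow": arrow, "direction": direction})
    return rows


def early_warnings(rows):
    """Green KRIs that are deteriorating: invisible on a static traffic light."""
    return [r["name"] for r in rows
            if r["status"] == "GREEN" and r["direction"] == "deteriorating"]


def summary(rows):
    """Counts per status for the 'KRI Summary by Status' element."""
    return dict(Counter(r["status"] for r in rows))


if __name__ == "__main__":
    for r in build_rows(SAMPLE_KRIS):
        print(f'{r["name"]:<36} {r["value"]:>6} {r["status"]:<13} {r["arrow"]} {r["direction"]}')
    print("Early warnings:", early_warnings(build_rows(SAMPLE_KRIS)))
```

The phishing report rate in the sample is still Green but falling toward its Amber threshold, which is the case principle 4 says a static traffic light hides.
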
Dashboard #4: Risk Appetite Monitor
Purpose: Tracks all appetite metrics defined in the risk appetite statement against their Board-approved thresholds. Answers: “Are we operating within the risk boundaries the Board approved?”
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Appetite Metric Table | One row per appetite metric: Risk Category, Metric Name, Current Value, Green Threshold, Amber Threshold, Red Threshold, Capacity Ceiling, Status, Trend | Risk appetite monitoring data; linked KRI feeds | Table with color-coded status column and trend arrows |
| Appetite Compliance Rate | % of all appetite metrics currently in Green; % in Amber; % in Red; period-over-period trend | Aggregated from the metric table | Gauge chart or donut chart showing overall compliance % |
| Breach History | Table of appetite metrics that entered Amber or Red status in the past 12 months: metric, date of breach, duration, root cause, resolution | Historical appetite monitoring log | Timeline chart or table sorted by severity and recency |
| Commentary and Decision Ask | Which metrics are trending toward Amber? What proactive action is management taking? Does the Board need to adjust any appetite thresholds? | CRO narrative | Plain text box |
Dashboard #5: Top-10 Risks Deep Dive
Purpose: Detailed view of the organization’s ten highest-rated residual risks. Provides the depth that Dashboard #1 summarizes. Presented alongside Dashboard #1 at every Board meeting.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Top-10 Risk Table | Rank, Risk ID, Risk Description (CEC format), Risk Owner, Inherent Score, Residual Score, Rating, Trend (vs. last quarter), Primary KRI, KRI Status | Risk register (top 10 by residual score) | Extended table with traffic-light badges, trend arrows, and linked KRI status |
| Treatment Action Summary per Risk | Per each top-10 risk: action description, action owner, due date, status (Open/In Progress/Closed/Overdue) | Treatment-action tracker filtered to top-10 risks | Nested sub-table or expandable rows |
| Velocity Indicator | Estimated speed at which each risk could materialize: Slow (months), Medium (weeks), Fast (days), Instant | Risk register (velocity field) or CRO assessment | Color-coded speed badges per risk (blue = slow, amber = medium, red = fast) |
| Commentary | Which top-10 risks improved or deteriorated? Why? What management actions are planned? Any risks approaching Extreme that require Board decision? | CRO narrative | Plain text box |
Dashboard #6: Treatment-Action Tracker
Purpose: Monitors the execution of all risk treatment actions. Answers: “Are we actually closing the risks we said we would close?” See our risk mitigation guide to design effective treatment actions.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Action Summary | Total actions: Open, In Progress, Closed (this quarter), Overdue. Closure rate (% closed on time). | Treatment-action tracker | Summary tiles or progress bar |
| Overdue Actions Table | Action ID, Linked Risk, Action Description, Owner, Original Due Date, Days Overdue, Revised Due Date, Root Cause of Delay | Treatment-action tracker (filtered: overdue only) | Table sorted by days overdue (longest first); red highlighting on severely overdue items |
| Closure Trend | Monthly trend of actions opened vs. actions closed over the trailing 12 months | Treatment-action tracker (historical data) | Dual-line chart: opened (red line) vs. closed (green line); net backlog trend |
| Aging Analysis | Count of open actions by age bucket: <30 days, 30–60 days, 60–90 days, >90 days | Treatment-action tracker | Stacked bar chart with color gradient (green → amber → red by age) |
Dashboard #7: Emerging Risks Radar
Purpose: Identifies risks not yet on the formal risk register but trending toward materiality. Provides the Board with a forward-looking view.
See our geopolitical risk guide and AI risk assessment framework to populate this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Emerging Risk Inventory | Table: Emerging Risk Name, Source (regulatory, technology, geopolitical, climate, social), Potential Impact (High/Medium/Low), Time Horizon (1–2 years, 3–5 years, 5+ years), Monitoring Owner | Horizon-scanning reports; regulatory-change feeds; industry intelligence; CRO analysis | Table with color-coded impact and time-horizon columns |
| Emerging Risk Radar Chart | Radar/spider chart plotting 6–8 emerging risks by proximity (time to potential materialization) and potential severity | CRO assessment scoring | Radar chart: inner ring = further out; outer ring = imminent |
| Trend Watch | The 3–5 emerging risks that moved closer to materialization since the last report | Period-over-period comparison of emerging risk assessments | Highlighted rows in the inventory table or small delta indicators |
| Commentary | Which emerging risks should the Board monitor? Which may require proactive strategy adjustment? Any emerging risk ready to migrate to the formal risk register? | CRO narrative | Plain text box |
Dashboard #8: Compliance Posture Dashboard
Purpose: Monitors the organization’s compliance health across all regulatory obligations. See our compliance risk assessment guide to build the assessment framework feeding this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Regulatory Finding Status | Open findings by source (internal audit, external audit, regulator); count by severity; closure rate vs. target | Audit finding tracker / GRC platform | Stacked bar: open vs. closed by severity |
| Regulatory Change Pipeline | Count of pending regulatory changes by status: identified, assessed, implementation planned, implemented, validated | Regulatory-change management tracker | Pipeline funnel or Kanban-style status board |
| Mandatory Training Compliance | % completion across all mandatory compliance training programs; breakdown by department | LMS / HR system | Horizontal bar by department with completion % and color coding |
| Policy Exception Register | Active approved policy exceptions: count, age, risk rating, owner, expiry date | Policy exception tracker | Table sorted by risk rating; highlight expiring exceptions |
Dashboard #9: Cyber Risk Dashboard
Purpose: Provides the Board and CISO with a single view of the organization’s cyber risk posture. See our cyber risk assessment framework guide and technology risk guide to pair with this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Vulnerability Posture | Critical/High/Medium CVEs: total, patched, unpatched, unpatched > 30 days; patch compliance rate | Vulnerability scanner (Qualys, Tenable, Rapid7) | Donut chart (patched vs. unpatched) + table of unpatched criticals |
| Security Incident Summary | Incidents this period by severity (P1/P2/P3/P4); MTTD and MTTR vs. target; trend vs. prior period | SIEM / incident management platform | Tile summary + trend sparklines |
| Phishing and Human Risk | Latest phishing simulation results: click-through rate, report rate; comparison to prior campaign; training completion rate | Phishing simulation platform; LMS | Bar chart: click rate trend over last 4 campaigns |
| Third-Party Cyber Risk | Count of critical vendors with current SOC 2 / ISO 27001; vendor security-assessment pass rate; any vendor in breach | TPRM platform / vendor assessment tracker | Traffic-light table by vendor with pass/fail badges |
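
One way to derive the Vulnerability Posture row from a scanner export at a reporting cutoff, as an added Python example that is not from the original guide or from any scanner's API. The findings and IDs are constructed placeholders, and "patch compliance rate" is assumed to mean the share of findings that are neither open past 30 days nor were patched later than 30 days, since the guide does not define it.

```python
from datetime import date

SLA_DAYS = 30  # the dashboard's "unpatched > 30 days" cutoff, reused as the patch SLA (assumption)
SEVERITIES = ("Critical", "High", "Medium")

# Constructed scanner export. IDs are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "asset": "web-01", "severity": "Critical",
     "first_seen": date(2024, 1, 5), "patched": date(2024, 1, 12)},
    {"id": "CVE-EXAMPLE-0002", "asset": "web-02", "severity": "Critical",
     "first_seen": date(2024, 2, 1), "patched": date(2024, 3, 20)},   # patched late
    {"id": "CVE-EXAMPLE-0003", "asset": "db-02", "severity": "Critical",
     "first_seen": date(2024, 2, 10), "patched": None},               # open, overdue
    {"id": "CVE-EXAMPLE-0004", "asset": "vpn-01", "severity": "Critical",
     "first_seen": date(2024, 3, 20), "patched": None},               # open, within SLA
    {"id": "CVE-EXAMPLE-0005", "asset": "app-07", "severity": "Critical",
     "first_seen": date(2024, 3, 1), "patched": date(2024, 4, 4)},    # fixed after cutoff
    {"id": "CVE-EXAMPLE-0006", "asset": "app-03", "severity": "High",
     "first_seen": date(2024, 1, 15), "patched": date(2024, 2, 1)},
    {"id": "CVE-EXAMPLE-0007", "asset": "file-01", "severity": "High",
     "first_seen": date(2023, 12, 1), "patched": None},
    {"id": "CVE-EXAMPLE-0008", "asset": "app-09", "severity": "High",
     "first_seen": date(2024, 4, 2), "patched": None},                # found after cutoff
    {"id": "CVE-EXAMPLE-0009", "asset": "web-01", "severity": "Medium",
     "first_seen": date(2024, 3, 10), "patched": date(2024, 3, 15)},
]


def _is_patched(f, as_of):
    """Patched on or before the cutoff; later fixes do not count for this report."""
    return f["patched"] is not None and f["patched"] <= as_of


def _counts(findings, as_of, sla_days):
    """Totals and compliance rate for one group of findings as of the cutoff."""
    in_scope = [f for f in findings if f["first_seen"] <= as_of]
    patched = [f for f in in_scope if _is_patched(f, as_of)]
    unpatched = [f for f in in_scope if not _is_patched(f, as_of)]
    overdue = [f for f in unpatched if (as_of - f["first_seen"]).days > sla_days]
    late = [f for f in patched if (f["patched"] - f["first_seen"]).days > sla_days]
    compliant = len(in_scope) - len(overdue) - len(late)
    return {
        "total": len(in_scope),
        "patched": len(patched),
        "unpatched": len(unpatched),
        "unpatched_over_sla": len(overdue),
        "patch_compliance_pct": round(100 * compliant / len(in_scope), 1) if in_scope else None,
    }


def vulnerability_posture(findings, as_of, sla_days=SLA_DAYS):
    """Per-severity and overall figures for the Vulnerability Posture element."""
    posture = {sev: _counts([f for f in findings if f["severity"] == sev], as_of, sla_days)
               for sev in SEVERITIES}
    posture["All"] = _counts([f for f in findings if f["severity"] in SEVERITIES],
                             as_of, sla_days)
    return posture


def unpatched_criticals(findings, as_of):
    """Rows for the 'table of unpatched criticals', oldest exposure first."""
    rows = [(f["id"], f["asset"], (as_of - f["first_seen"]).days)
            for f in findings
            if f["severity"] == "Critical" and f["first_seen"] <= as_of
            and not _is_patched(f, as_of)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    cutoff = date(2024, 3, 31)  # reporting cutoff for the constructed data
    for sev, c in vulnerability_posture(FINDINGS, cutoff).items():
        print(f"{sev:<9}", c)
    for row in unpatched_criticals(FINDINGS, cutoff):
        print(row)
```

Fixing the figures to an explicit cutoff date keeps the dashboard reproducible: a finding patched after the cutoff still shows as unpatched for that period, and one first seen after it is excluded.
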
Dashboard #10: Operational Resilience and BCM Dashboard
Purpose: Monitors business continuity readiness: BIA coverage, BCP status, DR test results, and RTO/RPO gap closure. See our business continuity plan guide and BIA template to build the underlying data.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| BIA Coverage | % of critical business activities with a current BIA (updated within last 12 months) | BIA register | Gauge chart: % coverage with Green/Amber/Red bands |
| BCP and DRP Status | Count of BCPs and DRPs by status: current, due to review, overdue; % of Tier 1 activities with tested BCPs | BCP register | Stacked bar: current vs. overdue |
| Exercise Results | Last 4 exercises: type (tabletop/simulation/live), date, RTO achieved vs. target, pass/fail, lessons-learned count | Exercise log | Table with pass/fail badges and RTO-achievement % |
| RTO/RPO Gap Summary | Count of Tier 1 activities with RTO gap (current recovery capability > target RTO); total financial exposure if gaps not closed | RTO/RPO Calculator (from BIA template) | Traffic-light summary: activities meeting RTO (Green) vs. gap (Red); total $ exposure |
Dashboard #11: Third-Party Risk Dashboard
Purpose: Monitors the risk posture of the organization’s vendor and third-party ecosystem.
See our third-party risk management guide to build the TPRM framework feeding this dashboard.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Vendor Risk Tiering | Total vendors by tier: Tier 1 (critical), Tier 2 (important), Tier 3 (low risk); assessment status per tier | Vendor inventory / TPRM platform | Tier pyramid or donut chart with assessment completion overlay |
| Vendor Risk Assessment Status | % of Tier 1/2 vendors assessed on schedule; count overdue; average assessment score | TPRM platform | Horizontal bar: assessed vs. overdue by tier |
| Vendor SLA Performance | Aggregate SLA breach rate across monitored vendors; top 5 vendors by breach count | Vendor performance monitoring | Table: vendor name, SLA breach count, trend, action status |
| Concentration Risk | Heatmap of vendor concentration: % of critical services per vendor; highlight any vendor > 30% threshold | TPRM platform / procurement data | Concentration bar chart with tolerance-line overlay |
| Fourth-Party Visibility | % of critical vendors whose material sub-contractors have been identified and assessed | TPRM platform | Gauge chart with Green/Amber/Red bands |
Dashboard #12: ESG and Climate Risk Dashboard
Purpose: Tracks the organization’s ESG risk exposure and progress toward climate targets. Increasingly demanded by regulators (SEC, ISSB, EU CSRD). See our ESG KRI framework to populate this dashboard with 43 ESG KRIs.
| Dashboard Element | Content | Data Source | Visual Type |
|---|---|---|---|
| Emissions Tracking | Scope 1, 2, and 3 emissions vs. annual reduction pathway target; variance; trend | Emissions reporting system; energy invoices; Scope 3 estimation tools | Line chart: actual vs. target pathway + variance traffic light |
| ESG Rating Score | Current scores from major ESG agencies (MSCI, Sustainalytics, CDP); period-over-period change | ESG rating agency portals | Table with score, trend arrow, and peer comparison |
| Governance Indicators | Board diversity %; independent director %; executive pay ratio; ethics-hotline report trend | Board secretariat; HR system; ethics-hotline data | Summary tiles with traffic-light status |
| Climate Risk Exposure | Portfolio exposure to carbon-intensive sectors (%); stranded-asset count; TCFD scenario-analysis results summary | Investment data; TCFD reporting | Exposure bar chart with sector breakdown; scenario summary table |
| Commentary | Progress vs. net-zero commitments? Any ESG rating downgrades? Regulatory developments requiring board attention? | CSO / CRO narrative | Plain text box |
Technology Options: Where to Build Your ERM Dashboard
| Platform | Best Suited When | Strengths | Limitations |
|---|---|---|---|
| Microsoft Excel / Google Sheets | Early-maturity risk programs; < 50 risks; limited budget; single risk manager | Free; familiar; flexible; fast to prototype; formulas calculate automatically; conditional formatting creates traffic lights | Manual data entry; no multi-user real-time collaboration (Excel); no automated data feeds; version-control challenges; does not scale beyond ~100 risks |
| Microsoft Power BI / Tableau / Looker | Mid-maturity programs; 50–500 risks; data exists in multiple systems; need automated refresh and interactive visuals | Automated data connections; interactive drill-down; publication/scheduling; role-based access; strong visualization library | Requires data modeling expertise; licensing cost; dashboards are read-only (not a risk management workflow tool) |
| GRC Platform (Archer, ServiceNow, LogicGate, Diligent, Riskonnect) | Mature programs; > 500 risks; multi-business-unit; regulatory-driven; need workflow automation, audit trails, and integrated KRI feeds | End-to-end ERM workflow: register, assessment, KRIs, treatment tracking, reporting, audit trail; automated alerts and escalation; regulatory reporting templates | High cost (licensing, implementation, ongoing administration); long implementation timeline (6–12 months); requires dedicated GRC administrator |
| Custom-Built Application | Organizations with unique requirements not met by off-the-shelf platforms; in-house development capability | Fully tailored to the organization’s ERM framework; integrates with proprietary systems; unlimited customization | High development cost; ongoing maintenance burden; requires in-house technical team; risk of key-person dependency on the developer |
Start with Excel and our free risk register template. Graduate to Power BI or Tableau when you need automated data feeds and interactive visuals.
Move to a GRC platform when the program reaches enterprise scale with 500+ risks, multiple business units, and regulatory-driven reporting requirements.
Eight Pitfalls in ERM Dashboard Design
| # | Pitfall | Consequence | Fix |
|---|---|---|---|
| 1 | Too many metrics on one page | Visual clutter; board members cannot identify the signal in the noise; meeting time wasted on low-value data | Limit each dashboard to one page with three visuals maximum. Move detail to appendices. |
| 2 | Traffic lights without defined thresholds | Green/Amber/Red is assigned subjectively; different analysts color the same metric differently | Map every traffic light to the Board-approved risk appetite thresholds. No threshold = no traffic light. |
| 3 | No trend information | Current status is shown but not direction; a Green metric trending toward Amber is invisible | Add trend arrows calculated from the last 3–4 data points alongside every traffic light. |
| 4 | Data without commentary | Numbers fill the page but nobody explains what the numbers mean or what action is needed | Include 2–3 sentences of plain-language commentary per dashboard: What changed? Why? What should the Board do? |
| 5 | Dashboard updated manually once per quarter | Data is stale by the time the Board sees the report; risk events that occurred after the cutoff are invisible | Automate data feeds. Aim to update KRI dashboards monthly at minimum; real-time where data sources permit. |
| 6 | Dashboard disconnected from the risk register | Metrics and risks are reported separately; the Board cannot trace a Red KRI back to the specific risk and treatment action | Link every dashboard metric to its source risk register entry and treatment-action tracker. |
| 7 | One-size-fits-all reporting | The Board, the executive team, and the first-line managers all see the same dashboard; none of them get the right level of detail | Tier the dashboards: Board receives Dashboards #1–5 (summary and top risks); executives receive all 12; risk owners receive detailed KRI and action-tracker views. |
| 8 | No decision ask on the dashboard | The dashboard presents information but does not ask the Board to make a decision; reporting becomes ritual, not governance | Every board-facing dashboard must end with a clear decision ask: approve, escalate, adjust appetite, allocate resources, or note and monitor. |
Building Your ERM Dashboard Suite
| Phase | Timeline | Actions | Owner | Deliverable |
|---|---|---|---|---|
| Phase 1: Foundation | Days 1–25 | Ensure the risk register is current and scored; confirm the risk appetite statement defines all thresholds; verify KRI data sources exist; select the dashboard technology platform (Excel, Power BI, or GRC); design the Dashboard #1 (Enterprise Risk Summary) and Dashboard #3 (KRI Traffic-Light) layouts | CRO / Risk Manager | Current risk register; confirmed appetite thresholds; selected platform; draft dashboard layouts |
| Phase 2: Build Core Dashboards | Days 26–50 | Build Dashboards #1 (Enterprise Summary), #2 (Heatmap), #3 (KRI Traffic-Light), #4 (Appetite Monitor), #5 (Top-10 Risks), and #6 (Treatment Tracker); connect data feeds; populate with live data; test with CRO and one board member | Risk Manager / IT / Analytics | Six operational dashboards with live data and automated feeds where possible |
| Phase 3: Expand to Domain Dashboards | Days 51–75 | Build Dashboards #7–12 (Emerging Risks, Compliance, Cyber, BCM, Third-Party, ESG) as data sources become available; calibrate commentary templates; train dashboard owners per domain | Risk Manager / CISO / CCO / BCM Coordinator / CSO | Full 12-dashboard suite; commentary templates; trained domain owners |
| Phase 4: Present & Embed | Days 76–90 | Present the first full dashboard report to the Board Risk Committee; collect feedback; refine layouts and commentary; embed the dashboard cycle into the quarterly board calendar; schedule monthly refresh cadence | CRO / Board Risk Committee | First board dashboard report; feedback-incorporated revisions; quarterly and monthly cadence confirmed |
The Future of ERM Dashboards
AI-Generated Commentary. AI models are beginning to auto-generate the “So What / Now What” commentary by analyzing KRI trends, comparing them to historical patterns, and drafting narrative explanations. The CRO validates and edits the AI draft rather than writing from scratch. See our AI risk assessment framework guide.
Predictive Dashboards. Current dashboards report the present state. Next-generation dashboards will project the future state using Monte Carlo simulation and machine learning. A predictive KRI dashboard will show not just the current liquidity coverage ratio but the probability that the ratio will breach the Amber threshold within the next 90 days, giving the CFO time to act.
Integrated Resilience Dashboards. Dashboards #8–12 (Compliance, Cyber, BCM, Third-Party, ESG) are converging into a single operational-resilience view mandated by regulations like the EU’s DORA and the UK’s operational-resilience framework. U.S. regulators are watching this convergence closely. Organizations that build the domain dashboards now will integrate them naturally when regulation arrives.
Build Your Board-Ready ERM Dashboard Suite
You now have 12 dashboard blueprints, seven design principles, eight pitfalls, and a 90-day roadmap. Start with Dashboard #1 and #3. Use these riskpublishing.com resources to build the data layer: Risk Register Template • KRI Dashboard Guide • Risk Appetite Statement Guide • Enterprise Risk Management Framework • Risk Assessment Matrix.
Frequently Asked Questions
What is an ERM dashboard?
An ERM dashboard is a visual reporting tool that aggregates risk register data, KRI monitoring, risk appetite metrics, and treatment-action status into a concise, decision-ready format. The dashboard translates complex risk data into traffic-light visuals, trend indicators, and plain-language commentary that boards and executives can understand and act on.
How many dashboards should an ERM program have?
Start with two: the Enterprise Risk Summary (Dashboard #1) and the KRI Traffic-Light (Dashboard #3). Add the remaining ten dashboards as data sources, analytical capability, and board appetite to consume risk reporting expand.
A mature program operates all 12 dashboards, tiered by audience: the Board sees Dashboards #1–5 (summary level); the executive team sees all 12; risk owners see detailed KRI and action-tracker views.
Should ERM dashboards be built in Excel or a GRC platform?
Start with Excel. The risk register template and conditional formatting can produce effective traffic-light dashboards immediately. Graduate to Power BI or Tableau when you need automated data connections and interactive drill-down.
Move to a GRC platform (Archer, ServiceNow, LogicGate) when the program reaches enterprise scale with 500+ risks, regulatory reporting obligations, and multi-user workflow requirements.
How often should dashboards be updated?
The KRI Traffic-Light dashboard (#3) should be updated monthly at minimum, or in real time where automated data feeds permit. The Enterprise Risk Summary (#1) and Top-10 Risks (#5) should be updated quarterly, aligned to the Board Risk Committee meeting cycle. Domain dashboards (#8–12) should update monthly or as data becomes available. The Treatment-Action Tracker (#6) should update continuously as actions close.
What is the biggest mistake in ERM dashboards?
Presenting data without a decision ask. A dashboard that shows numbers and traffic lights but does not tell the Board what decision to make is a data dump, not a governance tool.
Every board-facing dashboard must end with a clear “Now What”: approve a treatment plan, adjust appetite thresholds, allocate resources, escalate to the full Board, or note and monitor. The decision ask transforms risk reporting from a compliance ritual into a governance mechanism.
References
1. COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017)
2. ISO 31000:2018 – Risk Management Guidelines
3. IIA Three Lines Model (2020)
4. NIST Cybersecurity Framework 2.0
5. IRM – Institute of Risk Management
6. SEC Climate-Related Disclosures
7. IFRS / ISSB Sustainability Standards
8. EU CSRD
9. EU DORA – Digital Operational Resilience Act
10. ISO 22301:2019 – Business Continuity Management
11. ISO 27001:2022 – Information Security Management

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
