Blog › ICP guides

Risk management consultant on retainer: tracking ongoing ERM advisory hours and demonstrating enterprise risk value between audits

July 16, 2026 · ~14 min read

The most visible deliverable in an enterprise risk management engagement has a meeting date and a board presentation: the audit finding reported to the risk committee, the annual risk assessment presented to the board, the insurance claim filed and managed, the regulatory examination response submitted. When the CFO and board chair discuss risk management outcomes with investors or regulators, those are the events on the agenda. What the agenda does not show is the continuous risk monitoring and advisory between those formal events that determined whether the company actually knew what risks it was carrying, whether the risk register was current when a new operating risk materialized, and whether the organization’s risk-taking behavior was consistent with the board-approved risk appetite in the quarters between formal risk presentations.

Enterprise risk management consultants and fractional Chief Risk Officers on monthly retainer do their most consequential work in the long stretches between formal risk events: the risk register maintenance review that caught an emerging third-party concentration risk six months before the supply chain disruption confirmed the exposure; the emerging risk scan that identified a regulatory development with material compliance implications fourteen months before the rule became effective; the insurance advisory session that caught a coverage gap created by a new technology deployment before a claim tested the policy; the risk culture conversation with a business unit leader that identified a risk tolerance drift before it produced a reportable incident or a board-level loss event.

The CFO and risk committee who approved the ERM advisory retainer see the audit findings, the board risk presentation, and the insurance renewal summary. They do not see the 18 risk register maintenance reviews that kept the enterprise risk inventory current through two major operational changes, the 12 emerging risk scans that identified and placed four new risks on the watch list before they reached materiality, the 8 insurance advisory sessions that provided continuous coverage gap analysis between annual renewals, or the quarterly risk culture conversations with business unit leaders that caught and corrected a risk tolerance drift in the commercial function before it generated an unauthorized risk exposure. All of that continuous advisory is invisible on a monthly invoice that says “enterprise risk management advisory services.”

This guide covers what ERM consultant retainer advisory actually consists of between formal risk events, what categories of continuous risk advisory are most commonly underlogged, how to structure and communicate hours so the CFO and board can see what the monthly retainer is producing, and the contract provisions that matter most in enterprise risk management advisory engagements.

ERM consulting versus regulatory affairs versus internal audit: the primary distinctions

Enterprise risk management, regulatory affairs consulting, and internal audit each address distinct organizational risk functions, and the distinctions matter for understanding what an ERM advisory retainer covers and what it does not.

A regulatory affairs consultant focuses on a specific regulatory domain — FDA product approval pathways and quality system regulations, SEC disclosure requirements and insider trading compliance, EPA environmental permitting and reporting, CFPB consumer financial protection requirements, state privacy law obligations — and their advisory is specific to the regulatory requirements in their domain. A regulatory affairs consultant knows the specific regulations in their specialty area and how they apply to the client’s products, operations, or transactions. An ERM consultant knows how regulatory risk fits into the enterprise risk portfolio alongside strategic, operational, financial, reputational, and technology risks, and advises on the aggregate risk profile rather than deep domain-specific regulatory interpretation. Companies that operate in regulated industries often engage both: a regulatory affairs specialist for domain-specific compliance advisory and an ERM consultant for enterprise-level risk governance.

An internal auditor assesses whether controls are designed and operating effectively to manage specific risks — they evaluate what is already in place and provide assurance to the board that the risk management and internal control environment is functioning as intended. Internal audit is fundamentally backward-looking: it tests controls that exist against the risks they are designed to address. An ERM consultant advises on what risks should be on the risk register, whether the risk appetite and tolerance thresholds are calibrated appropriately for the business strategy, whether the overall portfolio of risks is being managed coherently, where emerging risks are likely to arise before they appear in an audit scope, and whether the organization’s risk governance structure is adequate for the risk environment the business operates in. ERM advisory is forward-looking risk identification and portfolio-level risk governance; internal audit is control effectiveness assessment. Both are necessary; they serve distinct risk oversight roles, and effective ERM advisory actually improves the quality and relevance of internal audit by ensuring that the risks on the audit plan are the right risks.

ERM consulting is also distinct from the legal advisory that a general counsel or outside legal counsel provides on specific legal risk matters. Legal counsel advises on the legal dimensions of a specific transaction, dispute, regulatory matter, or compliance question. ERM advisory addresses legal risk as one component of the enterprise risk portfolio, advises on how legal risk concentration or correlation with other enterprise risks should inform the risk register, and ensures that the board understands aggregate legal risk exposure without duplicating the specific legal advice that requires a licensed attorney.

What ongoing ERM retainer advisory actually consists of

Risk register maintenance and governance

The enterprise risk register is the company’s current inventory of material risks: the risks that could prevent the organization from achieving its strategic objectives, affect its financial performance materially, damage its reputation, or result in regulatory penalties or legal liability. A risk register that was accurate twelve months ago may be significantly incomplete or misleading today if the business has entered new markets, launched new products, changed its technology infrastructure, restructured its operations, experienced leadership changes, or been affected by shifts in its competitive or regulatory environment.

Risk register maintenance in a retainer context means: reviewing the risk inventory on a defined cadence (typically monthly for the full register, with more frequent targeted reviews when specific operating changes create likely risk profile changes); updating risk assessments — likelihood, impact, velocity, and interconnectedness — as the business environment changes; ensuring risk owners have current risk information for their mitigation activities; retiring risks that have been effectively mitigated or that no longer apply to the current operating model; adding new risks identified through emerging risk scanning or management-level risk conversations; and maintaining the risk register in a format that supports effective board communication without being operationally overwhelming.

Risk register maintenance is the most consistently underlogged ERM retainer function because the most common finding is that the risk register is current and no material changes are required. A monthly risk register review that confirmed all existing risk assessments remain appropriate, updated three risk owners following an organizational restructuring, and found no new risks meeting the materiality threshold for register addition was two hours of legitimate ERM advisory work. “Risk register reviewed; existing assessments confirmed current; risk owner updates made; no new register additions; register submitted to risk committee” is a valid advisory output. Without a log entry, none of it appears in the retainer record.

Emerging risk scanning

The risks on the current risk register are the known risks — the exposures the organization has already identified and is actively managing. The risks that will actually generate the next major loss event, regulatory penalty, or strategic setback are more likely to be risks that are not yet on the register: regulatory developments moving through the rulemaking process, geopolitical dynamics that have not yet materialized into supply chain disruption, technology shifts creating new competitive vulnerabilities, macroeconomic trends generating financial stress in ways not currently modeled, or industry structural changes creating strategic risks not yet visible in the operating data.

Emerging risk scanning in a retainer context means: monitoring regulatory rulemaking calendars across jurisdictions relevant to the client’s operations for new requirements with material compliance implications; tracking geopolitical, macroeconomic, and trade policy developments for supply chain, currency, and market access risks; reviewing industry analyst reports, peer company disclosures, and industry association risk surveys for emerging risks being tracked by comparable organizations; monitoring technology and cybersecurity threat intelligence for new attack vectors, vulnerability categories, or technology dependency risks; and synthesizing signals from across these streams into a regular emerging risk briefing for management with recommendations on which signals warrant risk register watch-list addition and what preparatory risk mitigation activity is warranted before the risk matures.

Emerging risk scanning sessions are systematically underlogged when the session concludes that no new risks meet the materiality threshold for immediate register addition. A two-hour emerging risk scanning session that reviewed regulatory developments across five jurisdictions, assessed three geopolitical developments for supply chain risk implications, reviewed two competitor disclosures for peer risk signals, and concluded that two developments warrant watch-list addition while the remaining signals do not currently meet materiality thresholds was two hours of ERM advisory that produced no register change for the month. The watch-list additions and the documented rationale for not elevating the other signals to the register are the correct ERM output. Log every scanning session with the domains covered, the signals reviewed, and the disposition of each signal.

Insurance portfolio advisory

The company’s insurance program — property and casualty, general liability, directors and officers, errors and omissions, cyber liability, employment practices liability, umbrella and excess layers, and any specialty coverages — is the financial backstop for the risk exposures the organization cannot or chooses not to fully mitigate operationally. Insurance programs are designed at renewal time to cover the risk profile as understood at that moment; the risk profile changes continuously as the business operates, expands, contracts, changes its technology infrastructure, enters new contracts, or operates in new geographies.

Insurance portfolio advisory in a retainer context means: reviewing the insurance program coverage against the current risk profile on a continuous basis rather than only at renewal; identifying coverage gaps created by business changes that occurred between renewals — a new technology deployment that created uninsured cyber risk, a new contract that required higher limits than the current program provides, a new geography that created jurisdictional coverage gaps; advising on whether specific risk incidents or near-misses have claims notification implications under existing policies before the notification window closes; supporting insurance renewal negotiations with current risk quantification data to achieve favorable underwriting outcomes; reviewing endorsements, exclusions, and policy language changes for material changes to coverage scope; and advising on whether captive insurance, parametric insurance, or risk transfer structures other than traditional insurance are appropriate for specific risk categories given the company’s risk profile and financial capacity.

Insurance advisory between annual renewals is almost entirely invisible in retainer work logs because it does not generate a policy document, a premium payment, or a claims transaction. A 90-minute review of whether a recent cloud infrastructure migration has created cyber liability coverage gaps under the current policy, concluding that one existing exclusion could apply to the new architecture and recommending a call with the broker to clarify the coverage position before the next renewal, was advisory work that may have prevented a coverage dispute on a future claim. It produced no insurance document. Log every insurance advisory interaction with the coverage area reviewed, the business change that triggered the review, and the advisory finding or recommendation.

Risk culture monitoring

Risk culture is the set of values, norms, and behaviors that determine how the organization actually makes risk decisions in practice — not what the risk policy says, but what the observed behavior in business decisions, resource allocation, and operating choices reveals about the organization’s actual risk appetite. Board-approved risk appetite statements define the intended risk culture; risk culture monitoring assesses whether the actual decision-making behavior across the organization is consistent with that intention.

Risk culture monitoring in a retainer context means: conducting structured risk culture conversations with business unit leaders to understand the risk considerations in recent significant decisions; reviewing the risk implications of major operational decisions as they are made to assess whether the risk-taking behavior is within the approved risk tolerance boundaries; monitoring for indicators of risk culture drift — decisions that exceeded approved risk tolerances, risk escalation protocols that were bypassed, risk controls that were circumvented to achieve a commercial objective; advising the CEO and CRO on cultural signals that suggest a business unit or function is operating with a risk tolerance that differs materially from the board-approved appetite; and developing risk culture assessment processes that give the board current visibility into whether the organization is actually managing risk as intended rather than as reported.

Risk culture monitoring is systematically underlogged because the most important finding is often that the observed risk-taking behavior is consistent with the board-approved risk appetite — a confirmation, not a finding that generates a corrective action. A quarterly risk culture conversation with the Chief Operating Officer that reviewed three major operational decisions, assessed each against the approved operational risk tolerance, and confirmed that all three were within the approved boundaries was 90 minutes of ERM advisory that produced a risk culture confirmation rather than a risk tolerance violation. Log every risk culture monitoring interaction with the business unit or leader, the decisions reviewed, and the risk culture assessment.

Board and risk committee support

Effective risk governance requires a board and audit/risk committee that understands the enterprise risk profile with sufficient depth to provide meaningful oversight — not just receive a risk report and approve it, but understand the risk landscape well enough to ask the right questions, identify whether the risks being reported reflect the actual risk environment, and provide strategic guidance on risk appetite calibration. ERM advisory support for the board and risk committee is a distinct advisory function from management risk reporting.

Board and risk committee support in a retainer context means: preparing risk report materials for board and audit/risk committee meetings in formats that communicate current risk profile effectively without requiring board members to interpret risk register data; developing board risk literacy through ongoing advisory and educational materials that help board members understand the risk categories, risk assessment methodologies, and risk management practices relevant to the company’s specific risk environment; advising the audit/risk committee chair on risk oversight process improvements; reviewing draft risk disclosures in public filings for accuracy and completeness relative to the current risk register; and advising on risk governance structure — risk committee composition, charter, and responsibilities; risk escalation protocols; risk reporting cadence; and the integration of ERM with internal audit, compliance, legal, and finance functions.

Risk-informed decision support

The company makes decisions continuously that have material risk implications: major capital investments, strategic acquisitions, new product launches, new market entries, significant technology changes, major operational restructurings, new financing arrangements, executive leadership changes, and large contract commitments. Each of these decisions should be informed by a current assessment of its risk implications — not just whether the decision is a good idea commercially, but what risks it introduces, how those risks compare to the approved risk appetite, and whether the risk mitigation plan is credible.

Risk-informed decision support in a retainer context means: providing risk analysis for proposed strategic initiatives before the decision is made rather than after; reviewing acquisition targets’ risk profiles in the due diligence process; assessing the risk implications of major operational changes before they are implemented; advising on the risk dimensions of significant contracts and commitments; modeling the risk-adjusted return of capital allocation decisions; and ensuring that risk analysis is part of the standard decision-making process for material decisions rather than an afterthought that is applied only to decisions that have already gone wrong.

Risk-informed decision support is underlogged when the advisory recommends against a proposed action. A four-hour analysis of a proposed market entry that identified concentration risk, currency risk, and regulatory risk exceeding the board-approved risk appetite for international expansion, leading to a recommendation against the entry, produced a correct risk advisory output that prevented a loss exposure. No subsequent risk management activity was required because the decision was not made. Log the initiative analyzed, the risk dimensions assessed, the risk profile relative to approved tolerance, and the recommendation — including recommendations against proposed actions.

Three modes of ERM retainer advisory intensity

Enterprise risk management advisory retainers operate at significantly different intensity levels depending on whether a formal risk event is in progress and what the current risk environment requires.

Steady-state risk monitoring and advisory (15–30 hours/month): The baseline advisory mode between active risk events. Core work: risk register maintenance reviews, emerging risk scanning, insurance advisory between renewals, risk culture monitoring conversations, and risk-informed decision support for ongoing management decisions. This is the most systematically underlogged mode because no formal risk event is creating urgency and no specific deliverable is due to the board. A month that included 3 risk register maintenance reviews, 2 emerging risk scanning sessions, 1 insurance advisory review, 2 risk culture monitoring conversations, and 3 risk-informed decision support sessions consumed 20–25 hours of ERM advisory and produced no formal board deliverable. It kept the risk register current, identified two watch-list risks, caught one potential coverage gap, confirmed risk culture alignment in two business units, and provided risk analysis for three operational decisions. Without logging, none of it appears in the retainer record.

Active risk event management (30–60 hours/month): When a formal risk event is in progress — an insurance claim, a regulatory examination, an audit finding remediation, an emerging risk reaching materiality and requiring register addition and mitigation planning, or a major business change with significant risk implications requiring intensive advisory — advisory intensity increases substantially. These events generate clear, client-visible deliverables: examination response submissions, audit finding remediation plans, risk mitigation roadmaps, insurance claim documentation. This phase is well-logged because the formal risk event creates urgency and the deliverables are recognizable.

Crisis or transformation risk advisory (50–100 hours, compressed): When the company faces a major loss event, a significant regulatory action, a strategic crisis with material risk implications, or a transformational business event such as a major acquisition or a fundamental operating model change that requires intensive risk assessment and governance support, ERM advisory intensity peaks and the work becomes both urgent and highly visible. These periods are almost never underlogged. They also reveal whether twelve months of steady-state risk monitoring built the risk intelligence, risk register currency, and risk governance infrastructure needed for an effective crisis response — or whether the ERM function has to start from scratch at the moment of highest pressure.

ERM advisory retainer pricing

Enterprise risk management advisory retainer rates reflect the consultant’s breadth of ERM methodology expertise, their sector-specific risk knowledge, and the scope of their advisory access within the organization and to the board.

$100–$175/hour for ERM practitioners with 7–12 years of risk management experience, formal ERM credentials (RIMS-CRMP, PMI-RMP, or equivalent), and a track record of risk register development and risk advisory for companies in the $50M–$500M revenue range. Monthly retainers at this level typically run $2,500–$5,250/month for steady-state risk advisory.

$150–$275/hour for senior ERM advisors with deep expertise in a specific risk category (cybersecurity risk, operational risk, financial risk, or strategic risk), significant experience advising boards and audit committees on risk governance, or a track record of supporting organizations through major risk events including regulatory examinations, significant insurance claims, and strategic transformation risk management. Monthly retainers at this level typically run $3,750–$8,250/month.

$250–$450/hour for principal-level ERM advisors or fractional Chief Risk Officers with board-level credibility, experience as a formal CRO or Chief Risk Officer at companies with sophisticated risk governance requirements, or specialized expertise in high-complexity risk environments including financial services, healthcare, defense, or other heavily regulated sectors. Monthly retainers at this level typically run $6,250–$13,500/month and often include formal CRO advisory scope with direct board access, not just management-level risk support.

What ERM retainer advisory work is most commonly underlogged

The advisory work most systematically absent from enterprise risk management retainer work logs is the continuous monitoring and advisory that occurs between formal risk events and produces no single visible risk artifact.

1. Risk register maintenance that finds no material changes required. Reviewing the enterprise risk register against current operating conditions, confirming that existing risk assessments remain appropriate, updating risk owner information following organizational changes, and concluding that no new risks meet the materiality threshold for immediate addition required the maintenance work to produce that conclusion. “Risk register reviewed; existing risk assessments confirmed current; risk owner updates made for three risks following HR reorganization; no new register additions; emerging risk watch list updated” is a valid ERM advisory output. Log every maintenance review with the register state and the finding.

2. Emerging risk scanning with no actionable findings. Reviewing regulatory rulemaking calendars, geopolitical developments, macroeconomic signals, industry risk publications, and technology threat intelligence for potential new enterprise risks, and concluding that no developments currently meet the materiality threshold for register addition or immediate management escalation, required the scanning work to produce that conclusion. The two regulatory developments that were assessed and found not yet material are also valid outputs — they are now on the watch list with documented rationale for their current threshold status. Log every scanning session with domains covered and signal dispositions.

3. Insurance advisory between renewals that confirms adequate coverage. Reviewing whether recent business changes have created coverage gaps or redundancies, and confirming that the current insurance program adequately covers the updated risk profile, required the advisory review to produce that confirmation. “Insurance program reviewed against Q2 operational changes including new data center vendor and expanded credit terms with international customers; no material coverage gaps identified; endorsement clarification recommended for cyber coverage scope; broker conversation to be scheduled before Q4 renewal” is a valid advisory output. Log every insurance advisory interaction between renewals.

4. Risk culture monitoring that confirms risk appetite alignment. Conducting a risk culture conversation with a business unit leader, reviewing recent significant decisions for risk tolerance consistency, and confirming that the observed risk-taking behavior is within the board-approved risk appetite is valid ERM advisory work that produced a risk culture confirmation rather than a risk tolerance violation. “Q2 risk culture review with Commercial VP: reviewed three major customer contract decisions; risk-taking behavior consistent with approved commercial risk tolerance; no tolerance breach identified; risk escalation protocol reinforced for contract value exceeding $5M threshold” is a valid output. Log every monitoring interaction.

5. Risk-informed decision support that recommended against a proposed action. Analyzing the risk profile of a proposed strategic initiative and recommending against it because the risk profile exceeds the approved risk appetite produced a correct risk advisory output with no subsequent risk management artifact — because the decision was not made. The risk analysis, the risk profile assessment relative to approved tolerances, and the recommendation are the advisory deliverable. Log the initiative, the risk dimensions analyzed, and the recommendation, including recommendations against proposed actions.

ERM advisory retainer contract provisions that matter

Enterprise risk management advisory retainer agreements should be more explicit than most professional services agreements about several provisions that are specific to the risk advisory function.

Risk domain scope definition. Define which risk categories are within the ERM advisory scope and which are handled by specialist advisors. A typical ERM scope covers strategic risk, operational risk, financial risk, compliance risk (at the governance and enterprise level, not domain-specific regulatory interpretation), reputational risk, and technology and cybersecurity risk at the risk governance level. Cybersecurity operational risk management, specific regulatory compliance advisory (FDA, SEC, EPA, CFPB), and legal risk management advice requiring a licensed attorney are typically out of scope. Make the scope explicit so both parties understand what the ERM advisory covers and where specialist advisor engagement begins.

Advisory versus assurance boundary. ERM advisory provides independent risk perspective to management and the board on the design and execution of the risk management program. Internal audit provides assurance on control effectiveness. Define the boundary between these functions: the ERM consultant should advise on risk governance design without providing assurance on controls they have recommended, and should not be positioned as a substitute for the independent assurance function that internal audit provides. The conflict of interest risk is real: an ERM consultant who both advises on risk management design and provides assurance on whether the design is working effectively has a structural independence problem. Keep the functions separate.

Risk data confidentiality. Enterprise risk register data, insurance program details, risk incident histories, board risk committee materials, and individual risk culture assessment findings are among the most sensitive information in the company. Define how risk data is stored, transmitted, and protected during the engagement; what happens to risk data in the ERM consultant’s files on engagement termination; and whether the risk register itself (or components of it) are proprietary client information that may not be used in other engagements without explicit permission.

Board and audit committee access. Effective ERM advisory requires the consultant to have direct access to the board or risk committee, not just to management. A risk advisor who can only communicate risk findings through the CEO or CFO is not in a position to provide the independent risk perspective that boards need. Define the ERM consultant’s access to the audit/risk committee chair, what communications go directly to the board versus through management, and the protocol for the ERM consultant to raise risk governance concerns directly with the board if management is not addressing a material risk appropriately.

Hours visibility. Define the mechanism through which the CFO and risk committee can review the ongoing ERM advisory work log and understand what the continuous risk function is producing between formal board presentations. A retainer dashboard that shows the risk advisory work completed, the risk domains covered, and the hours consumed in the current and prior periods makes the ongoing ERM function legible to the oversight bodies responsible for risk governance without requiring the consultant to generate separate status reports. Real retainer hour visibility is what converts a monthly invoice line that says “ERM advisory services” into a board-level understanding of what the risk function is actually doing.

The case for logging every ERM advisory interaction

The most effective argument for a continued ERM advisory retainer is not the risks the organization is currently managing — those are visible in the risk register and the board presentation. The most effective argument is the risks the organization identified and mitigated before they materialized into losses, and the decisions it made with accurate risk information that would have been made with incomplete risk information without ongoing ERM advisory. Neither of those outcomes appears in a monthly invoice without a work log that connects the advisory work to the risk outcome.

Enterprise risk management advisory retainers are evaluated at renewal time against a simple question: is the risk management function the ERM consultant provides worth the retainer cost? If the answer requires the ERM consultant to construct a post-hoc case from memory about what was done in the prior twelve months, the renewal conversation starts from weakness. If the answer can be grounded in a continuous work log that shows which risks were identified before they materialized, which insurance gaps were caught before claims tested them, which risk culture drifts were corrected before they produced losses, and which decisions were made with accurate risk information that the ERM advisory provided, the renewal conversation starts from a documented track record.

Log every risk advisory interaction — the risk register maintenance reviews that found nothing wrong, the emerging risk scans that placed two signals on the watch list and confirmed twelve others below threshold, the insurance advisory sessions between renewals, the risk culture conversations that confirmed alignment rather than identifying drift, the risk-informed decision analyses that recommended against proposed actions. The continuous advisory record is the retainer’s most valuable long-term asset, and it accumulates one work log entry at a time.

HourTab gives enterprise risk management consultants a public, no-login retainer dashboard URL — import your time log via CSV and share a link with the CFO or risk committee chair. They see hours used, hours remaining, and the full work log without needing a portal login. Start free with one retainer →

Frequently asked questions

What does an enterprise risk management consultant on retainer typically do?

An ERM consultant or fractional Chief Risk Officer on monthly retainer provides risk register maintenance and governance (maintaining the enterprise risk inventory, updating risk assessments, ensuring risk owners have current information, and keeping the register aligned with strategic direction); emerging risk scanning (monitoring regulatory, geopolitical, macroeconomic, industry, and technology developments for risks not yet on the register that could become material exposures); insurance portfolio advisory (reviewing insurance program adequacy as the business changes, advising on coverage gaps, supporting renewal negotiations); risk culture monitoring (assessing whether actual risk-taking behavior is consistent with the board-approved risk appetite); board and risk committee support (preparing materials, developing board risk literacy, advising on risk governance structure); and risk-informed decision support (providing risk analysis for proposed strategic initiatives, acquisitions, major operational changes, and significant contracts before decisions are made). The retainer covers the continuous ERM function; the most valuable deliverable is often the risk exposure identified and mitigated before it produced a loss.

How is ERM consulting different from regulatory affairs or internal audit?

A regulatory affairs consultant focuses on a specific regulatory domain (FDA, SEC, EPA, CFPB) and advises on the specific regulations in their specialty. An ERM consultant advises on how regulatory risk fits into the enterprise risk portfolio alongside strategic, operational, financial, and technology risks. An internal auditor assesses whether controls are designed and operating effectively — backward-looking control effectiveness assessment. An ERM consultant advises on what risks should be on the register, whether risk appetite thresholds are appropriate, and where emerging risks are likely to arise — forward-looking risk identification and governance. Companies often engage both an internal audit function and an ERM advisor because they serve distinct and complementary risk oversight roles.

What ERM retainer work is most commonly underlogged?

The most consistently underlogged ERM advisory work is the continuous monitoring between formal risk events that produces no single visible artifact: risk register maintenance reviews where no new risks were added (but the register was confirmed current), emerging risk scanning sessions where signals were assessed and found below materiality threshold, insurance advisory sessions between renewals that confirmed adequate coverage, risk culture monitoring conversations that confirmed risk appetite alignment, and risk-informed decision analyses that recommended against proposed actions. All of these are valid advisory outputs that required real advisory time — they simply produced confirmations rather than findings, making them easy to omit from the retainer record.

What should an ERM advisory retainer agreement include?

ERM retainer agreements should define: the risk domain scope (which risk categories are covered and which are handled by specialist advisors); the advisory versus assurance boundary (ERM advises on risk governance design; internal audit provides control effectiveness assurance — keep the functions separate to avoid independence conflicts); risk data confidentiality provisions (risk register data, insurance details, incident histories, and board materials are highly sensitive); board and audit committee access protocols (effective ERM advisory requires direct board access, not just management-level communication); and hours visibility mechanisms so the CFO and risk committee can review the ongoing advisory work log between formal board presentations.

How should ERM retainer advisory hours be logged?

Log entries should capture the ERM function (risk register maintenance, emerging risk scanning, insurance advisory, risk culture monitoring, board/committee support, or decision support), the specific risk domain or business area, the activity performed, and the finding or recommendation. For example: “Emerging risk scanning — regulatory/compliance: reviewed CFPB rulemaking calendar and state privacy legislation tracker; identified two developments for watch list addition (CFPB small business data reporting rule, Colorado AI Act); remaining signals assessed below current materiality threshold; watch list updated: 2.5 hours” or “Risk culture monitoring — Commercial division: quarterly review with VP Commercial; three major Q2 contracts assessed against commercial risk tolerance; all within approved boundaries; $5M escalation protocol reinforced: 1.5 hours.” This level of entry makes the continuous ERM function legible to the board between formal risk presentations.