ERM Risk Management

The Enterprise Risk Management Office (ERM) provides leadership in the development, delivery, and maintenance of enterprise risk management and information governance programs to safeguard the Commonwealth’s information assets.

The primary goal of an Enterprise Risk Management (ERM) program is to help an organization incorporate risk awareness into the process of daily decision-making. The objectives of an ERM framework include the following:

  • Strategic – Understanding how an agency’s risk environment impacts the ability to achieve its business objectives across all departments.
  • Reporting – Identifying key risks by creating risk profiles and systems that allow for easy risk identification and sharing.
  • Operations – Prioritizing resources in alignment with desired outcomes, which includes mitigating losses and advancing opportunities.
  • Compliance – Building capabilities to detect, mitigate, and respond to risks that are presented at any point in time.

Risk Appetite Statement

The Office is responsible for examining and researching the risk practices of the Executive Office of Technology Services and Security (EOTSS) and producing a Risk Appetite Statement (RAS). A RAS is a concise document or statement that clearly lays out a strategic framework for addressing risk in an organization, including the amount and kinds of risks an organization is willing to take on to achieve its objectives.

Vendor Risk Management

The Vendor Risk Management Program conducts risk assessments on third-party vendors who want to do business with the Commonwealth to safeguard the security of the state’s systems. These assessments involve answering a series of questions about cybersecurity and operational business practices. The answers are used to produce a Risk Report and a Risk Score.

Risk Response

The Office recommends four responses to identified risks: accept, transfer, mitigate, and avoid.

  • Accept: No action taken; the risk is acceptable
  • Transfer: Action taken to decrease risk severity by either implementing controls or sharing risk
  • Mitigate: Action taken to reduce the probability or impact of the risk
  • Avoid: Action taken to do something different because of the existing risk, so the risk is eliminated

[Figure: Risk Response Graphic]

Contact for ERM Risk Management

For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov


McCormack Building
1 Ashburton Place, 8th Floor, Boston, MA 02108