GACO Masterclass Series: Modern ERM - Design, Embed, and Operate
Risk management is no longer just about ticking boxes—it’s about creating a resilient framework that scales with your business. We are proud to announce an exclusive three-part series designed to take you from foundational design to advanced third-party oversight.
Modern Enterprise Risk Management (ERM) is a strategic discipline that integrates risk awareness directly into an organisation's decision-making process. At its core, it’s about identifying, assessing, and preparing for any event—financial, operational, or reputational—that could interfere with a company's ability to achieve its objectives. Rather than managing risks in silos (where IT only looks at tech and Finance only looks at books), modern ERM creates a unified, top-down view that treats risk as a potential source of competitive advantage and value creation.
In practical terms, ERM is evolving from a periodic reporting cycle into a continuous, data-driven operation. Organisations are increasingly leveraging AI and predictive analytics to move from "hindsight" to "foresight," allowing them to navigate a landscape defined by rapid geopolitical shifts, cybersecurity threats, and ESG (Environmental, Social, and Governance) requirements. The focus has shifted toward organizational resilience—the ability to not just withstand a crisis, but to pivot and adapt faster than the competition. This means risk managers are spending less time on spreadsheets and more time acting as strategic advisors to the board.
Therefore, GACO is very happy to have organised this Masterclass Series on Modern ERM that will bring you from the ERM foundations to a practical workshop on fully managing the risks of third-party relationships. We are honored to be joined by international Risk Specialist Nicola Crawford, FIRM, owner of riskinpractice.com, who will lead us through this comprehensive Masterclass Series.
This Masterclass Series will be delivered in 3 parts (2 online webinars and 1 face-to-face seminar). Here are further details:
Webinar 1 (2 hours): ERM Blueprint — How to Design and Embed ERM That Scales
12th February 2026 - 09.30am - 11.30am
What you’ll get
A clear, implementable blueprint for ERM that connects governance, culture, strategy, appetite, and decision-making—without slowing the business down.
What we cover
- Why ERM fails (and how to avoid it): common failure modes, overload, “tick-box” registers, weak ownership, and poor MI
- Building the ERM business case: how to position ERM as an enabler (growth, confidence, resilience, better decisions)
- Designing a practical ERM operating model: roles, RACI, escalation pathways, committee touchpoints, and how to apply the updated Three Lines Model in a way that reduces duplication and closes gaps
- Risk taxonomy that people actually use: consistent categories, definitions, and how to make it work across business units
- Risk appetite and thresholds: turning appetite into usable metrics, triggers, and decision guardrails
- Embedding ERM into the “rhythm of business”: planning, product/change governance, incident learning, assurance mapping, and performance reporting
- Resilience as a design principle: linking ERM to operational resilience expectations (e.g., impact-focused thinking, services/processes, vulnerabilities)
Takeaways (you can use immediately)
- ERM “Blueprint” checklist (what good looks like, minimum viable ERM vs. mature ERM)
- ERM governance + accountability map (Three Lines aligned)
- Practical implementation roadmap (30/60/90-day launch plan + 6–12 month maturity plan)
Webinar 2 (2 hours): ERM in Practice — Tools, Techniques and Tech That Make ERM Work
12th March 2026 - 09.30am - 11.30am
What you’ll get
A field-tested toolkit to run high-quality risk assessments, produce board-ready reporting, and build monitoring that drives action, supported by technology and automation (without a painful implementation).
What we cover
- Modern enterprise risk assessment approaches: workshop-led, data-led, and hybrid models—when to use each and why
- How to run ERM workshops that don’t fail: stakeholder prep, facilitation structure, remote/hybrid delivery techniques, and avoiding “groupthink”
- Risk articulation that holds up to scrutiny: causes → controls → impacts; clear statements; linking to objectives
- Controls and assurance that reduce noise: mapping key controls, control effectiveness, and avoiding duplicate testing across teams
- KRIs that drive decisions (not vanity metrics): designing triggers, thresholds, trending, and linking to appetite
- Risk reporting that leadership reads: dashboards, narratives, emerging risk, and action tracking
- Selecting and delivering ERM/GRC technology: tips/traps, requirements definition, vendor evaluation, implementation governance, and adoption (so the tool doesn’t become a shelf-ware database)
Takeaways (you can use immediately)
- Risk assessment workshop “run-sheet” (agenda, prompts, outputs)
- KRI design guide + starter library structure
- Board/executive risk reporting template (what to include, what to stop reporting)
- ERM tech selection checklist (requirements + evaluation scorecard approach)
Seminar 3 (6 Hours) - Beyond the Enterprise: Managing the Risks of Third-Party Relationships
26th March 2026 - 09.30am - 12.30pm & 02.00pm - 05.00pm
Sunborn Yacht Hotel Atlas Rooms
Extending business activities beyond organisational boundaries to create value for the organisation is not new. However, the quantity and complexity of the relationships that now exist beyond organisational boundaries are increasing, as is regulatory and stakeholder scrutiny. While partnerships with third parties can be beneficial to the organisation on so many levels, such alliances can expose the organisation to many unknowns, and those unknowns will undoubtedly increase the level of risk. The key, then, is properly managing the infrastructure, systems, staff and outside support to adequately manage that risk. This workshop focuses on how this can be achieved. Workshop participants will learn third party management governance and processes that can be applied across the organisation at either an enterprise or a department level. Learning is done through presentation, collaboration with peers, and workshop tasks.
What we cover
- Setting the context for third party risk management including definitions, alignment to third party management and enterprise risk management, the importance and value derived from managing third party risks
- The Challenges and pitfalls of managing third party risks
- Third Party Risk Framework Overview – third party risk management maturity
- Third Party Risk Governance
- Assessing third party risks and controls – process requirements, tools and techniques
- Third Party Risk Management and the Procurement Lifecycle – from onboarding to exit
- Managing third party risk management information
Takeaways (you can use immediately)
- Effectively managing due diligence and third-party risk.
- Understand the challenges and pitfalls of managing third-party risk
- Facilitate ongoing monitoring of third-party partners.
- Establish third party management ownership and accountability across the 3 lines of defence
- Provide third party management process consistency and enhance cross functional collaboration
- Communicate effectively with third parties on matters of risk and compliance
- Deliver effective third-party governance and assurance to the board of directors, regulators, and stakeholders
- Monitor metrics to establish effectiveness of third party management
Why MLROs, Risk, Compliance Managers, and indeed board members and Senior Managers should attend
You’ll leave with a practical approach to:
- Create clarity on ownership and accountabilities
- Turn ERM into decision support (not admin)
- Improve MI quality and produce board-ready reporting
- Strengthen resilience and reduce surprises
- Implement tools and tech pragmatically—and get adoption
Who should attend
- Risk and Compliance Managers / Heads of Risk
- Board Members including NEDs/iNEDs to better understand ERM
- Operational Risk, Conduct Risk, and Operational Resilience leads
- Governance, Controls, and Assurance teams
- Internal Audit (as a key partner in the assurance framework)
- Transformation/PMO leaders responsible for change risk and controls
Speaker

Nicola is the owner of a new digital risk advisory - riskinpractice.com and a Fellow of the Institute of Risk Management. With decades of international experience, she is a leading voice in transforming complex risk theory into practical, actionable business strategies.
Attendance Fees
Webinar 1 only: £25 GACO & GRMA/IRM Gib; £40 for Non-Members
Webinar 2 only: £25 GACO & GRMA/IRM Gib; £40 for Non-Members
Seminar 3 only: £65 GACO & GRMA/IRM Gib; £90 for Non-Members
Full Masterclass Programme: £80 GACO & GRMA/IRM Gib; £140 for Non-Members