There is no official certification (that I know of) for ERM at this point. But how would a board know or an ERM leader determine that their ERM process is set up in a way they’d want? There are the obvious signs such as too many surprises, not seeing risks, not correctly assessing, etc. There is also a program review that can be done.
First, some organizations can and do benchmark with other programs to get feedback.
Second, other organizations hire outsiders to review their program and provide feedback.
Third, ERM leaders can do this on their own. An unofficial approach might be:
Review your program for all COSO Components
Review your program for evidence of all relevant principles (the word "relevant" is critical).
If your program has evidence of relevant principles, COSO components, and the components interact/work together then you’d unofficially have a good program.
Keep in mind:
It can be very valuable to do this.
This is unofficial; but if some senator gets mad at U.S. businesses again, they could make this the law (like they did with internal control / SOX).
Tread lightly. Choose wisely. Make it a TQM opportunity-for-improvement thing instead of a do-or-die ERM thing. It works better, you get to the same place (since this isn’t 100% the law), and management sees it as a positive thing about performance, etc.
Finally, if I were a board member I’d ask every ERM leader I know to do this.