Enterprise risk management (ERM) is an ongoing business process that identifies, assesses, and plans for risks to an organization's financial and operational health while also targeting market opportunities. ERM is often part of an organization's Governance, Risk and Compliance (GRC) strategy. The risks in scope are broad: internal concerns such as company culture, and external factors such as data privacy regulations like GDPR and CCPA, natural disasters, a pandemic, or a cybersecurity attack.
A proactive business strategy that is employed across most business sectors, ERM takes a holistic approach to evaluating and managing risk across an entire organization and provides a structured process for management of those risks. In addition to warding off potential threats, ERM can also provide competitive advantages.
Objectives of Enterprise Risk Management
ERM is aimed at meeting organizational objectives rather than solely detailing potential problems. It is the implementation of a series of actions and activities that guide how an organization will assess and control risks.
Risk managers employ a combination of policies, practices and procedures to create frameworks for risk management, beginning with three key steps:
- Establishing risk governance: a board of directors that ensures decisions are made in line with the organization's goals and strategies, a team of senior managers focused on risk management under board oversight, and an independent risk management function responsible for executing business plans that conform to the organization's risk management framework
- Defining the organization's risk appetite: the level of risk it is prepared to accept before action must be taken
- Implementing risk management techniques that measure risk across products and business units and that ensure compliance with the organization's policies and guidelines
Enterprise Risk Management Frameworks
Over the past few years several ERM frameworks have emerged with each providing varied approaches to identifying, analyzing, and managing enterprise risk. Here are three of the most popular ERM frameworks:
- COSO (The Committee of Sponsoring Organizations). Established in 1985 to combat corporate fraud, COSO is a joint initiative of five U.S. associations: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). COSO's goal is to provide thought leadership on three interrelated subjects: enterprise risk management, internal control, and fraud deterrence. The COSO ERM framework has five components:
- Governance and culture
- Strategy and objectives
- Performance
- Review and revision
- Information, communication and reporting
- ISO 31000 is the risk management standard published by the International Organization for Standardization. As a set of guidelines rather than a certifiable specification, ISO 31000 provides principles, a framework, and a process for managing risk, with the objective of improving the identification of opportunities and threats and establishing best practices for allocating and using resources for risk management.
- The Casualty Actuarial Society's (CAS) Enterprise Risk Management Committee set out to define ERM in 2003 with a two-pronged approach to conceptualizing a framework: first classifying risk by type, then applying a risk management process that identifies, analyzes, integrates, and prioritizes risks before implementing risk management strategies, with ongoing monitoring and review of the process to identify what works and what doesn't.