Enterprise Risk Management (ERM) Fundamentals

Enterprise risk management (ERM) is a risk management methodology that takes a top-down approach to the risk management process and takes into account the business and strategic objectives of the organization and its senior management. ERM integrates traditional risk management strategies, internal controls best practices, and otherwise siloed risk activities, giving stakeholders a deeper view of the company’s risk profile.

The practice of risk management has a long history, with origins dating back to the 1920s. Over time, around the turn of the century, risk practices took center stage along with increased focus on internal controls and a proliferation of risk management frameworks (RMFs). As the discipline of risk management evolved, organizations and practitioners realized that the previous approaches to risk management, which often relied on business units to manage their own risks and mitigation plans, were allowing risks to pass through the gaps between silos. The need for a centralized and enterprise-wide approach to risk management gradually became clear. And so, the methodology of enterprise risk management (ERM) was born, representing a progression in how stakeholders, senior management, and even the federal government think about an organization’s risk. Other outgrowths of risk management include operational risk management (ORM), IT risk management (ITRM), project risk management (PRM), and supply chain risk management (SCRM), which can all be consolidated into an enterprise risk management program.

By establishing a strong ERM program, organizations can better understand their risk appetite and improve decision-making capabilities, prioritizing initiatives and mitigation plans that support the company’s goals. In addition, many regulatory requirements and even other organizations mandate some kind of risk assessment or risk management process, which an ERM program incorporates. ERM processes encourage effective communication and knowledge-sharing about potential risks, facilitating better and more timely reporting, and ideally more efficient, effective risk response.

Read on to learn about the essentials of enterprise risk management, and how to implement ERM processes at your organization.

Components of Enterprise Risk Management

Depending on the ERM framework your organization chooses to leverage, there may be a different number or categorization of components — but there are common themes among various frameworks. In this article, we have identified five key components of ERM, loosely based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management – Integrated Framework (ERM-IF). Other frameworks have varying components, though they follow similar themes. We’ll break down some of the other ERM frameworks available to you and your organization later in this article.

The five components of enterprise risk management are: 

  • Company Culture, Governance, and Values
  • Strategic Planning, Objectives, and Goal Setting
  • Risk Management Cycle (COSO calls this “Performance”)
  • Monitoring and Continuous Improvement (COSO calls this “Review & Revision”)
  • Transparency, Communication, and Reporting

[Figure: COSO Components and Principles]

1. Company Culture, Governance, and Values

The company culture, governance structure, and values of an organization play a major role in establishing and maintaining a successful enterprise risk management program. The internal environment defined by policies, procedures, codes of conduct, team norms, and operational norms affects how employees and business units view risk, and how engaged they will be with the overall risk strategy. An organization with a risk-aware culture and values will have an easier time implementing and actioning ERM processes.

This component of ERM also has to do with the organization’s tone-at-the-top, overall operating structure, and retention. As we now know, the attitudes, values, and actions of a company’s leadership and senior management have a ripple effect throughout the entire organization, and unethical leadership can even lead to a going-concern risk. A poorly defined or constructed operating structure brings potential risks related to meeting customers’ expectations and maintaining product quality. 

Despite the pressures and politics associated with senior management, company culture, and governance, risk professionals and teams can’t turn a blind eye to their organization’s internal environment, and should proceed to identify and document possible risk exposures in management practices. Appointing or hiring a Chief Risk Officer (CRO) to oversee the business’s risk management processes, communicate with leadership, and be accountable for the program is a good step towards strengthening ERM.

2. Strategic Planning, Objectives, and Goal Setting

Strategic planning, objectives, and goal setting is another component of ERM. Since the foundational principles of ERM take a top-down approach, an important step in the process is to collaborate with stakeholders, senior management, and even the Board of Directors to define the company’s objectives, goals, and strategy for meeting those goals. Once these are set, the process of identifying, assessing, responding, reporting, and monitoring risks can begin.

As part of this stage, senior management should define their risk appetite and thresholds, drawing lines around the risks that they will accept, versus risks that should not be accepted. If possible, key risks that have a material or otherwise significant effect on the business should also be identified and discussed. This is a good time to decide if the company will be employing an existing enterprise risk management framework, or a bespoke framework, and to brainstorm metrics and key risk indicators (KRIs) that the organization can use to measure its risk management performance.

3. Risk Management Cycle

Once senior management has set the organization’s goals and objectives, and defined their risk appetite, the cycle of risk identification, risk assessment, risk mitigation and response can begin. If this process looks familiar, it should — this is the foundational risk management cycle that appears in most risk management methodologies.

At this point, if you haven’t already, it would be a good idea to start updating your risk register or risk library as you proceed through the risk analysis steps.

Risk Identification: Risk identification should be an ongoing and continuous process, with the organization’s risk register updated with each newly identified risk. In this step, the company examines its internal environment, business processes, and policies to pinpoint potential risks and develop risk statements for each. Risk statements should be documented in the company’s risk register, and are written with a condition, then the consequence if that condition occurs.

[Figure: Enterprise Risk Management: Writing a Sample Risk Statement]

Throughout risk identification, the company must be vigilant towards all types of risk, including digital risk, which many organizations overlook or fail to account for entirely.

Risk Assessment: Following identification, risks need to be assessed, both in terms of category and overall risk score. Sometimes referred to as risk analysis, this step results in the categorization and prioritization of identified risks.

Risk Scoring (Likelihood and Impact): The simplest and generally accepted method for scoring risks involves assigning a likelihood or probability score and an impact or severity score to the risk, and then multiplying them together to get the cumulative “risk score.” Most companies employ a 3×3 or 5×5 risk assessment matrix, with one being the lowest likelihood and impact, and higher numbers indicating a greater likelihood and impact.

  • Likelihood can be determined by assessing how probable it is that a given risk will occur or be realized. The more likely the event is to occur, the higher the likelihood score.
  • Impact can be determined by analyzing how severe the impact to the company would be if the risk were realized. The more severe the impact to the organization would be, the higher the impact score.

By giving risks a quantitative risk score and color-coding them accordingly, teams can better prioritize which risks need to be treated first, and can come up with appropriate action plans and mitigation strategies.

Types of Risk Categories: There are many different types of risk categories, including: strategic, financial, operational, compliance, security, reputational, and external risks, to name a few.

  • Strategic Risk: Strategic risks involve the company’s business strategy and objectives. Risks in this area can be realized when the business does not follow strategic plans, fails to define corporate strategy, and/or prepares an inadequate plan. Impacts from strategic risks that occur can resound throughout the entire organization, from senior management to granular business processes.
  • Financial Risk: These types of risks involve financial planning, debt management, and market changes among other factors that could affect an organization’s financials. There are subtypes of financial risk, such as currency, default, and liquidity risks. These are often significant risks that receive considerable attention from leadership, and can have a fundamental impact on business decisions.
  • Operational Risk: Operational risks impact day-to-day functions at the business, and are realized when a business process, control, or system fails. Risks in this category can impact an organization’s ability to deliver its products and services on time. Failure to complete internal and administrative tasks could also have an adverse impact on the company. Examples of operational risk can include, but are not limited to, global crises, IT system failures, natural catastrophes, and employee errors.
  • Quality Risk: Quality risks affect the product or service that customers consume. Any risks to the quality of products or services, or to the controls and processes that ensure quality meets acceptable thresholds would fall into this bucket. When quality risks are realized, they can affect customer satisfaction and trust.
  • Compliance Risk: Compliance risks are those risks related to legal, regulatory, and contractual obligations. Compliance risks are realized when compliance controls fail to operate effectively, do not address the risk in its entirety, and/or if the organization does not successfully fulfill its obligations. The impact of this category of risks typically takes the form of fines, terminated contracts, and/or inability to obtain a certification or attestation.
  • Security Risk: Security and cybersecurity risks pertain to the organization’s security posture, both physically and virtually. Cyber threats continue to proliferate and evolve in complexity, and malicious actors target companies to exfiltrate data, demand ransoms, and exploit vulnerabilities. This category of risks is quickly growing, and has rocketed to the top of risk teams’ priorities. The costs of cybersecurity breaches have risen each year, and the rise in cybercrime shows no sign of stopping.
  • Reputational Risk: These risks could impact an organization’s standing with clients, partners, investors, employees, regulatory bodies, customers, and the public. Reputational risks are often realized when a company makes a decision that demonstrates a lack of competence or awareness of social and environmental issues.
  • External Risk: External risks, unlike the risk categories listed above, do not come from an organization’s ability or inability to complete a function, establish controls, or mitigate risks. These risks are uncontrollable and can include events like natural disasters, geopolitical strife, climate change, and social upheaval. While companies may not be able to prevent these events, they can come up with contingency plans to limit collateral damage. 

Risk Response: After risks have been assessed and categorized, with the results captured in a risk register, risk practitioners, business stakeholders, and management can begin to define their ERM strategy and risk response plans. Each identified and assessed risk should now be “treated” according to the business’s risk appetite and thresholds. Risk treatment takes four common forms:

  • Risk Mitigation: The company addresses the risk with controls and processes to limit likelihood and/or impact.
  • Risk Avoidance: The company avoids the risk, usually by not proceeding with that opportunity or decision.
  • Risk Transference: The company transfers the risk to a third-party provider or insurance.
  • Risk Acceptance: The company chooses to accept the risk. This option should only be used if all other risk treatment possibilities have been exhausted, or if the risk is negligible in impact.

From the selected treatment method, teams can then devise action plans to match each risk. These decisions should be documented (in the risk register) regardless of which treatment method is used, along with justification if the organization chooses to accept, transfer, or avoid a risk. When opting to mitigate a risk, the business may have to establish new control activities or processes to achieve their desired outcome.
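The scoring, prioritization, and treatment-documentation rules described above, as an added Python example that is not part of the original article. The band cut-offs, the appetite value, the field names, the "If ..., then ..." statement wording, and the sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MATRIX_SIZE = 5  # 5x5 matrix; set to 3 for a 3x3 matrix
# Assumed color-coding cut-offs (lowest score in each band); tune to your appetite.
BANDS = [(15, "red"), (8, "amber"), (1, "green")]
TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}
# The article asks for a documented justification for these treatments.
NEEDS_JUSTIFICATION = {"accept", "transfer", "avoid"}


@dataclass
class Risk:
    risk_id: str
    category: str
    condition: str      # what might happen
    consequence: str    # what follows if it does
    likelihood: int     # 1 = lowest
    impact: int         # 1 = lowest
    treatment: str
    justification: str = ""

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= MATRIX_SIZE:
                raise ValueError(f"{self.risk_id}: {name}={value} outside 1..{MATRIX_SIZE}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def band(self):
        return next(color for floor, color in BANDS if self.score >= floor)

    def statement(self):
        return f"If {self.condition}, then {self.consequence}."


def prioritize(register):
    """Highest score first; ties go to the higher impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def review(register, appetite):
    """Return (risk_id, finding) pairs for entries that need attention."""
    findings = []
    for risk in prioritize(register):
        if risk.treatment == "accept" and risk.score > appetite:
            findings.append((risk.risk_id, "accepted-above-appetite"))
        if risk.treatment in NEEDS_JUSTIFICATION and not risk.justification.strip():
            findings.append((risk.risk_id, "missing-justification"))
    return findings


# Constructed sample register (not real data).
REGISTER = [
    Risk("R-001", "security", "internet-facing servers remain unpatched",
         "an attacker may exfiltrate customer data", 4, 5, "mitigate"),
    Risk("R-002", "compliance", "a vendor mishandles regulated records",
         "the company may face fines", 2, 4, "transfer"),
    Risk("R-003", "operational", "the billing system fails at month end",
         "invoices go out late", 3, 3, "accept", "low revenue exposure"),
    Risk("R-004", "external", "a regional storm closes the office",
         "staff work remotely for a week", 1, 2, "accept", "negligible impact"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} {r.score:>2} {r.band:<5} {r.treatment:<8} {r.statement()}")
    for risk_id, finding in review(REGISTER, appetite=6):
        print(f"REVIEW {risk_id}: {finding}")
```
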

Control Activities: The final phase in the enterprise risk management cycle involves defining, implementing, and executing on control activities that mitigate identified risks. New controls may have to be put into place to remediate gaps, and new processes may need to be captured in documentation to outline the steps employees must follow. 

Control activities are those activities designated by policies and procedures that address risks and support management objectives. They occur at every level of the company, from business processes to technology controls to strategic planning.

4. Monitoring and Continuous Improvement

Monitoring and continuously improving your program is another key component of an effective ERM function. Organizations should monitor their risk management program performance periodically, establishing benchmarks to assess results year-over-year. Through monitoring of ERM activities, the company can get ahead of large-scale changes at the organization that could affect overall risk strategy. Any substantial changes to ERM processes should be reflected in documentation, such as policies and procedures. 

Continuous improvement follows as a natural step to monitoring. An organization’s risk profile, ERM strategy, and stakeholders will change over time, necessitating regular updates to an ERM program. By capturing observations and gaps through the monitoring process, risk teams can iterate on and improve enterprise risk management.

5. Transparency, Communication, and Reporting

The final component we have identified as part of enterprise risk management is transparency, communication, and reporting. In order to create a valuable feedback loop, the outcomes and status of ERM initiatives should be communicated to relevant stakeholders and reported back to leadership. Their feedback should be solicited and taken into account to optimize the ERM program.

Reports on enterprise risk management include information about the program, formal reports on risks, mitigation, culture, and program performance. Remaining mindful of the audience and customizing reports to meet the needs of senior management can go a long way in terms of communicating your message and garnering executive buy-in.

What Are the Benefits of Enterprise Risk Management?

Enterprise risk management takes a holistic view of an organization’s risk posture, objectives, and internal environment, unifying once-siloed risk management activities. In addition to providing a more comprehensive view of company risks and action plans, ERM processes encourage collaboration across different business units for the purpose of mitigating and better managing risks. ERM practices offer other benefits in the form of standardized risk reporting, increased focus on risk, greater efficiency in resource allocation, effective compliance coordination, and enhanced confidence.

Standardized Risk Reporting

An enterprise risk management program looks to pull together separate risk functions and consolidate them for a complete view of the organization. As part of this consolidation, ERM functions tend to establish a standard for risk reporting that affects all or most risk management activities. By standardizing risk reporting format, content, and structure, companies will no longer be comparing apples to oranges and instead have a consistent set of parameters to compare across the organization and measure ERM performance. 

Increased Focus and Perspective on Risk

The ERM methodology starts at the top of the organization, with senior management setting objectives and deriving risks from those strategic goals. Since leadership is engaged in the ERM process from the get-go, driving focus on risk, that tone flows down to management, their teams, and the employees that comprise them. With strong risk-centric messaging and initiatives coming from the top, the entire organization is encouraged to participate in enterprise risk management and maintain a culture of risk awareness.

Enterprise risk management practices take a broad view of risks, expanding stakeholders’ perspectives, deepening their insights, and contributing to their decisions. Decision-making integrates risk considerations and information, and decisions are compared against the organization’s risk appetite and thresholds.

Effective Compliance Coordination

As we’ve mentioned before, one of the goals for enterprise risk management as a discipline was to improve coordination and collaboration between different business units as they manage their risks. ERM functions are positioned at the center of an organization’s risk management strategy, and seek to develop an all-encompassing understanding of the company’s entire risk profile. Through communication and teamwork with business units, an ERM approach builds relationships of trust and transparency that fuel better coordination between disparate risk management functions.

Greater Efficiency in Resource Allocation

With better communication, collaboration, and coordination, ERM programs drive efficiencies in resource allocation for risk activities. ERM functions have a comprehensive view of the company’s risk profile, including macro objectives and priorities. Thus, ERM teams are well-equipped to allocate resources where they are needed, and based on risk-conscious decision-making. 

Enhanced Confidence

Enterprise risk management methodology provides organizations with a holistic view of their risk posture. Companies gain more confidence from knowing that ERM practices are designed to catch risks that slip through the cracks of siloed business units, and facilitate better collaboration and communication with all levels of the organization. Senior management has more confidence that they are making risk-conscious decisions to pursue beneficial opportunities and protect the company. Regulators and auditors can be confident that a company with an effective ERM program conducts regular risk assessments and seeks to improve its risk management efforts.

What Are the Different ERM Frameworks?

To realize the benefits of enterprise risk management methodology, companies have the option of leveraging existing ERM frameworks to develop and improve their program. There are many ERM frameworks that have been released by standards bodies, information security thought leaders, professional associations, and even government organizations. We’ve listed a few here — though companies are also welcome to employ a bespoke or custom ERM framework derived from best practices.

COSO ERM Integrated Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed and released an initial ERM framework called the “Enterprise Risk Management – Integrated Framework” or ERM-IF. They are also responsible for creating and providing the COSO Internal Control – Integrated Framework (ICIF) that most public companies leverage for SOX internal controls purposes.

This framework was updated in 2017 with a new publication called “COSO Enterprise Risk Management – Integrating with Strategy and Performance.” This framework defines five components of effective enterprise risk management, with 20 principles divided among the five.

ISO 31000 Risk Management Standard

ISO, the International Organization for Standardization, has released a family of risk management standards and guidance, collectively known as the ISO 31000 family. This framework focuses on establishing management system standards and achieving organizational goals, much like other enterprise risk management approaches. While ISO 31000 cannot be certified against, many organizations, especially international organizations, leverage this framework for risk management best practices. ISO reviews its guidance and standards every five years, so you can expect regular updates and improvements.

NIST Risk Management Framework (RMF)

The National Institute of Standards and Technology Risk Management Framework (NIST RMF) is a framework with a focus on security, privacy, and the cyber supply chain. The NIST RMF has seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. The RMF is supported by NIST’s Special Publications in the 800-53 family, specifically 800-53, 800-53B, and 800-53A. If your organization is looking to improve its cybersecurity risk management posture, the NIST RMF is a great place to start.

[Figure: NIST RMF]

COBIT ERM Framework

Another framework with a focus on IT risk management is the COBIT ERM framework, also known as COBIT 5. This ERM framework was developed by ISACA, a recognized membership organization of IS/IT professionals and industry thought leaders. The COBIT ERM framework is a flexible one, allowing for integration with other frameworks, like COSO’s ERM-IF or ISO 31000. COBIT 5 looks at a set of enablers that contribute to risk functions and risk management, such as processes; organizational structures; culture, ethics, and behavior; principles, policies, and frameworks; information; services, infrastructure and applications; and people, skills, and competencies.

RIMS Risk Maturity Model ERM Framework

The Risk and Insurance Management Society (RIMS) Risk Maturity Model (RMM) enterprise risk management framework is another flexible framework that can be employed by companies in every industry. This framework establishes five maturity levels for an organization’s ERM program: Ad Hoc (Level 1), Initial (Level 2), Repeatable (Level 3), Managed (Level 4), and Leadership (Level 5). The RIMS Risk Maturity Model outlines seven attributes for effective enterprise risk management:

  • Take an ERM-based approach.
  • Integrate ERM processes and management.
  • Manage risk appetite.
  • Encourage and drive root cause analyses.
  • Uncover risks.
  • Manage performance.
  • Establish and maintain business resiliency and sustainability.

Custom ERM Frameworks

Organizations in heavily regulated industries or with complex enterprise risk management needs may opt to develop their own custom ERM framework. Even if your organization plans to create a bespoke framework, referencing one or more of the frameworks above can help build the foundation of a custom program. 

In any event, a custom ERM framework should still incorporate some key practices, like:

  • Executing the risk management cycle, including risk identification, assessment, response, and monitoring.
  • Establishing and defining the organization’s overarching goals, objectives, and strategy.
  • Collaborating and coordinating across business units, management, and leadership.
  • Conducting periodic risk assessments.
  • Reporting on enterprise risk management performance and outcomes.
  • Continuously improving and optimizing enterprise risk management processes.

Leverage AuditBoard for Your ERM Needs

Regardless of which ERM framework your company chooses to leverage (even a custom one), utilizing an enterprise risk management software solution can make your team’s job much easier, driving efficiencies, collaboration, and centralization. 

  • Define and track key risk indicators (KRIs), and set benchmarks to measure year-over-year performance in a central document repository. 
  • Simplify risk assessments through AuditBoard’s collaboration and coordination features, which allow you to communicate across the enterprise and assign tasks to their owners. 
  • Drive mitigation and action plans for identified risks, soliciting input from stakeholders, affected teams, and management, then tracking progress in one place. 
  • Pull crucial reports with ease, saving your team time and money.

Frequently Asked Questions About Enterprise Risk Management

What are the components of enterprise risk management?

The five components of enterprise risk management are: 

  • Company Culture, Governance, and Values
  • Strategic Planning, Objectives, and Goal Setting
  • Risk Management Cycle (COSO calls this “Performance”)
  • Monitoring and Continuous Improvement (COSO calls this “Review & Revision”)
  • Transparency, Communication, and Reporting

What are the benefits of enterprise risk management?

ERM practices offer benefits in the form of standardized risk reporting, increased focus on risk, greater efficiency in resource allocation, effective compliance coordination, and enhanced confidence.

What are the different ERM frameworks?

There are several different ERM frameworks that have been released, including the COSO ERM – Integrated Framework, the ISO 31000 family of standards and guidance, the NIST Risk Management Framework (RMF), the COBIT ERM Framework, and the RIMS Risk Maturity Model (RMM) ERM Framework.

Mitchell Nazarov, M.S., CDPSE, works on AuditBoard’s implementation team specializing in compliance. Prior to joining AuditBoard, Mitchell spent 5+ years scaling up GRC programs, vulnerability management teams and leading information security and compliance audits in the application security and healthcare industries. Mitchell specializes in cybersecurity audits, NIST frameworks, SOC 2, enterprise risk management, and software implementations.