3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

TRADE

BUSINESS BUSINESS ESSENTIALS

Enterprise Risk Management (ERM):

What Is It and How It Works
By ADAM HAYES Updated September 07, 2022
Reviewed by AMY DRURY

What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk
management strategically from the perspective of the entire firm or
organization. It is a top-down strategy that aims to identify, assess, and prepare
for potential losses, dangers, hazards, and other potentials for harm that may
interfere with an organization's operations and objectives and/or lead to losses.

KEY TAKEAWAYS
Enterprise risk management (ERM) is a firm-wide strategy to identify
and prepare for hazards with a company's finances, operations, and
objectives.
ERM allows managers to shape the firm's overall risk position by
mandating certain business segments engage with or disengage from
particular activities.
Traditional risk management, which leaves decision-making in the
hands of division heads, can lead to siloed evaluations that do not
account for other divisions.
The COSO framework for enterprise risk management identifies eight
core components of developing ERM practices.
Successful ERM strategies can mitigate operational, financial, security,
compliance, legal, and many other types of risks.

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 1/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

Understanding Enterprise Risk Management (ERM)

TRADE
Enterprise risk management takes a holistic approach and calls for
management-level decision-making that may not necessarily make sense for an
individual business unit or segment. Thus, instead of each business unit being
responsible for its own risk management, firm-wide surveillance is given
precedence.

It also often involves making the risk plan of action available to all stakeholders
as part of an annual report. Industries as varied as aviation, construction, public
health, international development, energy, finance, and insurance all have
shifted to utilize ERM.

ERM, therefore, can work to minimize firmwide risk as well as identify unique
firmwide opportunities. Communicating and coordinating between different
business units is key for ERM to be successful, since the risk decision coming
from top management may seem at odds with local assessments on the
ground. Firms that utilize ERM will typically have a dedicated enterprise risk
management team that oversees the workings of the firm.

In
E

In
Sto
New
While ERM best practices and standards are still evolving, they have been
formalized through COSO, an industry group that maintains and updates such
guidance for companies and ERM professionals.

FAST FACT

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 2/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

ERM-friendly firms may be attractive to investors because they

TRADE
signal more stable investments.
A Holistic Approach to Risk Management
Modern businesses face a diverse set of risks and potential dangers. In the past,
companies traditionally handled their risk exposures via each division
managing its own business. Enterprise risk management calls for corporations
to identify all the risks they face. It also makes management decide which risks
to manage actively. As opposed to risks being siloed across a company, a
company sees the bigger picture when using ERM.

ERM looks at each business unit as a "portfolio" within the firm and tries to
understand how risks to individual business units interact and overlap. It is also
able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management
has relied on each business unit evaluating and handling their own risk and
then reporting back to the CEO at a later date. More recently, companies have
started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that is
required from an ERM standpoint. The CRO is responsible for identifying,
analyzing, and mitigating internal and external risks that impact the entire
corporation. The CRO also works to ensure that the company complies with
government regulations, such as Sarbanes-Oxley (SOX), and reviews factors
that could hurt investments or a company's business units. The CRO's mandate
will be specified in conjunction with other top management along with the
board of directors and other stakeholders.

FAST FACT
A good indication that a company is working at effective ERM is the
presence of a chief risk officer (CRO) or a dedicator manager who
coordinates ERM efforts.

Components of Enterprise Risk Management

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 3/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

The COSO enterprise risk management framework identifies eight core

TRADE
components that define how a company should approach creating its ERM
practices.

Internal Environment
A company's internal environment is the atmosphere and corporate culture
within the company set by its employees. This sets the precedence of what the
company's risk appetite is and what management's philosophy is regarding
incurring risk. The internal environment may be set by upper management or
the board and communicated throughout an organization, though it is often
reflected through the actions of all employees.

Objective Setting
As a company determines its purpose, it must set objectives that support the
mission and goals of a company. These objectives must then be aligned with a
company's risk appetite. For example, an ambitious company that has set far-
reaching strategic plans must be aware there may be internal risks or external
risks associated with these lofty goals. In response, a company can align the
measures to be taken with what it wants to accomplish such as hiring
additional regulatory staff for expansion areas it is currently unfamiliar with.

Event Identification
Positive events may have a great impact on a company. On the other hand,
negative events may have detrimental outcomes on a company's ability to
continue to operate. ERM guidance recommends that companies identify
important areas of the business and associated events that may have dire
outcomes. These high risk events may pose risks to operations (i.e. natural
disasters that force offices to temporarily close) or strategic (i.e. government
regulation outlaws the company's primary product line).

Risk Assessment
In addition to being aware of what may happen, the ERM framework details the
step of assessing risk by understanding the likelihood and financial impact of
risks. This includes not only the direct risk (i.e. a natural disaster yields an office

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 4/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

unusable) but residual risks (i.e. employees may not feel safe returning to the
TRADE
office). Though difficult, the ERM framework encourages companies to consider
quantifying risks by assessing the percent change of occurrence as well as the
dollar impact.

Risk Response
A company can respond to risk in the following four ways:

1. The company can avoid risk. This results in the company leaving the activity
that causes the risk as the company would rather forgo the benefits of the
activity than incur the risk. An example of risk avoidance is a company
shutting down a product line and discontinuing selling a specific good.
2. The company can reduce risk. This results in the company staying engaged
in the activity but putting forth effort in minimizing the likelihood or
magnitude of the risk. An example of risk reduction is a company keeping
the product line above open but investing more in quality control or
consumer education on how to property use the product.
3. The company can share risk. This results in the company moving forward
as-is with the current risk profile of the activity. However, the company
leverages an independent third party to share in the potential loss in
exchange for a fee. An example of risk sharing is purchasing an insurance
policy.
4. The company can accept risk. This results in the company analyzing the
potential outcomes and determining whether it is financially worth
pursuing mitigating practices. An example of risk acceptance is the
company keeping open the product line with no changes to operations and
risk sharing.

Control Activities
Control activities are the actions taken by a company to create policies and
procedures to ensure management carries out operations while mitigating risk.
Control activities, often referred to as internal controls, are broken into two
different types of processes:

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 5/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

1. Preventative control activities are in place to stop an activity from

TRADE
happening. These controls aim to mitigate risk by disallowing certain events
from happening. An example of a preventative control is a keypad or
physical lock preventing all employees from entering into a sensitive area.
2. Detective control activities are in place to recognize when a risky action has
taken place. Although the event is allowed to happen (or was not supposed
to happen but still did), detective controls may alert management to ensure
appropriate follow-up steps occur. An example of a detective control is an
alarm for the room or a l

Information and Communication

Information systems should be able to capture data useful to management to
better understand a company's risk profile and management of risk. This means
not granting exceptions for departments outperforming others; all aspects of a
company should be continually monitored. By extension, some of this data
should be analyzed and communicated to employees if it is relevant to
mitigating risk. By communicating with employees, there is more likely to be
greater buy-in for processes and protection over company assets.

Monitoring
A company can turn to an internal committee or an external auditor to review
its policies and practices. This may include reviewing what is actually
performed compared to what policy documents suggest. This may also entail
getting feedback, analyzing company data, and informing management of
unprotected risks. In an ever-changing environment, companies must also be
ready to assess their ERM environment and pivot as needed.

Important: The Committee of Sponsoring Organizations (COSO)

board published the ERM framework in 2004, and the publication has
been widely used since. [1]

How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company's size, risk preferences, and
business objectives. Below are best practices most companies can use to
implement ERM strategies.
https://www.investopedia.com/terms/e/enterprise-risk-management.asp 6/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

Define risk philosophy. Before implementing any practices, a company must

TRADE
identify how it feels about risk and what its strategy around risk will be. This
should involve strategic discussions between management and an analysis
of a company's entire risk profile.
Create action plans. With a company's risk philosophy in hand, it is time to
create an action plan. This defines the steps a company must take to protect
its assets and plans to protect the future of the organization after a risk
assessment has been performed.
Be creative. When considering risks, ERM entails thinking broadly about the
problems a company may face. Though far-fetched, it is in a company's best
interest to think of as many challenges it may face and how it will respond
(or decide to not respond) to should the event happen.
Communicate priorities. A company may determine several high-important
risks are critical to mitigate for the continuation of the company. These
priorities should be communicated and broadly understood as the risks that
should not be incurred under any circumstance. Alternatively, a company
may wish to communicate the plans if the event were to occur.
Assign responsibilities. When an action plan has been devised, specific
employees should be identified to carry out specific parts of the plan. This
may include delegating tasks to specific positions should employees leave
the company. This not only allows for all action items to be worked on but
will hold members responsible for their area(s) of risk.
Maintain flexibility. As companies and risks evolve, a company must design
ERM practices to be adaptable. The risks a company faces one day may be
different the next; the company must be able to carry its current plan while
still making plans for new, future risks.
Leverage technology. ERM digital platforms may host, summarize, and track
many of the risks of a company. Technology can also be used to implement
internal controls or gather data on how performance is tracking to ERM
practices.
Continually monitor. Once ERM practices are in place, a company must
ensure the practices are adhered to. This means tracking progress towards
goals, ensuring certain risks are being mitigated, and employees are
performing tasks as expected.

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 7/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

Use metrics. As part of monitoring ERM practices, a company should

TRADE
develop a series of metrics to quantifiably gauge whether it is meeting
targets. Often referred to as SMART goals, these metrics keep a company
accountable on whether it met objectives or not.

Tip: As a company implements ERM practices, it is widely advised to

continually gather feedback from all employees. Everyone will have a
different perspective of what might not be working or what could be
done better.

Advantages and Disadvantages of Enterprise Risk Management

Advantages of ERM
ERM sets the organizational-wide expectations around a company's culture.
This includes communicating more openly about the risks a company faces and
how to mitigate them. This leads to less unexpected risks and more guided
direction on how to respond to certain events.

In addition, this may lead to greater employee satisfaction knowing plans are in
place to protect company resources as well as greater customer service
knowing how to respond to customers should certain risks actually occur.

ERM practices are often synthesized by a standardized risk report delivered to

upper management. This report succinctly summaries the risks a company
faces, the actions being taken, and information needed for decision-making. As
a result, a company may be more efficient with its time, especially considering
what is delivered to upper management

ERM may also have a company-wide positive impact on the resourcefulness of

the business. ERM may eliminate redundant process, ensure efficient use of
staff, reduce theft, or increase profitability by better understanding what
markets to enter into.

Disadvantages of ERM
As a company builds out its ERM practices, it will likely consider familiar risks it
has been exposed to in the past. Therefore, ERM is limited in identifying future
https://www.investopedia.com/terms/e/enterprise-risk-management.asp 8/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

risks that the organization is unaware that may have more detrimental impacts.
TRADE
In this manner, some may consider ERM as reactive as companies can only
forecast risk based on what they have prior experience on.

ERM also relies very heavily on management estimates and inputs. This may be
nearly impossible to accurately predict. For example, in the very low chance a
company forecast the occurance of the COVID-19 pandemic, would a company
be able to accurately calculate the fiscal impact of business closures or changes
in consumer spending? ERM mitigation costs may also be difficult to assess.

ERM practices are time-intensive and therefore require resources of the

company to be successful. Though the company will benefit from protecting its
assets, a company must detract time of its staff and may make capital
investments to implement ERM strategies. In addition, a company may find it
difficult to quantify the success of ERM as financial risks that do not occur must
simply be projected.

ERM Practices
Pros
• May make a company more prepared for risks and uncertainties
• May leave employees more satisfied with the future state of the company
• May result in greater customer service as companies are prepared for
certain situations
• May result in efficient reporting to upper management that enhances
decision-making
• May lead to more efficient company-wide operations

Cons
• May not accurately identify the risks a company is likely to experience
• May not accurately assess the financial impact or likelihood of an
outcome
• Often requires time investment from a company in order to be successful
• Often requires capital investment from a company in order to be
successful
https://www.investopedia.com/terms/e/enterprise-risk-management.asp 9/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

What Types of Risks Does Enterprise Risk Management

TRADE
Address?
ERM can help devise plans for almost any type of business risk. Business risk
threatens a company's ability to survive, and these risks may be further
classified into different risks discussed below. In general, ERM most commonly
addresses the following types of risk:

Compliance risk threatens a company due to a violation of external law or

requirement. An example of compliance risk is a company's inability to
produce timely financial statements in accordance with applicable
accounting rules such as GAAP.
Legal risk threatens a company should the company face lawsuit or penalty
for contractual, dispute, or regulatory issues. An example of legal risk is a
billing dispute with a major customer.
Strategic risk threatens a company's long-term plan. For example, new
market participants in the future may supplant the company as the lowest-
cost provider of a good.
Operational risk threatens the day-to-day activities required for the
company to operate. An example of operational risk is a natural disaster that
damages a company's warehouse where inventory is stored.
Security risk threatens the company's assets if physical or digital assets are
misappropriated. An example of security risk is insufficient controls
overseeing sensitive client information stored on network servers.
Financial risk threatens the debt or financial standing of a company. An
example of financial risk is translation losses by holding foreign currency.

What Is ERM and Why Is It Important?

ERM is a company's approach to managing risk. It is the practices, policies, and
framework for how a company handles a variety of risks its business faces. ERM
is important because it helps prevent losses or unexpected negative outcomes.
ERM is also important because it helps a company set the plans in place to
strategically approach risk and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 10/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

ERM often summaries the risks a company faces into operational, financial, and
TRADE
strategic risks. Operational risks impact day-to-day operations, while strategic
risks impact long-term plans. Financial risks impact the general financial
standing and health of a company.
What Are the 8 Components of ERM?
The COSO framework for ERM identifies eight components: internal
environment, objective setting, event identification, risk assessment, risk
response, control activities, information & communication, and monitoring.
These eight core components drive a company's ERM practices.

What Is the Difference Between Risk Management and

Enterprise Risk Management?
Risk management has traditionally been used to describe the practices and
policies surrounding a specific risk a company faces. More modern risk
management has introduced ERM, a comprehensive, company-wide approach
to view risk holistically for the entire company.

The Bottom Line

As a company makes, sells, and delivers goods to customers, it faces countless
risks from numerous sources. To better plan for these risks, companies are
turning to enterprise risk management, a company-wide, top-down approach
of assessing risk and devising plans. The ultimate goal of ERM is to protect a
company's assets and operations while have strategies in place should certain
unfortunate events occur.
Open A Trading Account in Under 5 Minutes SPONSORED

Open a trading account in under 5 minutes and join 900,000 others globally
trading long or shot on US, AU, UK and EU Share CFDs, and access 1000+ other
CFD products over assets like indices, gold, and forex with an award-winning
broker. Trade from $6 commission a side, and access free education and trading
tools with 24/5 phone support. Learn more about trading with Vantage and get
started today.

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 11/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

ARTICLE SOURCES TRADE

Related Terms
Operational Risk Overview, Importance, and Examples
Operational risk summarizes the chances a company faces in the course of conducting its
daily business activities, procedures, and systems. more

Risk Analysis: Definition, Types, Limitations, and Examples

Risk analysis is the process of assessing the likelihood of an adverse event occurring
within the corporate, government, or environmental sector. more

Internal Controls: Definition, Types, and Importance

Internal controls are processes and records that ensure the integrity of financial and
accounting information and prevent fraud. more

Chief Risk Officer Definition, Common Threats Monitored

A chief risk officer (CRO) is an executive who identifies and mitigates events that could
threaten a company. more

What Is Strategic Management?

Strategic management is the management of an organization’s resources in order to
achieve its goals and objectives. more

What Is a Gap Analysis?

Gap analysis is the process that companies use to examine their current performance vs.
their desired, expected performance. more

Partner Links

Trade at XM with low spreads, no commission

and negative balance protection.

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 12/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

Learn to trade stocks by investing $100,000

TRADE
virtual dollars...

Sign up for our daily newsletters

Listen to the Investopedia Express podcast on

Spotify

Related Articles
BUSINESS ESSENTIALS
Identifying and Managing Business Risks

BUSINESS
Risk Management Framework (RMF)

SOCIALLY RESPONSIBLE INVESTING

The 3 Pillars of Corporate Sustainability

CORPORATE FINANCE BASICS

Capital Budgeting: What It Is and How It Works

Business Meeting BUSINESS ESSENTIALS

Financial Risk: The Major Kinds That Companies
Face

Risk SECTORS & INDUSTRIES

management The Importance of Health Care Risk Management

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 13/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works

TRADE

TRUSTe

About Us Terms of Use

Dictionary Editorial Policy

Advertise News

Privacy Policy Contact Us

Careers

Investopedia is part of the Dotdash Meredith publishing family.

https://www.investopedia.com/terms/e/enterprise-risk-management.asp 14/14