Enterprise Risk Management (ERM) - What Is It and How It Works
KEY TAKEAWAYS
Enterprise risk management (ERM) is a firm-wide strategy to identify
and prepare for hazards to a company's finances, operations, and
objectives.
ERM allows managers to shape the firm's overall risk position by
mandating certain business segments engage with or disengage from
particular activities.
Traditional risk management, which leaves decision-making in the
hands of division heads, can lead to siloed evaluations that do not
account for other divisions.
The COSO framework for enterprise risk management identifies eight
core components of developing ERM practices.
Successful ERM strategies can mitigate operational, financial, security,
compliance, legal, and many other types of risks.
https://www.investopedia.com/terms/e/enterprise-risk-management.asp 1/14
3/24/23, 3:35 AM Enterprise Risk Management (ERM): What Is It and How It Works
It also often involves making the risk plan of action available to all stakeholders
as part of an annual report. Industries as varied as aviation, construction, public
health, international development, energy, finance, and insurance all have
shifted to utilize ERM.
ERM, therefore, can work to minimize firmwide risk as well as identify unique
firmwide opportunities. Communicating and coordinating between different
business units is key for ERM to be successful, since the risk decision coming
from top management may seem at odds with local assessments on the
ground. Firms that utilize ERM will typically have a dedicated enterprise risk
management team that oversees the workings of the firm.
While ERM best practices and standards are still evolving, they have been
formalized through COSO, an industry group that maintains and updates such
guidance for companies and ERM professionals.
FAST FACT
ERM looks at each business unit as a "portfolio" within the firm and tries to
understand how risks to individual business units interact and overlap. It is also
able to identify potential risk factors that are unseen by any individual unit.
Companies have been managing risk for years. Traditional risk management
has relied on each business unit evaluating and handling their own risk and
then reporting back to the CEO at a later date. More recently, companies have
started to recognize the need for a more holistic approach.
A chief risk officer (CRO), for instance, is a corporate executive position that is
required from an ERM standpoint. The CRO is responsible for identifying,
analyzing, and mitigating internal and external risks that impact the entire
corporation. The CRO also works to ensure that the company complies with
government regulations, such as Sarbanes-Oxley (SOX), and reviews factors
that could hurt investments or a company's business units. The CRO's mandate
will be specified in conjunction with other top management along with the
board of directors and other stakeholders.
FAST FACT
A good indication that a company is working at effective ERM is the
presence of a chief risk officer (CRO) or a dedicated manager who
coordinates ERM efforts.
Internal Environment
A company's internal environment is the atmosphere and corporate culture
within the company set by its employees. This sets the precedent for the
company's risk appetite and for management's philosophy regarding
incurring risk. The internal environment may be set by upper management or
the board and communicated throughout an organization, though it is often
reflected in the actions of all employees.
Objective Setting
As a company determines its purpose, it must set objectives that support the
mission and goals of a company. These objectives must then be aligned with a
company's risk appetite. For example, an ambitious company that has set far-
reaching strategic plans must be aware there may be internal risks or external
risks associated with these lofty goals. In response, a company can align the
measures to be taken with what it wants to accomplish, such as hiring
additional regulatory staff for expansion areas it is currently unfamiliar with.
Event Identification
Positive events may have a great impact on a company. On the other hand,
negative events may have detrimental outcomes on a company's ability to
continue to operate. ERM guidance recommends that companies identify
important areas of the business and associated events that may have dire
outcomes. These high-risk events may be operational (e.g., natural
disasters that force offices to close temporarily) or strategic (e.g., government
regulation that outlaws the company's primary product line).
Risk Assessment
In addition to being aware of what may happen, the ERM framework details the
step of assessing risk by understanding the likelihood and financial impact of
risks. This includes not only the direct risk (e.g., a natural disaster renders an office
unusable) but also residual risks (e.g., employees may not feel safe returning to the
office). Though difficult, the ERM framework encourages companies to consider
quantifying risks by assessing the percent chance of occurrence as well as the
dollar impact.
Risk Response
A company can respond to risk in the following four ways:
1. The company can avoid risk. This results in the company leaving the activity
that causes the risk as the company would rather forgo the benefits of the
activity than incur the risk. An example of risk avoidance is a company
shutting down a product line and discontinuing selling a specific good.
2. The company can reduce risk. This results in the company staying engaged
in the activity but putting forth effort to minimize the likelihood or
magnitude of the risk. An example of risk reduction is a company keeping
the product line above open but investing more in quality control or
consumer education on how to properly use the product.
3. The company can share risk. This results in the company moving forward
as-is with the current risk profile of the activity. However, the company
leverages an independent third party to share in the potential loss in
exchange for a fee. An example of risk sharing is purchasing an insurance
policy.
4. The company can accept risk. This results in the company analyzing the
potential outcomes and determining whether it is financially worth
pursuing mitigating practices. An example of risk acceptance is the
company keeping open the product line with no changes to operations and
risk sharing.
Control Activities
Control activities are the actions taken by a company to create policies and
procedures to ensure management carries out operations while mitigating risk.
Control activities, often referred to as internal controls, are broken into two
different types of processes:
Monitoring
A company can turn to an internal committee or an external auditor to review
its policies and practices. This may include reviewing what is actually
performed compared to what policy documents suggest. This may also entail
getting feedback, analyzing company data, and informing management of
unprotected risks. In an ever-changing environment, companies must also be
ready to assess their ERM environment and pivot as needed.
In addition, this may lead to greater employee satisfaction knowing plans are in
place to protect company resources as well as greater customer service
knowing how to respond to customers should certain risks actually occur.
Disadvantages of ERM
As a company builds out its ERM practices, it will likely consider familiar risks it
has been exposed to in the past. Therefore, ERM is limited in identifying future
risks that the organization is unaware of and that may have more detrimental impacts.
In this manner, some may consider ERM reactive, as companies can only
forecast risk based on what they have prior experience with.
ERM also relies very heavily on management estimates and inputs. These may be
nearly impossible to predict accurately. For example, in the very unlikely case that a
company had forecast the occurrence of the COVID-19 pandemic, would that company
have been able to accurately calculate the fiscal impact of business closures or changes
in consumer spending? ERM mitigation costs may also be difficult to assess.
ERM Practices
Pros
• May make a company more prepared for risks and uncertainties
• May leave employees more satisfied with the future state of the company
• May result in greater customer service as companies are prepared for
certain situations
• May result in efficient reporting to upper management that enhances
decision-making
• May lead to more efficient company-wide operations
Cons
• May not accurately identify the risks a company is likely to experience
• May not accurately assess the financial impact or likelihood of an
outcome
• Often requires time investment from a company in order to be successful
• Often requires capital investment from a company in order to be
successful
ERM often summarizes the risks a company faces into operational, financial, and
strategic risks. Operational risks impact day-to-day operations, while strategic
risks impact long-term plans. Financial risks impact the general financial
standing and health of a company.
What Are the 8 Components of ERM?
The COSO framework for ERM identifies eight components: internal
environment, objective setting, event identification, risk assessment, risk
response, control activities, information & communication, and monitoring.
These eight core components drive a company's ERM practices.