Enterprise Risk Management (ERM): What It Is and How It Works

Adam Hayes, Ph.D., CFA, is a financial writer with 15+ years Wall Street experience as a derivatives trader. Besides his extensive derivative trading expertise, Adam is an expert in economics and behavioral finance. Adam received his master's in economics from The New School for Social Research and his Ph.D. from the University of Wisconsin-Madison in sociology. He is a CFA charterholder as well as holding FINRA Series 7, 55 & 63 licenses. He currently researches and teaches economic sociology and the social studies of finance at the Hebrew University in Jerusalem.

Updated June 21, 2024. Reviewed by Natalya Yashina

Natalya Yashina is a CPA, DASM with over 12 years of experience in accounting including public accounting, financial reporting, and accounting policies.


What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses.


Understanding Enterprise Risk Management (ERM)

Enterprise risk management takes a holistic approach and calls for management-level decisions that may not make sense from the perspective of any single business unit or segment. Instead of each business unit being solely responsible for its own risk management, firm-wide oversight takes precedence.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units are key for ERM to succeed, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

While ERM best practices and standards are still evolving, they have been formalized by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of several accounting and finance professional bodies that maintains and updates such guidance for companies and ERM professionals.

ERM-friendly firms may be attractive to investors because they signal more stable investments.

A Holistic Approach to Risk Management

Modern businesses face a diverse set of risks and potential dangers. In the past, companies typically handled risk exposures division by division, with each unit managing the risks of its own business. Enterprise risk management calls for corporations to identify all the risks they face and requires management to decide which risks to manage actively. Rather than leaving risks siloed across the company, ERM lets the company see the bigger picture.

ERM looks at each business unit as a “portfolio” within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management relied on each business unit evaluating and handling its own risk and then reporting results upward after the fact. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that ERM programs commonly create. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that affect the entire corporation.

The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company’s business units. The CRO’s mandate will be specified in conjunction with other top management along with the board of directors and other stakeholders.

A good indication that a company is practicing effective ERM is the presence of a CRO or a dedicated manager who coordinates ERM efforts.

Components of Enterprise Risk Management

The COSO enterprise risk management framework, as published in 2004, identifies eight core components that define how a company should approach building its ERM practices.

Internal Environment

A company’s internal environment is the atmosphere and corporate culture within the company, as shaped by its people. It sets the tone for the company’s risk appetite and for management’s philosophy regarding taking on risk. The internal environment may be defined by upper management or the board and communicated throughout the organization, but it is ultimately reflected in the actions of all employees.

Objective Setting

As a company determines its purpose, it must set objectives that support its mission and goals. These objectives must then be aligned with the company’s risk appetite. For example, an ambitious company with far-reaching strategic plans must be aware of the internal and external risks associated with those goals. In response, it can align the measures it takes with what it wants to accomplish, such as hiring additional compliance staff for expansion into markets it is unfamiliar with.

Event Identification

Positive events may have a great impact on a company, while negative events may undermine its ability to continue operating. ERM guidance recommends that companies identify the important areas of the business and the events that could have dire outcomes for them. These high-risk events may be operational (e.g., a natural disaster forces offices to close temporarily) or strategic (e.g., new government regulation outlaws the company’s primary product line).

Risk Assessment

In addition to being aware of what may happen, the ERM framework details the step of assessing each risk by understanding its likelihood and financial impact. This covers not only the direct loss (e.g., a natural disaster renders an office unusable) but also secondary, knock-on effects (e.g., employees may not feel safe returning to the office). Though difficult, the framework encourages companies to quantify risks by estimating both the probability of occurrence and the dollar impact, so that risks can be compared and prioritized on a common scale.

Risk Response

A company can respond to risk in the following four ways:

  1. The company can avoid risk. It exits the activity that causes the risk, preferring to forgo the activity’s benefits rather than bear the risk. An example of risk avoidance is a company shutting down a product line and discontinuing sales of a specific good.
  2. The company can reduce risk. It stays engaged in the activity but works to lower the likelihood or magnitude of the risk. An example of risk reduction is keeping the product line above open while investing more in quality control or in educating consumers on how to use the product properly.
  3. The company can share risk. It continues the activity with its current risk profile but pays a third party to absorb part of any loss. The classic example of risk sharing is purchasing an insurance policy.
  4. The company can accept risk. After analyzing the potential outcomes, it concludes that the cost of mitigation is not justified by the expected loss and carries the risk itself. An example of risk acceptance is keeping the product line open with no changes to operations and no risk sharing.
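The Risk Assessment and Risk Response steps above can be made concrete with a small quantitative risk register. The following is an added example, not part of the COSO framework or of the original article, and all of its figures (event rates, loss sizes, control costs, insurance terms) are constructed for illustration. Each risk is scored as its annualized loss expectancy (ALE = annual rate of occurrence x single loss expectancy); each of the four COSO responses (avoid, reduce, share, accept) is priced as its annual cost plus the residual ALE it leaves behind; the cheapest total wins. The `Risk`, `Response`, `sample_register`, `rank_by_inherent_ale` and `plan` names are this example's own.

```python
"""Quantitative risk register: score risks by annualized loss expectancy and
pick the cheapest COSO response. Added example with constructed figures; not
part of the COSO framework or of the original article."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Response:
    """A candidate treatment for one risk (constructed parameters).

    kind: avoid | reduce | share | accept
    annual_cost: control spend, insurance premium, or profit forgone by avoiding
    likelihood_factor / impact_factor: multipliers applied to ARO / SLE
    retained_per_event: cap on the loss the firm still bears per event after
        sharing (e.g. an insurance deductible); None means no cap
    """
    kind: str
    annual_cost: float = 0.0
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0
    retained_per_event: float | None = None


@dataclass
class Risk:
    name: str
    aro: float  # annual rate of occurrence, events per year
    sle: float  # single loss expectancy, dollars per event
    responses: list[Response] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Expected annual loss with no treatment applied: ARO x SLE."""
        return self.aro * self.sle

    def residual_ale(self, r: Response) -> float:
        """Expected annual loss that remains after applying response r."""
        aro = self.aro * r.likelihood_factor
        per_event = self.sle * r.impact_factor
        if r.retained_per_event is not None:
            per_event = min(per_event, r.retained_per_event)
        return aro * per_event

    def total_cost(self, r: Response) -> float:
        """Annual cost of the response plus the risk it does not remove."""
        return r.annual_cost + self.residual_ale(r)

    def best_response(self) -> Response:
        """Cheapest response by total expected annual cost."""
        return min(self.responses, key=self.total_cost)


def sample_register() -> list[Risk]:
    """Two constructed risks with the four COSO response types priced out."""
    return [
        Risk("ransomware", aro=0.2, sle=2_000_000, responses=[
            Response("accept"),
            # offline backups + endpoint detection: halves likelihood, cuts impact to a quarter
            Response("reduce", annual_cost=150_000, likelihood_factor=0.5, impact_factor=0.25),
            # cyber insurance: premium plus a 400k retained loss per incident
            Response("share", annual_cost=150_000, retained_per_event=400_000),
            # stop taking online orders: no exposure, but 900k profit forgone
            Response("avoid", annual_cost=900_000, likelihood_factor=0.0),
        ]),
        Risk("flood", aro=0.05, sle=1_200_000, responses=[
            Response("accept"),
            Response("reduce", annual_cost=40_000, impact_factor=0.5),
            Response("share", annual_cost=25_000, retained_per_event=100_000),
        ]),
    ]


def rank_by_inherent_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected loss first, the order a risk committee reviews them in."""
    return sorted(risks, key=Risk.inherent_ale, reverse=True)


def plan(risks: list[Risk]) -> dict[str, tuple[str, float]]:
    """Map each risk name to (chosen response kind, total expected annual cost)."""
    return {r.name: (r.best_response().kind, r.total_cost(r.best_response()))
            for r in risks}


if __name__ == "__main__":
    register = sample_register()
    for risk in rank_by_inherent_ale(register):
        print(f"{risk.name:12s} inherent ALE ${risk.inherent_ale():>12,.0f}")
        for resp in risk.responses:
            print(f"   {resp.kind:7s} total ${risk.total_cost(resp):>12,.0f}")
        print(f"   -> {risk.best_response().kind}")
```

With these constructed numbers, reduction wins for the ransomware risk (a $150,000 control that leaves $50,000 of residual ALE beats a $400,000 inherent loss, the $230,000 insurance option, and the $900,000 of profit forgone by avoidance), while for the flood risk the insurance premium is cheaper than either accepting the inherent loss or building barriers. The point of the exercise is not the specific figures but that the same scale lets a risk committee compare responses across unrelated risks, which is what the framework's call to quantify likelihood and dollar impact buys.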

Control Activities

Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:

  1. Preventive control activities are in place to stop an undesired activity from happening in the first place. An example of a preventive control is a keypad or physical lock that keeps unauthorized employees out of a sensitive area.
  2. Detective control activities are in place to recognize when a risky action has taken place. Whether the event was permitted or was not supposed to happen but did anyway, detective controls alert management so that appropriate follow-up occurs. An example of a detective control is an alarm on the door of that same room.

Information and Communication

Information systems should be able to capture data useful to management to better understand a company’s risk profile and risk management. This means not granting exceptions for departments outperforming others; all aspects of a company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

Monitoring

A company can turn to an internal committee or an external auditor to review its policies and practices. This may include comparing what is actually performed with what the policy documents say. It may also entail gathering feedback, analyzing company data, and informing management of unmitigated risks. In an ever-changing environment, companies must also be ready to reassess their ERM environment and pivot as needed.

The Committee of Sponsoring Organizations (COSO) board originally published the ERM framework in 2004, then an updated version was published in 2017. The publication has been widely used since.

How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company’s size, risk preferences, and business objectives. Below are best practices that most companies can use to implement ERM strategies.

As a company implements ERM practices, it is widely advised to continually gather feedback from all employees. Everyone will have a different perspective of what might not be working or what could be done better.

Advantages and Disadvantages of Enterprise Risk Management

Advantages

ERM sets organization-wide expectations around a company’s culture. This includes communicating more openly about the risks a company faces and how to mitigate them, which leads to fewer unexpected risks and clearer direction on how to respond to specific events.

In addition, this may lead to greater employee satisfaction, since staff know plans are in place to protect company resources, and to better customer service, since staff know how to respond to customers should certain risks materialize.

ERM practices are often synthesized by a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and the information needed for decision making. As a result, a company may be more efficient with its time, especially considering what is delivered to upper management.

ERM may also improve the efficiency of the business company-wide. It may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability through a better understanding of which markets to enter.

Disadvantages

As a company builds out its ERM practices, it will likely consider familiar risks it has been exposed to in the past. Therefore, ERM is limited in identifying future risks that the organization is unaware of that may have more detrimental impacts. In this manner, some may consider ERM as reactive, as companies can only forecast risk based on what they have prior experience with.

ERM also relies heavily on management estimates and inputs, which may be nearly impossible to make accurately. For example, even in the unlikely case that a company had forecast the COVID-19 pandemic, could it have accurately calculated the fiscal impact of business closures or changes in consumer spending? The cost of ERM mitigations may also be difficult to assess.

ERM practices are time-intensive and therefore require company resources to succeed. Though the company benefits from protecting its assets, it must divert staff time and may need to make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, since the value of losses that did not occur can only be projected.


What Types of Risk Does Enterprise Risk Management Address?

ERM can help devise plans for almost any type of business risk. Business risk threatens a company’s ability to survive, and it can be broken down further into the categories discussed below. In general, ERM most commonly addresses operational, financial, and strategic risk.

Ideal Entities for ERM Systems

ERM is particularly well suited to large corporations operating in complex and diverse environments. These companies face a wide range of risks across different business units, regions, and functions. ERM helps them systematically identify, assess, and manage risks at both the operational and strategic levels.

ERM can also be especially useful in certain industries. For example, it is well suited to financial institutions such as banks, insurance companies, and investment firms, which operate in highly regulated and volatile markets and face many of the risks discussed above. By integrating ERM into their operations, financial institutions can strengthen risk management practices, optimize capital allocation, and enhance their resilience to economic downturns.

Last, multinational corporations and global enterprises are also ideal candidates. These companies benefit from ERM because of their expansive operations across multiple countries and jurisdictions, which expose them to diverse risks related to geopolitical instability, currency fluctuations, supply chain disruptions, and regulatory compliance in varying regions. By implementing ERM frameworks, global enterprises can better track and manage these risks, especially where particular areas, departments, or business units carry higher risk.

ERM vs. ERP

ERM is primarily concerned with identifying, assessing, managing, and mitigating risks across an organization. On the other hand, enterprise resource planning (ERP) tools focus on integrating and optimizing core business processes. The primary purpose of ERP systems is to streamline operations across finance, manufacturing, sales, and marketing (amongst others). ERM addresses risks across various functions and departments within an organization. ERP systems are generally more specific in their scope. They tend to focus on more granular operational efficiencies instead of bigger-picture, comprehensive risks.

Implementing ERM tools requires collaboration among key stakeholders like risk managers, compliance officers, executives, and board members. These stakeholders work together to establish risk management frameworks. ERP implementations may be more geared towards collaboration among IT teams, department heads, and end-users. In addition to having a heavy part to play in operations, a primary component of ERP systems is the potentially live, interconnected play between data. For this reason, as opposed to an ERM tool, ERP systems may have a more technical demand to them.

Last, risk management strategies in ERM are designed to support long-term sustainability, protect organizational assets, and minimize potential disruptions. ERP systems align with an organization's strategic goals by improving productivity, reducing costs, and providing real-time insights into business operations. In a sense, ERM and ERP systems may pull in opposite directions. For instance, an ERP system may signal growth and efficiency opportunities in a specific new market, while the ERM function may conclude that the new market carries too much risk to pursue.

ERM vs. CRM

Customer relationship management (CRM) systems are centered on managing interactions with customers and prospects. CRM leverages technology and processes to organize, automate, and synchronize sales, marketing, customer service, and support activities. Its primary aim is to improve relationships with customers, streamline business processes, and increase profitability by understanding and meeting customer needs effectively.

Like an ERM system, a CRM system consolidates data. However, the nature of the data is entirely different. While ERM systems track and monitor risks, CRM systems focus on customer data, interactions, and insights that enable the company to enhance customer engagement and satisfaction. CRM implementation matters most to sales teams, marketing departments, customer service representatives, and executives who rely on customer data to drive sales growth and improve overall business performance. ERM systems, by contrast, are most useful to teams such as risk, insurance, operations, or finance.

An ERM focuses on comprehensive risk management across all facets of an organization. This tends to be inward-looking, though it can also incorporate external market forces. A CRM, alternatively, is much more outward-facing. While it will consider current processes and resources within a company, a CRM exists to monitor what is going on outside of the company with a company's arguably most important resource (i.e. its customers).

Example of ERM

ExxonMobil is a robust example of how ERM is implemented in a large multinational corporation operating in the oil and gas industry. ERM at ExxonMobil is a structured approach that spans all levels of the organization, aiming to identify, assess, manage, and mitigate risks that could impact its business operations and overall performance. Information on ExxonMobil's ERM strategy is on the company's website.

ExxonMobil's framework integrates five core elements: organizing and aggregating risks, rigorous risk identification practices, a prioritization method, systems and processes for risk management, and comprehensive risk governance. This multi-layered approach includes defined roles and responsibilities for risk owners, functional experts, and independent verifiers. The goal is that each type of risk is actively managed and aligned with corporate requirements and processes.

Prior to initiating new developments, the company employs advanced data and computer modeling to assess potential environmental, socioeconomic, and health risks associated with construction and operations. Engaging with communities through public meetings and collaborating with regulators ensures transparent communication and compliance with regulatory standards, both of which can minimize risks in the future.

This rigorous process guided by an integrated ERM also enables ExxonMobil to implement tailored measures to prevent, minimize, or mitigate environmental impacts. These different types of risks could range from changing weather patterns to sea level rise, seismic activity, or geological conditions. ExxonMobil's environmental assessments with its ERM are conducted for both offshore and onshore facilities to deploy protective measures effectively and uphold operational safety.

What Is ERM?

ERM is a company’s approach to managing risk. It is the practices, policies, and framework for how a company handles a variety of risks that its business faces.

Why Is ERM Important?

ERM is important because it helps prevent losses or unexpected negative outcomes. ERM is also important because it helps a company set the plans in place to strategically approach risk and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

ERM often summarizes the risks a company faces into operational, financial, and strategic risks. Operational risks impact day-to-day operations, while strategic risks impact long-term plans. Financial risks impact the general financial standing and health of a company.

What Are the 8 Components of ERM?

The COSO framework for ERM identifies eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. These eight core components drive a company’s ERM practices.

What Is the Difference Between Risk Management and Enterprise Risk Management?

Risk management has traditionally been used to describe the practices and policies surrounding a specific risk that a company faces. More modern risk management has introduced ERM, a comprehensive, company-wide approach to view risk holistically for the entire company.

The Bottom Line

As a company makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To better plan for these risks, companies are turning to enterprise risk management, a company-wide, top-down approach to assessing risk and devising plans. The ultimate goal of ERM is to protect a company’s assets and operations while having strategies in place should certain unfortunate events occur.