What is Enterprise Risk Management (ERM)?




In business and finance, Enterprise Risk Management (ERM) is a structured framework for identifying, assessing and managing the risks a firm faces.

ERM is one of the cornerstones of the GARP FRM examination program. Note that ERM is not only about limiting downside: it also helps a firm select which opportunities to pursue, in line with its chosen risk appetite.


The ERM Process

Enterprise Risk Management is a process that typically runs through the following steps:

  1. Identify the risk events applicable to the firm’s operations
  2. Estimate the probability of each risk event occurring
  3. Estimate the magnitude of the risk event’s impact
  4. Formulate an appropriate response should the event occur
  5. Continuously monitor the firm’s working environment and revisit the steps above as conditions change

ERM has evolved into a comprehensive methodology that integrates several components:

  • Sarbanes-Oxley Act (SOX) requirements
  • Strategic planning
  • Internal control concepts

It is increasingly adopted for the benefits it produces by surfacing the real risks present in an organization.



Several notable Enterprise Risk Management frameworks are in circulation. Each provides its own outline for identifying risks, analyzing them and responding to the various types of risk.


The Casualty Actuarial Society ERM Framework

The Casualty Actuarial Society (CAS) gave the following definition in 2003: “ERM is a discipline by which an organization assesses, controls, and monitors all risks”, for the purpose of increasing the organization’s value to its stakeholders.

The CAS framework divides ERM along two dimensions:

  1. The type of risk, and
  2. The risk management process

The risk types are:

  • Operational risks (for example, reputation risk)
  • Strategic risks (for example, capital availability)
  • Hazard risks (for example, natural disasters)
  • Financial risks (for example, liquidity risk)

The risk management process consists of:

  • Establishing the context
  • Identifying risks
  • Analyzing risks
  • Integrating risk factors
  • Prioritizing risks
  • Continuous monitoring, and
  • Continuous review


The COSO ERM Framework

The COSO Enterprise Risk Management Framework was published in 2004. It defines ERM as a process, effected by a firm’s board of directors, management and other personnel, designed to identify potential events that may affect the firm and to manage risk so that it stays within the firm’s risk appetite.

The COSO ERM Framework defines four objective categories and eight components.


COSO ERM Categories

  • Strategy
  • Reporting
  • Operations
  • Compliance

COSO ERM Components

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring


The RIMS Risk Maturity Model (RMM) for ERM

Originally based on the Capability Maturity Model of the 1980s, the RIMS Risk Maturity Model was created by Steven Minsky, CEO of LogicManager.

It was published in 2006 by the Risk and Insurance Management Society (RIMS). The RIMS Risk Maturity Model provides a framework and methodology that sets out the conditions for a sustainable ERM program.

The Risk Maturity Model is made up of seven key attributes:

  1. The ERM-based Approach
  2. ERM Process Management
  3. Risk Appetite Management
  4. Root Cause Discipline
  5. Uncovering Risks
  6. Performance Management
  7. Business Resiliency and Sustainability


Objectives of the Program

Over time, many firms establish several different departments in order to address and manage the various forms of risk they face.

These departments, or functions, are commonly referred to as “risk functions”. Each risk function differs in its capabilities and in how well it coordinates with the other existing risk functions.

A common challenge of ERM is therefore improving the coordination among the various risk functions so that the firm has a single, consistent view of its risks.


Examples of Risk Functions

Risk functions in larger, more complex firms may include:

  • Compliance: monitoring adherence to rules and regulations
  • Accounting: identifying financial reporting risks
  • Marketing: aligning products with consumer expectations
  • Legal: managing legal actions
  • Treasury: ensuring proper cash flows
  • Strategic Management: revealing possible threats to the strategy
  • Quality Assurance: ensuring outputs meet the required standard
  • Internal Auditing: evaluating how well the risks above are managed


Difficulties in Implementing

As each firm is unique, so are the variability and complexity of implementing a good ERM program. The challenges a firm encounters when implementing an ERM initiative are well documented.

Some of the recurring issues are:

  • Agreeing on which types of risk to take
  • Creating a risk glossary and a proper risk inventory
  • Agreeing on the best way to rank risks
  • Monitoring the actions taken to mitigate those risks
  • Producing a comprehensive and easily understood reporting document
  • Demonstrating the cost-benefit of all these demanding exercises


Current Problems in Risk Management  

Particularly since 2008, many US corporations have faced increasing scrutiny from industry regulators, especially with respect to their risk management methodologies.

Senior staff and directors are under pressure from a wide range of factors, including new and disruptive technological innovations, mergers and acquisitions, and geopolitical tension.


The ERM Response

We do live in a world of risk and uncertainty, but firms have many tools available to steer them through choppy financial waters.

ERM frameworks provide firms with a guiding light for identifying risks. Management must then respond to the myriad of risk issues present.

Each response generally falls into one of the following categories:

  • Avoid the risk
  • Reduce the risk
  • Share (transfer) the risk
  • Accept the risk
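The five-step ERM process described earlier and the avoid/reduce/share/accept responses listed here can be made concrete with a small risk register. The following Python is an added illustration, not code from this article or from any of the frameworks it describes; the scoring rule (expected loss = probability × impact), the risk-appetite thresholds, the response-selection policy, the `Risk`/`Appetite` types and the sample risks are all assumptions made for the example.

```python
"""Added example (not from the original article): a minimal quantitative
risk register that walks through the ERM steps. The scoring rule, the
risk-appetite thresholds, the response-selection policy and the sample
risks are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    category: str                 # operational / strategic / hazard / financial
    probability_pct: int          # step 2: annual probability, in whole percent
    impact: int                   # step 3: loss if the event occurs, in currency units
    # Optional mitigating control: residual probability once applied, and its cost.
    control_residual_pct: Optional[int] = None
    control_cost: int = 0

    def expected_loss(self) -> float:
        """Annualised expected loss; integer inputs keep the arithmetic exact."""
        return self.impact * self.probability_pct / 100

    def residual_loss(self) -> Optional[float]:
        """Expected loss after the control is applied, or None if there is none."""
        if self.control_residual_pct is None:
            return None
        return self.impact * self.control_residual_pct / 100


@dataclass
class Appetite:
    """Assumed risk appetite: tolerated expected loss per risk, and the
    largest single loss the firm could absorb without sharing it."""
    tolerated_expected_loss: int
    max_single_loss: int


def choose_response(risk: Risk, appetite: Appetite) -> str:
    """Step 4: map a scored risk to avoid / reduce / share / accept.

    Assumed policy (one of many possible ones):
      accept - expected loss is already within appetite
      share  - a single occurrence would exceed what the firm can absorb
      reduce - a control exists whose cost plus residual loss beats doing nothing
      avoid  - otherwise (loss outside appetite and no cost-effective control)
    """
    el = risk.expected_loss()
    if el <= appetite.tolerated_expected_loss:
        return "accept"
    if risk.impact > appetite.max_single_loss:
        return "share"
    residual = risk.residual_loss()
    if residual is not None and residual + risk.control_cost < el:
        return "reduce"
    return "avoid"


def prioritise(register: list[Risk]) -> list[str]:
    """Rank by expected loss, highest first (one common way to rank risks)."""
    return [r.name for r in sorted(register, key=lambda r: r.expected_loss(), reverse=True)]


def monitor(register: list[Risk], appetite: Appetite, observed_pct: dict[str, int]) -> list[str]:
    """Step 5: re-score with newly observed probabilities (updating the
    register in place) and report which risks now call for a different
    response than before."""
    changed = []
    for risk in register:
        if risk.name not in observed_pct:
            continue
        before = choose_response(risk, appetite)
        risk.probability_pct = observed_pct[risk.name]
        if choose_response(risk, appetite) != before:
            changed.append(risk.name)
    return changed


# Constructed sample register (figures are illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("Ransomware outage", "operational", 20, 2_000_000, control_residual_pct=5, control_cost=150_000),
    Risk("Key supplier insolvency", "strategic", 10, 500_000),
    Risk("Datacentre flood", "hazard", 2, 10_000_000, control_residual_pct=1, control_cost=50_000),
    Risk("Liquidity squeeze", "financial", 5, 300_000),
]
SAMPLE_APPETITE = Appetite(tolerated_expected_loss=50_000, max_single_loss=5_000_000)


def build_plan(register=SAMPLE_REGISTER, appetite=SAMPLE_APPETITE) -> dict[str, str]:
    """Steps 1-4 for every risk in the register: name -> chosen response."""
    return {r.name: choose_response(r, appetite) for r in register}


if __name__ == "__main__":
    for name in prioritise(SAMPLE_REGISTER):
        risk = next(r for r in SAMPLE_REGISTER if r.name == name)
        print(f"{name:26} EL={risk.expected_loss():>12,.0f}  -> {choose_response(risk, SAMPLE_APPETITE)}")
    print("changed after monitoring:",
          monitor(SAMPLE_REGISTER, SAMPLE_APPETITE, {"Key supplier insolvency": 15}))
```

Probabilities are held as whole percentages rather than floats so that a risk sitting exactly on the appetite threshold (the supplier risk, at 50,000) is classified deterministically; a real FRM-style model would replace the single probability and impact with loss distributions. The monitoring step shows the point of step 5: when the observed probability of the supplier risk rises from 10% to 15%, its expected loss crosses the appetite and the recommended response changes from accept to avoid.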

We hope that you enjoyed reading this article! Please feel free to browse our other sections, particularly if you are planning on studying the FRM program. Or contact one of our administrators for more info: Phillip Pandohie


One step at a time,

The QuestionBank Family