Enterprise Risk Management (ERM): What Is It and How It Works

What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses.

Key Takeaways

  • Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards with a company's finances, operations, and objectives.
  • ERM allows managers to shape the firm's overall risk position by mandating that certain business segments engage in or withdraw from particular activities.
  • Traditional risk management, which leaves decision-making in the hands of division heads, can lead to siloed evaluations that do not account for other divisions.
  • The COSO framework for enterprise risk management identifies eight core components of developing ERM practices.
  • Successful ERM strategies can mitigate operational, financial, security, compliance, legal, and many other types of risks.

Understanding Enterprise Risk Management (ERM)

Enterprise risk management takes a holistic approach and calls for management-level decisions that may not make sense for any individual business unit or segment on its own. Thus, instead of each business unit being responsible for its own risk management, firm-wide oversight takes precedence.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

ERM, therefore, can work to minimize firm-wide risk as well as identify firm-wide opportunities that no single unit would see. Communication and coordination between business units is key for ERM to be successful, since a risk decision coming from top management may seem at odds with local assessments on the ground. Firms that use ERM will typically have a dedicated enterprise risk management team that oversees risk across the whole firm.

While ERM best practices and standards are still evolving, they have been formalized through COSO (the Committee of Sponsoring Organizations of the Treadway Commission), a private-sector body that maintains and updates such guidance for companies and ERM professionals.

ERM-friendly firms may be attractive to investors because they signal more stable investments.

A Holistic Approach to Risk Management

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures by having each division manage its own. Enterprise risk management calls for corporations to identify all the risks they face and requires management to decide which risks to manage actively. Instead of risks being siloed across the company, a company using ERM sees the bigger picture.

ERM looks at each business unit as a "portfolio" within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling its own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that ERM programs commonly call for. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that affect the entire corporation. The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company's business units. The CRO's mandate is specified in conjunction with other top management, the board of directors, and other stakeholders.

A good indication that a company is working toward effective ERM is the presence of a chief risk officer (CRO) or a dedicated manager who coordinates ERM efforts.

Components of Enterprise Risk Management

The COSO enterprise risk management framework identifies eight core components that define how a company should approach creating its ERM practices.

Internal Environment

A company's internal environment is the atmosphere and corporate culture within the company, set by its people. It establishes the company's risk appetite and management's philosophy toward incurring risk. The internal environment may be defined by upper management or the board and communicated throughout the organization, but it is ultimately reflected in the actions of all employees.

Objective Setting

As a company determines its purpose, it must set objectives that support its mission and goals. These objectives must then be aligned with the company's risk appetite. For example, an ambitious company with far-reaching strategic plans must recognize the internal and external risks that come with those goals. In response, it can match the measures it takes to what it wants to accomplish, such as hiring additional compliance staff for expansion markets it is unfamiliar with.

Event Identification

Positive events may have a great impact on a company. Negative events, on the other hand, may undermine a company's ability to continue operating. ERM guidance recommends that companies identify the important areas of the business and the events that could have dire outcomes for them. These high-risk events may be operational (e.g., a natural disaster that forces offices to close temporarily) or strategic (e.g., a government regulation that outlaws the company's primary product line).

Risk Assessment

In addition to knowing what may happen, the ERM framework calls for assessing each risk by its likelihood and its financial impact. This covers not only the direct consequence (e.g., a natural disaster renders an office unusable) but also knock-on consequences (e.g., employees may not feel safe returning to the office). Though difficult, the framework encourages companies to quantify risks by estimating both the percent chance of occurrence and the dollar impact; their product is the expected loss, which lets risks be ranked against one another. COSO distinguishes inherent risk, the exposure before any response, from residual risk, what remains after the chosen response and controls are in place.

Risk Response

A company can respond to risk in the following four ways:

  1. The company can avoid risk. This results in the company leaving the activity that causes the risk as the company would rather forgo the benefits of the activity than incur the risk. An example of risk avoidance is a company shutting down a product line and discontinuing selling a specific good.
  2. The company can reduce risk. This results in the company staying engaged in the activity but putting effort into minimizing the likelihood or magnitude of the risk. An example of risk reduction is a company keeping the product line open but investing more in quality control or in educating consumers on how to use the product properly.
  3. The company can share risk (often called risk transfer). This results in the company moving forward with the current risk profile of the activity but paying an independent third party a fee to bear part of the potential loss. An example of risk sharing is purchasing an insurance policy.
  4. The company can accept risk. This results in the company analyzing the potential outcomes and concluding that the cost of mitigation is not worth the reduction in risk it would buy. An example of risk acceptance is the company keeping the product line open with no changes to operations and no risk sharing.
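The fourth response rests on a comparison: is the cost of mitigating a risk worth the reduction in expected loss it buys, and does what remains fit the risk appetite set during objective setting? The following added example (illustrative code written for this page, not part of the article or of COSO's guidance) puts that comparison into Python for a small risk register. Every figure in it, the 10% chance of a defective product line, the $2 million loss, the control costs, premium and deductible, is constructed for the example, and the `Risk`, `Response` and `choose_response` names are the example's own.

```python
"""Toy ERM risk register: inherent expected loss, residual expected loss under each
of the four response types, and a selection rule constrained by risk appetite.
All figures are constructed for illustration; nothing here is real company data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # estimated annual probability of the event (0..1)
    impact: float       # estimated loss in dollars if the event occurs

    def inherent_expected_loss(self) -> float:
        """Expected annual loss before any response: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Response:
    kind: str                       # "accept", "reduce", "share" or "avoid"
    annual_cost: float = 0.0        # control spend, insurance premium, or forgone profit
    likelihood_factor: float = 1.0  # multiplier on likelihood after a "reduce" response
    impact_factor: float = 1.0      # multiplier on impact after a "reduce" response
    retained_loss: Optional[float] = None  # per-event loss kept by the company under "share"


def residual_expected_loss(risk: Risk, response: Response) -> float:
    """Expected annual loss the company still carries after the response."""
    if response.kind == "avoid":
        return 0.0  # the activity is stopped, so the event cannot occur
    if response.kind == "share":
        retained = risk.impact if response.retained_loss is None else response.retained_loss
        return risk.likelihood * retained  # insurer pays the rest above the deductible
    if response.kind == "reduce":
        return (risk.likelihood * response.likelihood_factor) * (risk.impact * response.impact_factor)
    if response.kind == "accept":
        return risk.inherent_expected_loss()
    raise ValueError(f"unknown response kind: {response.kind}")


def total_expected_cost(risk: Risk, response: Response) -> float:
    """What the response costs per year plus the expected loss it leaves behind."""
    return response.annual_cost + residual_expected_loss(risk, response)


def choose_response(risk: Risk, options: list, appetite: float) -> Response:
    """Cheapest response whose residual expected loss stays within the risk appetite."""
    feasible = [o for o in options if residual_expected_loss(risk, o) <= appetite]
    if not feasible:
        raise ValueError(f"no response keeps {risk.name!r} within appetite {appetite:,.0f}")
    return min(feasible, key=lambda o: total_expected_cost(risk, o))


def decisions_by_appetite(risk: Risk, options: list, appetites: list) -> dict:
    """Map each appetite level to the kind of response chosen (None if nothing qualifies)."""
    out = {}
    for appetite in appetites:
        try:
            out[appetite] = choose_response(risk, options, appetite).kind
        except ValueError:
            out[appetite] = None
    return out


# Constructed register entries (hypothetical figures).
PRODUCT_LINE = Risk("defective product line", likelihood=0.10, impact=2_000_000)
PRODUCT_LINE_OPTIONS = [
    Response("accept"),
    Response("reduce", annual_cost=60_000, likelihood_factor=0.4),   # more quality control
    Response("share", annual_cost=120_000, retained_loss=250_000),   # policy with a deductible
    Response("avoid", annual_cost=300_000),                          # forgo the line's profit
]
MINOR_RISK = Risk("late vendor invoices", likelihood=0.30, impact=10_000)
MINOR_OPTIONS = [
    Response("accept"),
    Response("reduce", annual_cost=5_000, likelihood_factor=0.5),
]

if __name__ == "__main__":
    for risk, options in ((PRODUCT_LINE, PRODUCT_LINE_OPTIONS), (MINOR_RISK, MINOR_OPTIONS)):
        print(f"{risk.name}: inherent expected loss ${risk.inherent_expected_loss():,.0f}")
        for o in options:
            print(f"  {o.kind:<7} residual ${residual_expected_loss(risk, o):>10,.0f}"
                  f"  total ${total_expected_cost(risk, o):>10,.0f}")
        print("  chosen by appetite:", decisions_by_appetite(risk, options, [250_000, 100_000, 50_000, 0]))
```

Run it and the same product-line risk is reduced at a $100,000 appetite, shared at $50,000, and avoided when no residual loss is tolerated; the small invoicing risk is accepted at any realistic appetite because the only control on offer costs more than the loss it prevents. Real registers carry estimates rather than point values, so practitioners normally run this comparison across a range of likelihoods and impacts instead of trusting a single number.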

Control Activities

Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:

  1. Preventive control activities are in place to stop an activity from happening. These controls mitigate risk by disallowing certain events. An example of a preventive control is a keypad or physical lock that restricts entry to a sensitive area to authorized staff.
  2. Detective control activities are in place to recognize when a risky action has taken place. Although the event is allowed to happen (or was not supposed to happen but still did), detective controls may alert management to ensure appropriate follow-up steps occur. An example of a detective control is an alarm for the room or a l

Information and Communication

Information systems should be able to capture data useful to management to better understand a company's risk profile and management of risk. This means not granting exceptions for departments outperforming others; all aspects of a company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

Monitoring

A company can turn to an internal committee or an external auditor to review its policies and practices. This may include reviewing what is actually performed compared to what policy documents suggest. This may also entail getting feedback, analyzing company data, and informing management of unprotected risks. In an ever-changing environment, companies must also be ready to assess their ERM environment and pivot as needed.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Enterprise Risk Management Integrated Framework in 2004, and the eight components above come from that edition. COSO's 2017 update, Enterprise Risk Management Integrating with Strategy and Performance, reorganized the guidance into five components and 20 principles, but the eight-component model remains widely used and taught.

How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company's size, risk preferences, and business objectives. Below are best practices most companies can use to implement ERM strategies.

  • Define risk philosophy. Before implementing any practices, a company must identify how it feels about risk and what its strategy around risk will be. This should involve strategic discussions between management and an analysis of a company's entire risk profile.
  • Create action plans. With a company's risk philosophy in hand, it is time to create an action plan. This defines the steps a company must take to protect its assets and plans to protect the future of the organization after a risk assessment has been performed.
  • Be creative. When considering risks, ERM entails thinking broadly about the problems a company may face. Even far-fetched scenarios are worth listing: it is in a company's interest to think of as many challenges as it can and to decide how it will respond (or deliberately not respond) should each one happen.
  • Communicate priorities. A company may determine that several high-impact risks are critical to mitigate for the continuation of the company. These priorities should be communicated and broadly understood as the risks that must not be incurred under any circumstance. Alternatively, a company may wish to communicate its plans for the event should it occur.
  • Assign responsibilities. Once an action plan has been devised, specific employees should be identified to carry out specific parts of it. Tasks are best assigned to roles rather than to named individuals, so responsibility survives when employees leave the company. This not only ensures every action item is worked on but also holds each owner accountable for their area(s) of risk.
  • Maintain flexibility. As companies and risks evolve, a company must design ERM practices to be adaptable. The risks a company faces one day may be different the next; the company must be able to carry its current plan while still making plans for new, future risks.
  • Leverage technology. ERM digital platforms may host, summarize, and track many of the risks of a company. Technology can also be used to implement internal controls or gather data on how performance is tracking to ERM practices.
  • Continually monitor. Once ERM practices are in place, a company must ensure the practices are adhered to. This means tracking progress towards goals, ensuring certain risks are being mitigated, and employees are performing tasks as expected.
  • Use metrics. As part of monitoring ERM practices, a company should develop a series of metrics to quantifiably gauge whether it is meeting its targets. Tying these metrics to SMART objectives (specific, measurable, achievable, relevant, and time-bound) keeps the company accountable for whether it met them or not.

As a company implements ERM practices, it is widely advised to continually gather feedback from all employees. Everyone will have a different perspective of what might not be working or what could be done better.

Advantages and Disadvantages of Enterprise Risk Management

Advantages of ERM

ERM sets organization-wide expectations around a company's culture. This includes communicating more openly about the risks a company faces and how to mitigate them, which leads to fewer surprises and clearer direction on how to respond to particular events.

In addition, this may lead to greater employee satisfaction, knowing plans are in place to protect company resources, and to better customer service, since staff know how to respond to customers should certain risks actually occur.

ERM practices are often synthesized into a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and the information needed for decision-making. As a result, a company may use its time more efficiently, especially in what it delivers to upper management.

ERM may also have a company-wide positive impact on the efficiency of the business. ERM may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability through a better understanding of which markets to enter.

Disadvantages of ERM

As a company builds out its ERM practices, it will likely focus on familiar risks it has been exposed to in the past. ERM is therefore limited in identifying future risks the organization is unaware of, which may have even more detrimental impacts. In this sense, some consider ERM reactive, since companies can only forecast risk based on prior experience.

ERM also relies very heavily on management estimates and inputs, which may be nearly impossible to make accurately. For example, even in the unlikely case that a company had forecast the occurrence of the COVID-19 pandemic, could it have accurately calculated the fiscal impact of business closures or changes in consumer spending? The cost of ERM mitigation may also be difficult to assess.

ERM practices are time-intensive and therefore require company resources to be successful. Though the company benefits from protecting its assets, it must divert staff time and may need to make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, since financial losses that did not occur can only be projected.

ERM Practices

Pros

  • May make a company more prepared for risks and uncertainties
  • May leave employees more satisfied with the future state of the company
  • May result in greater customer service as companies are prepared for certain situations
  • May result in efficient reporting to upper management that enhances decision-making
  • May lead to more efficient company-wide operations

Cons

  • May not accurately identify the risks a company is likely to experience
  • May not accurately assess the financial impact or likelihood of an outcome
  • Often requires time investment from a company in order to be successful
  • Often requires capital investment from a company in order to be successful

What Types of Risks Does Enterprise Risk Management Address?

ERM can help devise plans for almost any type of business risk. Business risk threatens a company's ability to survive, and these risks may be further classified into different risks discussed below. In general, ERM most commonly addresses the following types of risk:

  • Compliance risk threatens a company due to a violation of external law or requirement. An example of compliance risk is a company's inability to produce timely financial statements in accordance with applicable accounting rules such as GAAP.
  • Legal risk threatens a company should it face a lawsuit or penalty over contractual, dispute, or regulatory issues. An example of legal risk is a billing dispute with a major customer.
  • Strategic risk threatens a company's long-term plan. For example, new market participants in the future may supplant the company as the lowest-cost provider of a good.
  • Operational risk threatens the day-to-day activities required for the company to operate. An example of operational risk is a natural disaster that damages a company's warehouse where inventory is stored.
  • Security risk threatens the company's assets should physical or digital assets be misappropriated. An example of security risk is insufficient access controls over sensitive client information stored on network servers.
  • Financial risk threatens the debt or financial standing of a company. An example of financial risk is translation losses from holding assets denominated in a foreign currency.

What Is ERM and Why Is It Important?

ERM is a company's approach to managing risk. It is the practices, policies, and framework for how a company handles a variety of risks its business faces. ERM is important because it helps prevent losses or unexpected negative outcomes. ERM is also important because it helps a company set the plans in place to strategically approach risk and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

ERM often summarizes the risks a company faces into operational, financial, and strategic risks. Operational risks affect day-to-day operations, while strategic risks affect long-term plans. Financial risks affect the general financial standing and health of a company.

What Are the 8 Components of ERM?

The COSO framework for ERM identifies eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. These eight core components drive a company's ERM practices.

What Is the Difference Between Risk Management and Enterprise Risk Management?

Risk management has traditionally been used to describe the practices and policies surrounding a specific risk a company faces. More modern risk management has introduced ERM, a comprehensive, company-wide approach to view risk holistically for the entire company.

The Bottom Line

As a company makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To better plan for these risks, companies are turning to enterprise risk management, a company-wide, top-down approach to assessing risk and devising plans. The ultimate goal of ERM is to protect a company's assets and operations while having strategies in place should certain unfortunate events occur.

Article Sources
  1. COSO. "Guidance on Enterprise Risk Management."
