What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses.

ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence. For instance, if a risk manager at an investment bank notices that two trading desks positioned in different areas of the firm have similar exposures to the same risk, they may force the less important of the two to eliminate that position. This decision is made with the entire firm in mind, not just the specific trading desk.

Key Takeaways

  • Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards to a company's finances, operations, and objectives.
  • ERM allows managers to shape the firm's overall risk position by mandating that certain business segments engage with or disengage from particular activities.
  • Traditional risk management, which leaves decision-making in the hands of division heads, can lead to siloed evaluations that do not account for other divisions.
  • ERM techniques have evolved substantially over the last decades.

Understanding Enterprise Risk Management (ERM)

ERM not only calls for corporations to identify all the risks they face and to decide which risks to manage actively (as other forms of risk management may), but it allows top managers to make executive decisions regarding risk management that may or may not be in the particular interest of a certain segment—but which optimize for the firm as a whole. This is because risks can be siloed in individual business units that do not or cannot see the bigger risk picture.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling its own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that is required from an ERM standpoint. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that impact the entire corporation. The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company's business units. The CRO's mandate will be specified in conjunction with other top management along with the board of directors and other stakeholders.

While ERM best practices and standards are still evolving, they have been formalized through COSO, an industry group that maintains and updates such guidance for companies and ERM professionals.

ERM-friendly firms may be attractive to investors because they signal more stable investments.

A Holistic Approach to Risk Management

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business.

Indeed, many large firms dealt with growth by assigning more and more responsibility to heads of individual business units, with the CEO and other top managers uninvolved in those daily operations.

However, as companies grow and take on multiple divisions or business segments, this approach can lead to inefficiency and amplification or misrecognition of risk. In this case, each division of a firm becomes its own "silo."

Divisions in such silos are unable to see the risk exposures of other divisions, how their own exposures interact with those of other units, and how different exposures across units interact as a whole. So, while a division manager may recognize a potential risk, they may not realize (nor even be able to realize) the significance of that risk to other aspects of the business.

A good indication that a company is working toward effective ERM is the presence of a chief risk officer (CRO) or a dedicated manager who coordinates ERM efforts.

ERM looks at each business unit as a "portfolio" within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

ERM, therefore, can work to minimize firmwide risk as well as identify unique firmwide opportunities. Communicating and coordinating between different business units is key for ERM to be successful, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.