What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses.

Key Takeaways

Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards with a company’s finances, operations, and objectives.

ERM allows managers to shape the firm’s overall risk position by mandating that certain business segments engage with or disengage from particular activities.

Traditional risk management, which leaves decision making in the hands of division heads, can lead to siloed evaluations that do not account for other divisions.

The COSO framework for enterprise risk management identifies eight core components of developing ERM practices.

Successful ERM strategies can mitigate operational, financial, security, compliance, legal, and many other types of risks.

Enterprise risk management takes a holistic approach and calls for management-level decision making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence.

It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.

ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units are key for ERM to succeed, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

While ERM best practices and standards are still evolving, they have been formalized through COSO, an industry group that maintains and updates such guidance for companies and ERM professionals.

Fast Fact

ERM-friendly firms may be attractive to investors because they signal more stable investments.

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures via each division managing its own business. Enterprise risk management calls for corporations to identify all the risks they face. It also makes management decide which risks to manage actively. As opposed to risks being siloed across a company, a company sees the bigger picture when using ERM.

ERM looks at each business unit as a “portfolio” within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit.

Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling its own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach.

A chief risk officer (CRO), for instance, is a corporate executive position that is required from an ERM standpoint. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that impact the entire corporation.

The CRO also works to ensure that the company complies with government regulations, such as Sarbanes-Oxley (SOX), and reviews factors that could hurt investments or a company’s business units. The CRO’s mandate will be specified in conjunction with other top management along with the board of directors and other stakeholders.

Fast Fact

A good indication that a company is working at effective ERM is the presence of a chief risk officer (CRO) or a dedicator manager who coordinates ERM efforts.

The COSO enterprise risk management framework identifies five core components that define how a company should approach creating its ERM practices.

Governance sets a company’s tone, reinforcing the importance of ERM and establishing oversight responsibilities for it. Culture relates to a company’s ethical values, desired behaviors, and understanding of risk. Principles of governance and culture are exercising board risk oversight; establishing operating structures; defining the desired company culture; demonstrating a commitment to core values; and committing to building human capital (attracting, developing, and retaining capable individuals) that aligns with the strategy and business objectives.

ERM establishes and aligns a company’s risk appetite with its strategy, while the company’s business objectives put the strategy into practice and serve as a basis for identifying, assessing, and responding to risk. As the company determines its purpose, it must set objectives that support its mission and goals. These objectives must then be aligned with its risk appetite. The company’s strategic plans can be aligned with what it wants to accomplish, such as hiring additional regulatory staff for expansion areas it is unfamiliar with. It can also evaluate alternative strategies.

Risks may affect the achievement of a company’s strategy and business objectives, so ERM guidance dictates that they be identified and assessed. They are prioritized by severity as it relates to risk appetite. For example, high-risk events may pose risks to operations (e.g., natural disasters that force offices to temporarily close) or strategic (e.g., government regulation outlaws the company’s primary product line). The company then identifies and selects risk responses and takes a portfolio view of the amount of assumed risk. The results are reported to key stakeholders.

A company can consider how well ERM components are functioning over time by reviewing risk and performance. Substantial changes, if any need to be made, are identified and assessed; necessary revisions are identified; and ERM improvement is pursued.

ERM requires a company to continually obtain and share necessary information from internal and external sources. Information technology (IT) systems should be able to capture data useful to management to better understand the company’s risk profile and risk management. This means not granting exceptions for departments outperforming others; all aspects of the company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees if it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

Important

The Committee of Sponsoring Organizations (COSO) board originally published the ERM framework in 2004, then an updated version was published in 2017. The publication has been widely used since.

ERM practices will vary based on a company’s size, risk preferences, and business objectives. Below are best practices that most companies can use to implement ERM strategies.

Tip

As a company implements ERM practices, it is widely advised to continually gather feedback from all employees. Everyone will have a different perspective of what might not be working or what could be done better.

ERM sets the organization-wide expectations around a company’s culture. This includes communicating more openly about the risks a company faces and how to mitigate them. This leads to less unexpected risks and more guided direction on how to respond to certain events.

In addition, this may lead to greater employee satisfaction knowing plans are in place to protect company resources, as well as greater customer service knowing how to respond to customers should certain risks actually occur.

ERM practices are often synthesized by a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and the information needed for decision making. As a result, a company may be more efficient with its time, especially considering what is delivered to upper management.

ERM may also have a company-wide positive impact on the resourcefulness of the business. ERM may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability by better understanding what markets to enter into.

As a company builds out its ERM practices, it will likely consider familiar risks it has been exposed to in the past. Therefore, ERM is limited in identifying future risks that the organization is unaware of that may have more detrimental impacts. In this manner, some may consider ERM as reactive, as companies can only forecast risk based on what they have prior experience with.

ERM also relies very heavily on management estimates and inputs. This may be nearly impossible to accurately predict. For example, in the very low chance that a company forecasts the occurrence of the COVID-19 pandemic, would a company be able to accurately calculate the fiscal impact of business closures or changes in consumer spending? ERM mitigation costs may also be difficult to assess.

ERM practices are time-intensive and therefore require the resources of the company to be successful. Though the company will benefit from protecting its assets, it must detract the time of its staff and may make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, as financial risks that do not occur must simply be projected.

ERM Practices

Pros

May make a company more prepared for risks and uncertainties

May leave employees more satisfied with the future state of the company

May result in greater customer service, as companies are prepared for certain situations

May result in efficient reporting to upper management that enhances decision making

May lead to more efficient company-wide operations

Cons

May not accurately identify the risks a company is likely to experience

May not accurately assess the financial impact or likelihood of an outcome

Often requires time investment from a company to be successful

Often requires capital investment from a company to be successful

ERM can help devise plans for almost any type of business risk. Business risk threatens a company’s ability to survive, and these risks may be further classified into different risks discussed below. In general, ERM most commonly addresses the following types of risk:

Compliance risk threatens a company due to a violation of external law or requirement. An example of compliance risk is a company’s inability to produce timely financial statements in accordance with applicable accounting rules, such as generally accepted accounting principles (GAAP).

Legal risk threatens a company should the company face a lawsuit or penalty for contractual, dispute, or regulatory issues. An example of legal risk is a billing dispute with a major customer.

Strategic risk threatens a company’s long-term plan. For example, new market participants in the future may supplant the company as the lowest-cost provider of a good.

Operational risk threatens the day-to-day activities required for the company to operate. An example of operational risk is a natural disaster that damages a company’s warehouse where inventory is stored.

Security risk threatens the company’s assets if physical or digital assets are misappropriated. An example of security risk is insufficient controls overseeing sensitive client information stored on network servers.

Financial risk threatens the debt or financial standing of a company. An example of financial risk is translation losses by holding foreign currency.

ERM is particularly well-suited for large corporations operating in complex and diverse environments. These companies often face a bunch of risks across different business units, regions, and functions. ERM helps large corporations systematically identify, assess, and manage risks at both the operational and strategic levels.

ERM can also be specifically useful in certain industries. For example, ERM is great for financial institutions such as banks, insurance companies, and investment firms. These companies operate within highly regulated and volatile markets. These institutions face so many of the risks discussed above. By integrating ERM into their operations, financial institutions can strengthen risk management practices, optimize capital allocation, and enhance their resilience to economic downturns.

Finally, it’s worth calling out multinational corporations and global enterprises as ideal entities. These companies benefit from ERM because of their expansive operations across multiple countries and jurisdictions. These companies encounter diverse risks related to geopolitical instability, currency fluctuations, supply chain disruptions, and regulatory compliance in varying regions. By implementing ERM frameworks, global enterprises can better track and maintain these risks, especially if their entity has higher risks in certain areas, departments, or business units.

ERM is primarily concerned with identifying, assessing, managing, and mitigating risks across an organization. On the other hand, enterprise resource planning (ERP) tools focus on integrating and optimizing core business processes. The primary purpose of ERP systems is to streamline operations across finance, manufacturing, sales, and marketing (among others). ERM addresses risks across various functions and departments within an organization. ERP systems are generally more specific in their scope. They tend to focus on more granular operational efficiencies instead of bigger-picture, comprehensive risks.

Implementing ERM tools requires collaboration among key stakeholders like risk managers, compliance officers, executives, and board members. These stakeholders work together to establish risk management frameworks. ERP implementations may be more geared toward collaboration among IT teams, department heads, and end users. In addition to having a heavy part to play in operations, a primary component of ERP systems is the potentially live, interconnected play between data. For this reason, as opposed to an ERM tool, ERP systems may have a more technical demand to them.

Finally, risk management strategies in ERM are designed to support long-term sustainability, protect organizational assets, and minimize potential disruptions. ERP systems align with an organization’s strategic goals by improving productivity, reducing costs, and providing real-time insights into business operation opportunities. In a sense, ERM and ERP systems may counteract each other. For instance, an ERP system may signal growth and efficiency opportunities to expand in a specific new market; an ERM may signal that a new market is too great of a risk to consider.

Customer relationship management (CRM) systems are centered around managing interactions with customers and prospects. It leverages technology and processes to organize, automate, and synchronize sales, marketing, customer service, and support activities. The primary aim of CRM is to improve relationships with customers, streamline business processes, and increase profitability by understanding and meeting customer needs effectively.

Like an ERM, a CRM system consolidates data. However, the nature of the data is entirely different. While ERMs track and monitor risks, CRMs care most about customer data, interactions, and insights that enable the company to enhance customer engagement and satisfaction. CRM implementation is crucial for sales teams, marketing departments, customer service representatives, and executives who rely on customer data to drive sales growth and improve overall business performance. Alternatively, ERMs are more useful for operational teams like risk, insurance, operations, or finance.

An ERM focuses on comprehensive risk management across all facets of an organization. This tends to be inward-looking, though it can also incorporate external market forces. A CRM, alternatively, is much more outward-facing. While it will consider current processes and resources within a company, a CRM exists to monitor what is going on outside of the company with a company’s arguably most important resource (i.e., its customers).

ExxonMobil (XOM) is a robust example of how ERM is implemented in a large multinational corporation operating in the oil and gas industry. ERM at ExxonMobil is a structured approach that spans all levels of the organization, aiming to identify, assess, manage, and mitigate risks that could impact its business operations and overall performance. Information on ExxonMobil’s ERM strategy is on the company’s website.

ExxonMobil’s framework integrates five core elements: organizing and aggregating risks, rigorous risk identification practices, a prioritization method, systems and processes for risk management, and comprehensive risk governance. This multilayered approach includes defined roles and responsibilities for risk owners, functional experts, and independent verifiers. The goal is that each type of risk is actively managed and aligned with corporate requirements and processes.

Prior to initiating new developments, the company employs advanced data and computer modeling to assess potential environmental, socioeconomic, and health risks associated with construction and operations. Engaging with communities through public meetings and collaborating with regulators ensures transparent communication and compliance with regulatory standards, both of which can minimize risks in the future.

This rigorous process guided by an integrated ERM also enables ExxonMobil to implement tailored measures to prevent, minimize, or mitigate environmental impacts. These different types of risks could range from changing weather patterns to sea level rise, seismic activity, or geological conditions. ExxonMobil’s environmental assessments with its ERM are conducted for both offshore and onshore facilities to deploy protective measures effectively and uphold operational safety.

What Is ERM?

ERM is a company’s approach to managing risk. It is the practices, policies, and framework for how a company handles a variety of risks that its business faces.

Why Is ERM Important?

ERM is important because it helps prevent losses or unexpected negative outcomes. ERM is also important because it helps a company set the plans in place to strategically approach risk and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

ERM often summarizes the risks a company faces into operational, strategic, and financial risks. Operational risks impact day-to-day operations. Strategic risks impact long-term plans. Financial risks impact the general financial standing and health of a company.

What Are the 5 Components of ERM?

The COSO framework for ERM identifies five components: governance and culture; strategy and objective setting; performance; review and revision; and information, communication, and reporting. These five core components drive a company’s ERM practices.

What Is the Difference Between Risk Management and Enterprise Risk Management?

Risk management has traditionally been used to describe the practices and policies surrounding a specific risk that a company faces. More modern risk management has introduced ERM, a comprehensive, company-wide approach to view risk holistically for the entire company.

As a company makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To better plan for these risks, companies are turning to enterprise risk management (ERM), a company-wide, top-down approach to assessing risk and devising plans. The ultimate goal of ERM is to protect a company’s assets and operations while having strategies in place should certain unfortunate events occur.