Enterprise Risk Management (ERM)

It is a general process for managing risk within an organization.

Author: Marazban Tavadia
I have completed my Bachelor's in Business Administration. I am currently working as a Financial Analyst with Northern Trust and am a trader on the side.
Reviewed By: Sid Arora
Investment Banking | Hedge Fund | Private Equity

Currently an investment analyst focused on the TMT sector at 1818 Partners (a New York Based Hedge Fund), Sid previously worked in private equity at BV Investment Partners and BBH Capital Partners and prior to that in investment banking at UBS.

Sid holds a BS from The Tepper School of Business at Carnegie Mellon.

Last Updated: October 20, 2023

What is Enterprise Risk Management (ERM)?

Enterprise Risk Management is a framework for managing organizational risk. Organizational risk is a broad term; it encompasses concerns ranging from ensuring employee safety and securing sensitive data to meeting statutory regulations and stopping financial fraud.

ERM is concerned with managing the risks in an enterprise consistently and coherently.

Thus if we take an enterprise as a whole, we're not just looking at the top-level strategic risks but also functional and departmental risks, portfolio and program risks, and project and operational risks.

A general process for managing risk within an organization is referred to as enterprise risk management (ERM). Because it is implemented at the company level rather than in departmental silos, an ERM system is highly integrative.

The benefit of this top-down strategy is that risk is evaluated concerning its possible impact on several business divisions rather than independently.

One issue with the ERM approach is its propensity to reduce risk management to a single metric (e.g., either VaR or economic capital). In a dynamic-risk setting, this is overly simplistic.

The financial crisis of 2007–2009 taught risk managers that risk is complex and necessitates analysis from multiple angles.

Risk managers must conduct statistical analysis and make wise decisions to implement an ERM framework properly.

The two main enterprise risk management objectives are understanding corporate risks and incorporating risk management into strategic business planning. However, ERM is more than just corporate risk aggregation.

Fortunately for risk managers and corporate executives, resources are available to aid in lowering uncertainty.

Enterprise risk management (ERM) is one tool business leaders in virtually every industry may utilize to recognize, understand, and reduce risk more efficiently.

On the other hand, taking the proper risks at the right moments can help an organization advance. ERM supports this because it considers risk and how risk should shape an organization's strategic planning.

Businesses must manage their risk to ensure their continuity and profitability. Moreover, managing risk is an essential part of running a business.

Objectives of enterprise risk management (ERM)

Enterprise Risk Management is focused on accomplishing an entity's objectives, outlined in four categories:

  • Strategic: Mission-driven, high-level goals and objectives (Strategic Objectives, External Forces, Governance, Business Model, etc.)
  • Operations: Resource development, management, and allocation (Business Process, Upstream Value Chain, Downstream Value Chain, etc.)
  • Reporting: Information gathering, analysis, and communication (Information Technology, Financial, Internal, Intellectual Property, etc.)
  • Compliance: Conformance with laws and regulations (Securities and Exchange Commission, Environmental, Legal, Contractual, etc.)

Terminologies Relating to Risk:

  1. Risk Appetite: It concerns the level of risk a firm is willing to take to scale business operations and leverage to boost profits.
  2. Risk Tolerance: The acceptable variance around a specific set of risk-based objectives. When setting risk tolerance levels, management considers the significance of the related objectives and balances risk appetite against risk tolerance.

Understanding Enterprise Risk Management (ERM)

When implementing and overseeing ERM programs, business units, upper management, and board members receive structured feedback and direction from an ERM framework.

The comprehensive approach of enterprise risk management necessitates managerial decisions that might not be appropriate for a particular corporate division or sector. Thus, firm-wide surveillance takes precedence over the individual business units' responsibility for risk management.

Regardless of personnel turnover or industry standards, ERM frameworks aid in establishing a constant risk management culture.

Establishing an ERM Framework is essential because it allows a company to see its whole risk level accurately. The steps that must be taken to develop an ERM Framework, together with any advantages or challenges, are discussed below.

A practical, comprehensive ERM framework gives businesses a playbook for preventing corporate disasters, gaining competitive advantages, and developing new market opportunities.

Understanding Enterprise Risk Management involves five significant areas:

  • Corporate governance
  • Internal control
  • Implementation
  • Risk management process
  • Sources of risk

Corporate Governance

Corporate governance is necessary to guarantee that the management and board of directors have created the proper organizational procedures and corporate controls to assess and manage risk throughout the entire firm.

Recent advancements in corporate governance can be seen as catalysts for, and contributors to, the pressure currently being put on ERM. They clarify what shareholders expect from boards of directors.

Additionally, they address the methods businesses have used to control risks and the level of disclosure of these methods.

Because it offers top-down monitoring and administration, corporate governance now constitutes a crucial part of enterprise risk management.

It gives the board the duty of ensuring the correct risk management procedures and systems are in place.

Internal Control

A solid internal control system must be established and maintained to protect shareholder investments and company assets. Examining internal control provides an understanding of what should be regulated and how.

Internal control is the organization's strategy together with the coordinated techniques and precautions a company uses to protect its assets.

An internal control system comprises the plan and procedures as well as the daily activities carried out under them.

It is crucial to recognize that no internal control system, no matter how thorough, can remove the possibility of fraud or error.

There will always be a few occurrences, usually due to unanticipated events or a person determined to perpetrate fraud.

Corporate governance is a subset of internal controls, while internal controls are a subset of risk management.

Risk management goals include improved internal and external reporting, compliance with laws and regulations, and efficient and successful corporate operations.

To maximize the advantages of the ERM process, specific resources should be set aside to build internal controls with the necessary skill and understanding.

A firm's internal control systems can support risk management implementation with resources from within or from outside consultants. Uncertainty and its impact on strategic goals and objectives are at the heart of risk.

Whichever route is selected, the parameters of any study must be mapped, communicated, and agreed upon so that the timeframe, resources, costs, inputs, and deliverables are understood.

A set of procedures must be implemented as part of adopting an enterprise risk management approach to ensure that an organization is aware of, and pays attention to, present and developing risks that could affect desired outcomes.

The two most widely used frameworks for implementing ERM are the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management Integrated Framework and ISO 31000:2018 (Risk Management: Guidelines) from the International Organization for Standardization (ISO).

Each of these frameworks has its supporters and differs in some ways. However, despite their differences, they give the organization the proper structure for ERM.

Risk Management Process

The formal risk management process aims to ascertain whether the perceived reward outweighs the anticipated hazards. For example, is it possible to lower the risks while maintaining a roughly equivalent return?

There is a four-way choice involved in the risk management process. The business may avoid risk by shifting production, selling a product line, or staying out of specific markets or jurisdictions.

Depending on the projected gains compared to the likelihood and frequency of anticipated losses, they can also choose to keep taking risks. Reducing the amount or frequency of exposure to the specific risk factor is another way to decrease risk.

Finally, risk managers could use structured products or derivatives to transfer risk to a different party. Additionally, they could buy insurance to transfer risk to an insurance provider.

The risk management process is composed of several fundamental components. They are:

  • Identify risks.
  • Calculate and manage risks.
  • Separate predicted risks from unexpected hazards.
  • Examine the connections between the threats.
  • Create a plan for risk reduction.
  • Follow the risk mitigation plan and make changes as necessary.

Sources of Risk

The risk management process is useless without a thorough understanding of the sources of risk and the best practices for managing them.

One approach to looking at the sources of business risk is to consider that risk comes from two places: from within the company (its internal business procedures and activities) and from the environment in which it operates, over which it has no control.

Banks take on risks to increase profits and stay competitive. As a result, there may be a predisposition, in pursuit of better results, to take risks entirely unconnected to the return.

Several factors accelerate risk, including the choice of counterparty, an inadequate risk assessment, and disregard for the borrower's rating.

For banks and other sectors, competition continues to be a significant source of risk.

The risks arising from the external environment can be organized using a classic PEST analysis, which covers political, economic, social, and technological external influences.

Types of Risks

All firms face risk. These risks can be subcategorized as market risks, credit risks, liquidity risks, operational risks, legal and regulatory risks, business and strategic risks, and reputation risks.

Financial risk is one of the main worries for every organization, regardless of its industry or location. This explains the enormous popularity of the Financial Risk Manager (FRM) exam among financial professionals worldwide.

The FRM is the highest certification available to risk management experts globally. Once more, the fundamental subject of the FRM Level 1 exam is financial risk.

It is crucial to comprehend what risk is and what forms of hazards there are before learning how to control and manage risk.

Risk is characterized as the possibility of an unexpected or unfavorable outcome. Any action or behavior that increases the likelihood of suffering a loss of any type is considered risky.

A corporation may come across and have to manage a range of risks. The three categories of risks are financial risk, non-business risk, and business risk.

1. Market Risk

The constant fluctuation of market prices and rates is referred to as market risk. Market risk is the possibility of experiencing losses on financial assets due to unfavorable market changes.

Changes in equities or commodity prices, shifts in interest rates, or changes in foreign exchange rates are a few examples of market risk.

Along with credit and operational risks, market risk is one of the three primary risks for which all banks must disclose and retain capital. Value-at-Risk (VaR) analysis is the accepted technique for assessing market risk.

There are four primary types of market risk.

Understanding how the positions relate to one another is essential for reducing these dangers. In addition, risk management strategies must adapt as these linkages alter.

2. Credit Risk

Credit risk is the risk that a party loses money because the counterparty fails to honor a contract. Credit risk may increase if the counterparty's probability of default rises during the life of the contract.

It is one of the three primary categories of risk that banks must deal with, together with operational risk and market risk, and it makes up the lion's share of risk-weighted assets (RWAs) at most banks.

Banks use credit risk modeling to determine how much capital to hold against credit losses, which fall into two categories: expected and unexpected losses.

Under the international accounting standard IFRS 9, banks must make provisions for expected losses, so reserves must be set aside to cover losses at the time the loan is made or bought. The previous standard, IAS 39, only obliged banks to make a loss provision once a loan started to show indicators of credit deterioration.

The U.S. counterpart of IFRS 9 is known as CECL.

Credit risk is divided into four categories:

3. Liquidity Risk

Liquidity risk is the risk that a company or bank may be unable to meet short-term financial demands.

It may incur losses resulting from its inability to meet payment obligations promptly when they become due or from being unable to do so at a sustainable cost.

Financial institutions of all sizes and shapes took liquidity and balance sheet management for granted before the global financial crisis.

However, many institutions found it difficult to maintain adequate liquidity and a proper balance sheet structure during the crisis.

This resulted in bank failures and the requirement for central banks to inject liquidity into national financial systems to maintain the economy's stability.

If liquidity risk becomes systemic, it could lead to elevated credit risk (e.g., a potential default scenario). Liquidity risk is subdivided into two parts:

4. Operational Risk

Operational risk is the potential for losses resulting from insufficient (or failing) internal systems, human mistakes, or an external event.

Operational risk is the possibility that a company's internal procedures, guidelines, and controls won't be sufficient to stop a loss from happening due to unstable market conditions or operational challenges.

These flaws may result from incorrect risk measurement or reporting, a lack of controls over trading personnel, or both.

Although the operational risk is more challenging to identify precisely than market or credit risk, many believe it was a factor in several recent highly publicized losses.

Operational risk is one of three elements of the first pillar of Basel II capital requirements for credit institutions (banks), along with market risk and credit risk.

The specifics of operational risk may relate to elements like insufficient internal controls, inept management, fraud, employee errors, natural disasters, cyber security threats (technology risk), or rogue traders.

5. Regulatory and Legal Risks

Legal risk is the chance of experiencing monetary or reputational loss due to operating carelessly, disregarding the law and its application, or operating without knowledge (or with an incorrect view) of how the law relates to your organization.

There is a chance that litigation will make a firm unpredictable. An illustration of legal risk in a two-way financial transaction is one side suing the other to sever the relationship.

The term "regulatory risk" refers to the potential for rules and regulations to alter and influence a particular industry or business. For example, such regulatory changes may significantly affect an industry's structure, cost structure, etc.

It refers to the uncertainty surrounding a government body's actions. A change in tax legislation or in margin requirements are two examples of regulatory risk.

The strategic direction, business model, and compliance method you choose to follow can all be significantly impacted by new and developing legislation. Therefore, it's crucial to consider regulatory requirements while assessing business risks.

6. Business and Strategic Risk

Variability in inputs that affect revenues or cost structures is called business risk. The business risk could be applied to various business factors, including new product developments, shipment delays, and production cost overruns.

Strategic risk entails making long-term decisions on core corporate strategy. Large capital expenditures on either equipment or human resources may be necessary for these long-term strategic objectives.

An organization might invest millions of dollars in creating a new product line, for instance, only to see it fail on the market because customers don't find that it meets their needs.

Another illustration of strategic risk is a bank that loosens its lending criteria to increase loan originations, only to discover that, in a time of market difficulty, the risk of those loans rises to a catastrophic level.

Alternatively, the regulatory environment could change and affect a project's viability.

7. Reputation Risk

Reputation risk is the danger that a firm will suffer a loss in public perception (or consumer acceptance) due to either:

  • A loss of confidence in the firm's financial soundness or,
  • A perception of a lack of fair dealing with stakeholders.

The effects of reputation risk on an entity could begin with lost earnings and eventually result in insolvency if the public's opinion of the business declines along with the corporation's value.

Because users can swiftly share information that may or may not be factual, social media can potentially increase reputation risk. Similarly, operational hazards like a cyberattack could result from the exponential rise of technology.

Reputation risk is usually the outcome of facing a loss in one of the other risk categories. For example, a significant credit risk experienced by a bank can create a reputational impact on the firm.

Benefits of Enterprise Risk Management (ERM)

ERM is a comprehensive process for discovering, evaluating, managing, and dealing with internal and external risks.

The focus on developing a standardized, organized, and ongoing process that results in a 360-degree perspective of a company's risks and shares that view with total transparency throughout the entire organization distinguishes ERM from traditional risk management.

Employing an ERM strategy to manage risks in an organization has several advantages. They include:

  • Pricing and decision-making take into account the capital related to stress testing.
  • Risk is considered when the bank chooses its business strategy and makes strategic decisions.
  • ERM aids in conforming to regulations.
  • ERM identifies threats to the entire organization that originate from certain business lines.
  • Emerging risks like cyber threats, reputation hazards, and anti-money laundering (AML) concerns are better addressed at the enterprise level.

Scenario-Analysis And Enterprise Risk Management (ERM)

The only thing that is guaranteed in both business and life is unpredictability. By examining the potential financial effects of prospective future developments and considering different potential outcomes, scenario analysis is a valuable tool for navigating future uncertainties.

Scenario analysis is a method that offers a logical and organized way to examine the future. It looks at multiple variables at once and involves developing a narrative to explain why the variables change and what the effects of those changes are.

Sophisticated financial models are developed to assess the impact of various scenarios on the risks and performance of enterprises.

The study of scenarios is not new. The U.S. military invented it in the middle of the 20th century, and Shell Oil began utilizing it in the 1970s to assess and react to changes in the world's oil supplies.

Enterprises frequently employ it, due mainly to financial modeling tools that substantially reduce human labor and speed up the process.

It may be even more crucial for smaller organizations, since a single occurrence can damage them more severely than a larger one.

The collapse of the world financial markets between 2007 and 2009 exposed flaws in probabilistic risk measurements like VaR. The actual loss levels experienced seemed unfathomable based on VaR models.

As a result, risk identification in the ERM program now relies primarily on scenario analysis and stress testing, and businesses better understand the implications of unusual or tail-risk events through scenario analysis.

Silo-Based Risk Management vs. ERM

Silo-based risk management is concerned with evaluating each risk type by specific units within an organization in isolation.

For example, traders were responsible for managing market risk, actuaries worked on insurance risk, and management analyzed business risk.

The traditional silo-based risk management approach may have proved successful in less volatile markets. However, it suffers from the shortcoming of ignoring the dynamic nature of risks and their interdependencies.

Given the shortcomings of the traditional approach, an integrated and centralized framework would significantly increase the efficiency of managing company risks. Such a centralized approach is known as Enterprise Risk Management (ERM).

The four main risk management methods are avoidance, retention, mitigation, and transfer.

Without a comprehensive approach to the entire company risk, these are often regarded as discrete decisions in a compartmentalized fashion. Instead, risks are seen as a part of the whole from an ERM perspective.

Researched and authored by Marazban Tavadia | LinkedIn

Reviewed and Edited by Aditya Salunke | LinkedIn
