In business, enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives. An ERM program provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management, and internal control. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies. Various consulting firms offer suggestions for how to implement an ERM program. Common topics and challenges include:
- Identifying executive sponsors for ERM.
- Establishing a common risk language or glossary.
- Identifying and describing the risks in a "risk inventory".
- Implementing a risk-ranking methodology to prioritize risks within and across functions.
- Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
- Establishing ownership for particular risks and responses.
- Demonstrating the cost-benefit of the risk management effort.
- Developing action plans to ensure the risks are appropriately managed.
- Developing consolidated reporting for various stakeholders.
- Monitoring the results of actions taken to mitigate risk.
- Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.