Enterprise Risk Management (ERM)
What is Enterprise Risk Management (ERM)?
Enterprise Risk Management (ERM)
An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
ERM is the discipline of managing risk holistically rather than in silos. Mature programs are sponsored by the board and CEO, owned by a Chief Risk Officer or equivalent, and embed risk in strategic planning, capital allocation, and performance management. Common enterprise-level frameworks are COSO ERM (2017) and ISO 31000, which guide governance, culture, appetite setting, risk identification, response, monitoring, and reporting. On the cyber side, the NIST Risk Management Framework (SP 800-37) operates at the system level, and NISTIR 8286 describes how those system-level results are rolled up into the enterprise risk register. Cyber risk is increasingly treated as a top-tier ERM category alongside financial and operational risk because of regulatory pressure and the systemic impact of digital incidents. Effective ERM aligns risk taking with strategy and provides one consistent view to executives, the board, regulators, and rating agencies.
● Examples
- 01
COSO ERM aligned program covering strategic, financial, operational, compliance, and cyber risks.
- 02
Integrated risk dashboard combining credit, operational, and cyber risk exposures.
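The integrated dashboard example above only works if risks scored in different silos can be compared on one scale. The following is an added illustration written for this page (it is not code from COSO, ISO, NIST, or any vendor tool): each domain keeps its own scoring formula (FAIR-style frequency times magnitude for cyber, the standard EAD x PD x LGD expected-loss formula for credit, likelihood times impact for operational and compliance scenarios), every entry is normalised to an annual expected loss in one currency, and the consolidated view is tested against a board-set appetite per category. All risk IDs, owners, figures, and appetite thresholds are constructed for the example.

```python
"""Consolidated ERM view: normalise risks from several categories to annual
expected loss and compare each category with the board-set appetite.
All identifiers, figures and thresholds below are constructed examples."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str               # strategic | financial | operational | compliance | cyber
    owner: str
    description: str
    annual_expected_loss: float  # normalised to USD per year


def cyber_risk(risk_id, owner, description, loss_event_frequency, loss_magnitude):
    """FAIR-style decomposition: expected annual loss = loss event frequency
    (events per year) * loss magnitude (USD per event)."""
    return Risk(risk_id, "cyber", owner, description,
                loss_event_frequency * loss_magnitude)


def credit_risk(risk_id, owner, description, exposure_at_default,
                probability_of_default, loss_given_default):
    """Credit teams' expected-loss formula: EL = EAD * PD * LGD."""
    return Risk(risk_id, "financial", owner, description,
                exposure_at_default * probability_of_default * loss_given_default)


def scenario_risk(risk_id, category, owner, description, likelihood, impact):
    """Likelihood (probability of occurring within the year) * impact (USD),
    the usual bridge from a qualitative register entry to a comparable figure."""
    return Risk(risk_id, category, owner, description, likelihood * impact)


def consolidated_view(register: Iterable[Risk],
                      appetite: Dict[str, float]) -> Dict[str, dict]:
    """Aggregate expected loss per category and test it against appetite
    (maximum tolerated annual expected loss per category, set by the board).
    A category that carries risk but has no appetite statement is reported as
    'unset' so the governance gap itself is visible instead of passing silently."""
    by_cat: Dict[str, List[Risk]] = {}
    for r in register:
        by_cat.setdefault(r.category, []).append(r)
    view: Dict[str, dict] = {}
    for cat, risks in by_cat.items():
        exposure = sum(r.annual_expected_loss for r in risks)
        top = max(risks, key=lambda r: r.annual_expected_loss)
        limit: Optional[float] = appetite.get(cat)
        if limit is None:
            status, headroom = "unset", None
        else:
            headroom = limit - exposure
            status = "within" if exposure <= limit else "breach"
        view[cat] = {"exposure": exposure, "appetite": limit, "headroom": headroom,
                     "status": status, "top_risk": top.risk_id, "owner": top.owner}
    return view


def breaches(view: Dict[str, dict]) -> List[str]:
    """Categories needing board attention: over appetite or with no appetite set."""
    return sorted(cat for cat, v in view.items() if v["status"] != "within")


def total_exposure(view: Dict[str, dict]) -> float:
    return sum(v["exposure"] for v in view.values())


# Constructed register: one entry per silo, each scored in its own native terms.
REGISTER = [
    cyber_risk("CYB-01", "CISO", "Ransomware on core ERP", 0.2, 4_000_000),
    cyber_risk("CYB-02", "CISO", "Breach via managed service provider", 0.5, 600_000),
    credit_risk("CRD-01", "CFO", "Counterparty default, top-10 customer",
                50_000_000, 0.02, 0.45),
    scenario_risk("OPS-01", "operational", "COO", "Warehouse outage > 48h", 0.1, 2_000_000),
    scenario_risk("CMP-01", "compliance", "GC", "Privacy regulator fine", 0.05, 3_000_000),
    scenario_risk("STR-01", "strategic", "CEO", "Key market entry delayed", 0.3, 1_000_000),
]

# Constructed appetite statement (annual expected loss, USD). Note that no
# threshold was set for 'strategic', which the view should surface.
APPETITE = {"cyber": 1_000_000, "financial": 2_000_000,
            "operational": 500_000, "compliance": 250_000}

if __name__ == "__main__":
    view = consolidated_view(REGISTER, APPETITE)
    for cat, v in sorted(view.items()):
        print(f"{cat:12} {v['exposure']:>12,.0f}  appetite={v['appetite']}  "
              f"{v['status']:7} top={v['top_risk']} ({v['owner']})")
    print("attention:", breaches(view), "total:", f"{total_exposure(view):,.0f}")
```

The point of the normalisation step is that the board sees cyber next to credit in the same units; the "unset" status turns a missing appetite statement into a reported finding rather than an invisible pass.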
● Frequently asked questions
What is Enterprise Risk Management (ERM)?
An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Enterprise Risk Management (ERM) mean?
An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
How does Enterprise Risk Management (ERM) work?
ERM is the discipline of managing risk holistically rather than in silos. Mature programs are sponsored by the board and CEO, owned by a Chief Risk Officer or equivalent, and embed risk in strategic planning, capital allocation, and performance management. Common enterprise-level frameworks are COSO ERM (2017) and ISO 31000, which guide governance, culture, appetite setting, risk identification, response, monitoring, and reporting. On the cyber side, the NIST Risk Management Framework (SP 800-37) operates at the system level, and NISTIR 8286 describes how those system-level results are rolled up into the enterprise risk register. Cyber risk is increasingly treated as a top-tier ERM category alongside financial and operational risk because of regulatory pressure and the systemic impact of digital incidents. Effective ERM aligns risk taking with strategy and provides one consistent view to executives, the board, regulators, and rating agencies.
How does Enterprise Risk Management (ERM) relate to cyber security controls?
ERM is a governance discipline, not a control to defend against. It sets the risk appetite and reporting lines that security and compliance programs operate within: cyber risks are identified, scored on the same basis as financial and operational risks, recorded in the risk register with an owner and treatment plan, and reported to the board against the agreed appetite.
What are other names for Enterprise Risk Management (ERM)?
Common alternative names include: ERM.
● Related terms
- compliance№ 936
Risk Management
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- compliance№ 934
Risk Appetite
The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
- compliance№ 937
Risk Register
A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- compliance№ 1144
Third-Party Risk Management (TPRM)
The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
- compliance№ 402
FAIR (Factor Analysis of Information Risk)
An open international standard for quantifying information and cyber risk in financial terms by decomposing risk into loss event frequency and loss magnitude factors.
- compliance№ 733
NIST Risk Management Framework
A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.