What is enterprise risk management?

COSO defines enterprise risk management as a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This definition is broad for a reason. It reflects certain fundamental concepts, each of which is discussed in the COSO ERM framework. As summarized in the framework, “enterprise risk management is:

• A process, ongoing and flowing through an entity

• Effected by people at every level of an organization

• Applied in strategy-setting

• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

• Designed to identify potential events affecting the entity and manage risk within its risk appetite

• Able to provide reasonable assurance to an entity’s management and board

• Geared to the achievement of objectives in one or more separate but overlapping categories – it is “a means to an end, not an end in itself.”

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment.

It advances the maturity of the enterprise’s capabilities around managing its priority risks. Before a company can assert it is applying ERM, it must address ALL of the above concepts embodied in COSO’s definition.

Other links related to enterprise risk management fundamentals: