Skip to content

Our Privacy Statement & Cookie Policy

All Thomson Reuters websites use cookies to improve your online experience. They were placed on your computer when you launched this website. You can change your cookie settings through your browser.


Enterprise risk management (ERM): An overview

· 12 minute read

· 12 minute read

Establish resilient enterprise risk management (ERM) with strategic planning, comprehensive risk identification, and effective communication, ensuring business sustainability and growth.

Jump to:

 What is enterprise risk management?

 Steps to the ERM process

 Benefits and challenges of ERM

 Best practices to ERM

 Final words


This blog is part of this series.


Not long ago, retailer Bed Bath & Beyond was a Fortune 500 company. In 2023, it filed for Chapter 11 bankruptcy, closing its last store at the end of July. The reasons for its closure are numerous and complex. But it’s clear that it didn’t or couldn’t plan for all the dangers that brought down its once-booming business model.

As events such as the pandemic, the decline of many economies, and rapidly rising interest rates have demonstrated, even solid businesses can be disrupted. Companies of all kinds face numerous risks that could damage their operations, their reputation, their profitability, and even their viability. This makes the implementation of an enterprise risk management (ERM) initiative absolutely crucial. The goal of ERM is to help businesses make informed decisions about risk in order to operate more efficiently and profitably. But to be effective, an ERM initiative needs careful planning and enterprise-wide participation.

What is enterprise risk management?

Enterprise risk management (ERM) is a systematic approach to identifying risks associated with running a business, assessing their likelihood and potential impact, and developing strategies to manage and mitigate them. Most businesses have some kind of risk management program in place. But in “traditional” risk management, the management is typically left in the hands of separate divisions or departments. By contrast, ERM is a holistic approach, requiring communication and coordination between business units to identify and manage risks across the entire organization. Many companies have established an ERM team that includes stakeholders from several key departments.

This is because of the risks that enterprise risk management (ERM) addresses across departmental boundaries. These include strategic risks, which involve activities related to achieving business objectives. They also include financial risks that need to be managed such as debt levels, cash flow shortfalls, or investments that could harm the business’s bottom line. New technologies, notably generative AI technologies such as ChatGPT, could disrupt many companies’ business models and open them up to possible compliance challenges. Insufficient cybersecurity can cause crucial company or customer data to fall into the hands of cybercriminals. There are legal risks that would need to be managed such as lawsuits involving contracts or other business agreements. Then there are the risks associated with compliance–not meeting regulatory requirements such as Sarbanes-Oxley regarding financial reporting, for instance.

Enterprise risk management (ERM) also includes operational risk management (ORM), which focuses specifically on identifying, assessing, and managing risks related to the organization’s day-to-day operations. These can include risks associated with technology, regulatory compliance, and onboarding vendors. Like ERM, ORM seeks to reduce risks. However, the risks ORM addresses are unintentional risks, such as employees who accidentally open up company data systems to cybercriminals. Besides managing all types of risk, ERM can also help an organization to optimize certain intentional strategic risks—those that could bring in new customers, new product lines, and new ways to reduce expenses and improve performance.

In addition, enterprise risk management (ERM) incorporates the use of key performance indicators, or KRIs, with metrics that track risk assessment performance. It also typically includes the development of a “risk register” that outlines potential risks associated with certain activities or operations.

There are numerous reasons why enterprise risk management (ERM) is essential. Most notably, it allows organizations to be proactive in identifying and monitoring potential internal and external risks rather than simply reacting to them after they occur. It also establishes protocols for mitigating those risks that an enterprise simply can’t avoid.

Another key reason a business should establish an ERM program is to enhance its ability to operate more efficiently and profitably. By raising the profile of the potential dangers a company faces, ERM protocols can help inform strategic decision-making and implementation while also minimizing losses from potentially damaging risks.

By openly and transparently sharing information about risk and mitigation, a company-wide risk management initiative can keep all employees and other stakeholders aware of risks and risk management protocols. This can be beneficial when employees interact with customers about potential risks. That in turn can reassure all stakeholders about a company’s resilience and durability.

Steps to the enterprise risk management process

Crafting a successful enterprise risk management (ERM) initiative requires careful thought and rigorous execution. That thinking informs the following ERM components, which were developed by the Committee of Sponsoring Organizations (COSO), a private-sector group that helps organizations provide guidance on internal control, risk management, and fraud deterrence:

Setting goals

This involves defining the organization’s goals and objectives and aligning them with its tolerance for risk. A business should recognize that long-range strategic plans are fraught with risks that could translate into opportunities–or dangers.

Internal workflows

Internal factors that influence the organization’s risk management include its management structure, governance, and company culture. These factors determine the enterprise’s risk appetite and what kinds of risks it needs to manage. While it is senior management (and, in many organizations, the company’s board of directors) that typically identifies what risks require managing, many organizations also engage employee input.

Identifying risks

This involves identifying risks, defined as events or situations, that could affect the organization’s ability to achieve its objectives. These impacts can be either beneficial or harmful to the company’s future operations. An ERM program should identify high-risk events that could be particularly damaging. An example of such an event might be the current backup at the Panama Canal, which is snarling numerous companies’ supply chains.

Assessing risk

In this step, a company determines how likely the risks it has identified risks are likely to occur. It also prioritizes them based on how significant an impact they might have. The COSA ERM framework suggests that companies assess both the percent change of occurrence and the dollar impact of a potential risk. In addition, COSA advises that an organization assess not only the direct risk (COVID-19 social distancing) but also residual risks (employees resisting returning to the office). There are many types of risk assessments depending on the industry, but overall, risk assessment tools have their benefits.

Responding to risk

The organization then develops and implements strategies for managing the risks it has identified. One strategy is avoidance. An example would be shedding a business line where the potential dangers outweigh any benefits. A second strategy is maintaining that business line while establishing protocols to reduce any potential damage. A third option is acceptance. A company may choose this route if it determines the possibility of a risk event occurring is low and the costs of reducing potential negative impacts are too high.

Controlling activities

Also known as internal controls, these activities involve implementing policies and procedures to mitigate the identified risks and monitoring their effectiveness. Control activities can be classified as preventative (preventing or mitigating a risk event) or detective (recognizing the risk event and responding appropriately).

Monitoring risk activity

This involves continuously monitoring the organization’s risk management processes and controls, and making adjustments as needed. A company may wish to contract with an external consultant to evaluate its risk management practices. Whether the monitoring is conducted externally or internally, it should determine how well the ERM process is working, and whether the company is leaving itself vulnerable to any risk despite the processes and policies in place.

Communicating information

This step ensures that the organization’s risk management processes and results are communicated to stakeholders. Those within the business overseeing its ERM initiative should gather data and design metrics regarding the company’s risks and how they’re being managed. Sharing this information with senior management and affected employees can ensure their involvement in any needed mitigation.


Risk & Compliance Report

A delicate balance between risk and reward

View report




Benefits and challenges to enterprise risk management

What are the benefits of enterprise risk management?

A rigorous, thoughtfully developed enterprise risk management (ERM) program can help avoid financial losses, reputational damage, compliance failures, and legal liability. It also improves business decision-making because it provides more complete information on the risks a company faces. As a result, an ERM program can strengthen corporate governance and oversight and reduce instances of fraud.

Enterprise risk management (ERM) also boosts internal communication and interdepartmental cooperation. The regular risk reports that a firm’s ERM team delivers to upper management include a list or “matrix” of the risks, how these risks are being prepared for or mitigated, and how the risks are being prioritized. This information is crucial for management decision-making and guidance regarding risk response and preparation.

An enterprise risk management (ERM) program can help a company’s operations and profitability in numerous ways. It can uncover areas where a company is vulnerable to theft or embezzlement. It can be useful in discovering markets and product areas to enter or to avoid. ERM also can strengthen a business’s supply chain by identifying areas where that chain might be weak. An example would be the recent semiconductor shortage, which slowed production for many companies. All this can result in better management of strategic risks that could lead to new opportunities (such as acquisitions and new products) or dangers (such as new competitors and disruptive technologies).

What are the challenges of enterprise risk management?

Despite all the advantages of enterprise risk management (ERM), getting a program established is by no means a slam dunk. For most companies, ERM requires culture, process, or system changes that can be costly, time-consuming, and disruptive. ERM can be particularly costly to businesses that have limited resources. As a result, it may be difficult for supporters of an effective ERM program to get buy-in from upper management.

Company leaders may believe that the investments of time, talent, technology, and capital needed to implement an enterprise risk management (ERM) initiative don’t pencil out, and that those costs exceed the potential benefits. They may argue that it’s difficult to project a program’s effectiveness, including a legal project management tool, because it involves assessing the probability and impact of risk events that may or may not occur. Establishing metrics is often one of the most significant challenges an ERM initiative wrestles with. In addition, ERM also could result in organizations becoming reliant on particular digital technology tools, which could be a risk in itself.

If a company does go forward with establishing an enterprise risk management (ERM) program, there are other risks it will need to anticipate. It makes perfect sense that the risks an enterprise will seek to manage will be those that the company has already faced or is currently facing. But the most potentially dangerous risks are those that it hasn’t encountered. The recent pandemic is a particularly notable example. How many companies not only anticipated the pandemic but also had metrics in place to measure its effect on the business’s customers, employees, and other stakeholders? And how could the potential costs of mitigating the risks associated with the coronavirus have been determined?

Best practices for enterprise risk management

Companies need to consider both the benefits and challenges of enterprise risk management as they craft their own enterprise risk management (ERM) program. This can help them determine the best practices they should follow.

The components of enterprise risk management (ERM) discussed earlier reflect many of the best practices of an effective ERM initiative. Clearly, such a program needs to identify, assess, and prioritize all risks an enterprise might face. It needs to develop consistent action plans that eliminate or reduce the most significant risks, as well as processes to continuously monitor risk and risk-related metrics–and then enforce risk management policies.

For this to succeed, a company should also develop a culture that includes open communication about risk and risk management throughout the organization. It should also assign risk management responsibilities to appropriate employees. And it should determine whether there are ways to automate risk management processes.

Final words

In an unpredictable, fast-changing business environment, an enterprise risk management (ERM) initiative is essential. An ERM program includes assessment, prioritizing, and mitigation of any potential risk to a company’s future health and success. And wherever necessary, it solicits the participation and input of all stakeholders—senior management, board of directors, employees, and customers.

The benefits of a well-crafted risk management strategy include thorough regulatory compliance, a clearer sense of how strategic risks can help or hurt a business, and improved decision-making about operations, opportunities, and future planning. It’s not stated too strongly to say that an enterprise risk management program could mean the difference between maintaining a successful business—or going out of business entirely.

More answers