What is enterprise risk management?

Enterprise risk management (ERM) is difficult to define, let alone explain to someone unfamiliar with the concept. In short, it is “risk management” at the “enterprise” level. Although this kind of definition or explanation is not very useful and mostly meant for amusement here, it does highlight the fact that ERM involves two important notions brought together to form a unique concept.

Risk Management

Evidently, it is not possible to understand ERM without understanding risk management. Risk management can be defined as a process to identify, analyze, and prioritize risks, develop responses to risks, and monitor and review results. Risk management applies equally to risk-taking and risk-reduction activities. It helps organizations understand, anticipate and manage uncertainties and their effects. Those uncertainties may have desirable or undesirable effects, resulting in positive or negative outcomes that reflect the potential upside or downside of risk.

The process of risk management involves a sequence of activities that need to be applied and reapplied on a regular basis. The main activities are context analysis, risk identification, risk analysis, risk assessment, risk evaluation, risk response, monitoring and reporting. Although these activities are sequential, they nonetheless inform one another, because they all contribute to updating risk and risk management information. For example, risk analysis helps determine appropriate responses, and monitoring helps identify new risks and the effectiveness of current responses.

Enterprise Risk Management

In my book, ERM is defined as: “a discipline that provides an effective, structured and integrated approach for managing risks strategically and on an organization-wide basis, including for the organization as a whole and within all of its management functions and business units.” The term “enterprise” in ERM refers to every type of organization. It means that risk management is applied to whatever activities, or “enterprises”, an organization carries out to achieve its mandate. The main features of ERM are as follows:

  • Structure – Risk management is more effective when applied consistently and systematically across the organization. It cannot be optimal without a certain amount of process rigor and formality. Otherwise, it tends to be inconsistent, fragmented and sub-optimal. The amount of structure needed is driven by organizational culture, size and complexity.

  • Integration – Risk management requires integration for optimal results. Integration implies that management functions and business units work collaboratively to coordinate their efforts. The integration enables organizations to focus on their most significant risks, and to set directions for managing those risks holistically to achieve optimal performance and results.

  • Strategic focus – Risk management needs to be applied strategically. It must focus on the most significant risks that can affect organizational performance and results, including the achievement of goals, strategies and objectives. ERM is supported by management frameworks and integration mechanisms that help organizations apply risk management effectively.

  • Organization-wide approach – Traditionally, risk management was applied only within certain management functions, with limited consistency and sharing of information. With an organization-wide approach, risk management is applied systematically. This approach ensures that risk management benefits the organization as a whole, not just individual functions.

ERM is the modern approach to risk management. Its scope includes all risks, and its focus is directed at the most significant risks. ERM includes structures and integration mechanisms that help organizations manage risks consistently and systematically across management functions and business units. It facilitates the aggregation and reporting of risk information. By extension, it enables organizations to analyze the relationships and interdependencies of risks, to make informed decisions about risks and risk management priorities, and to reallocate resources for better results.

Copyright © 2025 Noranda Education Inc. All rights reserved.