Enterprise Risk Management (ERM): The Definitive Guide

Everything you need to know about ERM to help you decide if it’s the right move for your organization.

Riskonnect

Enterprise Risk Management (ERM) is a frequent topic of discussion these days in boardrooms around the globe. But what exactly is ERM? Is it just another buzzword – or is it really a new way to manage risk? And the most important question: Will ERM give you more visibility into your risks so you can better protect your enterprise?

This guide will answer all of those questions and more. You’ll learn what ERM is, why it’s worthwhile, and how to begin managing risks and opportunities holistically.

Why all the talk about ERM?

The spectrum of potential risks faced by organizations today has expanded beyond those covered by traditional insurance. Getting a handle on the potential costs and likelihood of occurrence of something like a cyberattack or environmental disaster, however, is a challenge to say the least. Yet these are real threats with real costs that need to be recognized – and a growing number of companies are turning to Enterprise Risk Management to do just that.

ERM collectively looks at all risks, how they relate to each other, and the cumulative impact on the enterprise. Advances in technology are making it easier than ever to manage risks at an enterprise level. But technology alone is not the answer. To be successful, the ERM mindset must be embedded into the very fabric of the organization. With ERM, risk management is everyone’s responsibility.

Despite some signs of greater ERM maturity, a recent study found that many executive teams and boards are now, unfortunately, realizing the implications of being ill-prepared to manage the multitude of enterprise-wide risks triggered by a large-scale root cause event of the magnitude of the COVID-19 crisis.

What Is ERM?

ERM is a structured, proactive, and continuous process that is applied across the enterprise to better understand all risks, how they relate to each other, and the cumulative impact on the organization. It looks to increase an organization’s value by both minimizing losses and maximizing opportunities for growth. While traditional risk management generally focuses only on those risks that are insurable, ERM goes a step further and includes risks that are best managed in other ways.

A company’s reputation, for instance, can’t be directly insured. But you can reduce the risk of damage by proactively identifying and managing potential threats.

Think of ERM as the natural extension to traditional risk management. The question isn’t one of EITHER traditional risk management OR enterprise risk management; rather, those are two ends of the risk management spectrum.

“ERM really provided visibility into our risk ecosystem … While this particular virus was not anticipated per se, contagious disease and outbreak was a known risk that we’ve planned for… ERM allowed us to have a response strategy already in place.”

– Bob Bowman, Senior Director of Risk Management
The Wendy’s Company

Watch the video of Bob describing his experience managing The Wendy’s Company through the COVID-19 crisis.

What are the Advantages of an ERM Program?

The idea of managing risk on an enterprise-wide basis may seem daunting. But migrating toward ERM can be well worth the effort when you consider all that could be gained.

ERM Advantages
  • Supports better decision-making by holistically looking at risks and the collective impact on the enterprise

  • Breaks down silos and encourages communication and collaboration across all areas of the enterprise

  • Adapts to changing conditions with a flexible process for identifying risks, prioritizing actions, and measuring results in terms of the value created for the enterprise

  • Promotes a risk-aware culture throughout the enterprise by involving disciplines outside of the risk management department

More than 50% of organizations recently surveyed said they felt their ERM program is integrated well with other assurance functions and the company as a whole. Half of those surveyed also indicated that they have been able to achieve a more holistic view of enterprise risk by improving the engagement of assurance functions.

How to Get Started with an ERM Program

Implementing ERM does not mean you must rip out your current risk management program by the roots. Indeed, processes that are working well can often be rolled out across the enterprise. The best place to start your ERM journey is to examine your current processes, people, and technology to determine what is working and what could use improvement – then evaluate that in terms of extending risk management across the enterprise. What do you need to add, change, or expand to get you where you want – and need – to be? Here are six questions to get you started:

Identify your risks and the potential impact on the company.
What is your strategy for responding to risk – and how will ERM help create and protect value?

Leverage what your organization is already doing to manage risk.
Apply current practices and strategies for managing well-understood risks – like worker injuries – to other risks.

Build support.
Enlist the support of all stakeholders – operations, sales, accounting, legal, and more. And designate a leader – preferably from the C-suite – to champion the ERM cause.

Break it down.
The idea of managing all risks can be overwhelming at first, so start with the risks that have the biggest impact on the company’s success and build from there.

Assign accountability.
Designate responsibility for each risk to whoever is most closely associated with that risk.

Report on progress.
How has ERM added value to the enterprise?

How Technology Can Help Execute an ERM Program

Managing risk at an enterprise level is virtually impossible with spreadsheets, which is why many organizations struggle with executing a proper Enterprise Risk Management program. It takes the power of today’s cloud-based technology to successfully manage high-level risks on such a broad scale.

ERM software gathers all risk-related information into one source – which alone adds value to the organization by increasing efficiency in the process, as well as accuracy and consistency in the data. ERM software also can:

  • Identify threats – including industry-specific, general enterprise, and emerging issues
  • Assess the impact of risks – both positive and negative
  • Visualize interdependencies between risks – by frequency, severity, and exposure for both insurable and non-insurable risks
  • Enhance communication – with reporting and dashboards
  • Prioritize risks – so you can take action

“Digital transformation is rapidly becoming a ‘must have’ for businesses … not only for future competitiveness and growth, but also for survival.”

– John Wheeler, Gartner

Why Culture is a Critical Component of Enterprise Risk Management

For ERM to be successful, risk management must be a part of every critical decision throughout the organization. That means cultivating a risk culture. People at all levels and functions must not only understand the organization’s approach to risk, but take personal responsibility for managing risk in their everyday work.

Making that happen requires top-level buy-in. If the C-suite incorporates risk into their decisions, others will follow. Add to that by communicating widely, clearly, and continuously about expectations. Assign responsibility for managing specific risks – and hold people accountable.

ERM doesn’t eliminate risk – of course – but it will minimize surprises. And if something unexpected does happen, you’ll have the knowledge, tools, and culture to turn those challenges into opportunities for success.
