Saturday, April 25, 2009

ERM Defined

There are many definitions of ERM, but the one worth noting here is that of COSO (2004): “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” (COSO Enterprise Risk Management – Integrated Framework. 2004. COSO).


ERM is:

1. a process -> which has to be embedded into the business process
2. effected by the board and management -> after all, this is a strategic initiative and must be set and monitored by them
3. applied in strategy setting -> thus the concern shifts from risk limits to risk strategy; it should align the mission statement and strategic objectives down to tactical and operational objectives and activities
4. applied across the enterprise -> say goodbye to silo and partial approaches; risk is now everyone's business
5. designed to identify potential events that may affect the achievement of an entity's objectives -> define your goals/objectives first, set the criteria and performance measures, and then identify the potential risk events that may hinder (threats) or strengthen (opportunities) your organization's capability to achieve its goals/objectives
6. risks should be managed within an entity's risk appetite -> find the right balance between pursuing expected gains and taking appropriate risks; no risk, no gain, but excessive risk is a truly dangerous adventure
7. reasonable assurance -> not absolute assurance. You can override the risk management process. You can deny the adverse facts. If that is the case, ERM is doomed to fail. It is therefore also about moral and ethical standards, not only data and calculations.
