GRC 101: What is ERM?


Written by: Andrew Steioff

Updated: May 01, 2023


For as long as humans have been getting out of bed in the morning, there has been risk. This has been true from the time of woolly mammoth hunts all the way up to modern voyages to Mars. Projects, initiatives, and activities large and small have always carried the chance that something could go wrong.

In the modern business context, the collection of efforts to manage risks to projects, people, and profits has become a function all its own. This function is called Enterprise Risk Management, and it plays a critical role in protecting companies from threats internal and external.

Modern businesses, in fact, face an incredibly diverse collection of obstacles and potential dangers. Programs to manage all of them have in turn grown increasingly complex and important to the health of the company. Thus, it can be helpful to lay out some definitions for this complicated, fast-evolving discipline.


The Textbook Definition of ERM

According to Investopedia:

Enterprise Risk Management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization's operations and objectives.

The Committee of Sponsoring Organizations (COSO) takes this definition a step further, pointing out that ERM is...

  • ...a process, ongoing and flowing through an entity
  • ...applied in strategy setting
  • ...applied across the enterprise, at every level and unit
  • ...effected by people at every level of an organization
  • ...designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite, in order to provide reasonable assurance regarding the achievement of business objectives
  • ...geared to achievement of objectives in one or more separate but overlapping categories

At its highest level, ERM encompasses the discipline, culture, and control structure an organization has in place to continuously monitor and improve its risk management capabilities in a changing business environment.

Why is ERM important?

ERM is important because every business faces risks, and the smart ones mitigate those risks in an intelligent, strategic manner. After all, the time will come—sooner than many executives may expect—when the fundamentals of the business change. ERM is about staying one step ahead of the risks that threaten the company now as well as in the future.

Even the most effective risk management strategy can’t identify and eliminate every single threat—the world is too complex and unpredictable for that. Sooner or later, the firm will face a situation that places its reputation, financial resources, operations, people, and more in jeopardy. The goal of ERM is to limit the exposure as much as humanly possible, and limit the damage when an adverse event does occur.

ERM in Practice

Enterprise Risk Management involves four primary categories of activity:

(1) Identifying Risks
(2) Assessing Risks
(3) Managing Risks (prevention, avoidance, mitigation, acceptance, or transfer)
(4) Monitoring the risk over time

At most companies, these high-level components, along with their many subtasks, are spelled out within an Enterprise Risk Register.

While many companies have an ERM program in place, there’s little agreement as to what ERM really looks like in practice beyond the baseline features. This is partly inevitable, of course: businesses, people, and circumstances can be markedly different from firm to firm. Combine this with the number of emerging risks to worry about and the fast-evolving nature of the business world, and the variegated nature of ERM can be understood.

Against this backdrop, it can be difficult to truly measure a program’s effectiveness, and hence many businesses fall short of effectively managing their Enterprise Risks. Unfortunately, too many companies take a limited view of ERM, managing it as a static “list of risks” rather than as a dynamic and interconnected network of risk relationships. The result is that many companies think they are implementing ERM, but aren’t doing so at the level necessitated by the myriad risks that exist in the world today.

In its immature state, ERM adds limited value because it often leaves management with a list of risks and very little insight as to what to do next. In its various forms, ERM may increase risk awareness with management, the board of directors and others, but it will not be effective in driving decisions because it typically isn’t integrated with the enterprise’s decision-making processes. As a result, risk is often an afterthought to strategy and risk management is an appendage to performance management.

The Future of ERM

ERM is a relatively new and evolving management discipline. For this reason, “best practices” are still being written. This is why program flexibility is key when companies set up their ERM programs—they never know when new methods, policies, and frameworks will need to be implemented.

Technology can help companies get their ERM program off the ground—while keeping it agile enough to evolve with emerging threats. LogicGate’s Enterprise Risk Management solution facilitates collaboration across departments in such areas as Policy Management, Process Automation, Third-Party Risk, and Vendor Management. We use state-of-the-art graph databases to define, monitor, and remediate risks as your business grows. We are passionate advocates for the important role ERM software can play in any industry, including financial services, energy, and healthcare.


For more on ERM, check out LogicGate's eBook, Assessing the Costs and Benefits of ERM: An Inquisition
