ERM is defined by the Treadway Commission¹ as “a process, effected by an entity’s board of directors, management and other personnel applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Various risk areas across the enterprise (i.e., strategic, operational, compliance and financial) as shown in the diagram below can impact an organization’s reputation. ERM is a holistic organizationwide approach to risk management and integrates risk management with strategic planning. Additionally, an ERM program can help position an organization to not only identify and mitigate traditional risks, but also to manage risk and, whenever possible, turn risk into opportunities.

ERM chart

Enterprise risk management focuses on an institution’s achievement of its objectives or mission in the following four areas:

  • Strategic – high-level goals that are aligned with and support the institution’s mission
  • Operational – ongoing management process
  • Financial – protection of the institution’s assets
  • Compliance – the institution’s adherence to applicable laws and regulations

¹ The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting.