Enterprise Risk Management (AKA “ERM”)

Finally, there is an increasing emphasis on Enterprise Risk Management (AKA “ERM”) which helps an organization achieve its vision, mission and objectives and succeed through prevention, avoidance, and control of relevant risk. ERM also aids management in their business continuity and disaster recovery planning, but is not limited to those processes.

Definition of ERM - COSO:

ERM is the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value. Enterprise risk management (ERM) does not create the entity’s strategy, but it informs the organization on risks associated with alternative strategies considered and, ultimately, with the adopted strategy. The organization needs to evaluate how the chosen strategy could affect the entity’s risk profile, specifically the types and amount of risk the organization is potentially exposed to. ERM addresses more than internal control. Internal control is an integral subset of ERM. But ERM also addresses other topics such as setting strategy, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions. ERM is not a checklist. It is a set of principles on which processes can be built for a particular organization, and it is a system of monitoring, learning, and improving performance.

Definition of ERM - The IIA:

The IIA describes ERM in terms of the outcomes it should provide, namely that:

  • Organizational objectives support and align with the organization’s mission;
  • Significant risks are identified and assessed;
  • Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
  • Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.


In a nutshell:

ERM is a continuous process in which the Board and senior University administration continually intertwine strategic planning with the risks that threaten successful achievement of the University’s vision, mission, and objectives. Many risks that threaten success at this strategic level originate outside the organization, so contingent responses to the potential manifestation of such risks are developed in order to manage and minimize any potential impacts. Internal controls can be established for internally-sourced risks.