Enterprise Risk Management (ERM)

Risk management methods that firms use to identify and mitigate risks that can pose problems for the enterprise


What is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a term used in business to describe risk management methods that firms use to identify and mitigate risks that can pose problems for the enterprise. The simple question that ERM practitioners attempt to answer is: “What are the major risks that could stop us from achieving the mission?”

  • Enterprise Risk Management (ERM) gives public and private companies a structured way to manage risk. An effective risk management method, if integrated properly into planning and operations, can produce substantial cost savings by catching losses before they occur.
  • There are four broad types of risk associated with each business – hazard risks, financial risks, operational risks, and strategic risks.
  • The ERM process includes five specific elements – strategy/objective setting, risk identification, risk assessment, risk response, and communication/monitoring.

Type of Risks

In 2004, the JLA research team analyzed 76 S&P 500 companies that had suffered a decline in market value of 30% or more, classifying the cause of each decline by risk type. They found that 61% of occurrences were due to strategic risks, 30% to operational risks, and 9% to financial risks.

  • Hazard risks are risks of physical harm: events that threaten life, health, or property, such as fire, natural disaster, or an accident.
  • Financial risks are risks directly related to money. They include financial consequences like an increase in costs, a decline in revenues, or a loss from market or credit exposure.
  • Strategic risks are risks that affect or are created by strategic business decisions, such as entering a new market, launching a product line, or an acquisition.
  • Operational risks are risks of loss arising from failed or inadequate internal processes, people, or systems, or from external events that disrupt day-to-day operations.

Risk Response Strategies for Enterprise Risk Management

Management selects from the five risk response strategies below to deal with each identified risk:

  1. Risk avoidance: The elimination of risks or of the activities that create them. For example, the cancellation or halt of a proposed production line or product line.
  2. Risk reduction: The mitigation or limitation of the likelihood or severity of losses through controls. For example, management can plan frequent visits to their major suppliers to identify potential problems early.
  3. Alternative actions: The consideration of other ways to achieve the same objective that carry less risk, before committing to the original plan.
  4. Share or insure: The transfer of risks to third parties, such as insurers or contractual partners. For example, buying an insurance policy that covers an unexpected loss for the business.
  5. Risk acceptance: The acknowledgment of an identified risk and the willingness to bear its consequences, typically because the expected loss is within management's tolerance. Any loss from a risk that is neither transferred nor avoided is, in effect, an accepted risk.

Core Elements of an Enterprise Risk Management Process

ERM follows a distinct and ongoing process that actively identifies and reassesses the strategic and other major risks to the business so that they can be kept within management's tolerance. The process includes five specific elements:

  1. Strategy/Objective setting: Understand the strategies of the business, what drives its value, and the risks associated with each.
  2. Risk identification: Build a clear profile of the major risks that can negatively impact the company's objectives and overall financials.
  3. Risk assessment: Analyze each identified risk to determine both its likelihood and its potential impact, so that risks can be ranked against each other.
  4. Risk response: Consider the available risk response strategies and select actionable paths that bring each identified risk in line with management's risk tolerance.
  5. Communication and monitoring: Continuously monitor relevant information and key risk indicators, and communicate them across all departmental levels so that the assessment stays current.

Example of an Enterprise Risk Management Process

  1. Strategy/Objective setting: Consider Tesla, a publicly traded company operating in two primary segments – automotive and energy generation. In this example, ERM begins by considering what drives the company's value during the strategy/objective setting step. For Tesla, this could include the company's competitive advantage, new strategic initiatives, key product lines, or an acquisition.
  2. Risk identification: Once the key drivers are identified, the ERM process moves to risk identification, evaluating the relevant risks that could hinder the success of each key driver.
  3. Risk assessment: Each risk is then analyzed from cross-departmental views during the risk assessment step to estimate its likelihood and impact.
  4. Risk response: Once upper management has discussed and acknowledged the potential risks, executives select the most suitable risk response strategy for each.
  5. Communication and monitoring: Finally, upper management measures, monitors, and communicates the effectiveness of the risk response strategies using whatever key risk indicators the organization finds effective.
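The five-step process and the five response strategies above can be made concrete as a small risk register. The following Python is an added example written for this page, not code from CFI or from any company's ERM program: the register entries, the 1-to-5 likelihood and impact scales, the tolerance and avoidance thresholds, and the order in which responses are considered are all constructed assumptions, chosen only to show how scoring, response selection, and key-risk-indicator monitoring fit together.

```python
"""Toy ERM risk register: score risks, choose a response, watch a KRI.

Added illustration for the ERM process described on this page. Every
entry, scale and threshold below is constructed for the example and is
not real company data or a prescribed standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    HAZARD = "hazard"
    FINANCIAL = "financial"
    OPERATIONAL = "operational"
    STRATEGIC = "strategic"


class Response(Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share/insure"
    ACCEPT = "accept"


@dataclass
class Risk:
    name: str
    driver: str               # value driver from step 1 that this risk threatens
    category: Category
    likelihood: int           # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int               # assumed scale: 1 (negligible) .. 5 (severe)
    insurable: bool = False   # can a third party carry the loss?
    avoidable: bool = False   # can the activity itself be dropped?

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        """Step 3: inherent score = likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def choose_response(risk: Risk, tolerance: int, avoid_threshold: int = 20) -> Response:
    """Step 4: pick the response that brings the risk within tolerance.

    The ordering is an assumption for this example: accept what is already
    within tolerance; avoid extreme risks whose activity can be dropped;
    share/insure severe but insurable losses; otherwise reduce with controls.
    """
    if risk.score <= tolerance:
        return Response.ACCEPT
    if risk.avoidable and risk.score >= avoid_threshold:
        return Response.AVOID
    if risk.insurable and risk.impact >= 4:
        return Response.SHARE
    return Response.REDUCE


def rank_register(register: list[Risk]) -> list[tuple[str, int]]:
    """Steps 2-3 output: (name, score) pairs, highest score first."""
    return sorted(((r.name, r.score) for r in register), key=lambda t: (-t[1], t[0]))


def kri_breach(risk: Risk, observed_likelihood: int, tolerance: int) -> bool:
    """Step 5: a key risk indicator reports a new likelihood; is the risk now out of tolerance?"""
    return observed_likelihood * risk.impact > tolerance


# Constructed register for a hypothetical manufacturer (not real data).
REGISTER = [
    Risk("Single-source battery supplier fails", "key product line", Category.OPERATIONAL, 3, 5),
    Risk("Factory fire", "key product line", Category.HAZARD, 2, 5, insurable=True),
    Risk("Competitor undercuts price", "competitive advantage", Category.STRATEGIC, 4, 4),
    Risk("Speculative side project overruns budget", "new strategic initiative",
         Category.STRATEGIC, 4, 5, avoidable=True),
    Risk("FX loss on overseas receivables", "revenue", Category.FINANCIAL, 3, 2),
]
TOLERANCE = 8  # assumed: management accepts any risk scoring 8 or below


def plan(register: list[Risk] = REGISTER, tolerance: int = TOLERANCE) -> dict[str, Response]:
    """Full pass over the register: one response per identified risk."""
    return {r.name: choose_response(r, tolerance) for r in register}


if __name__ == "__main__":
    for name, score in rank_register(REGISTER):
        print(f"{score:>2}  {name}")
    for name, resp in plan().items():
        print(f"{resp.value:<13} {name}")
```

With these assumptions the side project (score 20, avoidable) is avoided, the factory fire (impact 5, insurable) is insured, the supplier and competitor risks are reduced with controls, and the FX exposure (score 6) is accepted. The `kri_breach` check is the monitoring half of step 5: if the FX indicator later reports likelihood 5, the accepted risk's score becomes 10 and it is flagged for reassessment.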
