What is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a holistic, proactive approach to managing organizational risks.

Organizations base their ERM approach on a comprehensive assessment that identifies potential risks and determines which technologies, strategies and services can most effectively prevent or mitigate them. Because organizations and technologies continually evolve, leaders must periodically adapt their ERM approaches to counter new and emerging threats. ERM encompasses all aspects of risk, including cybersecurity-related, technological, regulatory, financial, physical, reputational and external, including third-party risks.

Learn more about CDW’s ERM services, workshops and assessments that can help your organization become more secure and more resilient.

Why is ERM Important?

ERM is crucial because it allows organizations to proactively anticipate, prevent and manage risks. By systematically assessing risks, organizations can improve decision-making, strengthen their financial position, maintain competitive advantages and prepare for risks so that when changes or crises occur, they can respond quickly and effectively. 

Without ERM, organizations are reactive, so risks will likely be more disruptive and more expensive to resolve. In some cases, such as cybersecurity and regulatory compliance, the consequences of improperly managed risks can be significant, including disrupted operations, reputational damage and steep fines and penalties. While not all risks can be prevented, advance preparation makes it much more likely that organizations can limit the damage.

ERM also provides a framework for integrating risk analysis into decision-making processes. That integration is essential because an organization’s risk tolerance will play a major role in its business strategy. For example, an organization may decide that the potential rewards of a new revenue stream are greater than the potential risks. However, analyzing the risks allows leaders to make a more informed decision about the best way to proceed, including how to mitigate the consequences if the new venture is unsuccessful. By considering the entire organization, ERM helps organizations take an intentional, consistent approach to risk management. 

What Types of Risks Are Considered?

Cyber Risk Management

Cybersecurity risks relate to an organization’s technology environment, including networks, software, data and devices. Security threats have become extremely prevalent and are a serious concern for organizations of all types and sizes. Even though cybersecurity professionals can use artificial intelligence (AI) and other sophisticated tools to defend against cyberattacks, cybercriminals also have these capabilities, making it difficult to stay on top of emerging threats. Moreover, with so many aspects of modern business relying on digital systems, these risks can become unwieldy if organizations don’t have a proper strategy for managing them.

Third-Party Risk Management

Organizations typically work with several types of third parties, such as materials suppliers, contractors, logistics partners, service providers and many others. At large organizations and those that serve an international market, the roster of third parties can be quite extensive.

However, the access a third party holds can have serious repercussions for the organizations it works with. High-profile data breaches have occurred because cybercriminals were able to gain access to a smaller company’s systems, which then allowed them to circumvent the larger company’s defenses.

In recent years, it has become apparent that many leaders lack visibility into their third parties’ operations, which makes it difficult to assess their risks. Several regulatory bodies have noted this gap and strengthened requirements for third-party monitoring. Organizations incorporating third parties into ERM may implement measures such as more specific contract requirements, more frequent compliance audits and improved software asset management.

Supply Chain Risk Management

An organization’s supply chain partners are a special category of third party. ERM evaluates the same risks for these partners as for other third parties while considering additional risks unique to the supply chain. For example, natural disasters or geopolitical shifts could affect the flow of materials to an organization, so a risk management response would be to proactively identify alternative suppliers.

Model Risk Management

Many organizations use computer models to make decisions, predict future outcomes (e.g., forecast retail demand) and perform other functions. Financial institutions use scoring engines to support lending decisions, engineers use structural models to analyze building stability, and IT companies use machine learning models to create chatbots and other automated tools. However, models’ accuracy depends on their data quality, analytical assumptions and methodologies. Models that are not reliable could result in poor decisions and negative outcomes. Model risk management is a way to assess data integrity and provide ongoing monitoring.

AI Risk Management

As organizations integrate AI into their operations, they need to understand and manage related risks. As with model risk management, some risks relate to data quality and the need to ensure that AI models are fair, unbiased and accurate. However, AI risk management also encompasses cybersecurity, regulatory compliance and ethical concerns. Transparency and explainability — the ability to see and understand how AI models arrive at their results — are important aspects of AI risk management.

Benefits of ERM

ERM increases organizations’ ability to holistically assess their risks and determine the best strategies for preventing or mitigating them. The proactive nature of ERM is key because it increases the likelihood that organizations will be able to manage risks effectively and at a lower cost. When organizations are reactive, on the other hand, risks can become significantly more disruptive. For example, ERM ensures that critical systems, such as IT, are properly managed so that technology interruptions are minimal. 

ERM also enhances leaders’ ability to coordinate risk management activities across the organization. This allows for important stakeholder input, strategic decision-making and investments that align with business priorities. Ultimately, ERM is a way of increasing organizational resilience. By seeking out potential threats and figuring out how to navigate them, leaders are in a much better position to develop the best solutions.

How Does ERM Work?

ERM provides a comprehensive structure for identifying, analyzing and mitigating risk. This structure allows organizations to be strategic and consistent. The following sections describe key steps of the ERM process.

Identify and Analyze Risks

The first step is to identify current and potential risks using a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis, scenario planning, a risk register or another method. Then, organizations use qualitative and quantitative methods to evaluate risks so that leaders understand how likely they are to occur and their potential impact. Scoring risks based on their urgency and severity informs the next step, which is to determine the appropriate response to each risk.

Develop and Implement Risk Response Strategies

There are four ways to manage risk: avoid, mitigate, transfer and accept. Organizations can take action to eliminate a risk, implement controls to reduce the risk or its effects, shift the risk to another party or accept the risk. Once leaders have decided how to handle each risk, they can determine who is responsible for the next steps. This phase is where much of the core ERM work occurs as the organization implements mitigation strategies, establishes controls and takes other steps. 

Monitor and Adapt

Ongoing monitoring is essential to ERM, allowing organizations to track key risk indicators, measure the effectiveness of risk response and identify emerging risks. Monitoring may include the use of audits, scenario analyses, dashboards and other tools to gain valuable insights and ensure strategies work as intended. Organizations may adapt their ERM approaches to address new threats and reflect operational changes.

ERM Best Practices

Effective risk governance is an essential foundation for ERM. That means top leaders are invested in the program, and roles and responsibilities are clearly defined. ERM must also be a partnership between business and technology leaders. By working together, these groups can align on fundamental assumptions that drive ERM efforts, such as defining what risk means in a particular environment, and then work collaboratively to reduce risk. Ideally, ERM is aligned with organizational goals and integrated into strategic planning so that it becomes part of the decision-making culture.

Experts also recommend using an established ERM framework, especially when an organization is developing its ERM skills and capabilities. A framework helps to ensure that ERM efforts are appropriately broad and that leaders systematically identify, evaluate and prioritize risks using the appropriate tools. Finally, organizations should leverage advanced technologies where possible, taking advantage of AI and automation to increase the accuracy and efficiency of ERM processes.

Popular ERM Frameworks

ERM frameworks provide helpful guidance for organizations that want to base their approach on industry standards and best practices. Organizations may choose a framework based on their risk management goals, organizational size and complexity, geographical location and other factors. The following frameworks are some of the most popular.

ISO 31000

The International Organization for Standardization (ISO) developed ISO 31000 as “a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.” It provides guidance and best practices for infusing risk management throughout every area of operations, from policies to culture, and for proactively addressing risks to increase resilience.

COSO ERM Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published “Enterprise Risk Management–Integrating With Strategy and Performance” as an update to its original guidance, reflecting changes in business and the evolving complexity of risk management. COSO also offers ERM guidance on specific topics, such as AI and cloud computing.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (CSF) helps organizations use high-level outcomes to “understand, assess, prioritize and communicate” their cybersecurity posture. It describes various outcomes that organizations can use to develop their own roadmaps, tailoring their strategies to their own objectives and risk tolerance profiles.

GRC Capability Model

OCEG’s GRC Capability Model integrates multiple disciplines — governance, risk, compliance, strategy, auditing, IT and culture — into a single approach. Organizations can apply the model alone to address risk-related initiatives, use it to facilitate conversations with key stakeholders or combine it with more in-depth frameworks. 

ERM Tools and Software

Governance, risk and compliance (GRC) platforms help organizations see risks holistically so that stakeholders can coordinate. GRC platforms are a centralized resource that aggregates risk information into one platform, giving leaders increased visibility and actionable information for decision-making.

ERM and the Cloud

Cloud computing can introduce new risks but may also offer capabilities that help organizations minimize risks. Many organizations struggle to achieve cloud visibility, making it difficult to assess risks. Given the ease of spinning up cloud environments, organizations may be unsure of what data resides in the cloud, who has access and how well it is protected. All of these concerns are important to address through ERM. At the same time, cloud environments may offer advanced security features that reduce risks, while cloud-based backups can increase resilience and recovery capabilities.

What to Look for in an ERM Solution

The right ERM solution depends on organizational goals. In industries such as healthcare and financial services, leaders may want to improve their ability to demonstrate compliance with regulations. In other cases, leaders may want to increase visibility so they can more accurately identify risks and understand their impacts. Clarifying short- and long-term risk management goals — and understanding what capabilities already exist in the IT environment — will guide the selection of an ERM solution.

How Can CDW’s Risk Assessment and Cybersecurity Advisory Services Help Organizations With ERM?

Successful ERM initiatives analyze risk with breadth and depth, identifying strategic concerns and carefully determining the best responses. A partner with ERM expertise can help business and IT leaders streamline and improve their risk management efforts to ensure they are comprehensive and appropriately detailed.

CDW has helped thousands of customers across multiple industries assess their ERM maturity, identify gaps and vulnerabilities, and develop tailored roadmaps to implement the most effective solutions for a particular environment. CDW offers structured, holistic assessments and risk management strategies that help organizations align with industry frameworks and best practices.


ERM FAQs

ERM encompasses risks across the entire organization, so it is more comprehensive than traditional risk management, which typically focuses on risk in individual departments. Traditional risk management is also more reactive, and in some industries it may center on regulatory compliance. In ERM, the goal is to be proactive, and compliance is only one type of risk considered. 

Traditional risk management focuses on negative risks, whereas ERM considers threats and opportunities. For example, a company might determine that its reliance on a single market region is too risky amid geopolitical changes. Expanding to new markets could increase business resilience while generating new revenue streams.

Compliance and regulatory requirements affect how organizations conduct their operations, especially in healthcare, financial services, government and other fields. Regulations may mandate that organizations meet certain security and privacy standards. For instance, HIPAA requires hospitals to keep patient data confidential. Regulations may be geographical, applying only to organizations that operate in specific areas. Such laws affect ERM because organizations are responsible for adapting to regulations as they evolve and for meeting compliance deadlines. 

Cloud technologies have complicated risk management but can also enhance organizations’ ability to manage risk. The cloud’s most common challenge is lack of visibility. Complex, multi-cloud environments and issues such as “shadow IT” (employees using cloud tools or apps not approved by management) can hamper leaders’ ability to see what data is stored in the cloud.

On the other hand, cloud technologies can enhance ERM. Modern cloud platforms often use AI to facilitate real-time data analysis that helps organizations make better decisions and more accurate predictions, thereby improving risk management. Cloud environments also have advanced security features, such as automated threat detection and compliance tracking. In addition, cloud-based ERM platforms offer centralized dashboards and reporting, which makes it easier to coordinate risk management activities across the organization.

Identifying metrics, key risk indicators (KRIs) and qualitative outcomes at the outset is an important aspect of ERM planning. Examples of KRIs include the number of cybersecurity incidents, compliance-related fines or unexpected events. Measurable KRIs reduce uncertainty and help leaders spot trends, opportunities and concerns.

Organizations can also measure growth in their risk management maturity. They may get faster at identifying risks or more comfortable integrating risk management into decision-making. Successful ERM programs should lead to measurable improvements across multiple fronts so it is essential to be clear about desired outcomes in each area.

ISO 27001 is an internationally recognized framework for creating and maintaining an information security management system. To achieve ISO 27001 certification, an organization must implement controls across the entire system using a comprehensive, structured approach. As an international standard, ISO 27001 makes sense for organizations with global operations that would benefit from complying with all of its mandates and best practices. 

Service Organization Control 2 (SOC 2) is based on information security management principles from the American Institute of Certified Public Accountants. It is more flexible than ISO 27001 because organizations can focus only on specific controls. As a U.S.-based standard, SOC 2 is better suited to organizations primarily serving U.S. clients. To demonstrate compliance with SOC 2 standards, an organization must receive an attestation report from an auditor. Overall, ISO 27001 is more extensive, while SOC 2 is essentially an audit of security controls that evaluates their effectiveness.

As described above, ISO 27001 is a comprehensive approach to information security and requires external certification. The NIST CSF is a flexible framework intended to help organizations evaluate and strengthen their security posture across five core functions: Identify, Protect, Detect, Respond and Recover. CSF is designed to help organizations self-assess, so there is no certification. Although CSF is used internationally, it was primarily created for U.S.-focused organizations.

ERM will continue to evolve to reflect the challenges and opportunities of advanced technologies. For example, cybercriminals’ use of AI has created a new challenge for cybersecurity, but AI is also proving to be a useful ERM tool, improving organizations’ ability to model and predict various risk-based scenarios. ERM will also adapt to changes in the regulatory landscape, which is increasingly complex. Broader global issues, such as climate-related natural disasters, also affect ERM, with many organizations preparing for more frequent disruptions.