5.1 Enterprise Risk Management (ERM)
Key Takeaways
- ERM is a firm-wide, integrated process to identify, assess, and respond to risks against the entity's risk appetite to create and protect value.
- The 2017 COSO ERM framework has five interrelated components: governance & culture; strategy & objective-setting; performance; review & revision; and information, communication & reporting.
- Risk appetite is the broad amount of risk an entity is willing to accept in pursuing its strategy; risk tolerance is the narrower acceptable variation around a specific objective.
- Risk is assessed on likelihood and impact, often plotted on a heat map; the four responses are avoid, reduce, share/transfer, and accept.
- Residual risk is the risk remaining after responses are applied; it must fall within risk appetite, and the chief risk officer (CRO) owns the ERM process.
What Enterprise Risk Management Is
Enterprise risk management (ERM) is a firm-wide, integrated process for identifying, assessing, and responding to the full portfolio of risks an organization faces, measured against its risk appetite, in order to create and protect value. ERM treats risk as both threat and opportunity rather than a siloed compliance checklist handled separately by each department.
The contrast on the exam is traditional, siloed risk management versus integrated ERM. Siloed management lets one unit hedge a risk another unit is creating, missing offsets and concentrations. ERM aggregates risks across the entity so leadership sees the total picture and allocates capital and controls accordingly.
Benefits of ERM
- Aligns risk appetite with strategy, so objectives are set with risk capacity in mind
- Links risk to performance and capital allocation, improving resource decisions
- Reduces operational surprises, losses, and earnings volatility
- Identifies and manages interrelated, cross-entity risks as a portfolio, not in isolation
- Seizes opportunities, not just avoids threats, by quantifying upside risk
The COSO ERM Framework
The 2017 COSO ERM framework, titled Enterprise Risk Management — Integrating with Strategy and Performance, replaced the older 2004 cube. It organizes ERM into five interrelated components supported by 20 principles. Memorize the five components and their order.
| Component | Focus |
|---|---|
| Governance & culture | Board oversight, operating structure, ethical values, attracting talent |
| Strategy & objective-setting | Risk appetite, strategy alignment, business objectives |
| Performance | Identify, assess, prioritize, and respond to risk; portfolio view |
| Review & revision | Assess change, review risk and performance, improve ERM |
| Information, communication & reporting | Capture data and report risk, culture, and performance |
A frequent trap: candidates confuse this with the COSO Internal Control — Integrated Framework, whose five components are the control environment, risk assessment, control activities, information & communication, and monitoring. ERM is broader and strategy-linked; internal control is the narrower control-focused model.
Risk Appetite vs. Risk Tolerance
Risk appetite is the broad amount and type of risk an organization is willing to accept in pursuit of its strategy and value creation. It is set by the board and senior management and stated at the entity level.
Risk tolerance is the acceptable level of variation around a specific objective. Tolerance is narrower and more measurable. Example: a firm's appetite may be "moderate financial risk," while its tolerance for a given project is "on-time delivery within plus or minus two weeks." Appetite is strategic and qualitative; tolerance is tactical and quantitative.
Identifying and Assessing Risk
After identification, each risk is rated on two dimensions: likelihood (probability of occurrence) and impact (severity if it occurs). A common scoring approach multiplies the two to rank risks, then plots them on a heat map — a grid with likelihood on one axis and impact on the other. High-likelihood, high-impact risks fall in the red zone and demand immediate response; low-likelihood, low-impact risks may simply be accepted and monitored.
Assessment can be inherent (risk before any controls) or residual (risk after planned responses). Boards want to see both so they can judge whether controls close the gap to appetite.
The Four Risk Responses
| Response | Action | Example |
|---|---|---|
| Avoid | Exit or do not enter the activity | Drop a product line that exposes the firm to litigation |
| Reduce (mitigate) | Lower likelihood or impact via controls | Add safety procedures, redundancy, or internal controls |
| Share / transfer | Shift risk to a third party | Buy insurance; hedge with derivatives; outsource |
| Accept (retain) | Take no action because risk is within appetite | Self-insure a small, predictable loss |
The choice weighs the cost of a response against the reduction in expected loss it buys: a control should never cost more than the expected loss it removes.
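The scoring, heat-map placement, response selection and residual-versus-appetite check described in the last two sections can be run end to end on a small risk register. The following Python script is an added example, not part of the original study material and not a COSO artifact; the 1-5 rating bands, the heat-map cut-offs, the appetite expressed as a maximum residual score, and the four sample risks with their costed response options are all constructed assumptions chosen to exercise each of the four responses and the case where no response brings a risk within appetite.

```python
"""Toy ERM risk register: rate likelihood and impact, place risks on a heat map,
pick a response on cost versus expected-loss reduction, and check residual risk
against appetite. All scales, thresholds and sample data below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1-5 rating scale for both dimensions


def likelihood_rating(p: float) -> int:
    """Map annual probability of occurrence to a 1-5 likelihood rating (assumed bands)."""
    for upper, rating in [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4)]:
        if p <= upper:
            return rating
    return 5


def impact_rating(loss: float) -> int:
    """Map loss-if-it-occurs (currency units) to a 1-5 impact rating (assumed bands)."""
    for upper, rating in [(50_000, 1), (250_000, 2), (1_000_000, 3), (5_000_000, 4)]:
        if loss <= upper:
            return rating
    return 5


def score(p: float, loss: float) -> int:
    """Likelihood x impact, the common multiplicative ranking score (1-25)."""
    return likelihood_rating(p) * impact_rating(loss)


def heat_zone(s: int) -> str:
    """Assumed heat-map colour bands on the 1-25 score."""
    return "red" if s >= 15 else "amber" if s >= 8 else "green"


@dataclass(frozen=True)
class Response:
    kind: str            # avoid | reduce | share | accept
    annual_cost: float   # cost of the response (forgone margin, premiums, controls)
    residual_p: float    # probability after the response is applied
    residual_loss: float # loss-if-it-occurs after the response is applied


@dataclass
class Risk:
    name: str
    p: float      # inherent annual probability
    loss: float   # inherent loss if the event occurs
    options: List[Response]

    def inherent_expected_loss(self) -> float:
        return self.p * self.loss


def choose_response(risk: Risk, appetite_score: int) -> Optional[Response]:
    """Pick the option with the largest net benefit (expected loss removed minus cost)
    among those whose residual score fits appetite and whose cost does not exceed the
    expected loss it removes. Accepting (do nothing, cost 0) is always a candidate.
    Returns None when no option brings residual risk within appetite (escalate)."""
    accept = Response("accept", 0.0, risk.p, risk.loss)
    best, best_net = None, float("-inf")
    for opt in [accept] + risk.options:
        if score(opt.residual_p, opt.residual_loss) > appetite_score:
            continue  # residual risk would still exceed appetite
        benefit = risk.inherent_expected_loss() - opt.residual_p * opt.residual_loss
        if opt.annual_cost > benefit:
            continue  # control costs more than the risk it removes is worth
        if benefit - opt.annual_cost > best_net:
            best, best_net = opt, benefit - opt.annual_cost
    return best


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Cells keyed (likelihood, impact) holding the names of the risks plotted there."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        grid[(likelihood_rating(r.p), impact_rating(r.loss))].append(r.name)
    return grid


def build_register(risks: List[Risk], appetite_score: int) -> List[dict]:
    """Inherent score and zone, chosen response, residual score, and appetite check per risk."""
    rows = []
    for r in risks:
        inherent = score(r.p, r.loss)
        chosen = choose_response(r, appetite_score)
        residual = score(chosen.residual_p, chosen.residual_loss) if chosen else None
        rows.append({"risk": r.name, "inherent": inherent, "zone": heat_zone(inherent),
                     "response": chosen.kind if chosen else "ESCALATE",
                     "residual": residual, "within_appetite": residual is not None})
    return rows


# Constructed sample register; figures are illustrative, not drawn from any real firm.
SAMPLE_RISKS = [
    Risk("Data-centre outage", 0.30, 2_000_000, [
        Response("reduce", 150_000, 0.05, 500_000),   # redundancy
        Response("share", 80_000, 0.30, 200_000)]),   # insurance
    Risk("Product litigation", 0.60, 8_000_000, [
        Response("avoid", 1_000_000, 0.0, 0.0),       # exit the product line
        Response("reduce", 400_000, 0.30, 4_000_000)]),
    Risk("Petty cash shrinkage", 0.90, 5_000, [
        Response("reduce", 20_000, 0.20, 5_000)]),    # control costs more than the loss
    Risk("Key supplier failure", 0.40, 3_000_000, [
        Response("reduce", 300_000, 0.25, 3_000_000)]),  # still outside appetite
]
APPETITE_SCORE = 6  # assumed: residual risks must score 6 or below

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, APPETITE_SCORE):
        print(row)
```

Running it shows each response being selected for the reason the table above gives: insurance (share) for the outage because it has the best net benefit within appetite, exiting the product line (avoid) for the red-zone litigation risk, accepting the small predictable shrinkage because the control would cost more than the loss, and an escalation for the supplier risk because no costed option brings its residual score within appetite. That last row is the board-level signal the text describes: the gap to appetite is not closed, so the response set must be revisited.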
Residual Risk and the CRO
Residual risk is the risk that remains after responses are applied; it must fall within the entity's risk appetite. The chief risk officer (CRO) owns and coordinates the ERM process, reports to the board or audit/risk committee, and maintains the enterprise risk register — but the board retains ultimate oversight responsibility.
The CRO does not eliminate risk or personally own each exposure. Instead, the CRO sets a common risk language, consolidates the portfolio view so concentrations and offsets are visible across units, and challenges business leaders on whether residual risk truly sits within appetite.
Many firms use the three lines model: operating managers are the first line who own and run their controls; the risk function is the second line that monitors and aggregates; internal audit is the third line that independently assures the board.
Putting It Together
The ERM cycle flows in order: set appetite and objectives, identify risks, assess likelihood and impact, choose a response, then monitor residual risk and report. Each step ties to a COSO component, and the loop repeats as conditions change. A common trap is treating ERM as a one-time annual report rather than a continuous, embedded process — the review & revision component exists precisely to keep responses current.
A risk remains after the company has installed all planned controls and hedges. What is this remaining exposure called, and what condition must it satisfy?
Which statement correctly distinguishes risk appetite from risk tolerance?