March 30, 2026 33 min read

Enterprise risk management (ERM) fundamentals

Mitchell Nazarov

Key Takeaway: Enterprise risk management (ERM) takes a top-down, integrated approach that aligns risk identification and treatment to strategic objectives. In 2026, ERM programs must absorb AI governance, third-party oversight, and operational resilience under regulations like DORA, the EU AI Act, and NIST CSF 2.0. PwC reports 37% of leaders now rank AI governance and third-party risk as top priorities.

Enterprise risk management is a top-down methodology that integrates risk activities across an organization and ties them to senior management's strategic objectives. ERM consolidates traditional risk management strategies, internal controls, and otherwise siloed risk functions, giving stakeholders a deeper view of the company's risk profile. Rather than reacting to risks after they materialize, ERM equips leaders to anticipate uncertainty and pursue opportunities that advance the organization's mission.

How ERM evolved from siloed risk management

The practice of risk management has a long history, with origins dating back to the 1920s. Around the turn of the century, risk practices took center stage along with increased focus on internal controls and a proliferation of risk management frameworks (RMFs). As the discipline evolved, organizations realized that previous approaches — which relied on business units to manage their own risks and mitigation plans — were allowing risks to pass through the gaps between silos. The need for a centralized, enterprise-wide approach gradually became clear. And so, the methodology of enterprise risk management (ERM) was born, representing a progression in how stakeholders, senior management, and even the federal government think about an organization's risk.

Other outgrowths of risk management include operational risk management (ORM), IT risk management (ITRM), project risk management (PRM), and supply chain risk management (SCRM), all of which can be consolidated under an ERM program.

ERM vs. traditional risk management

Traditional risk management is typically siloed, reactive, and tactical: individual business units identify and mitigate their own risks with limited cross-functional visibility. ERM takes an integrated, enterprise-wide, top-down approach that aligns risk treatment to strategic objectives and surfaces interdependencies between business units.

Attribute   | Traditional risk management     | Enterprise risk management
------------|---------------------------------|-----------------------------
Scope       | Business-unit or function-level | Enterprise-wide
Posture     | Reactive                        | Proactive
Orientation | Tactical, loss-prevention       | Strategic, opportunity-aware
Ownership   | Distributed across silos        | Board, CRO, and three lines
Reporting   | Fragmented, point-in-time       | Standardized, continuous

The shift also reframes risk as both threat and opportunity, supporting decisions that advance the organization's mission rather than only protecting against loss.

What organizations gain from a mature ERM program

By establishing a strong ERM program, organizations can better understand their risk appetite and improve decision-making, prioritizing initiatives and mitigation plans that support company goals. Many regulatory requirements and counterparties mandate some form of risk assessment or risk management process that an ERM program incorporates. ERM processes also encourage knowledge-sharing about potential risks, facilitating better and more timely reporting — and more efficient, effective risk response.

Read on to learn the essentials of enterprise risk management, and how to implement ERM processes at your organization.

Components of enterprise risk management

Depending on the ERM framework your organization uses, there may be a different number or categorization of components — but common themes run through every framework. This article identifies five key components of ERM, loosely based on the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management – Integrated Framework (ERM-IF). Other frameworks have varying components, though they follow similar themes. We break down some of those frameworks later in this article.

The five components of enterprise risk management are:

  1. Company culture, governance, and values
  2. Strategic planning, objectives, and goal setting
  3. Risk management cycle (COSO calls this "Performance")
  4. Monitoring and continuous improvement (COSO calls this "Review & Revision")
  5. Transparency, communication, and reporting

Image: COSO Components and Principles (Image Source: COSO)

1. Company culture, governance, and values

The company culture, governance structure, and values of an organization play a major role in establishing and maintaining a successful ERM program. The internal environment — defined by policies, procedures, codes of conduct, team norms, and operational norms — shapes how employees and business units view risk and how engaged they will be with the overall risk strategy. An organization with a risk-aware culture has an easier time implementing and actioning ERM processes.

This component also covers the organization's tone-at-the-top, operating structure, and retention. The attitudes, values, and actions of senior management have a ripple effect throughout the organization, and unethical leadership can lead to a going-concern risk — a reality reflected in board-level governance priorities for 2026. A poorly constructed operating structure brings risks related to meeting customer expectations and maintaining product quality.

Who owns ERM? Ownership is part of the internal environment, and practitioners can't ignore it. ERM ownership is distributed across three lines: the board (and audit/risk committee) sets risk appetite and provides oversight; senior management and the Chief Risk Officer (CRO) own ERM program design, execution, and reporting; business unit leaders act as first-line risk owners; and internal audit provides independent third-line assurance over the program's design and operating effectiveness. Under NIST CSF 2.0, the CISO is increasingly accountable for the cyber slice of ERM, with explicit board-level reporting expectations. Appointing a CRO to oversee risk management, communicate with leadership, and own the program is a strong step toward strengthening ERM.

2. Strategic planning, objectives, and goal setting

Strategic planning, objectives, and goal setting is the second component of ERM. Since ERM takes a top-down approach, an important step is to collaborate with stakeholders, senior management, and the board of directors to define the company's objectives, goals, and strategy. Once these are set, the process of identifying, assessing, responding, reporting, and monitoring risks can begin.

As part of this stage, senior management should define risk appetite and thresholds, drawing lines around the risks they will accept versus those they will not. Key risks that have a material or otherwise significant effect on the business should also be identified and discussed. This is a good time to decide whether the company will employ an existing ERM framework or a bespoke one, and to brainstorm metrics and key risk indicators (KRIs) that the organization can use to measure risk management performance.

3. Linking ERM to strategy: Defining risk appetite and tolerance

An effective ERM strategy begins with a clear definition of risk appetite — the level and types of risk leadership is willing to accept in pursuit of strategic objectives. This step is more than procedural; it establishes the foundation on which the entire ERM program is built.

Risk appetite reflects the organization's vision and goals. A high-growth technology startup may accept greater innovation and market risks than a well-established utility company that prioritizes stability and reliability. Once risk appetite is set at the strategic level, it must be translated into practical risk tolerances — measurable thresholds that outline acceptable deviations for different categories of risk.

By linking risk appetite and tolerance directly to strategic objectives, organizations ensure that day-to-day risk decisions remain aligned with long-term business goals. This top-down connection strengthens decision-making, drives consistency across the enterprise, and reinforces ERM as a strategic enabler rather than a compliance exercise.

4. Risk management cycle

Once senior management has set the organization's goals and defined risk appetite, the cycle of risk identification, assessment, mitigation, and response can begin. If this process looks familiar, it should — this is the foundational risk management cycle that appears in most methodologies.

At this point, if you haven't already, start updating your risk register or risk library as you proceed through the risk analysis steps.

Risk identification: Risk identification should be an ongoing process, with the risk register updated as each new risk surfaces. The company examines its internal environment, business processes, and policies to pinpoint potential risks and develop risk statements for each. Risk statements are written with a condition, then the consequence if that condition occurs.

Image: Enterprise Risk Management: Writing a Sample Risk Statement

Throughout identification, the company must be vigilant toward all types of risk, including digital risk, which many organizations overlook.

Risk assessment: Following identification, risks need to be assessed by category and overall risk score. Sometimes called risk analysis, this step results in the categorization and prioritization of identified risks.

Risk scoring (likelihood and impact): The simplest and generally accepted method assigns a likelihood (or probability) score and an impact (or severity) score to each risk, then multiplies them for a cumulative risk score. Most companies use a 3×3 or 5×5 risk assessment matrix, with 1 being the lowest likelihood and impact, and higher numbers indicating a greater likelihood and impact.

  • Likelihood is determined by assessing how probable it is that a given risk will occur. The more likely the event, the higher the score.
  • Impact is determined by analyzing how severe the consequences would be if the risk were realized. The more severe the impact, the higher the score.

By giving risks a quantitative score and color-coding them, teams can better prioritize which risks need treatment first and develop appropriate action plans.

Types of risk categories: There are many risk categories, including strategic, financial, operational, compliance, security, reputational, and external risks.

  • Strategic risk: Involves business strategy and objectives. Risks are realized when the business does not follow strategic plans, fails to define corporate strategy, or prepares an inadequate plan. Impacts can resound throughout the entire organization, from senior management to granular business processes.
  • Financial risk: Involves financial planning, debt management, and market changes, among other factors that could affect financials. Subtypes include currency, default, and liquidity risks. These often receive significant attention from leadership and can fundamentally shape business decisions.
  • Operational risk: Impacts day-to-day functions and is realized when a business process, control, or system fails. Examples include global crises, IT system failures, natural catastrophes, and employee errors. These risks can affect an organization's ability to deliver products and services on time.
  • Quality risk: Affects the product or service customers consume. Any risks to product or service quality, or to the controls and processes that maintain quality, fall into this bucket. Quality failures can erode customer satisfaction and trust.
  • Compliance risk: Relates to legal, regulatory, and contractual obligations. Compliance risks are realized when compliance controls fail, do not address the risk in full, or the organization does not fulfill its obligations. Recent regulations such as the EU DORA requirements, which entered application in January 2025, exemplify how compliance risk now extends into digital and third-party operational domains. Impacts typically take the form of fines, terminated contracts, or inability to obtain a certification or attestation.
  • Security risk: Pertains to physical and cyber security posture. Cyber threats continue to proliferate, with malicious actors exfiltrating data, demanding ransoms, and exploiting vulnerabilities. According to PwC's 2026 Global Digital Trust Insights, 60% of business and tech leaders rank cyber risk investment in their top three strategic priorities.
  • Reputational risk: Could impact standing with clients, partners, investors, employees, regulators, customers, and the public. Reputational risks are often realized when a company makes a decision that demonstrates a lack of competence or awareness of social and environmental issues.
  • External risk: Unlike the categories above, these risks do not come from an organization's ability to complete a function or establish controls. They are uncontrollable and include natural disasters, geopolitical strife, climate change, and social upheaval. Companies can develop contingency plans to limit collateral damage.

Risk response: After risks have been assessed and categorized, with results captured in a risk register, practitioners and management can define their ERM strategy and response plans. Each risk should be "treated" according to the business's risk appetite. Risk treatment takes four common forms:

  • Risk mitigation: Address the risk with controls and processes to limit likelihood or impact.
  • Risk avoidance: Avoid the risk, usually by not proceeding with the opportunity or decision.
  • Risk transference: Move the risk to a third-party provider or insurer.
  • Risk acceptance: Accept the risk. Use only when other treatment options are exhausted or the risk is negligible.

From the selected treatment, teams devise action plans for each risk. These decisions should be documented in the risk register, along with justification when accepting, transferring, or avoiding a risk. When mitigating, the business may need to establish new control activities or processes.
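As an added example (not code from the article or from Optro), the Python below applies the likelihood × impact scoring on a 5×5 matrix described above, ranks a risk register by score, and checks each recorded treatment against a stated risk tolerance, flagging accepted risks that exceed it or that lack the justification the treatment step calls for. The colour bands, the tolerance value and the sample register are constructed assumptions for illustration.

```python
"""Risk-register scorer: likelihood x impact on a 5x5 matrix, colour banding,
ranking, and treatment-vs-tolerance checks. Added example; thresholds are assumed."""
from __future__ import annotations
from dataclasses import dataclass

SCALE_MAX = 5  # 5x5 matrix: 1 = lowest likelihood/impact, 5 = highest

# Assumed colour bands over the 1..25 product (constructed, not from any framework).
BANDS = (
    (1, 5, "green"),
    (6, 12, "amber"),
    (13, 25, "red"),
)

TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}


@dataclass
class Risk:
    name: str
    condition: str        # risk statement: the condition ...
    consequence: str      # ... and the consequence if that condition occurs
    category: str
    likelihood: int
    impact: int
    treatment: str
    justification: str = ""


def score(likelihood: int, impact: int) -> int:
    """Cumulative score = likelihood x impact, each on 1..SCALE_MAX."""
    for v in (likelihood, impact):
        if not 1 <= v <= SCALE_MAX:
            raise ValueError(f"score components must be in 1..{SCALE_MAX}, got {v}")
    return likelihood * impact


def band(total: int) -> str:
    """Map a score to its colour band for the heat map."""
    for lo, hi, colour in BANDS:
        if lo <= total <= hi:
            return colour
    raise ValueError(f"score {total} outside 1..{SCALE_MAX ** 2}")


def check_treatment(risk: Risk, tolerance: int) -> list[str]:
    """Return findings where the recorded treatment conflicts with risk appetite.

    tolerance: highest score leadership will carry without active treatment
    (an assumed number; in practice set per risk category).
    """
    findings: list[str] = []
    total = score(risk.likelihood, risk.impact)
    if risk.treatment not in TREATMENTS:
        return [f"unknown treatment '{risk.treatment}'"]
    # Accepting, transferring or avoiding a risk must be justified in the register.
    if risk.treatment in ("accept", "transfer", "avoid") and not risk.justification:
        findings.append(f"'{risk.treatment}' recorded without justification")
    # Acceptance is only for negligible risk or exhausted options: flag anything above tolerance.
    if risk.treatment == "accept" and total > tolerance:
        findings.append(f"accepted risk scores {total} > tolerance {tolerance}")
    return findings


def rank_register(register: list[Risk], tolerance: int) -> list[dict]:
    """Score, band and rank every risk, highest score first."""
    rows = []
    for r in register:
        total = score(r.likelihood, r.impact)
        rows.append({"name": r.name, "category": r.category, "score": total,
                     "band": band(total), "treatment": r.treatment,
                     "findings": check_treatment(r, tolerance)})
    rows.sort(key=lambda row: (-row["score"], row["name"]))
    return rows


# Constructed sample register (condition / consequence risk statements).
SAMPLE_REGISTER = [
    Risk("Vendor outage", "If a critical SaaS vendor suffers a multi-day outage,",
         "then order processing halts.", "operational", 3, 4, "transfer",
         justification="Business-interruption cover plus contractual SLA credits."),
    Risk("Unpatched edge device", "If internet-facing appliances miss patch SLAs,",
         "then known vulnerabilities stay exposed.", "security", 4, 5, "mitigate"),
    Risk("Legacy reporting tool", "If the legacy reporting tool is retired late,",
         "then one monthly report is delayed.", "operational", 2, 1, "accept",
         justification="Negligible impact; retirement already scheduled."),
    Risk("Untracked AI model", "If a unit deploys an AI model outside the inventory,",
         "then EU AI Act obligations may be missed.", "compliance", 3, 5, "accept"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER, tolerance=6):
        flag = "; ".join(row["findings"]) or "ok"
        print(f"{row['score']:>2} {row['band']:<5} {row['name']:<22} {row['treatment']:<9} {flag}")
```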

Control activities: The final phase in the ERM cycle involves defining, implementing, and executing control activities that mitigate identified risks. New controls may need to be put in place to remediate gaps, and new processes may need to be captured in documentation.

Control activities are designated by policies and procedures that address risks and support management objectives. They occur at every level of the company, from business processes to technology controls to strategic planning.

5. Monitoring and continuous improvement

Monitoring and continuous improvement is another key component of an effective ERM function. Organizations should monitor program performance periodically, establishing benchmarks to assess results year-over-year. Through monitoring, the company can get ahead of large-scale changes that could affect overall risk strategy. Substantial changes to ERM processes should be reflected in policies and procedures.

Continuous improvement follows naturally. An organization's risk profile, ERM strategy, and stakeholders will change over time, necessitating regular updates to the program. By capturing observations and gaps through monitoring, risk teams can iterate on and improve ERM. Leading CROs are moving from manual, point-in-time audits to continuous monitoring, using automation to absorb routine testing and AI-enabled exception detection to accelerate analysis. Research confirms that the gap is widespread: a resilience execution gap persists between leaders' recognition of resilience needs and actual implementation, underscoring why monitoring and continuous improvement cannot be treated as passive activities.

6. Transparency, communication, and reporting

The final component is transparency, communication, and reporting. To create a valuable feedback loop, the outcomes and status of ERM initiatives should be communicated to relevant stakeholders and reported back to leadership. Feedback should be solicited and incorporated to optimize the program.

ERM reports include program information, formal reports on risks, mitigation, culture, and program performance. Remaining mindful of the audience and customizing reports to meet the needs of senior management goes a long way toward communicating your message and earning executive buy-in.

What are the benefits of enterprise risk management?

ERM takes a holistic view of an organization's risk posture, objectives, and internal environment, unifying once-siloed risk activities. Beyond providing a comprehensive view of company risks and action plans, ERM encourages collaboration across business units to mitigate and better manage risks. ERM also helps surface opportunities — not just threats — supporting the organization's mission and strategic objectives. Other benefits include standardized risk reporting, increased focus on risk, greater efficiency in resource allocation, effective compliance coordination, and enhanced confidence.

Standardized risk reporting

An ERM program pulls together separate risk functions and consolidates them for a complete view of the organization. As part of this consolidation, ERM functions establish a standard for risk reporting that affects all or most risk activities. By standardizing format, content, and structure, companies stop comparing apples to oranges and gain a consistent set of parameters to measure ERM performance across the organization.

Increased focus and perspective on risk

ERM starts at the top, with senior management setting objectives and deriving risks from strategic goals. Since leadership is engaged from the start, that tone flows down to management, their teams, and employees. With strong risk-centric messaging from the top, the entire organization is encouraged to participate in ERM and maintain a culture of risk awareness.

ERM practices take a broad view of risks, expanding stakeholder perspectives and contributing to better decisions. Each decision integrates risk considerations and is compared against the organization's risk appetite and thresholds.

Effective compliance coordination

A goal of ERM as a discipline is to improve coordination between business units as they manage their risks. ERM functions sit at the center of an organization's risk management strategy and develop an all-encompassing view of the company's risk profile. Through communication and teamwork with business units, an ERM approach builds relationships of trust and transparency that fuel better coordination between disparate risk functions.

Greater efficiency in resource allocation

With better communication, collaboration, and coordination, ERM programs drive efficiencies in resource allocation for risk activities. ERM functions have a comprehensive view of the company's risk profile, including macro objectives and priorities. ERM teams are therefore well-equipped to allocate resources where needed, based on risk-conscious decisions.

Enhanced confidence

ERM provides a holistic view of an organization's risk posture. Companies gain confidence from knowing that ERM practices are designed to catch risks that slip through the cracks of siloed business units. Senior management has more confidence that decisions are risk-conscious. Regulators and auditors can be confident that a company with an effective ERM program conducts regular risk assessments and seeks to improve its risk management efforts.

What are the different ERM frameworks?

To realize the benefits of ERM, companies can use existing frameworks to develop and improve their program. Many ERM frameworks have been released by standards bodies, infosec thought leaders, professional associations, and government organizations. A few are listed below — though companies are also welcome to employ a bespoke framework derived from best practices. Practitioners evaluating tooling to operationalize these frameworks can also explore ERM software options.

COSO ERM Integrated Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an initial ERM framework called the "Enterprise Risk Management – Integrated Framework" (ERM-IF). COSO is also responsible for the Internal Control – Integrated Framework (ICIF) that most public companies use for SOX internal controls.

This framework was updated in 2017 with a new publication, "COSO Enterprise Risk Management – Integrating with Strategy and Performance." The 2017 framework defines five components of effective ERM, with 20 principles divided among them. Organizations still operating against the original 2004 model, which named eight components, should plan a mapping exercise when refreshing their ERM charter.

ISO 31000 risk management standard

ISO, the International Organization for Standardization, has released a family of risk management standards collectively known as the ISO 31000 family. The revised standard emphasizes leadership by top management, ensuring risk management is integrated into all organizational activities starting with governance. While ISO 31000 cannot be certified against, many organizations — especially international ones — use it for risk management best practices. ISO reviews its guidance every five years, so expect regular updates.

NIST Cybersecurity Framework 2.0 and NIST RMF

The National Institute of Standards and Technology Risk Management Framework (NIST RMF) focuses on security, privacy, and the cyber supply chain. The NIST RMF has seven steps:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

The RMF is supported by NIST's Special Publications in the 800-53 family, specifically 800-53, 800-53B, and 800-53A.

In February 2024, NIST released the final version of the NIST CSF 2.0, which added "Govern" as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover. The Govern function requires that cybersecurity risk management strategy, expectations, and policy be established, communicated, and monitored at the enterprise level — elevating cyber risk from an IT issue to a board-level mandate. Practitioners should map existing ERM governance artifacts (charters, risk appetite statements, escalation policies) to the Govern category and reflect CISO accountability in board reporting metrics.

Image: NIST RMF

COBIT ERM framework

Another framework with a focus on IT risk management is the COBIT ERM framework, with COBIT 2019 as the current version (succeeding COBIT 5). It was developed by ISACA, a membership organization of IS/IT professionals and industry thought leaders. The COBIT ERM framework is flexible, allowing for integration with other frameworks like COSO's ERM-IF or ISO 31000. COBIT looks at enablers that contribute to risk functions, including processes; organizational structures; culture, ethics, and behavior; principles, policies, and frameworks; information; services, infrastructure, and applications; and people, skills, and competencies.

RIMS Risk Maturity Model ERM framework

The Risk and Insurance Management Society (RIMS) Risk Maturity Model (RMM) is another flexible framework usable by companies in every industry. It establishes five maturity levels for an organization's ERM program: Ad Hoc (Level 1), Initial (Level 2), Repeatable (Level 3), Managed (Level 4), and Leadership (Level 5). The RIMS RMM outlines seven attributes for effective ERM:

  1. Take an ERM-based approach.
  2. Integrate ERM processes and management.
  3. Manage risk appetite.
  4. Encourage and drive root cause analyses.
  5. Uncover risks.
  6. Manage performance.
  7. Establish and maintain business resiliency and sustainability.

Custom ERM frameworks

Organizations in heavily regulated industries or with complex needs may opt to develop their own custom ERM framework. Even with a bespoke framework, referencing one or more of the frameworks above can help build the foundation of a custom program.

A custom ERM framework should still incorporate key practices:

  • Executing the risk management cycle (identification, assessment, response, and monitoring).
  • Establishing and defining overarching goals, objectives, and strategy.
  • Collaborating across business units, management, and leadership.
  • Conducting periodic risk assessments.
  • Reporting on ERM performance and outcomes.
  • Continuously improving ERM processes.

Frequently asked questions

Is ERM the same as ERP?

No. ERM (enterprise risk management) is a methodology for identifying, assessing, and managing risk across an organization. ERP (enterprise resource planning) refers to software systems like SAP or Oracle ERP that manage business resources such as finance, HR, and supply chain. The acronyms are similar, but the disciplines are unrelated — although ERP systems can be a source of operational and IT risks tracked within an ERM program.

What are the eight components of ERM?

The eight components come from COSO's original 2004 ERM – Integrated Framework: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. COSO's 2017 update consolidated these into five components and 20 principles, with stronger emphasis on strategy-setting and performance. Organizations still using the 2004 model should plan a mapping exercise to the 2017 components when refreshing ERM documentation.

What are the four pillars of ERM?

The four pillars of ERM are (1) risk identification and assessment, (2) risk response, (3) control activities and monitoring, and (4) information, communication, and reporting. This framing collapses broader COSO components into the operational execution layer of ERM and is often used as a simplified maturity checklist. Any framework — COSO, ISO 31000, NIST RMF, or custom — should demonstrably address all four pillars.

How does NIST CSF 2.0's "Govern" function change ERM accountability?

NIST released CSF 2.0 in February 2024, adding "Govern" as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover. The Govern function requires that cybersecurity risk management strategy, expectations, and policy be established, communicated, and monitored at the enterprise level — elevating cyber risk to a board-level governance mandate. Practitioners should map existing ERM governance artifacts to the Govern category and ensure CISO accountability is reflected in board reporting.

What does DORA require of ERM and third-party risk programs?

The EU Digital Operational Resilience Act (DORA) entered into application on 17 January 2025 and requires in-scope EU financial entities to maintain digital operational resilience and oversee critical ICT third-party providers. ERM programs must map ICT supply chains, update vendor contracts with DORA-mandated clauses (incident reporting, audit rights, exit strategies), and prepare for direct oversight of critical ICT providers by European Supervisory Authorities. Non-EU firms providing ICT services to EU financial entities are indirectly in scope through contractual flow-down.

How should ERM programs incorporate AI governance?

ERM programs should integrate AI governance by building an inventory of all deployed AI models, classifying them by risk tier under the EU AI Act, and assigning ownership in the risk register. The EU AI Act's prohibited practices became enforceable on 2 February 2025, with penalties up to EUR 35 million or 7% of global turnover. Align with the NIST AI RMF and monitor regulator letters such as APRA's industry-wide guidance on AI use (May 2026) for sector-specific expectations.

How often should an organization conduct an enterprise-wide risk assessment?

Enterprise-wide risk assessments should be conducted at least annually, with continuous updates to the risk register throughout the year. Off-cycle reassessments should be triggered by major strategic changes (M&A, new market entry), regulatory shifts (DORA, EU AI Act enforcement milestones), material incidents (cyber breach, supply chain disruption, SEC-disclosable events), or significant changes to the third-party ecosystem. Audit committee priorities for 2026 emphasize linking cadence to emerging risk velocity rather than fixed calendars.

About the authors

Mitchell Nazarov, M.S., CDPSE, works on Optro's implementation team specializing in compliance. Prior to joining Optro, Mitchell spent 5+ years scaling up GRC programs and vulnerability management teams and leading information security and compliance audits in the application security and healthcare industries. Mitchell specializes in cybersecurity audits, NIST frameworks, SOC 2, enterprise risk management, and software implementations. Connect with Mitchell on LinkedIn.
