Enterprise Risk Management(ERM): An Overview


Enterprise risk management demands management decisions that may not be acceptable to a single business unit or industry. As a result, rather than making each business unit accountable for its own risk management, firm-wide monitoring takes priority. It is also usual for the risk management plan to be made public to all stakeholders as part of an annual report. ERM is used in many industries, including aviation, construction, public health, international development, energy, banking, and insurance.

ERM can thus aim to reduce firm-wide risk while also identifying distinctive firm-wide opportunities. Communication and coordination across different business units is critical for ERM performance because risk decisions made by senior management may appear to contradict local assessments on the ground. Firms that use ERM often have a dedicated enterprise risk management team that oversees the firm’s operations.

Enterprise Risk Management Components

The COSO enterprise risk management framework identifies eight key components that determine how a corporation should go about developing ERM procedures.

  • Internal Environment

The internal environment of a corporation is the atmosphere and corporate culture established by its personnel. This establishes what the company’s risk tolerance is and what management’s risk-taking mindset is. The internal environment may be established by high management or the board of directors and conveyed across a firm, but it is frequently mirrored in the activities of all employees.

  • Setting Objectives

When a corporation identifies its purpose, it must set objectives that support the company’s mission and goals. These goals must then be aligned with a company’s risk tolerance. For example, an ambitious corporation that has established far-reaching strategic plans must be mindful that these high aims may relate to internal or external dangers. As a result, a company can connect the actions to be taken with what it wishes to achieve, such as recruiting additional regulatory employees for expanding areas where it is now unfamiliar.

  • Identification of the Event

Positive events can have a significant impact on a business. Negative events, on the other hand, may impair a company’s ability to continue operations. The ERM guideline suggests that businesses identify critical areas of the business and the events that may have negative consequences for them. These high-risk occurrences might be operational (for example, natural disasters that compel offices to close temporarily) or strategic (for example, a government regulation that prohibits the company’s principal product line).

  • Risk Evaluation

The ERM framework describes the step of assessing risk as understanding the likelihood and financial effect of risks, in addition to being aware of what might happen. This encompasses both direct risks (such as a natural disaster rendering a workplace unusable) and residual risks (such as employees not feeling secure returning to the office). Despite the difficulty, the framework encourages businesses to attempt to quantify risks by estimating the percentage change in likelihood as well as the dollar effect.

  • Risk Response

The company can respond to risk in four ways: avoid, reduce, share, or accept. Avoidance involves leaving the activity that causes the risk, reducing risk involves minimizing the likelihood or magnitude of the risk, sharing risk involves moving forward as-is, and accepting risk involves analyzing the potential outcomes and determining whether it is financially worth pursuing mitigating practices.

  • Communication and Information

Information systems should be capable of capturing data that can be used by management to better understand a company’s risk profile and risk management. This includes not making allowances for sections that outperform others; instead, all areas of a corporation should be constantly examined. By extension, if part of this data is useful to risk mitigation, it should be reviewed and presented to employees. Employees are more inclined to support processes and defend firm assets if they are communicated with.

  • Monitoring

To assess its rules and processes, a company can use an internal committee or an external auditor. This could include comparing what is actually done with what policy documents prescribe. It may also include gathering feedback, assessing firm data, and notifying management of unmitigated threats. Companies must be ready to evaluate their ERM environment and pivot as needed in an ever-changing climate.

Types Of Risks Addressed By ERM

ERM may assist in the development of plans for practically any sort of company risk. A company’s ability to continue is jeopardized by business risk, which is further divided into the categories outlined below. ERM is most typically used to address the following types of risk:

  1. Compliance risk is one that threatens a corporation because of a violation of an external law or rule. One example is a company’s inability to prepare timely financial statements that comply with existing accounting regulations such as GAAP.
  2. Legal risk arises when a company faces a lawsuit or a penalty as a result of a contractual, legal, or regulatory issue. A billing dispute with a significant customer is one example of legal risk.
  3. Strategic risk affects a company’s long-term objectives. For example, in the future, new market participants may dethrone the corporation as the lowest-cost provider of a good.
  4. Operational risk affects the company’s day-to-day operations, for example, a natural disaster that ruins the warehouse where a company’s inventory is kept.
  5. Financial risk[1] is a risk to a company’s debt or financial condition, for example, translation losses from holding foreign currency.

Advantages Of Enterprise Risk Management

ERM sets organization-wide expectations around a company’s culture, leading to fewer unexpected risks and clearer direction on how to respond to certain events. It is often synthesized in a standardized risk report delivered to upper management, which summarizes the risks a company faces, the actions being taken, and the information needed for decision-making. ERM may also have a positive impact on the resourcefulness of the business, such as eliminating redundant processes, ensuring efficient use of staff, reducing theft, or increasing profitability.

Disadvantages Of Enterprise Risk Management

ERM practices are limited in identifying future risks that may have more detrimental impacts. They rely heavily on management estimates and inputs, which makes such risks difficult to predict accurately. Additionally, ERM practices are time-intensive and require company resources to be successful. It is also difficult to quantify the success of ERM, as the cost of financial risks that do not occur can only be projected.

Thus, it can be concluded that Enterprise Risk Management is a comprehensive approach to managing risks across a company. It involves identifying and assessing various types of risks, developing risk management strategies, and monitoring and adapting these strategies over time. The COSO ERM framework identifies eight key components that determine how a corporation should go about developing ERM procedures. While it has its advantages in setting organizational-wide expectations and improving resourcefulness, it also has its limitations in predicting future risks and relying on management estimates. Ultimately, the effectiveness of Enterprise Risk Management depends on a company’s commitment to ongoing evaluation and adaptation.
