The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives”. A very convoluted definition. In English ERM is a process implemented at the top management of the organization designed to proactively identify risk across the entire enterprise. This definition is broad for a reason. ERM is:
ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. It advances the maturity of the enterprises capabilities around managing risk. Before a company can assert it is applying ERM it must address ALL of the above concepts embodied in COSO’s definition.