Enterprise risk management is a process that's effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
This definition reflects certain fundamental concepts. Enterprise risk management:
Is a process - it's a means to an end, not an end in itself
Is effected by people - it's not merely policies, surveys and forms, but involves people at every level of an organization
Is applied in strategy setting
Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks
Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
Provides reasonable assurance to an entity's management and board
Is geared to the achievement of objectives in one or more separate but overlapping categories.
This definition is purposefully broad for several reasons. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across different types of organizations, industries and sectors. It focuses directly on achievement of entity objectives. And the definition provides a basis for defining enterprise risk management effectiveness. We codified this in a framework that's easier to internalize: the COSO Framework for Enterprise Risk Management.