Enterprise Risk Management Framework, What is it?

Enterprise risk management (ERM) frameworks are types of risk management frameworks that relay crucial risk management principles. You can use an ERM framework as a communication tool for identifying, analyzing, responding to and controlling internal and external risks. An ERM framework provides structured feedback and guidance to business units, executive management, and board members implementing and managing ERM programs.   

ERM frameworks help establish a consistent risk management culture, regardless of employee turnover or industry standards. They guide risk management functions and help enterprises manage complexity, visualize risk, assign ownership, and define responsibility for assessing and monitoring risk controls. A custom ERM framework supports the enterprise in integrating risk management into significant business activities and functions. 

Types of Enterprise Risk Management Frameworks

The strategic framework you choose will depend on your industry, business goals, organizational structure, technology infrastructure, and available resources. Some frameworks are more applicable to enterprise-scale businesses, while others provide more customizable, scenario-based approaches to an organization’s specific ERM needs.  

There is also a subset of strategic enterprise risk management frameworks — for example, some may better fit the needs of highly regulated industries like finance and healthcare. You can use any of these as a starting point to build a custom ERM framework. 

The Casualty Actuarial Society (CAS) Enterprise Risk Management Framework 

The Casualty Actuarial Society (CAS) is an international credentialing and professional education entity. The organization focuses exclusively on property and casualty risks in insurance, reinsurance, finance, and enterprise risk management.  

The CAS, Society of Actuaries (SOA), and Canadian Institute of Actuaries (CIA) sponsor a risk management website with ERM education resources. The committee organizes the ERM framework by risk type and a sequential risk management process.  

The four risk types are defined as follows: 

Hazard Risks:  

This category contains liability suits, property damage, natural disasters, crime, work-related injuries, and business interruption.  

Financial Risks:  

This category contains price risk, liquidity risk, credit risk, inflation risk, and hedging risk. 

Operational Risks: 

 This category contains operational risk, empowerment risk, IT risk, integrity risk, and business reporting risk.  

Strategic Risks:  

This category includes competition, customer risk, demographic and cultural risk, innovation risk, capital availability, regulation, and political risk.  

The COSO Enterprise Risk Management Integrated Framework 

In 2017, COSO published an updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, to address the importance of ERM in strategic enterprise planning and performance. This updated model accounts for the increased complexity of modern business environments.  

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations dedicated to offering thought leadership by cultivating comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. COSO incorporated the Sarbanes-Oxley Act (SOX) legislation for risk management guidelines into its ERM framework. This integration made the COSO framework popular with large corporations, banks, and financial institutions subject to extensive legal codes and high-risk business. 

5 Interrelated Components of COSO ERM Framework 

The updated COSO framework includes five interrelated enterprise risk management components. These components include 20 principles that cover practices from governance to monitoring, regardless of enterprise-scale, industry, or type of organization.  

The following components of the widely-used ERM framework fit business models, not independent risk management processes: 

Governance and Culture 

This component incorporates five principles, including board risk and oversight, operating structures, defining culture, core values commitment, and human resources practices for recruiting, developing, and retaining individuals.  

Strategy and Objective-Setting 

This component covers four principles: analyzing business context, defining risk appetite, alternative strategies, and business objectives.  

Performance 

This component contains five principles, including risk identification, assessing risk severity, risk priority, risk response implementation, and portfolio development.  

Review and Revision 

 This component addresses three principles: substantial change assessment, risk and performance reviews, and pursuing ERM improvement.  

Information, Communication, and Reporting 

 This section includes leveraging IT, risk communication, and reporting on risk culture and performance.

The ISO 31000 Enterprise Risk Management Framework 

ISO’s 31000:2018 Risk Management-Guidelines is a widely embraced framework for implementing ERM in any type of organization.  Issued by the International Organization for Standardization (ISO), ISO 31000:2018 provides guidelines on managing risks to help business leaders create and protect entity value through the management of risks in the context of decision making. Originally issued by ISO in 2009, the framework was revised in 2018. The Framework bases the management of risks on principles, a framework, and a process. 

The COBIT Enterprise Risk Management Framework 

First released in 1996, Control Objectives for Information and Related Technology (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA) that can help you create and implement strategies around IT management and IT governance.  

The COBIT management framework helps you deal with the risks to enterprise IT and the impacts those risks can have on your company, business processes, and IT systems.  

COBIT is a flexible umbrella framework for creating an ERM framework with processes that align business and IT goals to prevent risk management silos across an enterprise. 

The NIST Enterprise Risk Management Framework 

The National Institute of Standards and Technology (NIST) is a U.S. federal government agency (U.S. Department of Commerce). The NIST framework is a cybersecurity framework used by private enterprises doing business with the U.S. government agencies, such as the Department of Defense (DoD).   

The NIST framework provides a globally recognized standard for cybersecurity guidelines and best practices that apply to enterprise-scale organizations with critical infrastructure to protect. The framework is a flexible model for creating an ERM framework for organizations that rely on technology, are concerned with data privacy, and that manage risk associated with the latest digital workforce trends.