Just like the word “bubblegum,” “enterprise risk management” loses its meaning the more you repeat it. Unlike bubblegum, though, enterprise risk management (ERM) does real work: it helps keep your business safe by identifying threats and keeping risk within the limits you have chosen.

Understanding Enterprise Risk Management & Its Importance

What is ERM?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined ERM in the Executive Summary of its Enterprise Risk Management Integrated Framework as a process, effected by an organization’s board, management, and other personnel, for dealing with uncertainty and the associated risk and opportunity so that the organization can build value.

The COSO Enterprise Risk Management framework tasks management with setting strategy and objectives that minimize threats while tolerating the risks that lead to business growth. COSO groups objectives into four categories: strategic, operations, reporting, and compliance.

What Are the Goals of the COSO ERM Framework?

Corporations need to align their risk appetite with their strategy so they can make better risk response decisions while reducing operational surprises and losses. To seize opportunities that improve capital deployment, organizations also need to identify and manage multiple, cross-enterprise risks rather than treating each risk in isolation. By setting strategic objectives that match the operational resources actually available, organizations can report reliably to customers and manage their compliance obligations. Recognizing your risk appetite means weighing alternative options and developing risk management strategies for each.

Determining your risk tolerance allows you to accept, avoid, reduce, or share each risk in a way that fits your business model. When you choose to accept a risk, however, you also accept the potential for loss, which you must account for as part of your ERM. Moreover, when reviewing your risk profile, you need to look not just at a single risk but at the domino effect an event might have on other integrated areas of the business. Understanding which risks are acceptable positions you better for taking on new opportunities and helps you assess your capital needs.

What are the Components of Enterprise Risk Management?

ERM consists of eight interrelated components derived from the way management runs the business and makes decisions: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Organizations need to take their entire landscape into account when establishing an ERM program, which means taking a holistic approach.

Objective Setting

Before deciding which risks to accept or avoid, you need to determine your business goals. Management, in conjunction with the Board of Directors, needs to establish its mission and its metrics for success and ensure they align with the agreed risk appetite.

Risk Assessment

A risk assessment forms the foundation of your ERM. Conducting one means estimating the likelihood and impact of each identified event, both before and after existing controls are taken into account, and using those estimates to shape your risk management program.

Risk Response

Once you have identified the risks that affect your business, you need to align your responses with your business objectives. You can choose to avoid, accept, reduce, or share each risk, but in every case you need to define specific actions for managing it.

Internal Environment

Every organization sets a tone for how it treats risk. Your risk strategy affects everything from the integrity and ethical values expected of your employees to the environment you create for them. Building a corporate culture begins with policies but ends with people.

Event Identification

After determining success metrics and risk appetite, organizations need to identify the events that could affect whether they meet their goals. Whether internal or external, each event needs to be classified as either an opportunity or a risk and then aligned with the overarching strategy.

Control Activities

Your risk response and event identification processes require policies and procedures that put the chosen responses into practice and help ensure they are actually carried out.

Information and Communication

Collecting and sharing information allows employees to do their jobs as defined by the objectives and culture your organization sets. Information needs to flow across departments and to the roles that need it, so that all employees engage in the appropriate business practices.

Monitoring

Whether through internal audit, external audit, or ongoing management activities, ERM must be continuously monitored so the program can adjust to changing risks.

What is the Auditor’s Role in ERM?

The COSO ERM Framework requires board and audit committee oversight to ensure the implemented processes effectively address threats. Your internal auditor can help navigate the evaluation, reporting, and recommendation processes. Additionally, the COSO ERM Integrated Framework provides benchmarks that internal auditors can use to assess the ERM process.

Why Is ERM Important?

The ongoing governance, risk, and compliance cycle created by establishing an ERM program helps companies in many ways. Most importantly for many organizations, an ERM program can make compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), which covers internal control over financial reporting, easier.

A general ERM program is broader than the controls over financial reporting required by SOX 404, so organizations still need to ensure appropriate controls for that specific area of their reporting. However, the strategy setting, management oversight, and cross-departmental communication that ERM establishes help solidify a well-planned SOX program.

How Can ZenGRC Ease the ERM Burden?

ZenGRC’s SaaS platform offers seed content aligned to the COSO Framework. Whether you’re just starting the ERM process or trying to strengthen your compliance, our easy-to-use content gives you guidelines for assessing risk and aligning to business objectives to help manage corporate risk.

Additionally, ZenGRC’s risk assessment tools allow you to incorporate vendor management into your business risk management process more rapidly. Our Payment Card Industry Data Security Standard (PCI DSS) aligned questionnaires and task reminders enable faster tracking of risk documentation.

With our role-based authorization capabilities, you can give every employee access to the information they need to carry out your risk-based corporate strategy, and only that information. Empowering employees with the required information allows them to maintain the corporate culture you set and reinforces the environment management defined.

A primary component of establishing an ERM program is Board oversight and informed review. However, your Board of Directors does not want overly detailed reports, and creating annual presentations is time-consuming. ZenGRC’s reporting tools provide easy-to-digest reports with graphics that clearly explain your risk profile. These reports give your Board the information they need while saving you preparation time.

This ease of communication applies to working with your internal auditor as well. Auditors need documentation to prove that implementation matches policy. When they spend time on administrative information-gathering tasks, audits take longer and the information may end up incomplete. ZenGRC provides a single source of truth by aggregating all records, reports, policies, procedures, and control listings in one place. Streamlining the audit process not only saves time and money but also leads to stronger audit outcomes.

To learn more about how ZenGRC can help your company establish an enterprise risk management program effectively aligned to business objectives, schedule a demo.