Enterprise risk management (ERM) is the organization-wide discipline of identifying, assessing, treating, and monitoring the risks that could affect an organization’s objectives — viewed as a connected portfolio rather than as isolated, departmental concerns.
Where traditional risk management often operated in silos, ERM takes a top-down, strategic view that links risk directly to strategy and performance, giving leadership a single picture of the exposures that matter most.
This page is part of our governance, risk, and compliance resource library. ERM is the analytical engine of a GRC program; the tooling that supports it is profiled in our risk management software directory.
What ERM covers
ERM spans every category of risk an organization faces — strategic, operational, financial, compliance, technology, and increasingly third-party and AI risk — and aggregates them into an enterprise-wide view.
The goal is not to eliminate risk but to manage it deliberately against an agreed risk appetite: the amount and type of risk the organization is willing to accept in pursuit of its objectives.
ERM makes those choices explicit and traceable, so leadership knows which risks are material, who owns them, and whether residual exposure sits within appetite.
The ERM process
A mature ERM program runs as a continuous cycle:
- Establish context and appetite — define objectives and how much risk the organization will accept.
- Identify risks — surface exposures across all categories, often into a central risk register.
- Assess — evaluate likelihood and impact, increasingly with financial quantification. (See our guide to the risk assessment process.)
- Treat — decide to accept, mitigate, transfer, or avoid each risk, and link risks to the controls that address them.
- Monitor and report — track residual risk and treatment over time, and report to leadership and the board.
The COSO ERM framework
The most widely referenced model is the COSO Enterprise Risk Management Framework, which integrates risk management with strategy and performance rather than treating it as a standalone compliance exercise. It is principles-based, emphasizing governance, strategy-setting, performance, review, and communication.
See our guide to COSO and COBIT for how it sits alongside internal-control and IT-governance frameworks.
How ERM fits a GRC program
ERM is the “R” in GRC, but it does not stand alone. Governance sets the appetite and oversight that direct ERM; compliance obligations are themselves a category of enterprise risk; and cyber risk management feeds technology exposures into the enterprise view. Mature programs run all of these from a shared risk register, so a single control links to the risks it mitigates and the obligations it satisfies.
Frequently asked questions
What is enterprise risk management?
ERM is the organization-wide practice of identifying, assessing, treating, and monitoring risks as a connected portfolio, linked to strategy and managed against a defined risk appetite — giving leadership a single, prioritized view of material exposures.
What is the difference between ERM and risk management?
Traditional risk management often addresses risks within individual functions or projects. ERM takes a top-down, enterprise-wide view, aggregating all risk categories into one portfolio tied to strategy and overseen by leadership.
What is the COSO ERM framework?
It is the most widely used ERM model, integrating risk management with strategy and performance through a set of principles covering governance, strategy, performance, review, and communication.
What is risk appetite?
Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is the benchmark against which residual risk is judged acceptable or in need of further treatment.