While there is no ‘official’ or universally accepted definition of ERM, the many definitions that exist share some common threads that can be woven together. Consider the following three definitions, after which we will propose a definition that is both inclusive and specific enough to be operationalized.
- Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization’s operations and objectives. (Investopedia)
- Enterprise risk management includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management which typically involves identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (Wikipedia)
- Enterprise risk management is a systematic and integrated approach to the management of the total risks that a company faces. (Enterprise Risk Management: Its Origins and Conceptual Foundation)
- … At the macro level, ERM enables senior management to identify, measure, and limit to acceptable levels the net exposures faced by the firm. By managing such exposures mainly with the idea of cushioning downside outcomes and protecting the firm’s credit rating, ERM helps maintain the firm’s access to capital and other resources necessary to implement its strategy and business plan. …. At the micro level, ERM adds value by ensuring that all material risks are “owned,” and risk‐return tradeoffs carefully evaluated, by operating managers and employees throughout the firm. (Enterprise Risk Management: Theory and Practice)
We propose the following operational definition:
- Enterprise-wide — managing risks across all silos of the organization
- All-inclusive — managing risks to all organizational objectives
- Both facing risks and taking risks — managing risks an organization faces by identifying, measuring, and controlling risk events as well as considering risks and opportunities taken when making decisions involving the selection of one or a portfolio of alternatives.