ABSTRACT

Enterprise risk management (ERM) evolved from the insurance, finance, and banking sectors of private industry. It has now grown to include a wide variety of private sector industries, even as it is increasingly being adopted by governmental and nonprofit organizations. The Committee of Sponsoring Organizations (COSO) describes it as a process, effected by an entity's board of directors, that is applied in strategy-setting and across the enterprise in order to identify potential events that may affect the entity's ability to meet its objectives. The International Organization for Standardization (ISO) describes ERM as “coordinated activities to direct and control an organization with regard to risk.” Both the COSO and ISO 31000:2018 models are described. ERM brings its own unique jargon, and there are too many competing descriptions of ERM to call any one of them typical. ERM does tend to rely on risk profiling, followed by the establishment of enterprise-level risk appetites and risk tolerances. ERM is substantively similar, if not identical, to the generic risk management model described in this text.