ABSTRACT

This chapter introduces a taxonomy of enterprise risk management (ERM) maturity in an organization. It is based on three maturity levels: Beginner, Intermediate, and Advanced. ERM is a special case of risk management: enterprise risk is defined as the risk of an enterprise whose consequences relate to the principal objectives or overall performance judged important for the organization. Threats and risks can be classified into three categories: high, medium, and low. A risk program is a set of documented activities necessary for the implementation of ERM. These risk program activities primarily involve oversight and implementation of risk management, including hazard, threat, and opportunity identification, risk assessment, and risk treatment. Many organizations already have procedures for balancing risk concerns, such as cost-benefit methods. As part of the risk prioritization process, organizations should adopt formal procedures for identifying appropriate risk management strategies that are consistent with the organization's overall risk appetite.