Enterprise risk management (ERM)

Category: Risk management frameworks · Reviewed by Matt Bartlett, Director · Founder · Last reviewed

Enterprise risk management (ERM) is the integrated, organisation-wide discipline of identifying, assessing, treating, monitoring and reporting on the full portfolio of risks that could affect an entity’s ability to meet its objectives. ERM differs from siloed or functional risk management by treating risk as a portfolio: correlated, aggregated and tied to strategy rather than handled department-by-department.

Origins and definition

The phrase came into common use in the late 1990s as boards began to demand a single view of strategic, operational, financial and compliance risk. The two foundational frameworks are:

UK financial-services firms additionally operate under the PRA’s Senior Management Arrangements, Systems and Controls (SYSC) rules and, for insurers, the PRA Insurance Rulebook and Solvency II (Directive 2009/138/EC), which require a written risk management system covering at least underwriting, reserving, asset-liability management, investment, liquidity, concentration, operational and reinsurance risks.

Core components

A mature ERM programme typically contains a board-approved risk strategy and risk appetite statement, a documented risk taxonomy and risk register, defined risk owners and a three lines of defence governance model, a quantitative or qualitative risk assessment methodology, integration with capital planning (for insurers, the Own Risk and Solvency Assessment — ORSA), key risk indicators (KRIs) and regular reporting to the board and audit/risk committees.

Why ERM matters to an insurance broker’s clients

For Apex’s commercial clients, an articulated ERM programme is not only good governance — it is often commercially valuable:

We frequently help SME and mid-market clients translate the academic framework into a practical one-page risk register and a half-day annual review.

Common pitfalls

ERM fails when it becomes a documentation exercise disconnected from decisions. The most reliable indicators of an effective programme are: the board minutes show risk appetite being actively applied to strategic choices; risk owners are individuals (not committees); and the register is updated more than once a year.

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Company No. 07014570. This article is general information, not regulated advice on a specific transaction.
