ERM (Enterprise Risk Management — acronym)

Category: Risk management frameworks · Reviewed by Tim Roche, Director · PI & Commercial · Last reviewed

ERM

ERM is the standard acronym for Enterprise Risk Management — the integrated, organisation-wide approach to identifying, assessing, treating, monitoring and reporting risk against objectives. The acronym is used throughout PRA correspondence, ratings-agency methodologies (S&P, AM Best, Fitch) and insurer annual reports.

Common variants

• ERM — Enterprise Risk Management (the dominant usage).
• IRM — Integrated Risk Management (sometimes used in technology-focused contexts).
• GRC — Governance, Risk and Compliance (a broader umbrella that includes ERM, internal audit and compliance).
• ORM — Operational Risk Management (a subset of ERM).

Why the acronym matters

Ratings agencies score insurer ERM quality as an explicit input to financial-strength ratings. AM Best’s Building Block Approach assigns an ERM assessment of “Very Strong / Appropriate / Marginal / Weak / Very Weak” that materially affects the headline rating; S&P uses a similar Strong / Adequate / Weak rubric. A weak ERM score can suppress an insurer’s rating below what its capital alone would justify.

Sources and further reading

• AM Best (2023). Best’s Credit Rating Methodology — Risk Management.
• S&P Global Ratings (2013, revised). Enterprise Risk Management.
• COSO (2017). ERM Framework.

Cross-references

• Enterprise risk management
• ISO 31000
• COSO ERM framework

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.