Enterprise risk management (ERM) is a strategic approach to risk management that looks across every business function to determine how objectives can be achieved while keeping risk within acceptable limits. It addresses risk appetite, the risk environment, and the governance, reporting and response arrangements for risk. Enterprise risk management is supported by internal audits, self-assessments and risk assessments. It is a process with no end date: a continuous responsibility the business must meet in order to grow and gain a competitive advantage.

One risk can affect more than one part of the business. Financial, market and strategic risks, for example, apply to several departments at once. One part of the business may rate a given risk as more serious than another part does, so enterprise risk management ensures a clear and holistic analysis of each threat rather than a set of isolated departmental views. By preparing to deal with risks, the business is able to protect itself while taking advantage of opportunities.

Enterprise risk management involves embedding risk management into every business activity. When decisions are made and strategies are set, the risks associated with that course of action need to be managed alongside it. It is advisable to build an enterprise risk management team in which each member knows their duties and responsibilities. This leads to more thorough risk assessments and a more organised approach.

Enterprise risk management standards

Businesses have to comply with laws and regulations, but there are also risk management standards that they can adopt voluntarily. Each standard is developed by an international body and offers guidance on how businesses can identify, assess and treat risk. The standards include:

  • International Organization for Standardization (ISO) 31000
  • Committee of Sponsoring Organizations (COSO)
  • Casualty Actuarial Society (CAS)

International Organization for Standardization (ISO) 31000

ISO 31000 is a widely used risk management standard that is frequently compared with COSO ERM. It is published by the International Organization for Standardization, which was founded in 1947 by delegates from 25 countries; the standard itself was first published in 2009 and revised in 2018. It sets out risk management principles, a framework and a process that are intended to apply to organisations of any size and any type of risk, and it deliberately covers risk broadly, leaving it to each organisation to adapt the guidance to its own context. ISO 31000 is not a certifiable standard, although ISO offers other standards (such as ISO 27001 for information security management) for businesses that want to be certified. Compliance with ISO 31000 is not mandatory, and managers can decide which parts apply to their organisation and which do not.

Committee of Sponsoring Organizations (COSO)

COSO first published its Internal Control – Integrated Framework in 1992 and updated it in 2013. Its separate Enterprise Risk Management framework was published in 2004 and revised in 2017 as Enterprise Risk Management – Integrating with Strategy and Performance. The five components most often cited, and discussed below, are those of the internal control framework:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities

The control environment covers the structure of the business: how responsibilities are delegated, what the reporting procedures are, and the organisation's commitment to ethical behaviour. Risk assessment involves identifying and analysing the risks, including the risk of fraud, that could prevent objectives from being achieved. Once objectives are set, changes that could affect them are analysed as part of this component. Control activities are the policies and procedures put in place to manage the identified risks; which activities are appropriate depends on the type of risk.

Information and communication refers to how relevant information is captured and communicated to staff and management. The better the communication, the better the organisation will be able to respond to threats. Monitoring activities are the ongoing evaluations and separate assessments the company uses to check that the five components are present and functioning. COSO stresses the importance of reviewing business strategies and controls regularly to ensure they are working as planned. The 2017 ERM framework adds components of its own (governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting) that place risk management in the context of strategy rather than only internal control.


Casualty Actuarial Society (CAS)

The Casualty Actuarial Society was founded in 1914, and its ERM framework approaches enterprise risk from a property and casualty insurance background. It aims to protect the organisation from losses arising from hazard risk, financial risk, strategic risk and operational risk. The CAS framework has seven steps:

  1. Establish context
  2. Identify risks
  3. Analyse risks
  4. Integrate risks
  5. Prioritise risks
  6. Treat or exploit risks
  7. Monitor risks

The first step looks at the environment the business is operating in. It is followed by risk identification and analysis, so that the organisation understands the risks it faces and can measure their likelihood and impact. Integrating risks means looking at how a single risk may affect more than one area of the business, and how risks interact with each other, so that the combined effect is understood rather than each risk in isolation. Once the severity of the risks has been determined, they can be ranked in order of importance.

Treating a risk means choosing how to respond to it: avoiding, reducing, transferring or retaining it. To exploit a risk, the business treats it as an opportunity that can benefit it; a threat may look harmful at first but can give the company advantages over competitors who have not prepared for it. Risk monitoring refers to the reviews conducted to check that the framework's steps remain effective as conditions change.

Benefits of Enterprise risk management

Enterprise risk management can create a risk-aware culture that focuses on continuous improvement, including the improvement of how the organisation sets and achieves its goals. By implementing an effective enterprise risk management process, the organisation is more likely to achieve its objectives and grow, because it faces less uncertainty. Even though the process can be costly and requires a company's commitment and investment, the company will be more likely to succeed, as decision-making improves and it is prepared to face the unexpected.

Polonious offers organisations a digital approach to enterprise risk management. It makes the process simple and easier for employees to navigate. Polonious saves time, as all risk assessments can be completed online and the risk ratings for your business are calculated for you. We are ISO 27001 and ISO 9001 certified, as we prioritise compliance to help your business succeed. Polonious also guards against poor enterprise risk management by making all decision processes transparent and systematic.

Poor enterprise risk management can lead to more lawsuits, and therefore higher costs, for a business as more risks materialise. The company will also incur costs because of its lack of forecasting and its inability to keep up with changing market conditions and trends. It will miss opportunities, and it may face fines and a damaged reputation if it is unable to manage compliance risk.


Enterprise risk management is essential for protecting your organisation while taking advantage of the opportunities that risks present. The standards described above give businesses a base for effective risk management. However, it is important to remember that all decisions, activities and strategies need to be reviewed regularly to stay current with the changing risk environment.

Do you want to manage risk from a single place? Polonious offers its customers support with compliance, health and safety, audits and investigations. Polonious delivers quick results, efficiency and effectiveness, as it makes the whole process of risk management simple for employees and employers. Find out more here!