Enterprise risk management (ERM) refers to a set of processes that enables the effective management of the risks, opportunities, and expected and unexpected events that may affect the enterprise. The successful implementation of ERM is a challenging task in part because it requires collaboration among multiple business units of different sizes, scope, and capability, each facing what it perceives as unique risks. Other difficulties with ERM implementations include lack of adoption of an enterprise-wide governance model, lack of a common risk language (e.g., taxonomy), and uneven levels of maturity within an organization regarding the management of risks. This paper establishes three conceptual frameworks that provide a basis for an enterprise embarking on ERM: 1) a risk management cycle; 2) a risk-related taxonomy; and 3) an ERM maturity model. The risk management cycle provides a discipline to consistently and coherently manage virtually all risks in the enterprise. The risk taxonomy provides a foundation for clear and concise communication about risk across the enterprise to enable better risk management. The ERM maturity model, and its associated capability assessment, allows an organization to determine gaps in its current risk management processes and define ways to improve those ERM capabilities. Together, these three frameworks are key enablers for a successful ERM implementation and ongoing operation.
Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM), which is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.