Enterprise risk management, also called ERM, is a concept which has a rather simple definition and a much more complex implementation. It is a business financial term which describes the methods of risk management — identifying risks and opportunities — within a company. This concept is broad and can be quite complex for large companies. Prior to the Sarbanes-Oxley Act in the United States and later the International Standard for Risk Management (ISO 31000), enterprise risk management was largely optional, and though many businesses employed strategies to manage risks, the guidelines were much more vague. Aspects of enterprise risk management can include identifying business goals and creating a strategic plan to reach them; assessing how likely it is that the plan, or parts of the plan, will succeed; and creating a response and progress assessment plan.
Strategic planning can be defined as the formulation and implementation of an organization-wide plan, which enables those within it to make decisions that focus solely on achieving the objectives set forth by the organization. In business, risks typically must be taken to achieve the goals set forth by the business as fully as possible. Enterprise risk management is how businesses and organizations manage these risks. Part of taking a risk on an opportunity is knowing that it may not pay off; all of the invested time, money, and resources could be lost. The Sarbanes-Oxley Act, for example, puts auditing laws in place so that companies keep in mind what an acceptable level of risk is. The goal of the auditing laws is to protect stakeholders and to help ensure that corruption within an organization can be stopped before it causes irreparable harm.
Some examples of common types of risks a business may face include credit, insurance, legal, accounting, auditing, quality, and other types of risks. The Sarbanes-Oxley Act requires U.S. companies to have an enterprise risk management system in place, and thus a number of frameworks were created. The two main frameworks in the United States were put together by the Casualty Actuarial Society (CAS) and the Committee of Sponsoring Organizations (COSO). COSO's framework is more commonly adopted. It states that enterprise risk management is a process of internal controls that must be shared by the entire company and that the people within the company must know its acceptable risk level. The CAS framework is more focused upon managing risk such that the company's value is increased for its stakeholders. Through many adverse events occurring within the business world, legislators and business people alike have come to realize that an enterprise risk management system that includes all departments of an organization is the best way to protect stakeholders and thus protect themselves.