RiskWatch
Pillar guide · ~15 min read · Updated May 2026

What is enterprise risk management?

Enterprise risk management (ERM) is the board-led discipline of identifying, assessing, treating, monitoring, and reporting on every material risk an organisation faces as a single portfolio. It replaces the siloed view (cyber, financial, operational, compliance) with one enterprise picture, governed by a board-approved risk appetite. COSO ERM 2017 and ISO 31000:2018 are the two reference frameworks.

Reading level: Practitioner
Frameworks: COSO · ISO · NIST
Audience: CRO · Board · IA
Last reviewed: May 2026
01 · Definition

What is enterprise risk management?

Enterprise risk management is the discipline of identifying, assessing, treating, monitoring, and reporting on all material risks an organisation faces as a single portfolio, governed by the board and tied to a documented risk appetite. The phrase distinguishes it from the older silo model, where cyber risk, financial risk, operational risk, and compliance risk were each owned and assessed separately. ERM rolls those silos up.

The term hardened in the early 2000s with the original COSO ERM framework (2004) and the first edition of ISO 31000 (2009). The 2017 COSO update repositioned ERM as integral to strategy and performance, not a parallel compliance exercise, which is the definition most US boards and audit committees work to today. ISO 31000:2018 sharpened the principles and process for use outside the US and in regulated industries internationally.

Portfolio view

One enterprise register that consolidates risks across cyber, financial, operational, compliance, strategic, and physical categories. Dependencies surface explicitly.

Board governance

The board owns the programme, approves the risk appetite statement, and reviews material risks at least quarterly. The CRO or equivalent runs the framework.

Strategy linkage

Risk is considered in strategy formulation, not bolted on after. The default question is how much risk to take in pursuit of objectives, not only how to avoid loss.

“Enterprise risk management is the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

COSO Enterprise Risk Management: Integrating with Strategy and Performance, 2017 (coso.org)
02 · Comparison

ERM vs traditional risk management

Traditional risk management runs in silos and reports up in separate stacks. ERM is a portfolio view owned by the board. The methodology and the cadence differ accordingly.

Comparison of traditional siloed risk management and enterprise risk management across six dimensions.
Scope
  Traditional: Siloed. Cyber risk, financial risk, operational risk, and compliance risk are each owned and assessed separately, with little consolidation.
  ERM: Portfolio. A single enterprise view of all material risks, owned by the board, with cross-category dependencies surfaced explicitly.

Driver
  Traditional: Loss prevention and regulatory compliance. The default question is 'how do we stop the next bad thing'.
  ERM: Strategic value creation. The default question is 'how much risk should we take to achieve this objective, and which risks return the most value per dollar of treatment'.

Owner
  Traditional: Functional heads (CISO, CFO, Compliance Officer) own their slice. The board sees a stack of separate reports.
  ERM: Board owns the portfolio. CRO or equivalent runs the framework. Three lines of defense organise oversight.

Methodology
  Traditional: Mostly qualitative, mostly retrospective. Heat maps per silo. Quantitative work, if any, is local to one silo.
  ERM: Qualitative across the register, quantitative on the top tier (FAIR, Monte Carlo). Forward-looking via scenarios and KRIs.

Cadence
  Traditional: Annual assessment, sometimes shelved between cycles. Updates triggered by incidents or audits.
  ERM: Continuous monitoring with quarterly board cycles. Material change triggers immediate reassessment of affected risks.

Output
  Traditional: Multiple registers and reports, one per function. Often inconsistent in scoring and language.
  ERM: Single enterprise register reconciled to a board-approved appetite. One vocabulary across the firm.

The shift is less a tooling change than a governance change. Most organisations already run risk activity in every silo ERM rolls up. ERM gives those activities a common vocabulary, a board-approved appetite line to compare against, and a single register that survives a board question on a Tuesday morning.

03 · COSO ERM 2017

COSO ERM 2017: five components and 20 principles

The Committee of Sponsoring Organizations published the integrated framework in 2017 as a replacement for the 2004 cube. The 2017 version positions ERM as integral to strategy and performance, with five components and 20 principles distributed across them.

  1. Component 01

    Governance and culture

    Principles 1–5

    The board oversees risk. The operating model defines authority and reporting lines. Core values, desired culture, and the talent pipeline get explicit attention. Without governance the rest of the framework is decorative.

    Artefacts
    Board risk charter, risk committee terms of reference, code of conduct, RACI for risk decisions.
  2. Component 02

    Strategy and objective-setting

    Principles 6–9

    Risk is considered in strategy formulation, not bolted on after. Business context is analysed. Risk appetite is defined in board-approved statements. Alternative strategies and business objectives are stress-tested against the appetite line.

    Artefacts
    Risk appetite statement, strategy risk assessment, business-context analysis.
  3. Component 03

    Performance

    Principles 10–14

    Risks are identified, assessed for severity, prioritised, treated, and the portfolio view is developed. This is the analytical core: the register, the heat map, the loss-exceedance curve, the residual-versus-appetite gap.

    Artefacts
    Enterprise risk register, top-risk dashboard, treatment plans, KRI library.
  4. Component 04

    Review and revision

    Principles 15–17

    Substantial change is assessed for its impact on the risk profile. ERM performance itself is reviewed. The framework is improved on a defined cadence so it does not ossify around the first design choices.

    Artefacts
    Quarterly risk reviews, post-incident reviews, framework maturity assessments.
  5. Component 05

    Information, communication, reporting

    Principles 18–20

    Relevant information is gathered. Communication channels are defined for upward, downward, and lateral flow. Risk, culture, and performance are reported to the board and management on a schedule the board can rely on.

    Artefacts
    Board risk pack, audit-committee report, internal-communications calendar, KRI thresholds.

The 20 principles are not optional bullets; they are the audit-committee checklist. Internal audit reviews against them, the SEC references them in disclosure rules, and the big four use them as the structure for ERM maturity assessments. A programme that cannot map its activity to all five components is a programme an auditor can pick apart.

04 · ISO 31000:2018

ISO 31000:2018: principles, framework, process

The 2018 revision shortened the document, sharpened the principles, and made the framework consciously generic. Eight principles sit at the front; the framework and the process follow. Usable in any sector, at any scale.

Principle 01

Integrated

Risk management is integral to all organisational activities, not a parallel discipline that runs alongside.

Principle 02

Structured and comprehensive

A structured and comprehensive approach contributes to consistent and comparable results across the enterprise.

Principle 03

Customized

The framework and process are customized and proportionate to the organisation's external and internal context related to its objectives.

Principle 04

Inclusive

Appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered.

Principle 05

Dynamic

Risks emerge, change, and disappear as context changes. Risk management anticipates, detects, acknowledges, and responds to those changes.

Principle 06

Best available information

Inputs are based on historical and current information and on future expectations, with limitations and assumptions stated.

Principle 07

Human and cultural factors

Human behaviour and culture significantly influence all aspects of risk management at each level and stage.

Principle 08

Continual improvement

Risk management is continually improved through learning and experience.

How ISO 31000 sits next to COSO ERM

COSO is governance-heavy and well-suited to US public companies and SOX-regulated entities. ISO 31000 is principles-led and easier to localise into international or non-listed organisations. Both describe the same underlying process. Mature programmes borrow the governance scaffolding from COSO and the methodology vocabulary from ISO 31000, then add ISO/IEC 27005 or NIST 800-30 for the cyber sub-portfolio and FAIR for quantitative depth.

05 · The process

The 8-step ERM process

COSO ERM 2017 distributes the work across its five components. ISO 31000:2018 lists six process steps. Practitioners usually run an eight-step version that pulls the governance and reporting work into named stages, so every artefact has a home.

  1. Step 01

    Establish internal environment and context

    Document the organisation's mission, strategy, structure, external regulatory landscape, and internal operating model. Capture the risk culture honestly. The work below depends on this scoping being defensible.

    Output
    Context document with stakeholder map, regulatory inventory, and operating-model diagram.
  2. Step 02

    Set objectives and risk appetite

    Translate strategy into specific, measurable objectives. The board approves a risk appetite statement that names tolerated exposure by category. Without appetite, the assessment has no decision line.

    Output
    Board-approved risk appetite statement; per-category tolerance thresholds.
  3. Step 03

    Identify events and risks

    Interview business owners, review incident history, run scenario workshops, scan external threat intel. Each risk gets a one-sentence statement (threat, vulnerability, consequence) and an accountable owner from the business.

    Output
    Working enterprise risk register with named owners; no scoring yet.
  4. Step 04

    Assess likelihood and impact

    Score each risk on a consistent scale (most teams start with a 5x5 ordinal matrix). For the top 10 to 20 risks, run a quantitative pass in monetary terms using FAIR or a Monte Carlo simulation.

    Output
    Inherent score per risk; quantitative loss-exceedance curve for the top tier.
  5. Step 05

    Respond and treat

    For each risk above appetite, choose to accept, treat, transfer (insurance, contractual shift), or avoid (exit the activity). Treatment plans name the controls, the owner, the deadline, and the target residual score.

    Output
    Treatment plan with owners, deadlines, controls mapped, and target residuals.
  6. Step 06

    Implement control activities

    Stand up the preventative, detective, and corrective controls the treatment plan calls for. Map each control to the risk it reduces and to the compliance obligations it also satisfies so evidence collected once is credited many times.

    Output
    Live control library cross-mapped to risks and to compliance frameworks.
  7. Step 07

    Monitor and review continuously

    Key risk indicators (KRIs) carry the watch between assessments. Control tests run on schedule. Incidents and audit findings feed the register without waiting for the next cycle. The COSO review-and-revision component lives here.

    Output
    KRI dashboard with thresholds; current residual scores reconciled to evidence.
  8. Step 08

    Communicate and report

    Board pack on a fixed cadence. Audit-committee deep-dive each quarter. Internal communications to risk owners and to the workforce on culture and incidents. Reporting is a feature of the framework, not an afterthought.

    Output
    Quarterly board risk pack; audit-committee report; KRI watchlist; named-incident lessons.

Steps seven and eight are where programmes that look good in the binder fail in practice. Continuous monitoring keeps the register honest between cycles; reporting keeps the board engaged. A programme that runs steps one through six well and then drops the last two has produced a snapshot, not a framework.
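Steps four and five in working form, as an added example that is not RiskWatch's code: a constructed four-risk register is scored on the 5x5 matrix, the top tier gets a FAIR-style Monte Carlo (Poisson event frequency, lognormal per-event loss; these distribution choices and every figure are assumptions), and the residual 95th-percentile annual loss is compared with an assumed appetite line to give the residual-versus-appetite gap. Residual exposure is derived by thinning the same simulated events by control effectiveness, so the inherent, residual, and gap numbers come from one consistent draw.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    owner: str
    likelihood: int               # 1..5 ordinal band
    impact: int                   # 1..5 ordinal band
    lef_per_year: float           # inherent loss-event frequency (Poisson mean), assumed
    magnitude_median: float       # per-event loss in USD (lognormal median), assumed
    magnitude_sigma: float        # lognormal dispersion of per-event loss, assumed
    control_effectiveness: float  # share of inherent events current controls stop

# Constructed sample register; every figure is illustrative, not from the page.
REGISTER = [
    Risk("Ransomware on ERP", "COO", 4, 5, 2.0, 800_000, 1.0, 0.6),
    Risk("Vendor data breach", "CISO", 3, 4, 1.0, 400_000, 0.9, 0.4),
    Risk("Payroll fraud", "CFO", 2, 3, 0.5, 60_000, 0.6, 0.7),
    Risk("Office flood", "Facilities", 1, 2, 0.1, 30_000, 0.5, 0.2),
]

# Assumed appetite line: annual loss at the 95th percentile must stay under this.
APPETITE_P95_USD = 1_500_000

def ordinal_score(r: Risk) -> int:
    """5x5 matrix score (1..25): the qualitative pass over the whole register."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact bands must be 1..5")
    return r.likelihood * r.impact

def top_tier(register, n=2):
    """Highest ordinal scores go to the quantitative deep-dive."""
    return sorted(register, key=ordinal_score, reverse=True)[:n]

def poisson(lam: float, rng: random.Random) -> int:
    """Loss events in one year (Knuth's method, adequate for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_year(r: Risk, rng: random.Random):
    """(inherent_loss, residual_loss) for one simulated year. Residual thins the
    same event set by control effectiveness, so it never exceeds inherent."""
    inherent = residual = 0.0
    for _ in range(poisson(r.lef_per_year, rng)):
        loss = rng.lognormvariate(math.log(r.magnitude_median), r.magnitude_sigma)
        inherent += loss
        if rng.random() >= r.control_effectiveness:  # control did not stop it
            residual += loss
    return inherent, residual

def percentile(values, p: float) -> float:
    """Nearest-rank percentile for p in (0, 1]."""
    s = sorted(values)
    return s[max(0, min(len(s) - 1, math.ceil(p * len(s)) - 1))]

def exceedance_probability(values, threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(v > threshold for v in values) / len(values)

def run(years: int = 10_000, seed: int = 7, tier_size: int = 2) -> dict:
    """Monte Carlo over the top tier, consolidated per year, compared to appetite."""
    rng = random.Random(seed)
    tier = top_tier(REGISTER, tier_size)
    inherent, residual = [], []
    for _ in range(years):
        draws = [simulate_year(r, rng) for r in tier]
        inherent.append(sum(d[0] for d in draws))
        residual.append(sum(d[1] for d in draws))
    inh_p95, res_p95 = percentile(inherent, 0.95), percentile(residual, 0.95)
    return {
        "tier": [r.name for r in tier],
        "inherent_p95": inh_p95,
        "residual_p95": res_p95,
        "gap_to_appetite": max(0.0, res_p95 - APPETITE_P95_USD),  # work still owed
        "p_exceed_appetite": exceedance_probability(residual, APPETITE_P95_USD),
        "within_appetite": res_p95 <= APPETITE_P95_USD,
    }
```

A target residual for a treatment plan is the same calculation with control_effectiveness raised to the planned level; the gap figure is what the board pack reports against appetite.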

06 · Roles & governance

Roles, governance, and the three lines of defense

ERM accountability is not flat. The board owns the portfolio. The CRO runs the framework. The business owns the risks it generates. Internal audit provides assurance. The IIA three lines model gives the structure.

Board of directors

Ultimate accountability for the risk programme. Approves the risk appetite statement and reviews material risks at least quarterly. Signs off on the framework and on changes to it.

Audit committee

Oversees the integrity of risk reporting, the independence of internal audit, and the effectiveness of the framework. Reviews internal-audit findings and follow-through on management actions.

CEO and executive committee

Owns the risks of executing the strategy. Allocates capital to treatment plans. Ensures risk owners across the business have the resources and authority their role requires.

Chief risk officer (CRO)

Designs and runs the framework. Owns the methodology, the enterprise register, the aggregation up to portfolio view, and the board reporting cadence. Reports to the CEO or the audit committee, ideally both.

Risk owners (1st line)

Business heads who own the risks generated by their activity. They identify, assess, treat, and monitor their risks day to day. The first line of defense.

Risk and compliance functions (2nd line)

CRO function, compliance officer, BCM, information security, and similar oversight functions. Set policy, methodology, and independent challenge. The second line of defense.

Internal audit (3rd line)

Independent assurance to the board on the effectiveness of lines one and two. Reports functionally to the audit committee. The third line of defense per the IIA model.

The IIA refreshed the model in 2020 as the “Three Lines Model” to emphasise collaboration over rigid separation. Lines do not work in isolation; they coordinate. What survives the refresh is the principle that the third line (internal audit) reports to the audit committee, not into the management chain it audits.

07 · Frameworks

ERM frameworks compared

No mature programme picks one framework and lives there forever. ERM in practice is a stack: an enterprise wrapper (COSO or ISO 31000), a cyber methodology (ISO 27005 or NIST 800-30), and sector-specific frameworks (Basel III for banks, Solvency II for insurers, NIST RMF for federal).

COSO ERM 2017
Enterprise risk for US public companies

The Committee of Sponsoring Organizations framework, integrated with strategy and performance. Five components and 20 principles. Widely referenced by US public companies, SOX internal controls work, and the SEC.

Best for
US public companies, SOX-regulated entities, strategy-led ERM programmes
ISO 31000:2018
Enterprise-wide risk, international

The international standard for risk management principles, framework, and process. Sits above any specific domain. The reference boards and regulators outside the US most often cite.

Best for
International organisations, regulated industries, programmes that need a single risk vocabulary
ISO/IEC 27001
Information security management

An ISMS standard, not an enterprise framework, but the methodology in ISO/IEC 27005 plugs into ERM as the cyber risk engine. 93 Annex A controls. Certifiable. Required by many enterprise customers.

Best for
Cyber risk as a sub-portfolio inside ERM; international certification requirements
NIST RMF (SP 800-37)
US federal information systems

Risk Management Framework for federal information systems. Seven steps from prepare to monitor. Pairs with NIST 800-30 for assessment and NIST 800-53 for the control catalogue. Default for federal and defence contractors.

Best for
Federal agencies, FedRAMP, CMMC, defence supply chain
Basel III / SR 11-7
Banking and model risk

Sector-specific frameworks for banking capital, liquidity, and model risk. ERM at a bank inherits these and adds the rest of the enterprise picture on top.

Best for
Banks, broker-dealers, large asset managers
Solvency II / ORSA
Insurance

EU prudential regime for insurers. The Own Risk and Solvency Assessment (ORSA) is the insurer's annual ERM exercise. US equivalents are the NAIC ORSA Guidance Manual and the Insurance Holding Company Act.

Best for
Insurers, reinsurers, captive insurance entities
08 · 90-day plan

How to build an ERM program in 90 days

A credible first cycle is achievable in a quarter, provided the board mandate is in place and risk activity already runs in silos that can be consolidated. Below is the cadence that holds up at audit-committee level.

  1. Phase 01
    Days 1–15
    Mandate and scope
    • Confirm board mandate and ERM sponsor (CEO or audit-committee chair)
    • Inventory existing risk activity across cyber, compliance, finance, operations, and BCM
    • Choose the wrapper framework (COSO ERM 2017 or ISO 31000) and document the choice
    • Stand up the working group: CRO lead, second-line function heads, one first-line champion per business unit
  2. Phase 02
    Days 16–35
    Appetite and taxonomy
    • Run a board workshop to draft the risk appetite statement (per category, qualitative + quantitative thresholds)
    • Agree the risk taxonomy: 6 to 8 top-level categories with second-level sub-categories
    • Document the scoring methodology (5x5 ordinal scale, scoring criteria per likelihood and impact band)
    • Publish the appetite statement and taxonomy in a one-page reference for risk owners
  3. Phase 03
    Days 36–60
    Identify and assess
    • Interview 12 to 20 risk owners across the business; capture risk statements in threat-vulnerability-impact form
    • Score the register qualitatively in scoring workshops; identify the top 10 to 20 for quantitative deep-dive
    • Run FAIR on the top tier; produce a loss-exceedance curve for the consolidated portfolio
    • Map controls already in place to each risk; calculate residual scores
  4. Phase 04
    Days 61–80
    Treat and instrument
    • Agree treatment decisions per risk above appetite (accept, treat, transfer, avoid)
    • Name an owner, a deadline, and a target residual for every treatment in flight
    • Define KRIs for the top 10 risks with thresholds aligned to the appetite statement
    • Cross-map controls to compliance obligations (ISO 27001, SOC 2, HIPAA, PCI DSS, NIST) so evidence is reused
  5. Phase 05
    Days 81–90
    Report and embed
    • Build the first board risk pack: top 10 risks, residual versus appetite, treatment progress, KRI watchlist
    • Present to the audit committee; capture the brief from the chair on what the next cycle should add
    • Agree the cadence: continuous KRI monitoring, monthly working group, quarterly board review, annual full reassessment
    • Embed the framework in operating routines (change management, vendor onboarding, M&A diligence, strategy reviews)

Ninety days produces a defensible first cycle, not a mature programme. Maturity comes from the next four quarters: embedding ERM in change management, vendor onboarding, M&A diligence, strategy reviews, and incident learning loops. The RIMS Risk Maturity Model and ISO 31000 self-assessment tools both give a structured way to score progress.

09 · Pitfalls

Common ERM pitfalls

Most ERM programmes fail in predictable ways. None of these failures are framework choices; they are governance and cadence choices that catch up with the programme inside two cycles.

Building a register the board never reads

If the register lives in a CRO's spreadsheet and only the CRO references it, the framework has not been adopted. Board cadence, board readability, and board questions back to risk owners are the test.

Appetite as a wall plaque

A risk appetite statement that never causes a 'no' or a 'reduce' decision is decorative. Appetite earns its keep when it constrains real choices about strategy, M&A, vendor onboarding, and product launches.

Treating ERM as a compliance project

ERM is not SOX with extra steps. A programme that only counts controls and never weighs strategic risk has missed the value-creation half of the COSO 2017 definition.

One framework, no methodology

Picking COSO or ISO 31000 is the easy bit. Without a documented scoring methodology, calibrated assessors, and a consistent vocabulary, the register reads differently in every business unit.

Annual snapshot, no continuous monitoring

An ERM cycle that runs once a year produces a museum exhibit, not a live picture of exposure. KRIs, control tests, incidents, and audit findings must update the register continuously.

Second line that cannot say no

If the CRO function reports only to the CEO and cannot escalate independently to the audit committee, the second line is structurally weak. The IIA three-lines model exists for a reason.

10 · Frequently asked

Enterprise risk management, answered

Twelve questions that come up on the way to a working programme, with practitioner answers.

What is enterprise risk management in simple terms?
Enterprise risk management (ERM) is the discipline of identifying, assessing, treating, monitoring, and reporting on all material risks across an organisation as a portfolio, governed by the board and led by a chief risk officer or equivalent. It replaces the siloed view (cyber risk, financial risk, operational risk treated as separate disciplines) with a single enterprise picture tied to strategy and to a board-approved risk appetite. The two reference frameworks are COSO ERM 2017 and ISO 31000:2018.
What are the five components of COSO ERM 2017?
Governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. Each component has principles attached, 20 in total. The 2017 update repositioned ERM as integrated with strategy and performance, where the 2004 framework treated risk more narrowly as event identification and response.
What is the difference between ERM and traditional risk management?
Traditional risk management is siloed: cyber risk, financial risk, operational risk, and compliance risk are owned by their respective functions and assessed separately. ERM is a portfolio view that the board owns. It rolls the silos up, surfaces dependencies across them, ties the portfolio to a board-approved risk appetite, and asks how much risk the organisation should take in pursuit of strategy, not only how to avoid loss.
What is COSO ERM versus ISO 31000?
Both are credible enterprise frameworks. COSO ERM 2017 is the framework most US public companies reference, particularly where SOX internal controls work overlaps with risk. ISO 31000:2018 is the international standard, used widely outside the US and in regulated industries that want a shorter, more methodology-led document. Mature programmes often borrow from both: ISO 31000 for principles and process, COSO for the governance and reporting structure.
What does a chief risk officer (CRO) do?
The CRO designs and runs the ERM framework. They own the methodology, the enterprise risk register, the portfolio view, the KRI library, and the board reporting cadence. They convene the risk committee, challenge risk owners in the first line, and escalate independently to the audit committee on material exposures. The role reports to the CEO and ideally has a dotted line to the audit committee chair.
What is the three lines of defense model?
An Institute of Internal Auditors (IIA) governance model. The first line is the business: risk owners who identify, assess, and treat the risks generated by their activity. The second line is the oversight functions (CRO, compliance, BCM, infosec) that set policy, methodology, and independent challenge. The third line is internal audit, which provides independent assurance to the audit committee on the effectiveness of lines one and two. The IIA refreshed it in 2020 as the 'Three Lines Model' to emphasise collaboration over rigid separation.
What is a risk appetite statement?
A board-approved document that names the level of risk the organisation is willing to accept in pursuit of its objectives, expressed per risk category. It contains qualitative statements (low for regulatory and reputational, moderate for operational, higher for innovation) and quantitative thresholds where the data supports them (acceptable cyber loss-exceedance at a defined percentile, credit exposure limits, liquidity ratios). The appetite statement is the decision line every assessment compares residual scores against.
How often should an organisation reassess its enterprise risks?
Continuous for the indicators (KRIs), quarterly for the top tier of risks at the board, annually for the full register. Material change triggers immediate reassessment of affected risks: a new business line, an acquisition, a major system go-live, a regulatory shift, or a sector incident. The honest test is that the register reflects current exposure on any given day, not last quarter's snapshot.
What is the difference between inherent risk and residual risk in ERM?
Inherent risk is the exposure before the controls currently in place are credited. Residual risk is the exposure that remains after those controls do their work. Target residual risk is the level the planned treatment is designed to reach. Boards want all three numbers in the dashboard: where we were, where we are, where we are going. The gap between residual and appetite is the work the framework still owes.
Which frameworks should a US public company use for ERM?
COSO ERM 2017 as the enterprise wrapper. ISO 31000:2018 if the company has international operations and wants a single risk vocabulary across jurisdictions. ISO/IEC 27001 and NIST 800-30 for the cyber sub-portfolio. NIST CSF 2.0 for cyber governance reporting. Sector-specific frameworks layer on top: Basel III for banks, Solvency II / NAIC ORSA for insurers, FERC / NERC CIP for energy. The point is that ERM is the wrapper; specialised frameworks live inside it.
What is the cost of standing up an ERM programme?
It depends on size and starting point. A mid-market company with risk activity already running in silos can stand up a credible programme in 90 days with a part-time CRO, a working group of 6 to 10 people, and a platform that consolidates the register. Annual run-rate for a working programme at a mid-market firm tends to land in the low six figures including software, audit, and partial-FTE time. Larger or regulated firms run multiples of that. The cost of not having one is bigger: SEC enforcement, audit qualifications, insurance non-renewal, and capital that compounds against badly-priced risk.
What software supports enterprise risk management?
A spreadsheet works for the first cycle. The moment the programme adds its second framework, its third assessor, or its fourth business unit, the spreadsheet costs more to keep in sync than a platform costs. A modern risk and compliance platform centralises the enterprise register, the control library, the KRI dashboard, and the board reporting workflow; cross-maps controls so evidence collected once pays off across HIPAA, ISO 27001, SOC 2, PCI DSS, and NIST; and produces the board pack without a manual rebuild every quarter. RiskWatch supports this pattern across 40+ frameworks on a single tenant.
From framework to a running portfolio

See how RiskWatch turns ERM into one live portfolio across cyber, financial, operational, and compliance risk.

The enterprise risk register, COSO and ISO 31000 templates, FAIR quantitative engine, KRI library, board reporting workflow, and cross-mapping to 40+ compliance frameworks. 30-day free trial, no credit card.
