What is enterprise risk management?

Abstract

Enterprise risk management (ERM) is the set of activities used to affect the management of risk across the whole institution, as opposed to discrete risks inside business silos. Most financial institutions have highly developed, specialised risk functions or ‘risk stripes’ that focus on the key individual risk types. Historically, these risk stripes have concentrated on financial threats like credit risk and market risk. More recently, nonfinancial risks like operational, compliance and cyber risk have captured the attention of risk managers. For the most part, risk stripes address the risks of the individual business silos, which typically include deposit taking, lending and trading. This overview paper seeks to explain the objectives of an enterprise approach to risk management as distinct from a purely risk-stripe and silo-based approach. What are some of the recent trends that make the ERM aspect of risk management more important than ever, and what does a good ERM framework look like, given the comparative advantage of ERM, namely the enterprise-wide view (the E in ERM)? This paper presents the four pillars of ERM: a coordinating role through the ownership of the risk management framework; the creation of the risk appetite statement, a foundational element of that framework; development of aggregating risk measures; and rounding up of cross-cutting risks – the stuff that is hard to identify and quantify. In addition to these core pillars, The paper describes a set of ‘nice-to-have’ functions, such as stress testing and risk data ownership, and we discuss some organisational features and capabilities one looks for in an effective ERM group.