How ERM scope, processes, tolerance, exposure, response strategies, and monitoring support strategy.
Enterprise risk management connects risk to strategy. The goal is not to eliminate every risk; it is to identify the risks that matter, decide how much risk the entity can accept, choose a response, assign ownership, and monitor whether residual exposure stays within tolerance.
Enterprise risk management belongs in Strategy and Governance because risk choices affect strategy, resources, accountability, and monitoring. The Performance Management response should connect risk exposure to tolerance, response, owner, and follow-up.
| Coverage area | Performance Management question |
|---|---|
| Risk scope | Which strategic, operational, financial, compliance, reporting, technology, people, or reputation risks matter? |
| Risk process | Does the process identify, assess, respond, assign ownership, monitor, and report risks? |
| Risk assessment | How do likelihood, impact, velocity, detectability, or other case criteria rank the risks? |
| Tolerance and exposure | Is residual exposure within tolerance, or does management need a stronger response? |
| Recommendation | Should management avoid, transfer, mitigate, or accept the risk, and does the decision need to be escalated beyond management's authority? Every response, including acceptance, still needs monitoring. |
ERM scope should reflect the entity’s strategy and environment. A narrow scope can miss risks that cross functions.
| Risk category | Examples |
|---|---|
| Strategic | Wrong market position, failed acquisition, mission drift, weak value proposition, or competitor response. |
| Operational | Process failure, capacity shortage, quality defects, supply disruption, or safety issue. |
| Financial | Liquidity pressure, covenant breach, interest rate exposure, credit risk, or cost escalation. |
| Compliance | Regulatory breach, funding condition failure, privacy issue, or ethics violation. |
| Reporting and data | Poor KPI quality, unreliable system reports, weak forecasting, or incomplete board information. |
| Technology | Cyber attack or data breach, system implementation failure, downtime, data loss, or automation error. |
| People and culture | Skill shortage, turnover, incentive conflict, resistance, or succession gap. |
| Reputation and stakeholder | Public trust, customer confidence, funder concern, community impact, or media scrutiny. |
A risk process should be continuous, not a yearly list of concerns.
| ERM step | What good practice shows |
|---|---|
| Identify | Risks are linked to objectives, processes, stakeholders, and environmental changes. |
| Assess | Likelihood, impact, speed, existing controls, and residual exposure are evaluated. |
| Prioritize | Management focuses on the risks that matter most to strategy and mandate. |
| Respond | Avoid, transfer, mitigate, or accept is chosen deliberately; a risk beyond management's authority is escalated for decision. |
| Own | Each significant risk has an accountable owner with authority to act. |
| Monitor | Key risk indicators, limits, exceptions, and mitigation status are reported. |
| Update | New internal or external changes refresh the risk assessment. |
Risk appetite is the broad amount of risk the entity is willing to pursue; risk tolerance is the acceptable variation around a specific objective, usually stated as a threshold. Exposure is the risk currently faced. Inherent risk is exposure before any response; residual risk is what remains after controls and other responses operate. It is residual exposure that is compared to tolerance.
| Situation | Interpretation | Response |
|---|---|---|
| Exposure below tolerance and controls operating | Risk may be accepted and monitored. | Continue monitoring and update if conditions change. |
| Exposure above tolerance but response plan exists | Risk is not yet fully controlled. | Track mitigation owner, deadline, and residual exposure. |
| Exposure above tolerance and no owner | Accountability gap. | Assign owner, response strategy, and board reporting. |
| Tolerance is undefined | Management cannot decide whether exposure is acceptable. | Establish risk appetite or tolerance thresholds. |
| Risk is low likelihood but high impact | May need contingency planning despite low probability. | Add response plan, insurance, continuity plan, or escalation trigger. |
| Controls reduce likelihood but not impact | Residual impact may remain high. | Add response for consequence management. |
Risk response should fit the objective, cost, capability, and residual exposure.
| Strategy | Use when | Example |
|---|---|---|
| Avoid | Activity is outside tolerance or not strategically necessary. | Exit a high-risk market that conflicts with mandate. |
| Transfer | Another party can bear or share the financial consequence more effectively; accountability for the outcome and for oversight of the other party stays with the entity. | Insurance, outsourcing with safeguards, hedging, or contractual indemnity. |
| Mitigate | Risk is worth taking but needs controls or process changes. | Add monitoring, training, system controls, supplier redundancy, or quality review. |
| Accept | Risk is within tolerance and response cost exceeds benefit. | Monitor low-impact risks with periodic review. |
| Escalate | Risk exceeds management authority or affects strategy. | Report to board or committee for decision. |
ERM should respond when the environment changes.
| Change | Risk implication |
|---|---|
| New regulation | Compliance obligations, reporting, penalties, and control needs change. |
| New system | Data, cybersecurity, implementation, training, and process risks change. |
| New supplier or outsourcing | Dependency, service quality, confidentiality, and continuity risks change. |
| Economic stress | Liquidity, demand, credit, cost, and fraud risks may increase. |
| Growth or acquisition | Integration, capacity, culture, controls, and financing risks increase. |
| Public commitment | Reputation and accountability risks increase if the entity cannot evidence delivery on the commitment. |
Use this order: objective, risk event, cause, impact, existing controls, exposure versus tolerance, response, owner, key risk indicator, and reporting. If the case supplies a risk matrix, use it but do not stop at ranking. Recommend the response and monitoring action.
When tolerance is missing, recommend defining tolerance before choosing aggressive growth, cost reduction, or risk acceptance.
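The exposure-versus-tolerance table and the recommended order above combine several judgments for each risk: residual score after controls, comparison to tolerance, whether an owner and a plan exist, and whether consequence management is needed even when likelihood is low. The following worked example, added here and not part of the original page, applies those rules to a small risk register. It assumes a 1 to 5 scale for likelihood and impact, a tolerance expressed as a maximum acceptable residual score (likelihood times impact), and controls that reduce likelihood only, leaving impact unchanged. The register entries are constructed sample data.

```python
"""Risk-register evaluation following the exposure-versus-tolerance table.

Added example; assumptions (not from the page): 1-5 scales, tolerance is a
maximum residual score, existing controls reduce likelihood but not impact.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    objective: str
    event: str
    likelihood: int                      # 1 rare .. 5 almost certain, before controls
    impact: int                          # 1 minor .. 5 severe
    control_effectiveness: float = 0.0   # fraction of likelihood removed by existing controls
    tolerance: Optional[int] = None      # max acceptable residual score; None = undefined
    owner: Optional[str] = None
    response_plan: bool = False


def residual_likelihood(risk: Risk) -> int:
    """Likelihood after controls; a risk never drops below 'rare'."""
    return max(1, round(risk.likelihood * (1 - risk.control_effectiveness)))


def residual_score(risk: Risk) -> int:
    """Residual exposure as likelihood x impact; impact is unchanged by controls."""
    return residual_likelihood(risk) * risk.impact


def evaluate(risk: Risk) -> dict:
    """Classify one risk and list the follow-up actions the table calls for."""
    score = residual_score(risk)
    actions = []
    if risk.tolerance is None:
        status = "tolerance undefined"
        actions.append("establish tolerance threshold before accepting or mitigating")
    elif score <= risk.tolerance:
        status = "within tolerance"
        actions.append("accept; monitor key risk indicator and review on change")
    elif risk.owner is None:
        status = "above tolerance, no owner"
        actions.append("assign owner, response strategy and board reporting")
    elif risk.response_plan:
        status = "above tolerance, plan in progress"
        actions.append("track mitigation owner, deadline and residual exposure")
    else:
        status = "above tolerance, no plan"
        actions.append("choose avoid, transfer or mitigate, or escalate for decision")
    # Consequence flags apply regardless of the tolerance verdict.
    if residual_likelihood(risk) <= 2 and risk.impact >= 4:
        actions.append("low likelihood, high impact: add contingency or continuity plan")
    if risk.control_effectiveness > 0 and risk.impact >= 4:
        actions.append("controls cut likelihood only: add consequence management")
    return {"event": risk.event, "residual": score, "status": status, "actions": actions}


def evaluate_register(register):
    return [evaluate(r) for r in register]


# Constructed sample register (hypothetical entries).
REGISTER = [
    Risk("Protect customer data", "ransomware encrypts core systems",
         likelihood=4, impact=5, control_effectiveness=0.5, tolerance=8,
         owner="CIO", response_plan=True),
    Risk("Maintain liquidity", "covenant breach on term loan",
         likelihood=2, impact=4, tolerance=6, owner="CFO"),
    Risk("Comply with privacy law", "regulator fines for unlawful processing",
         likelihood=3, impact=4, tolerance=None, owner="DPO"),
    Risk("Retain key staff", "loss of sole payroll specialist",
         likelihood=3, impact=2, tolerance=6),
]

if __name__ == "__main__":
    for row in evaluate_register(REGISTER):
        print(f"{row['event']}: residual {row['residual']}, {row['status']}")
        for action in row["actions"]:
            print(f"    - {action}")
```

The ransomware entry shows why ranking alone is not enough: controls halve the likelihood, but the residual score of 10 still exceeds the tolerance of 8, and because impact is untouched the risk also picks up the contingency and consequence-management flags. The privacy entry cannot be judged at all until a tolerance is set, which is the point of the paragraph above.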
| Pitfall | Correction |
|---|---|
| Listing risks without ranking or response. | Assess likelihood, impact, tolerance, owner, and response. |
| Treating ERM as annual paperwork. | Show how risks are monitored and updated as conditions change. |
| Ignoring risk tolerance. | Compare exposure to tolerance before recommending acceptance or mitigation. |
| Recommending controls without owner. | Assign accountable owner, due date, and monitoring measure. |
| Missing strategic upside. | ERM supports informed risk-taking, not risk elimination. |