The term of Enterprise Risk Management “ERM” is being discussed these days a lot. (Traditional) Risk Management by itself is not new. However it has been evolved. The main difference between both is that the traditional risk management is considering risk to be managed separately , each business unit, department or project by itself as silos. Another point , in traditional risk management , the assessment, identification of risk is taken bottom up until it is summarized up in the management level.
As said, this has been evolved to form the new concept of Enterprise risk management which take a wider view of risk to include the whole organization or cooperation. Another point, Enterprise Risk Management start from up to bottom, as it starts on the strategic level by the corporate objectives and strategic directions. The game changer here is changing the mind set to focus on what could impact the organization from achieving its strategic goals. This can be achieved by creating Key Risk Indicators (KRIs) that are linked to the organization goals and objectives. These KRIs are monitored closely to ensure the organization decision makers that their decisions are still within the organization risk appetite.
I will give some details on the basic concepts of the ERM in later articles, while in this article I will only focus on different definitions of the Enterprise Risk Management.
ISO31000:2009 has defined the Risk Management as “Coordinated activities to direct and control an organization with regard to risk” and defined Risk itself by “Effect of uncertainty on objectives” where the effect is a deviation from the expected positive and/or negative.
COSO broadly defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
According to the Project Management Institute’s PMBOK . Project risk is defined by PMI as, “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”
IT Management Professional 