schema: | { "@context": "https://schema.org", "@graph": [ { "@type": "Article", "headline": "Enterprise Risk Management: Framework, Assessment, Mitigation, and Board Oversight (2026)", "description": "Complete guide to enterprise risk management including COSO ERM framework, risk identification, assessment, governance, and board/committee oversight. Essential for managing organizational risks across functions.", "image": "https://bato.com.np/assets/images/enterprise-risk-management.jpg", "datePublished": "2026-02-20", "dateModified": "2026-02-21", "author": { "@type": "Person", "name": "David Torres" }, "publisher": { "@type": "Organization", "name": "BATO - Business Audit & Tax Organization", "logo": { "@type": "ImageObject", "url": "https://bato.com.np/assets/images/logo.png" } } }, { "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "What is Enterprise Risk Management (ERM)?", "acceptedAnswer": { "@type": "Answer", "text": "ERM is a framework that organizations use to manage risks and seize opportunities related to the achievement of their objectives." } }, { "@type": "Question", "name": "What are the components of the COSO ERM framework?", "acceptedAnswer": { "@type": "Answer", "text": "The COSO ERM framework consists of five components: Governance & Culture, Strategy & Objective-Setting, Performance, Review & Revision, and Information, Communication, & Reporting." } }, { "@type": "Question", "name": "How does ERM differ from traditional risk management?", "acceptedAnswer": { "@type": "Answer", "text": "Traditional risk management often focuses on specific risks in silos (like insurance), whereas ERM takes a holistic, organization-wide view of all risks and their interdependence." } } ] } ] }


Enterprise risk management (ERM) is the systematic process of identifying, assessing, and mitigating risks across an organization. This guide covers ERM frameworks, governance, and best practices in 2026.

Enterprise Risk Management Fundamentals

What Is Enterprise Risk Management?

Definition:
Enterprise Risk Management is the organization-wide approach to:
1. Identifying: Potential risks affecting business
2. Assessing: Likelihood and potential impact
3. Prioritizing: Which risks matter most
4. Planning: Mitigation or acceptance strategies
5. Monitoring: Ongoing tracking and response

Difference from Traditional Risk Management:

Traditional (Siloed) Risk Management:
- Separate departments manage specific risks
- Example: Finance manages credit risk, Operations manages safety risk, IT manages cybersecurity
- Problems:
  * Duplicative efforts across departments
  * Gaps where no one owns certain risks
  * No holistic view of risk exposure
  * Risk conflicts (mitigating one risk increases another)

Enterprise-Wide Risk Management:
- Centralized function coordinating risk across organization
- Chief Risk Officer position (or equivalent, reports to CEO/Audit Committee)
- Integrated risk assessment (all major risks in single framework)
- Benefits:
  * Holistic view of total risk exposure
  * Eliminating duplicative mitigation efforts
  * Identifying correlated risks (which risks affect each other)
  * Optimizing risk/return tradeoff
  * Board visibility of top risks

COSO ERM Framework:

Committee of Sponsoring Organizations (COSO):
- COSO ERM 2017 framework (updated version)
- Five integrated components (supported by 20 principles) for managing enterprise risk:

1. Governance and Culture
   - Tone at top (CEO/board commitment to risk management)
   - Board oversight (ERM governance, accountability)
   - Culture of risk awareness (employees understand risk)

2. Strategy and Objective-Setting
   - Risk appetite: How much risk will organization accept?
   - Strategic planning: Risks affecting business strategy
   - Objective definition: Specific goals considering risk tolerance

3. Performance
   - Risk assessment: Identify potential risks
   - Risk response: Mitigate, accept, or transfer risks
   - Control activities: Specific controls reducing risk

4. Review and Revision
   - Assess substantial change (internal or external shifts that alter the risk profile)
   - Review risk and performance (are responses and controls working as intended?)
   - Pursue improvement in ERM practices

5. Information, Communication, and Reporting
   - Risk information systems (risk register, control documentation, supporting data)
   - Communication of risk information (training, awareness, escalation paths)
   - Reporting on risk, culture, and performance to management and the board

Risk Appetite vs. Risk Tolerance:

Risk Appetite:
- Definition: Amount of risk organization is willing to accept
- Set by: Board of directors and executive leadership
- Application: Strategic decision-making (which business to pursue)
- Example: Financial services company risk appetite
  * "We will maintain capital ratio >10% (regulatory minimum is 8%)"
  * "We will not have single customer >5% of loan portfolio"
  * "Credit loss provisions will not exceed 1.5% of total loans"

Risk Tolerance:
- Definition: Acceptable variance from risk appetite objectives
- More specific than risk appetite
- Applied to: Operational decisions, control requirements
- Example: Operational risk tolerance
  * IT system uptime minimum: 99.5% (tolerance: 99.0%-99.9%)
  * Customer complaint resolution: 95% within 30 days (tolerance: 90%-98%)
  * Audit finding remediation: 100% within agreed timeline (tolerance: 95%+)

Risk Types and Categories

Strategic Risk:
- Definition: Risk to business strategy/model
- Examples: Market disruption (e.g., streaming disrupting cable TV), 
  competitive entry, regulatory changes affecting entire industry, 
  macroeconomic downturn impacting demand
- Mitigation: Scenario planning, diversification, strategic innovation
- Monitoring: Board oversight (strategic committee), annual review

Operational Risk:
- Definition: Risk to day-to-day operations
- Examples: Process failures (order fulfillment delays), service outages
  (IT system down), employee fraud, safety incidents, supply chain 
  disruption (key supplier bankruptcy)
- Mitigation: Process controls, backup systems, insurance, training
- Monitoring: Operations committee, quarterly reviews

Compliance/Regulatory Risk:
- Definition: Risk of non-compliance with laws/regulations
- Examples: Environmental violations (EPA penalties), labor law violations 
  (wage/hour lawsuits), data privacy violations (GDPR fines, CCPA 
  penalties), financial reporting violations (SOX violations)
- Mitigation: Compliance monitoring, training, legal review, internal audit
- Monitoring: Audit committee, legal/compliance function

Financial Risk:
- Definition: Risk to financial performance/stability
- Examples: Liquidity risk (insufficient cash), credit risk (customer default), 
  interest rate risk (rising rates increase debt cost), currency risk (foreign 
  exchange impacts), fraud/embezzlement (internal theft)
- Mitigation: Liquidity management, credit analysis, hedging, segregation 
  of duties, internal controls
- Monitoring: CFO/finance, audit committee quarterly

Technology/Cybersecurity Risk:
- Definition: Risk from technology failures or cyber attack
- Examples: System outage (ecommerce site down), data breach (customer 
  data stolen), ransomware (system locked, demands ransom), supply chain 
  compromise (third-party vendor compromised), legacy system failure 
  (old system can't be maintained)
- Mitigation: Cybersecurity investment, backup systems, disaster recovery, 
  vendor management, system upgrades
- Monitoring: CIO/security, audit committee, quarterly assessments

Talent/Human Capital Risk:
- Definition: Risk from key employee departure, turnover, engagement
- Examples: CEO departure (loss of leadership), key technical talent departure 
  (product development delayed), engineering shortage (can't hire needed talent), 
  culture issues (high turnover, low engagement)
- Mitigation: Succession planning, competitive compensation, culture investment, 
  retention programs
- Monitoring: Chief HR Officer, board discussions, annual review

Reputational Risk:
- Definition: Risk to company reputation/brand
- Examples: Product quality failure (safety incident, recalls), executive 
  misconduct (#MeToo, SEC violation), customer service failure (negative media 
  coverage), environmental compliance failure (pollution incident)
- Mitigation: Quality management, ethics/conduct training, customer service 
  excellence, environmental compliance
- Monitoring: PR function, executive leadership, ongoing awareness

Crisis/Disaster Risk:
- Definition: Risk of major catastrophic event
- Examples: Facility fire/destruction, major natural disaster (hurricane, earthquake), 
  pandemic (COVID-type event), war/geopolitical (supply chain disruption), financial 
  market collapse (business impact)
- Mitigation: Business continuity planning, disaster recovery, insurance, 
  geographic diversification
- Monitoring: Chief Risk Officer, board review, annual updates

Risk Interdependencies:

Correlated Risks (One Affects Another):
- Economic downturn → Increases credit risk (more customers default), 
  increases operational risk (cost-cutting pressure), impacts talent retention 
  (lower compensation budgets)
- Cybersecurity breach → Increases compliance risk (regulatory investigation), 
  reputational risk (media coverage), financial risk (legal costs, customer 
  attrition)
- Key person departure → Talent retention risk (others may follow), operational 
  risk (knowledge loss), strategic risk (if key to strategy execution)

Management Approach:
- Map risk relationships (which risks correlate)
- Manage risk portfolio holistically (not independently)
- Recognize correlation in mitigation planning
- Example: Technology modernization effort
  * Reduces legacy system failure risk (operational)
  * Increases cybersecurity risk in migration (temporary)
  * Reduces technology skill shortage (talent risk)
  * Net benefit outweighs temporary migration risk

Risk Governance and Assessment

Risk Governance Structure

Board and Committee Oversight:

Board Responsibilities:
- Risk appetite approval: Confirms risk appetite statement
- Top risk review: Quarterly/annual review of top 5-10 risks
- Risk framework: Approves ERM framework and policies
- Executive compensation: Ensures compensation structure doesn't encourage 
  excessive risk-taking

Audit Committee Role:
- Internal control oversight: Reviews [internal audit](/audit/internal-audit-framework-guide/) findings
- Financial risk: Quarterly review of financial risks (liquidity, credit, 
  accounting)
- Compliance: Legal/compliance function reports on regulatory risks
- Fraud: Reviews [fraud risk assessment](/audit/fraud-prevention-detection-guide/) and prevention controls

Risk Committee (if appointed):
- Enterprise risk: Dedicated oversight of top risks
- Risk ranking: Quarterly review of risk heat map (probability × impact)
- Mitigation plans: Monitors progress on risk reduction initiatives
- Risk appetite: Recommends risk appetite adjustments to board

Compensation/Governance Committee:
- Executive compensation risk: Ensures compensation doesn't encourage 
  excessive risk (See Executive Compensation article for details)

Executive Leadership:

Chief Executive Officer (CEO):
- Overall accountability: Final approval of risk appetite and strategy
- Culture: Tone at top (emphasizes risk awareness)
- Execution: Ensure risk mitigation programs funded and executed

Chief Risk Officer (CRO):
- Owns ERM function: Reports to CEO and Audit Committee
- Risk assessment: Conducts enterprise risk assessments
- Monitoring: Tracks risk mitigation progress
- Reporting: Quarterly reports to audit committee/board
- Independence: Reports outside the operational lines whose risks the function 
  assesses, so that risk reporting is not filtered by the people being assessed

Chief Financial Officer (CFO):
- Financial risk: Manages liquidity, credit, accounting risks
- Capital allocation: Ensures risk mitigation investments prioritized
- Quarterly reporting: Financial risk update to audit committee

Chief Information Officer (CIO) / Chief Information Security Officer (CISO):
- Cybersecurity risk: Primary responsibility for IT/security risks
- Oversight: Reports to CRO and Audit Committee on critical risks
- Incident response: Manages breach response if incident occurs

Chief Compliance Officer / General Counsel:
- Regulatory/compliance risk: Ensures legal/regulatory compliance
- Policy development: Compliance policies and training
- Litigation: Manages legal disputes and claims

Risk Governance Organization Chart (Sample):

Risk reporting lines only; administrative reporting to the CEO is not shown.

Board of Directors
  └─ Audit Committee
       ├─ Chief Risk Officer
       │    ├─ Financial Risk Officer
       │    ├─ Operational Risk Officer
       │    ├─ Compliance Officer
       │    └─ Technology Risk Officer (dotted line to CIO)
       ├─ Chief Financial Officer
       ├─ Chief Compliance Officer
       └─ Chief Information Security Officer

Risk Assessment Process

Annual Risk Assessment Cycle:

Process Steps:

1. Risk Identification (Month 1):
   - Workshops: Facilitated sessions with executive leadership, business unit heads
   - Process: "What are the top risks to achieving our strategy?"
   - Participants: CEO, CFO, COO, Chief Risk Officer, business unit heads
   - Output: List of 20-30 potential risks identified
   - Documentation: Risk identification template (risk description, affected area)

2. Risk Prioritization (Month 2):
   - Assessment: Estimate probability and impact for each risk
   - Probability scale:
     * Remote (0-10%): Low likelihood
     * Low (10-30%): Possible but unlikely
     * Moderate (30-50%): Realistic possibility
     * High (50-70%): Likely to occur within 3 years
     * Very high (>70%): Almost certain
   - Impact scale:
     * Minor (<$1M, <5% EBITDA): Manageable
     * Moderate ($1-10M, 5-25% EBITDA): Significant but recoverable
     * Major ($10-50M, 25-75% EBITDA): Serious impact
     * Severe (>$50M, >75% EBITDA): Existential threat
   - Heat map: Plot risks on probability × impact matrix

3. Heat Map Analysis:
   - High probability + High impact: Top tier (must mitigate aggressively)
   - High probability + Low/Moderate impact: Monitor (mitigate if cost-effective)
   - Low probability + High impact: Contingency plan required
   - Low probability + Low impact: Accept or monitor

4. Risk Ranking (Select Top 10):
   - Committee: CRO, CFO, COO, CEO determine top risks
   - Rationale: Which risks most threaten strategy/financial performance?
   - Documentation: Risk register listing top 10 risks with descriptions

Risk Register Example:

| Risk ID | Risk Description | Category | Probability | Impact | Score (0-100) | Owner | Mitigation |
|---------|------------------|----------|-------------|--------|---------------|-------|-----------|
| R1 | Market disruption from new competitor | Strategic | High | Major | 60 | CEO | Product innovation, market monitoring |
| R2 | Key customer loss (>10% revenue) | Operational | Moderate | Major | 45 | VP Sales | Customer diversification, account management |
| R3 | Data breach exposing customer data | Cybersecurity | Moderate | Major | 45 | CISO | Enhanced cybersecurity, encryption, monitoring |
| R4 | Supply chain disruption (key supplier) | Operational | Low | Major | 30 | VP Operations | Diversify suppliers, safety stock, contracts |
| R5 | Regulatory violation (environmental) | Compliance | Low | Moderate | 20 | Chief Compliance Officer | Compliance monitoring, training, audits |
| R6 | Economic recession impacting sales | Strategic | Moderate | Moderate | 30 | CFO | Cost management, debt reduction, diversification |
| R7 | Executive departure (CEO) | Talent | Low | Major | 30 | Chief HR Officer | Succession planning, compensation, culture |
| R8 | Fraud/embezzlement | Financial | Low | Moderate | 20 | CFO | Internal controls, audit, segregation of duties |
| R9 | IT system outage | Technology | Low | Moderate | 20 | CIO | System redundancy, disaster recovery, backup |
| R10 | Product liability lawsuit | Compliance | Low | Moderate | 20 | General Counsel | Product testing, insurance, quality control |

Probability and impact use the scales defined above. Score = probability rank (Remote 1 ... Very high 5) × impact rank (Minor 1 ... Severe 4) × 5, so the top cell (Very high × Severe) scores 100.
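
The scoring, heat-map tiering and top-N ranking described in steps 2-4, as an added example that is not code from the original article. It encodes the probability and impact bands defined above and the four heat-map cells, and adds a dollar-denominated expected loss (band midpoint probability × band midpoint impact) as a tiebreaker. The scoring formula (probability rank 1-5 × impact rank 1-4, scaled to 100), the band midpoints, the $100M cap that gives the open-ended Severe band a midpoint, and the treatment of Moderate as "not high" when tiering are choices made for this example; the register entries are constructed to mirror the ones on the page.

```python
"""Risk register scoring, heat-map tiering and ranking.

Added example, not code from the original article. Assumptions: the
scoring formula (rank product scaled to 100), the band midpoints, the
$100M cap on the open-ended Severe band, and treating Moderate as
"not high" when assigning heat-map cells.
"""
from dataclasses import dataclass

# Probability bands from the page, as (low %, high %).
PROBABILITY_BANDS = {
    "Remote": (0, 10),
    "Low": (10, 30),
    "Moderate": (30, 50),
    "High": (50, 70),
    "Very high": (70, 100),
}

# Impact bands from the page in $M. Severe is open-ended (>$50M); the
# $100M upper bound is an assumption so a midpoint can be computed.
IMPACT_BANDS = {
    "Minor": (0, 1),
    "Moderate": (1, 10),
    "Major": (10, 50),
    "Severe": (50, 100),
}

PROB_RANK = {name: i + 1 for i, name in enumerate(PROBABILITY_BANDS)}
IMPACT_RANK = {name: i + 1 for i, name in enumerate(IMPACT_BANDS)}


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    probability: str
    impact: str
    owner: str


def ordinal_score(probability: str, impact: str) -> int:
    """0-100 score: rank product scaled so Very high x Severe = 100."""
    top = len(PROB_RANK) * len(IMPACT_RANK)
    return round(100 * PROB_RANK[probability] * IMPACT_RANK[impact] / top)


def expected_loss_musd(probability: str, impact: str) -> float:
    """Band-midpoint probability times band-midpoint impact, in $M."""
    p_lo, p_hi = PROBABILITY_BANDS[probability]
    i_lo, i_hi = IMPACT_BANDS[impact]
    return ((p_lo + p_hi) / 2 / 100) * ((i_lo + i_hi) / 2)


def heat_map_tier(probability: str, impact: str) -> str:
    """The page's four heat-map cells. 'High' means High/Very high
    probability and Major/Severe impact; everything else counts as low."""
    high_p = PROB_RANK[probability] >= PROB_RANK["High"]
    high_i = IMPACT_RANK[impact] >= IMPACT_RANK["Major"]
    if high_p and high_i:
        return "Top tier: mitigate aggressively"
    if high_p:
        return "Monitor: mitigate if cost-effective"
    if high_i:
        return "Contingency plan required"
    return "Accept or monitor"


def rank_register(risks, top_n=10):
    """Sort by ordinal score, breaking ties by expected loss (stable sort
    keeps register order for full ties), and return the top_n rows as
    (risk, score, expected_loss_musd, tier) tuples."""
    rows = [
        (r, ordinal_score(r.probability, r.impact),
         expected_loss_musd(r.probability, r.impact),
         heat_map_tier(r.probability, r.impact))
        for r in risks
    ]
    rows.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return rows[:top_n]


# Constructed register mirroring the entries on the page.
REGISTER = [
    Risk("R1", "Market disruption from new competitor", "Strategic", "High", "Major", "CEO"),
    Risk("R2", "Key customer loss (>10% revenue)", "Operational", "Moderate", "Major", "VP Sales"),
    Risk("R3", "Data breach exposing customer data", "Cybersecurity", "Moderate", "Major", "CISO"),
    Risk("R4", "Supply chain disruption (key supplier)", "Operational", "Low", "Major", "VP Operations"),
    Risk("R5", "Regulatory violation (environmental)", "Compliance", "Low", "Moderate", "Chief Compliance Officer"),
    Risk("R6", "Economic recession impacting sales", "Strategic", "Moderate", "Moderate", "CFO"),
    Risk("R7", "Executive departure (CEO)", "Talent", "Low", "Major", "Chief HR Officer"),
    Risk("R8", "Fraud/embezzlement", "Financial", "Low", "Moderate", "CFO"),
    Risk("R9", "IT system outage", "Technology", "Low", "Moderate", "CIO"),
    Risk("R10", "Product liability lawsuit", "Compliance", "Low", "Moderate", "General Counsel"),
]

if __name__ == "__main__":
    for risk, score, loss, tier in rank_register(REGISTER):
        print(f"{risk.risk_id:<4} {score:>3} {loss:>6.1f}  {tier:<36} {risk.description}")
```

The dollar tiebreaker is the point worth noticing: R4 (Low × Major) and R6 (Moderate × Moderate) share an ordinal score of 30, but the expected-loss estimate puts R4 at about $6M and R6 at about $2M, so a register ranked purely on the ordinal grid hides which of two equal-scored risks deserves the contingency plan first.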

5. Mitigation Planning (Month 3):

   Control Design:
   - For each top risk, design mitigation control(s)
   - Control types:
     * Preventive: Stop risk from occurring (e.g., backup supplier contracts)
     * Detective: Detect if risk occurs (e.g., system monitoring for data breach)
     * Corrective: Respond if risk materializes (e.g., crisis response plan)
   
   Mitigation Example - Customer Concentration Risk:
   - Risk: Single customer = 15% of revenue, customer contracts terminable annually
   - Impact: Loss of customer = 15% revenue loss = $15M impact (assume $100M revenue)
   - Mitigation controls:
     * Preventive:
       - Diversify sales to reduce single-customer concentration below 10%
       - Expand product offering (increase switching cost)
       - Long-term contracts (>1 year commitment)
     * Detective:
       - Customer health monitoring (quarterly account reviews)
       - Early warning system (customer issues escalated immediately)
     * Corrective:
       - Contingency sales plan (how to replace customer revenue)
       - Cost reduction plan (if customer loss occurs, reduce costs proportionately)
   
   Owner: VP Sales (responsible for execution)
   Timeline: 12-month reduction plan (quarterly milestones)
   Measurement: Customer concentration % (target <10%)
   
   Mitigation Example - Cybersecurity Breach Risk:
   - Risk: Data breach exposing customer data (regulatory, reputational, financial impact)
   - Impact: $5-50M (regulatory fines, litigation, customer attrition)
   - Mitigation controls:
     * Preventive:
       - Encryption of data at rest and in transit
       - Access controls (role-based access, multi-factor authentication)
       - Vendor security assessments (third-party security reviews)
       - Regular security training (phishing awareness, password management)
     * Detective:
       - Security monitoring (24/7 security operations center)
       - Intrusion detection system (automated threat detection)
       - Quarterly penetration testing (ethical hacking, vulnerability discovery)
     * Corrective:
       - Incident response plan (documented procedures)
       - Breach notification plan (legal, regulatory notification requirements)
       - Cyber insurance ($10-50M coverage)
   
   Owner: CISO (responsible for execution)
   Timeline: Ongoing (quarterly testing, continuous monitoring)
   Measurement: No material breaches, < X security findings annually
   
6. Monitoring and Reporting (Quarters 1-4):
   - Quarterly: CRO reports on top 10 risks and mitigation progress
   - Metrics:
     * Risk ranking changed (probability/impact reassessed)
     * Mitigation progress (% complete for each initiative)
     * New risks emerged (additions or removals from top 10)
     * Control effectiveness (are controls working as designed?)
   - Reporting: Risk committee receives quarterly heat map updates

Risk Response and Control

Choosing the Right Risk Response

Four Response Types:

1. Mitigate (Reduce):
   - Reduce probability or impact of risk
   - Implement controls to lower risk
   - Cost: Ongoing control costs (operationally expensive)
   - Appropriate: For high probability or high impact risks
   - Example: Cybersecurity controls reduce probability of data breach from 40% to 5%

2. Avoid:
   - Eliminate activity/business causing risk
   - Exit market, divest business, cancel product
   - Cost: Lost opportunity/revenue
   - Appropriate: For unacceptable risks company cannot mitigate
   - Example: Company decides pharmaceutical manufacturing is too risky (regulatory),
     divests division and exits market

3. Transfer:
   - Shift risk to third party via insurance, contracts, hedges
   - Insurance: Cyber insurance, product liability, D&O
   - Contracts: Indemnification clauses, warranties, SLAs
   - Financial hedges: Commodity hedges, currency hedges
   - Cost: Insurance premiums, contract terms less favorable
   - Appropriate: For catastrophic risks or financial risks
   - Example: Product liability insurance transfers lawsuit risk to insurer

4. Accept:
   - Acknowledge risk and accept consequences
   - No mitigation effort
   - Cost: Potential impact to earnings/operations
   - Appropriate: For low probability or low impact risks
   - Example: Accept risk of minor office equipment failure (low impact)

Response Decision Framework:

For each risk, evaluate:
- Can we afford the cost of mitigation? (Budget constraint)
- Is mitigation cost < potential impact? (Cost-benefit analysis)
- Can insurance/hedging transfer the risk effectively? (Market availability)
- Is the business activity core to strategy? (Strategic importance)
- What's risk tolerance for this category? (Risk appetite)

Example Decision:

Executive Team Evaluates Quarterly Revenue Forecast Accuracy Risk:

Risk: Quarterly revenue forecast misses actual by >10% (causes earnings surprise)
Current probability: 40% (history shows frequent forecast misses)
Impact: Stock price volatility, analyst disappointment, guidance credibility

Mitigation Option 1 (Improve forecasting):
- Cost: Hire forecast analyst, enhance ERP system ($500K/year)
- Benefit: Forecast lands within ±5% of actual at least 95% of the time (miss probability drops from 40% to about 5%)
- Timeline: 6-month implementation
- Decision: Approved - cost justified by probability reduction

Mitigation Option 2 (Widen guidance):
- Cost: None (give wider guidance = easier to meet)
- Benefit: Easier to beat guidance (10-15% miss now within guidance range)
- Risk: Market may interpret wide guidance as lack of confidence
- Decision: Rejected - better to improve accuracy than hide under wide guidance

Response Chosen: Implement better forecasting (Option 1)
- Owner: VP Finance (hire analyst, implement system)
- Timeline: 6 months to full implementation
- Monitoring: Monthly forecast accuracy tracking
- Success metric: >95% accuracy (forecast actual within ±5%)

Control Testing and Effectiveness

Internal Audit Role:

Function: Independent assessment of control effectiveness
Reporting: Chief Internal Auditor reports to Audit Committee (not CFO)
Scope: Tests key controls across organization

Control Testing Approach:

Sample Testing:
- Internal audit selects a random sample of transactions to test
- Sample size: Typically 25-50 transactions (driven mainly by the tolerable 
  deviation rate and the confidence required, much less by population size)
- Testing: Verify the control was operating as designed for each sampled item
- Projection: 1 failure out of 30 tests projects to a deviation rate of about 3%, 
  but with a sample that small the 95% upper bound on the true rate is roughly 15%, 
  so a single failure normally triggers an expanded sample or a finding rather 
  than a clean conclusion

Design vs. Operating Effectiveness:

Design Testing:
- Question: Is control designed to reduce risk appropriately?
- Example: Approval process for capital expenditures
  * If expense >$50K, requires VP approval
  * Is this threshold appropriate? (could be $100K or $25K)
  * Is VP approval sufficient authorization? (or need CEO approval?)

Operating Effectiveness Testing:
- Question: Is control actually operating as designed/documented?
- Example: Capital approval process
  * Audit selects 30 capex approvals randomly
  * Checks: Was expense >$50K? Was VP approval documented? Was approval before spending?
  * If 29/30 tests pass (97% pass rate), the control is assessed as operating effectively
  * If 10/30 tests fail (67% pass rate), a control deficiency exists (needs remediation)

Control Deficiency Documentation:

Material vs. Non-Material:

Material Weakness:
- Definition: A deficiency (or combination of deficiencies) in internal control 
  such that there is a reasonable possibility that a material error will not be 
  prevented or detected on a timely basis
- Example: Accounts payable fraud (vendor invoice duplicated)
  * No segregation of duties (same person approves + pays vendor)
  * Fraudster creates duplicate invoice, gets paid twice
  * Risk: $1M+ loss possible if undetected
  * Action: Management must remediate; public companies must also disclose the 
    weakness in their internal control reporting

Significant Deficiency:
- Definition: Less severe than a material weakness, but important enough to merit 
  the attention of those overseeing financial reporting (the audit committee)
- Example: AP approval process lacks supervisor review signatures on forms
  * Control is missing documentation (approvals not signed)
  * But approvals still performed (phone call from supervisor)
  * Risk: Limited (someone did approve) but control not documented
  * Action: Remediate within 6-12 months

Minor Finding:
- Definition: Low-risk, not requiring immediate remediation
- Example: Travel policy requires 2 quotes for airfare, but not always obtained
  * Random testing shows 5/25 expenses lack documentation
  * Impact: Potentially 5-10% savings opportunity, but not a control deficiency
  * Action: Training/reminder to follow policy

Testing Results Documentation:

Audit Finding Report Example (Control Deficiency):
- Control tested: Segregation of duties - accounts payable
- Population: 500 vendor payments processed (1 year)
- Sample size: 30 transactions (typical audit sample)
- Results:
  * Test 1-15: Both approval and check signing required → PASSED (proper segregation)
  * Test 16-25: Approval + check signing done by same person → FAILED × 10
  * Test 26-30: PASSED
  * Pass rate: 20/30 = 67% (below acceptable standard of >95%)
- Conclusion: Material weakness - segregation of duties NOT effective
  * Recommendation: Segregate responsibilities (assign signing authority to different person)
  * Target remediation: 30 days
  * Owner: AP Manager (responsible for reworking process)
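
The sample-testing arithmetic above (projected deviation rate, the >95% pass-rate standard, and the finding report) as an added example that is not code from the original article. It applies the capex approval control from the operating-effectiveness passage to a constructed sample, projects the deviation rate, and computes the one-sided upper deviation limit (the exact binomial bound that audit attribute-sampling tables are derived from) so the reader can see what a sample of 30 actually supports. The sample records, the 5% tolerable deviation rate and the 95% confidence level are assumptions for illustration.

```python
"""Attribute-sampling evaluation for a test of controls.

Added example, not code from the original article. Assumptions: the
constructed sample, a 5% tolerable deviation rate (the page's >95%
pass-rate standard) and a 95% confidence level.
"""
from datetime import date, timedelta
from math import comb


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, x) * p ** x * (1 - p) ** (n - x) for x in range(k + 1))


def upper_deviation_limit(n: int, deviations: int, confidence: float = 0.95) -> float:
    """Largest deviation rate still consistent with the sample: the rate p at
    which seeing <= `deviations` failures in n items has probability
    (1 - confidence). Found by bisection on p."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate is still plausible; the limit is higher
        else:
            hi = mid
    return hi


def min_sample_size(tolerable_rate: float, confidence: float = 0.95) -> int:
    """Smallest n at which a zero-deviation sample supports the tolerable
    rate: (1 - tolerable)^n <= 1 - confidence."""
    n = 1
    while (1 - tolerable_rate) ** n > 1 - confidence:
        n += 1
    return n


def control_met(item: dict) -> bool:
    """Capex control from the page: spend over $50K requires documented VP
    approval dated no later than the spend. Items at or under the
    threshold are outside the control's scope and count as met."""
    if item["amount"] <= 50_000:
        return True
    return item["vp_approved"] and item["approval_date"] <= item["spend_date"]


def evaluate_sample(items, tolerable_rate: float = 0.05, confidence: float = 0.95) -> dict:
    """Test each sampled item and decide whether the sample supports the
    conclusion that the control operates within the tolerable rate."""
    n = len(items)
    deviations = sum(1 for item in items if not control_met(item))
    upper = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "projected_rate": deviations / n,
        "upper_limit": upper,
        "effective": upper <= tolerable_rate,
    }


def make_sample(n: int = 30, failing: tuple = (15,)) -> list:
    """Constructed sample of capex approvals, one per week, all over the
    $50K threshold; the indexes listed in `failing` lack VP approval."""
    items = []
    for i in range(n):
        spend = date(2026, 1, 5) + timedelta(weeks=i)
        items.append({
            "id": f"CAPEX-{i + 1:03d}",
            "amount": 75_000 + 1_000 * i,
            "vp_approved": i not in failing,
            "approval_date": spend - timedelta(days=3),
            "spend_date": spend,
        })
    return items


if __name__ == "__main__":
    cases = [("1 of 30 failed", make_sample()),
             ("10 of 30 failed", make_sample(failing=tuple(range(15, 25)))),
             ("0 of 30 failed", make_sample(failing=()))]
    for label, sample in cases:
        r = evaluate_sample(sample)
        print(f"{label}: projected {r['projected_rate']:.1%}, "
              f"95% upper limit {r['upper_limit']:.1%}, effective={r['effective']}")
    print("items needed for 0 deviations at 5% tolerable:", min_sample_size(0.05))
```

The caveat a reviewer should carry into the finding report: with 30 items, even one deviation pushes the 95% upper limit to about 15%, and a clean 30-item sample only supports a rate of about 9.5%. A strict 5% tolerable rate needs a zero-deviation sample of 59 items, so the page's 95% pass-rate rule is a practical simplification, and a single failure in a 30-item sample is a reason to expand testing rather than to sign off.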

Conclusion

Enterprise risk management is essential for:

  • Sound governance: Board and executives understanding key risks
  • Strategic execution: Identifying threats to strategy achievement
  • Regulatory compliance: Demonstrating effective risk processes to regulators
  • Shareholder confidence: Transparent risk disclosure and management

Key takeaways:

  1. COSO ERM provides integrated framework for risk assessment
  2. Risk governance requires board oversight and executive accountability
  3. Risk appetite sets tone for risk-taking throughout organization
  4. Risk assessment identifies top risks requiring mitigation
  5. Control testing verifies mitigation effectiveness
  6. Risk portfolio management recognizes interdependencies

Resources

  • COSO ERM Framework: Enterprise Risk Management: Integrating with Strategy and Performance (COSO, 2017)
  • Internal Audit Standards: The IIA (Institute of Internal Auditors) Global Internal Audit Standards
  • Risk Management Governance: RIMS (Risk and Insurance Management Society)
  • General Risk Management Standard: ISO 31000 (international standard, applicable across industries)