Enterprise Risk Management (ERM)

---

Enterprise risk management (ERM) is the comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

• Most companies will institute ERM policies and procedures
  • based on frameworks such as
    • NIST’s Risk Management Framework (RMF)
    • or ISO 31K
• legislative and framework compliance requirements are often formalized as a Risk and Control Self-Assessment (RCSA)
  • is an internal process undertaken by stakeholders to identify risks and the effectiveness with which controls mitigate those risks
  • performed through questionnaires and workshops with department managers
  • outcome is a report
• may contract an external party to lead the process
  • referred to as a Risk and Control Assessment (RCA)
• should integrate risk management practices into normal business processes

Risk Management Frameworks

Risk management frameworks are designed to assist enterprises in developing sound risk management practices and management.

• ISO 31000 — Risk Management Guidelines
• NIST SP 800-37
• European Union Agency for Network and Information Security (ENISA)