A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives.

IIA Glossary—Risk Management


The risk community is now using a new term to describe its common ground. This term is what we have referred to so far as Enterprise Risk Management, which has been defined as follows:

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.1

The background to this development is summarized in IIA guidance:

Over the last few years, the importance to strong corporate governance of managing risk has been increasingly acknowledged. Organizations are under pressure to identify all the business risks they face; social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management.2

ERM is a wide concept that has several key features, as it is:3

  • A process, ongoing and flowing through an entity
  • Affected by people at every level of an organization
  • Applied in a strategy setting
  • Applied across the enterprise, ...

Get Auditing the Risk Management Process now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.