Enterprise risk management (ERM) is equivalent to the ISO definition of “risk management framework.” The ISO definition of a risk management framework, and thus an ERM framework is:
risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. (ISO Guide 73 “Risk Management—Vocabulary” 2009, Geneva)
In the ISO definition, the foundations include the policy, objectives, mandate, and commitment to manage risk and the arrangements include plans, resources, processes, relationships, accountabilities, and activities.
An organization’s risk management framework exists only to facilitate the Risk Management Process (RMP), which should be used for any decision in the organization. The RMP identifies the associated risks, assesses the risks, treats the risks within an appropriate context, and is supported by risk communication and consultation as well as monitoring and review.
The ERM framework is integrated into the organization’s overall strategic and operational policies and practices. There is one ERM framework at the organizational level and as many RMPs as there are decision/management positions—hundreds or even thousands. RMP is specified by the ERM framework and is the key risk management process. ...