Chapter Three: Managing and Communicating Risk

In a 2014 survey of public sector risk professionals, 56 percent of respondents indicated that the scope of the ERM effort within their organization cuts across the entire organization.1 This response is consistent with the COSO definition of ERM, which emphasizes the broad-based application of risk management throughout an organization. Under ERM, risk management is not treated as a compliance issue; instead, it creates an environment in which the proactive identification and management of risk is communicated at all levels of the organization.

The context in which risk is communicated depends on how risk management functions are structured at an organization. A common approach is to manage and ...

Get Enterprise Risk Management: A Guide for Government Professionals now with the O’Reilly learning platform.
