There is no clear-cut definition of what enterprise risk management (ERM) is or what it entails, because the field is evolving.
The general definition is the assessment and management of the entirety of a corporation’s risk spectrum in a unified fashion.This definition is in contrast to traditional corporate risk management, which focuses on individual risk areas such as insurance and finance.
In most organizations dealing with these risk areas, risk management practices operate as silos, with little interplay among those responsible for managing these risks.
Additionally, financial and insurance risks are assessed only periodically rather than continuously. This approach leads corporations to be both under and overexposed to risk as specific financial/insurance risks can’t be traded off against one another or hedged effectively, and the level of risk could change dramatically in between assessment periods without being noticed.
Since the early 1990s, there has been a realization not only that managing financial and insurance risks separately and periodically was inefficient but also that many other types of corporate risk were going completely unmanaged. For instance, operational risks — those risks that are created by a company’s dependence on its systems, processes, and staff — were causing measurable losses of shareholder value in corporations, yet they weren’t being actively managed.
Similarly, strategic risks — those risks that can cause a corporation to stagnate or collapse because of a failure to adapt — were also not managed formally, yet as management professors Gary Hamel and Liisa V