Enterprise Risk Management

This article examines the development of Enterprise Risk Management (ERM) processes and systems. The types of risks addressed by ERM are explained along with how enterprise risk analysis can assist boards of directors, corporate managers, investors, and industry analysts. The Integrated Framework for ERM of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is also reviewed. The processes and challenges of implementing ERM and information systems to support ERM are examined along with steps that stakeholders can take to address technical and cultural issues. Past experiences in developing and implementing large-scale systems that drive organizational change are also reviewed.

Keywords: Data Analysis; Decision Support Systems; Enterprise Resource Planning (ERP); Executive Information Systems (EIS); External Risk; Information System Development Life Cycle (ISDLC); Manufactured Risk; Organization Change; Public Company Accounting Oversight Board (PCAOB); Risk Analysis; Risk Mitigation; Sarbanes-Oxley Act; Technological Risk

Overview

Enterprise Risk Management (ERM) is a data-intensive process that measures all of a company's risks. This includes providing managers with an understanding of the full array of a company's risks including financial risks, investment-oriented risks, operations-based risks, and market risks, as well as legal and regulatory risks for all of the locations in which a company operates or invests (Peterson, 2006). Risk can also be a result of political or social conditions in locations where a company has operations, suppliers, or customers (Woodard, 2005). Risk to a company's reputation is also an important element of ERM (Ruquet, 2007).

In each of the risk areas there are two primary types of risks that companies face:

  • External Risk
  • Manufactured Risk

External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable. Manufactured risk is a result of the use of technologies or even business practices that an organization chooses to adopt. A technological risk is caused or created by technologies that can include trains wrecking, bridges falling, and planes crashing (Giddens, 1999). Business practice risk is caused or created by actions which the company takes which could include investing, purchasing, sales, or financing customer purchases.

ERM analytical models should encompass both external and manufactured risks which can be identified through historical analysis as well as reviews of current operations and exposures ("Expect the Unexpected," 2009). Once identified, risks can be validated through discussions with corporate executives, operations managers, production managers, and business unit executives. In addition to gaining a better understanding of risks these discussions can also provide insight into existing mitigation practices that have been designed to reduce specific risk (Muzzy, 2008).

The data intensity of ERM requires risk managers to obtain data from numerous sources, test the integrity and accuracy of that data, and assure that the data is being properly applied and interpreted. Assumptions about the models or analytical approaches behind an ERM analysis must also be carefully examined and tested (Cotton, 2009; Vlasenko & Kozlov, 2009). The internal audit department can help validate some of the financial data used in ERM models as well as provide other potentially relevant financial information (Gramling & Myers, 2006).

The 2008 economic downturn caught many corporate executives working with analytical models that assumed that the housing market would not decline so drastically or on such a widespread basis (Korolov, 2009). Clearly the assumptions and the analytical model had not undergone stringent enough testing. However, most risk managers had also not previously seen the convergence of negative economic trends occur so quickly and across so many sectors simultaneously (Morgan, 2009).

Putting ERM to Work

The ERM process is designed to enable corporate executives as well as investors to quantify and compare risks and to gauge the overall health of a company (Coccia, 2006; Panning, 2006). Investment advisors, institutional investors, and credit rating agencies are adding to the pressure for companies to develop ERM systems and disclose their risks (Karlin, 2007). ERM enables top managers of a company to aggregate, prioritize, and effectively manage risks while enabling business-unit managers to improve decision making in operations and product management (Kocourek & Newfrock, 2006). In managing risks there are several options that corporate executives can take including accepting, preventing, mitigating, transferring, sharing, or avoiding the risks (Woodard, 2005).

The ERM process can also support strategic planning activities as well as provide insight into alternative business practices and goals (Millage, 2005). One of the biggest challenges in implementing ERM strategies is to make sure that selected analytical methods are appropriate for the type and size of organization to which they are being applied (Milligan, 2009). ERM strategies and models as well as the utilization of ERM analyses will vary with corporate culture, business goals, and risk management objectives. This means that a one-size-fits-all approach towards ERM is not likely to be successful (Lenckus, 2006).

The Push for ERM

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).

In addition to pressure from the investment community, corporations also face new legal requirements that have increased the interest in ERM. After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies can disclose developments and risks of the business, and Section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009).

The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in section 1A of their 10-Ks. The SEC and Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports top-down risk assessment that holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).

In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Integrated Framework for ERM. The framework identifies four types of objectives for ERM:

  • Strategic,
  • Operations,
  • Reporting, and
  • Compliance.

In addition, organizations are charged with examining eight components for each of the four objectives:

  • Internal environment,
  • Objective setting,
  • Event identification,
  • Risk assessment,
  • Risk response,
  • Control activities,
  • Information and communication, and
  • Monitoring (Bowling & Rieger, 2005a, p. 31; Wheeler, 2009).

A summary as well as detailed information about the COSO framework is available at www.coso.org.

Thus, the stage is set and the pressure is on for organizations to use ERM to gain greater insight into company-wide risk. But it may not all be that easy. Even after ERM systems are in place the analysis they render must then be applied to the business decision making process. Even at that point, it will require an added dose of knowledge, wisdom, and experience to develop a competitive strategy and support that strategy with rational day-to-day business management skills before ERM becomes an integral part of a company's success formula.

Applications

Implementing ERM

As companies begin to implement ERM processes and systems, the most important decisions they face are who will be in charge of the ERM processes and systems and where in the organizational structure the ERM function will be placed. Many companies have opted to create a position of chief risk officer (Wheeler, 2009). This trend has created new career paths for those interested in risk management, especially those who are interested in working in the highest levels of organization management (Branham, 2006).

Establishing an effective risk management organizational structure also requires that the risk management department or director be provided an adequate degree of independence similar to that of an internal auditor. This includes the ability and the resources to build an ERM information system that can support data collection, information-gathering, modeling, and risk analysis (Shan, Xin, Xiaoyan & Junwen, 2009).

ERM staff also need to develop a broad knowledge of the company in which they work and cultivate relationships with key players in all parts of the company in order to promote risk management (Loghry & Veach, 2009). Once relationships are established they must be maintained through continuous, meaningful, and understandable communications regarding the company's risks. ERM staff may also need to develop new skills and will always need to keep their skills and knowledge base updated through continuing education and training in the risk analysis and risk management fields (Zaccanti, 2009).

Corporate executives who are responsible for directing risk analysis need to have enough influence in their organization to gain the attention and respect of other executives (Baker, 2008). The quality of risk analysis and the sophistication of risk inventories and projections may help to persuade corporate executives that there is value to the ERM processes, systems, and staff (Johnson & Swanson, 2007).

ERM staff also need tools to help them crunch through the vast amounts of data that can be used to support risk analyses. The marketplace for applications software programs is beginning to emerge and ERM staff are faced with selecting from tools that may have had little actual real world use (Lenckus, 2006; Ramamoorti & Weidenmier, 2006). Tools and people cost money and if ERM programs are not adequately funded results are likely to be anemic at best (Panning, 2006).

Back to Basics in Information Management

The fundamental principle behind ERM is that it is designed to take a broad and comprehensive view of risks and focus on the basic causes and effects that can keep companies from achieving their strategic business goals (Loghry & Veach, 2009). Some analysts view this as a departure from the past when risk management was depicted as a fragmented, silo-ridden function in most organizations (Bowling & Rieger, 2005). However, ERM systems of this scope are largely based in information creation and analysis and thus the basic rules and processes of information management apply to ERM systems just as they do to any other information system.

Database Software

There are four basic steps to business data management:

  • Data creation,
  • Data storage,
  • Data processing, and
  • Data analysis.

A considerable amount of data is created through everyday business processes such as production of items, consumption of supplies or resources, sales of goods or services, and customer service activities. The primary tool for processing and managing such large amounts of data is database software. Database software is used in virtually all industries, especially those that are transaction focused and need to track large quantities of items or activities. Enterprise storage systems are capable of storing vast amounts of data and modern storage management tools have eased many of the problems associated with this task.

Complex data analysis, beyond what database software provides, has become essential to manage large organizations and may be more essential in ERM. This type of data analysis can be performed with a variety of data mining, statistical analysis, and decision support software packages. This software helps managers and analysts compile or create statistics on millions of business transactions. These statistics can support business forecasting and planning efforts as well as ERM analysis.

Data analysis software has evolved over the last 60 years. For decades most such software was rather cumbersome and required custom programming. In the 1970s decision support systems (DSS) were introduced that provided assistance for specific decision-making tasks. While DSSs can be developed for and used by personnel throughout the organization, they are most commonly employed by line staff, middle level managers, and functional area specialists. Among the latest developments are expert systems, which capture the expertise of highly trained, experienced professionals in specific problem domains.

In the 1990s executive information systems (EIS) or executive support systems (ESS) were being developed in large organizations. At first these systems were cumbersome and most were stand-alone systems requiring time-consuming data entry processes. As expected, the technology for EIS has evolved rapidly, and new systems are more integrated with other applications like the DSS or Enterprise Resource Planning (ERP) systems (Watson, Rainer & Koh, 1991).

Information System Development Life Cycle (ISDLC)

Regardless of whether the ERM team is going to use off-the-shelf products such as DSSs or an EIS or develop their own in-house applications, they still need to apply the Information System Development Life Cycle (ISDLC) model to implementation. The traditional and well-established approach to the ISDLC is that a development project has to undergo a series of phases where the completion of each is a prerequisite to the commencement of the next and where each phase consists of a related group of steps. The general scheme for the ISDLC is similar almost everywhere. It typically contains four major phases consisting of several steps each:

  • Definition Phase: consisting of preliminary analysis, feasibility study, information analysis, and system design.
  • Construction Phase: consisting of programming, development of procedures, unit testing, quality control, and documentation.
  • Implementation Phase: consisting of user training, conversion of old systems to new systems, thorough field testing, and then a move to full operations.
  • Maintenance Phase: after the system is in full operation, updates are made to assure continued operations as new equipment or upgrades to operating systems occur. Enhancements to the system can also be made to meet changing user requirements.

Effective management of information systems requirements analysis, and thus the design of appropriate systems, is critical to the success of an ERM systems project. Systems development methodologies must be selected and applied based on requirements and goals stated by staff who will ultimately use the system (Avison & Taylor, 1997). ERM practitioners can benefit from these basic information systems practices and should look to traditional development procedures and processes instead of going it alone and trying to reinvent the world of information management.

Issue: Overcoming the Hurdles

The last several years have been a rocky road for many ERM programs and many have been viewed as failures in their early stages. When ERM programs are driven by individuals, single divisions or business units, or function as silos they do not have the ability to bridge with other parts of the company and become integrated into the management process. In addition, ERM has often been viewed as a costly program that takes years to implement and years can pass before any real benefits are derived from the expenditure of time and money (Chase-Jenkins & Shimpi, 2006).

When looking at ERM from the inside, such an evolutionary process can be appreciated. However, when looking at ERM from the outside, the evolutionary process may be viewed as a lack of maturity and easily become a reason for skepticism and mistrust by corporate executives (McDonald, 2008; Schanfield, 2008). Adding to the turmoil is that many of the risk analysis software tools that have come to market during the last few years are in their infancy and many risk analysts remain skeptical about the usability and reliability of the tools (Downes, 2006; Leopoulos, Kirytopoulos & Malandrakis, 2006).

There are many nuts and bolts to implementing an ERM information system, especially when it comes to obtaining the data required for risk analysis. In many companies silos of data and information have evolved in various business units. Some of these business units may have been acquired and never fully integrated into a company's overall data infrastructure. In other cases distance from headquarters or levels of contribution to the overall revenue of a corporation may have resulted in a lack of attention to the quality and quantity of data a business unit may possess (Hershman, 2007). In many cases it is likely that data policies and the development of centralized data controls have just not matured (Bryce, 2007).

Another common data and information management scenario is that data control, and thus data management, is much more important in some parts of a corporation than it is in other parts. In a diversified business environment, for example, some business activities may be regulated and have external reporting or control requirements (Psica, 2008). Thus those responsible for implementing ERM information systems need to understand how a company's history, culture, and business sector involvement may impact the existence, management, and availability of data that is needed for risk analysis (Wu, 2004).

The problems ERM practitioners may face when it comes to identifying, collecting, cleansing, and analyzing data may be frustrating to them but the problems are not new to the realm of information management. Often adding to this frustration is a lack of guidance on how to create an information infrastructure to accomplish their goals. ERM practitioners also face the challenge of dealing with cultural, organizational, and political obstacles to data transformation efforts that seem to be almost universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins, 2008).

ERM information systems are facing the same hurdles as other systems that have required changes in procedures, processes, or culture. There are many lessons to be learned from the past implementation of other large systems. Above all, patience and persistence are keys to the process of implementation. The people who have worked on prior large implementations and who have led change in their organizations in the past may very well be among those who can help ease the way for the development or acquisition and the launch of new information systems to support ERM.

Conclusion

Over the last decade there have been several corporate financial scandals which were followed shortly thereafter by a widespread economic downturn that many believe resulted from inaccurate forecasting and inadequate risk management. As the age of corporate social responsibility dawns, elected officials, regulators, and individual citizens all feel a sense of rage, partially because many people who were in trusted positions did not follow their long-standing professional codes of conduct to guide their ethics and their behavior.

Elected officials responded by passing new laws, many regulators remain unspoken about their actions or inaction, and citizens voiced their opinions at the polling place and in the marketplace bringing political change and drastic declines in consumer spending. The professional organizations, which set the codes of ethics for the trusted, also responded by supporting a change, in fact almost a revolution in how risk will be managed in the business arena.

ERM as a discipline is evolving as tools improve, best practices are developed, and staff gain more experience (Zaccanti, 2009). It is now widely accepted that thorough risk management analysis combines the best of quantitative and qualitative methods and models. Among other things, this approach allows analysts to develop and test scenarios that can address specific concerns and test specific assumptions. However, these methods only work when the company culture encourages alternative perspectives to management assumptions and prevailing strategic thinking (Rudolph, 2009). To maintain momentum ERM staff and corporate executives need a common view of the state of ERM as well as a common language to discuss risks. This means ERM terms must be defined and concepts explained and illustrated as the processes and systems evolve ("How Do We Broaden…," 2008).

Winning over corporate executives may require continuous communication of examples of the cost of risk management failures as well as the potential returns from managing business opportunities in manners that reduce risk but still enable success (Baker, 2008). Corporate executives need to be shown that ERM investments are worthwhile and they need to be shown in ways that they understand and to which they can relate (Panning, 2006). However, communication is not an end in and of itself. To maximize the benefits gained from ERM, risk analysis should be embedded into the strategic planning process and hold a firm place along with market share and profitability analysis (Paladino, 2008).

To some extent ERM is a cultural shift (Coccia, 2005). But the near-term goal is to move executives and boards of directors to the point where they are convinced that they need ongoing analyses of current and future risks (Dickhart, 2008). Beyond that, the long-term goal is the development and perpetuation of a risk management culture (Jones, Santori & Ingram, 2006). ERM staff should recognize that resistance to change in business practices has occurred in the past and it is likely that it will occur in the future (Ballou & Heitger, 2005; Hampton, 2006).

The responsibility for risk management, the methods of analyzing and managing risk, and the information systems to support risk management are all undergoing a radical change. ERM is rapidly emerging but in many places it still flounders in need of both leadership and tools. The complexity of ERM has shocked many boards of directors, corporate managers, and industry analysts. The responsibility for ERM is overwhelming for some and the complexity, detail, and expense is overwhelming for others. ERM is not a quick fix. It is a change that will take time and results will only be accomplished over the long term. To achieve the promise of ERM will require patience and persistence.

Terms & Concepts

Data Analysis: The process of extracting or compiling data from business data management systems that can help guide managers in making decisions or planning strategies.

Decision Support Systems (DSS): Applications software packages designed to provide assistance for specific decision-making tasks. While DSSs can be developed for and used by personnel throughout an organization, middle and lower managers most commonly employ them.

Enterprise Resource Planning (ERP) Systems: An integrated set of software applications that support an array of business activities including accounting, finance, human resource management, logistics, inventory control, manufacturing, marketing, planning, service and maintenance, and transportation.

Executive Information Systems (EIS): Applications software packages designed to provide assistance for executives in making high-level management decisions.

External Risk: The risk of events that may strike individuals unexpectedly (from the outside, as it were) but that happen regularly enough and often enough in a whole population of people to be broadly predictable, and so insurable.

Information System Development Life Cycle (ISDLC): The multi-step structured process in which an information system is developed and maintained.

Manufactured Risk: Risk that is created by organizations through the selection of technologies or business practices.

Technological Risks: Risks caused or created by technologies which can include trains wrecking, bridges falling, and planes crashing.

Bibliography

Avison, D., & Taylor, V. (1997). Information systems development methodologies: a classification according to problem situation. Journal of Information Technology (Routledge, Ltd.), 12, 73-81. Retrieved August 4, 2009, from EBSCO online database, Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=6270862&site=ehost-live

Baker, N. (2008). Real-world ERM. (cover story). Internal Auditor, 65, 32-37. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=35654519&site=ehost-live

Ballou, B., & Heitger, D. (2005). A building-block approach for implementing COSO's enterprise risk management — integrated framework. Management Accounting Quarterly, 6, 1-10. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=16939145&site=ehost-live

Barton, T., Shenkir, W., & Walker, P. (2009). ERM: The evolution of a balancing act. Financial Executive, 25, 30-33. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41326828&site=ehost-live

Bowling, D., & Rieger, L. (2005a). Making sense of COSO's new framework for enterprise risk management. Bank Accounting & Finance (08943958), 18, 29-34. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19726851&site=ehost-live

Bowling, D., & Rieger, L. (2005b). Success factors for implementing enterprise risk management. Bank Accounting & Finance (08943958), 18, 21-26. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19726858&site=ehost-live

Branham, J. (2006). ERM: A fork in the road for risk mgrs. National Underwriter / Life & Health Financial Services, 110, 31-31. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20843766&site=ehost-live

Bryce, T. (2007). What is information resource management? AIIM E-DOC, 21, 46-47. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=25162378&site=ehost-live

Chase-Jenkins, L., & Shimpi, P. (2006). ERM helps RMs cope with wider risks. National Underwriter / Property & Casualty Risk & Benefits Management, 110, 28-29. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19986599&site=ehost-live

Coccia, R. (2005). Enterprise risk management must be part of companies' culture: Panel. Business Insurance, 39, 37-39. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19067106&site=ehost-live

Coccia, R. (2006). ERM plans cut costs, help risk managers bring added value. Business Insurance, 40, 4-4. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21129654&site=ehost-live

Cotton, B. (2009). Seven sins of risk management. Chartered Accountants Journal, 88, 68-69. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=43091253&site=ehost-live

Dickhart, G. (2008). Risk: Key to governance. Internal Auditor, 65, 27-30. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=35654518&site=ehost-live

Downes, D. (2006). Risk management software solutions it's a fragmented marketplace. Accountancy Ireland, 38, 22-24. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21901189&site=ehost-live

Expect the unexpected. (2009). Best's Review, 110, 62-62. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=42430727&site=ehost-live

Fraser, J., Schoening-Thiessen, K., & Simkins, B. (2008). Who reads what most often? A survey of enterprise risk management literature read by risk executives. Journal of Applied Finance, 18, 73-91. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34667282&site=ehost-live

Giddens, A. (1999). Risk and responsibility. Modern Law Review, 62, 1. Retrieved July 29, 2009, from EBSCO online database, Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=10453500&site=ehost-live

Gramling, A., & Myers, P. (2006). Internal auditing's role in ERM. (cover story). Internal Auditor, 63, 52-58. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20500886&site=ehost-live

Hampton, J. (2006). Reducing the complexity of ERM might give system more traction. Business Insurance, 40, 33-33. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22478014&site=ehost-live

Hershman, R. (2007). Insurers eye road map for ERM highway. National Underwriter / Property & Casualty Risk & Benefits Management, 111, 26-27. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=27392868&site=ehost-live

Hofmann, M. (2009). Interest in enterprise risk management is growing. Business Insurance, 43, 14-16. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40628117&site=ehost-live

How do we broaden our awareness of incidents and risks? (2008). Directorship, 34, 12-13. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=35905103&site=ehost-live

Johnson, K., & Swanson, Z. (2007). Quantifying legal risk: A method for managing legal risk. Management Accounting Quarterly, 9, 22-30. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=30046154&site=ehost-live

Jones, R., Santori, L., & Ingram, D. (2006). Credit FAQ: Enterprise Risk Management one year on. Reactions, 26, 66-68. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22552799&site=ehost-live

Karlin, B. (2007). Sweating out the ERMs. Treasury & Risk, (Dec/Jan). Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=28144191&site=ehost-live

Kocourek, P., & Newfrock, J. (2006). Are boards worrying about the wrong risks? Corporate Board, 27, 6-11. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19887261&site=ehost-live

Korolov, M. (2009). Enterprise Risk Management: Getting holistic. (cover story). Securities Industry News, 21, 1-6. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=43249547&site=ehost-live

Lenckus, D. (2006). RIMS launches online tool to advance ERM. Business Insurance, 40, 2-31. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=23455515&site=ehost-live

Lenckus, D. (2006). No two approaches to ERM the same. Business Insurance, 40, 15-18. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20876684&site=ehost-live

Lenckus, D. (2009). Demonstration of ERM's usefulness key to winning over management. Business Insurance, 43, 16-17. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41880299&site=ehost-live

Leopoulos, V., Kirytopoulos, K., & Malandrakis, C. (2006). Risk management for SMEs: Tools to use and how. Production Planning & Control, 17, 322-332. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20855872&site=ehost-live

Loghry, J., & Veach, C. (2009). Enterprise risk assessments. (cover story). Professional Safety, 54, 31-35. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=36616707&site=ehost-live

McDonald, C. (2008). Insurer ERM falling short, survey finds. National Underwriter / Property & Casualty Risk & Benefits Management, 112, 28. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34359846&site=ehost-live

McDonald, C. (2009). Will ERM survive the economic meltdown? National Underwriter / Property & Casualty Risk & Benefits Management, 113, 27-34. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40085724&site=ehost-live

Millage, A. (2005). ERM still in its infancy. Internal Auditor, 62, 16-17. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=18520854&site=ehost-live

Milligan, J. (2009). Adopting an approach to ERM. Community Banker, 18, 34-37. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41037778&site=ehost-live

Morgan, J. (2009, May 7). Firms adjust to new world of risk. Investment Management Weekly. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40730215&site=ehost-live

Muzzy, L. (2008). Approaching Enterprise Risk Management. Financial Executive, 24, 59-61. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34736453&site=ehost-live

Paladino, B. (2008). Strategically managing risk in today's perilous markets. (Cover Story). Strategic Finance, 90, 27-33. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=35127283&site=ehost-live

Panning, W. (2006a). ERM report card. Best's Review, 107, 112. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22884933&site=ehost-live

Panning, W. (2006b). Making ERM happen. Best's Review, 106, 88. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19773391&site=ehost-live

Perera, H., & Costa, W. (2008). Analytic hierarchy process for selection of ERP software for manufacturing companies. Vision (09722629), 12, 1-11. Retrieved August 4, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=36659221&site=ehost-live

Peterson, J. (2006). Ready for ERM. (Cover Story). ABA Banking Journal, 98, 19-23. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19357897&site=ehost-live

Psica, A. (2008). The right fit auditing ERM frameworks. Internal Auditor, 65, 50-56. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=31639592&site=ehost-live

Ramamoorti, S., & Weidenmier, M. (2006). Is IT next for ERM? (cover story). Internal Auditor, 63, 45-50. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20500885&site=ehost-live

Rudolph, M. (2009). Do firms need a chief skeptical officer? National Underwriter / Property & Casualty Risk & Benefits Management, 113, 23. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=37563028&site=ehost-live

Ruquet, M. (2007). Firms unprepared for reputational risks. National Underwriter / Property & Casualty Risk & Benefits Management, 111, 25-26. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=27889675&site=ehost-live

Schanfield, A. (2008). 12 top ERM implementation challenges. Internal Auditor, 65, 41-44. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=35654520&site=ehost-live

Shan, H., Xin, G., Xiaoyan, L., & Junwen, F. (2009). A study on the integration risk management for the insurance enterprises. Management Science & Engineering, 3, 41-50. Retrieved July 29, 2009, from EBSCO online database, Academic Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=42512669&site=ehost-live

Songini, M. (2004). $50M SAP rollout runs into trouble in Tacoma. Computerworld, 38, 1-52. Retrieved August 4, 2009, from EBSCO online database, Academic Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=15277720&site=ehost-live

Stein, R. (2005). ERM: An indispensable tool. Best's Review, 106, 76. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=18534036&site=ehost-live

Van der Stede, W. (2009). Enterprise governance: Risk and performance management through the business cycle. CMA Management, 83, 24-27. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40208368&site=ehost-live

Vlasenko, O., & Kozlov, S. (2009). Choosing the risk curve type. Technological & Economic Development of Economy, 15, 341-351. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=43181065&site=ehost-live

Watson, H., Rainer Jr., R., & Koh, C. (1991). Executive information systems: A framework for development and a survey of current practices. MIS Quarterly, 15, 13. Retrieved August 4, 2009, from EBSCO online database, Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=9604086246&site=ehost-live

Wheeler, J. (2009). The rise of the Chief Risk Officer. Internal Auditor, 65, 55-57. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41566021&site=ehost-live

Woodard, M. (2005). Measuring the payoffs of strategic risk management. CMA Management, 79, 30-35. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19666922&site=ehost-live

Wu, J. (2004). The information repository. DM Review, 14, 74-77. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=14532935&site=ehost-live

Zaccanti, B. (2009). ERM bolsters evolution of insurance RM. National Underwriter / Property & Casualty Risk & Benefits Management, 113, 29-35. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40085726&site=ehost-live

Suggested Reading

Barlas, S., Shillam, P., & Williams, K. (2006). Companies still struggle with enterprise risk. Strategic Finance, 88, 25. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21722426&site=ehost-live

Beasley, M., Pagach, D., & Warr, R. (2008). Information conveyed in hiring announcements of senior executives overseeing enterprise-wide risk management processes. Journal of Accounting, Auditing & Finance, 23, 311-332. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=33064755&site=ehost-live

Bradford, M. (2009). Managing the full spectrum of corporate risk. Business Insurance, 43, 11. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41880293&site=ehost-live

Burnes, G. (2008). TOP 10 Enterprise Risk Management MYTHS. Financial Executive, 24, 56-58. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=31896904&site=ehost-live

Cameron, M., & Bergentoft, N. (2009). Industry trends in treasury software. Financial Executive, 25, 62-63. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=36219784&site=ehost-live

Ceniceros, R. (2007). Team weighing environmental impact more often includes risk managers. Business Insurance, 41, 18-20. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=28044502&site=ehost-live

Cox Jr., L. (2008). What's wrong with risk matrices? Risk Analysis: An International Journal, 28, 497-512. Retrieved August 3, 2009, from EBSCO online database, Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=31683028&site=ehost-live

Csiszar, E. (2008). Managing risk and uncertainty. Business & Economic Review, 55, 3-7. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34773986&site=ehost-live

De La Rosa, S. (2005). ERM-based audit reports. Internal Auditor, 62, 73-75. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=19281456&site=ehost-live

Engle, P. (2009). Enterprise risk management time. Industrial Engineer: IE, 41, 20. Retrieved July 29, 2009, from EBSCO online database, Academic Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=39775623&site=ehost-live

ERM enigma. (2005). Canadian Underwriter, 72, 10-14. Retrieved July 31, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=18443678&site=ehost-live

Field, A. (2006). Now, ERM counts. Treasury & Risk, 16, 19-20. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=25776841&site=ehost-live

Friedman, S. (2009). Out-of-work risk managers must face up to the 'reality of necessity'. National Underwriter / Property & Casualty Risk & Benefits Management, 113, 14-36. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40085719&site=ehost-live

Friedman, S. (2009). What are risk managers worth? National Underwriter / Property & Casualty Risk & Benefits Management, 113, 14-38. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=40085720&site=ehost-live

Gangl, W. (2008). Implementing an Enterprise Risk Management evaluation. InsideCounsel, 18(Supplement), 8. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34100475&site=ehost-live

Gorzen-Mitka, I. (2013). Risk management as challenge to today's enterprises. Problems of Management in the 21st Century, 74-5. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=89641544&site=ehost-live

Gurevitz, S. (2009). Manageable risk. (Cover story). University Business, 12, 39-42. Retrieved July 29, 2009, from EBSCO online database, Academic Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=39755484&site=ehost-live

Hoyt, R., Powell, L., & Sommer, D. (2007). Computing value at risk: A simulation assignment to illustrate the value of enterprise risk management. Risk Management & Insurance Review, 10, 299-307. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=26846288&site=ehost-live

Jeffery, C. (2005). Enterprise Risk Management: Opportunity for the Treasurer. Financial Executive, 21, 71-71. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=18523322&site=ehost-live

Jie, L. (2012). The Enterprise Risk Management and the risk oriented internal audit. I-Business, 4, 287-292. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=84536005&site=ehost-live

Lenckus, D. (2006). ERM an opportunity for risk managers. Business Insurance, 40, 20-20. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21129665&site=ehost-live

Lenckus, D., Gonzalez, G., Parekh, R., & Roberts, S. (2006). Brokers starting to see the value in ERM services. Business Insurance, 40, 13-22. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=21770578&site=ehost-live

Leopoulos, V., Kirytopoulos, K., & Malandrakis, C. (2006). Risk management for SMEs: Tools to use and how. Production Planning & Control, 17, 322-332. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=20855872&site=ehost-live

Mariga, V. (2007). ERM, temples and pyramids: Mysteries solved. Canadian Underwriter, 74, 42-44. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=28005670&site=ehost-live

Marshall, J., & Heffes, E. (2005). Most firms agree: ERM is a challenge. Financial Executive, 21, 10. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=18522370&site=ehost-live

McCourt, M. (2009). Risk assessment: The view from ten miles above your enterprise. Security: For Buyers of Products, Systems & Services, 46, 12. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41522225&site=ehost-live

McShane, M.K., Nair, A., & Rustambekov, E. (2011). Does Enterprise Risk Management increase firm value? Journal of Accounting, Auditing & Finance, 26, 641-658. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=69640261&site=ehost-live

Mills, R. (2006). Developments in risk management. Henley Manager Update, 18, 19-29. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24276150&site=ehost-live

Panning, W. (2009). The why and how of risk-based planning. Best's Review, 110, 78. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=43154340&site=ehost-live

Quinn, L. (2007). Camera-shy risk managers can benefit from media exposure. National Underwriter / Property & Casualty Risk & Benefits Management, 111, 23-32. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24819027&site=ehost-live

Roberts, S. (2005). ERM widely accepted but not widely implemented, study says. Business Insurance, 39, 6. Retrieved July 31, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=17979898&site=ehost-live

Sclafane, S. (2006). S&P: A vision of the future. National Underwriter / Property & Casualty Risk & Benefits Management, 110, 14-31. Retrieved July 30, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=22013895&site=ehost-live

Simkins, B. (2008). Enterprise Risk Management: Current initiatives and issues journal of applied finance roundtable. Journal of Applied Finance, 18, 115-132. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=34667285&site=ehost-live

Smiechewicz, W. (2009). ERM 2.0 makes everybody a risk manager. Financial Executive, 25, 61. Retrieved July 29, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=41237596&site=ehost-live

Sutton, S., Khazanchi, D., Hampton, C., & Arnold, V. (2008). Risk analysis in extended enterprise environments: Identification of critical risk factors in B2B E-commerce relationships. Journal of the Association for Information Systems, 9, 151-174. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=31949122&site=ehost-live

White, L. (2004). Management accountants and Enterprise Risk Management. Strategic Finance, 86, 6-7. Retrieved August 3, 2009, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=14831289&site=ehost-live

Essay by Michael Erbschloe, M.A.

Michael Erbschloe is an information technology consultant, educator, and author. He has taught graduate-level courses and developed technology-related curricula for several universities, and he speaks at conferences and industry events around the world. Michael holds a master's degree in Sociology from Kent State University. He has authored hundreds of articles and several books on technology.