Definitions Edit

Enterprise risk management (ERM) is a

comprehensive approach to risk management that engages organizational systems and processes together to improve the quality of decision making for managing risks that may hinder an organization's ability to achieve its objectives.[1]
[a]n effective agency-wide approach to addressing the full spectrum of the organization's significant risks by considering the combined array of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides improved insight about how to more effectively prioritize and manage risks to mission delivery.[2]

Overview Edit

"Enterprise risks may arise from internal and external sources. Examples of internal sources include issues such as financial stewardship, personnel reliability, and systems reliability. Where internal risks threaten successful mission execution, enterprise risk management seeks to ensure that internal systems and processes are tailored to minimize the potential for mission failure. Examples of external factors include, but are not limited to, global, political, and societal trends. An organization will modify its enterprise risk management approach to take these risks into account."[3]

Enterprise risk management "[i]nvolves identifying mission dependencies on enterprise capabilities, identifying and prioritizing risks due to defined threats, implementing countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and assessing enterprise performance against threats and adjusts countermeasures as necessary."[4]

References Edit

  1. DHS Risk Lexicon, at 12.
  2. Playbook: Enterprise Risk Management for the U.S. Federal Government, at 104.
  3. DHS Risk Lexicon, at 12.
  4. NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).