Enterprise business risk is defined as threats to the organization’s capability to achieve its objectives and execute its business strategies successfully. The organization’s value creation objectives define the context for management’s determination of risk management goals and objectives, which, in turn, drive and focus the process of managing business risk.
Through an integrated business risk management process, senior management determines how much risk it is willing to accept when balancing risks against rewards and allocating resources. It communicates to operating managers, risk managers and process/activity owners the level of acceptable risk (often described as risk appetite, risk tolerance or risk threshold).
Enterprise business risk management is illustrated broadly in the diagram below. It is a continuous process of:
- Establishing risk management objectives, tolerances and limits for all of the enterprise’s significant risks
- Assessing risks within the context of established tolerances
- Developing cost-effective risk management strategies and processes consistent with the overall goals and objectives
- Implementing risk management processes
- Monitoring and reporting on the performance of risk management processes
- Improving risk management processes continuously
- Ensuring adequate communication and information for decision making