Encyphir Risk Management

Enterprise Risk Management: A Framework for Executives

Troy Sander, Consultant
April 14, 2024


Enterprise risk management (ERM) is a systematic approach to identifying, assessing, and managing the full range of risks that could affect an organization's objectives. For executives, ERM is both a governance duty and a practical operational tool. Done well, it surfaces risks before they become crises. It also helps organizations make better decisions about risk tolerance and investment.

The COSO ERM Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the most widely used ERM framework. The 2017 update integrates ERM with strategy and performance. It recognizes that risk management is most valuable when embedded in strategic planning rather than treated as a separate compliance activity.

The COSO framework organizes risk management around five components:

Governance and culture. The tone set by the board and senior leadership defines the organization's risk culture. Risk culture is the values, beliefs, and behaviors that shape how risk is identified, communicated, and managed across the organization.

Strategy and objective-setting. Risk should be built into strategic planning, not addressed after strategy is set. Understanding the risk profile of strategic options is part of choosing the right strategy.

Performance. Identify and assess risks based on how they affect performance objectives. This includes ranking risks by likelihood and impact and designing responses to manage the most significant ones.

Review and revision. ERM is a continuous process. It requires monitoring emerging risks, checking how well existing controls work, and revising responses when conditions change.

Information, communication, and reporting. Effective ERM requires that risk information flows to the people who need it. The board needs to understand the organization's risk profile. Business unit leaders need to understand the risks tied to their operations. Employees need to understand their role in managing risk.

Categories of Risk Relevant to Executives

Strategic risk. Risks that affect strategy or its underlying assumptions: competitive dynamics, technological disruption, regulatory change, and major customer or partner dependencies.

Operational risk. Risks from the organization's operations: supply chain disruption, technology failure, process breakdowns, and talent loss.

Financial risk. Market risk, credit risk, liquidity risk, and risks created by the organization's financial structure.

Compliance and regulatory risk. Risks of legal violations or regulatory enforcement that could lead to penalties, reputational damage, or operational restrictions.

Reputational risk. The risk that events or conduct damage stakeholder perceptions in ways that affect revenue, talent, and business relationships.

Integrity risk. The risk of fraud, misconduct, and corruption inside the organization. This category gets too little attention in many ERM programs despite being a major source of actual loss.

Executive Responsibility for Risk Culture

Executives bear direct responsibility for risk culture. Some leaders communicate clearly that managing risk is everyone's job. They take risk concerns from employees seriously. They hold people visibly accountable for risk failures. Organizations led this way have better risk outcomes than those that treat risk management as the compliance department's problem.

Specific executive behaviors shape risk culture:

  • How leadership responds to unwelcome information (do messengers get shot?)
  • Whether risk management is resourced adequately
  • Whether accountability for risk failures is consistent and proportionate

ERM and Internal Investigations

When executive misconduct or organizational fraud occurs, ERM failure is often part of the root cause. Common failures include:

  • Inadequate segregation of duties
  • Absence of effective whistleblower mechanisms
  • Weak internal audit functions
  • Insufficient board oversight of management

Each of these gaps can enable misconduct.

Our corporate investigation team investigates executive misconduct and helps organizations understand the risk management failures that allowed it. Corporate clients retain us alongside audit committees and outside counsel for ERM program reviews. Our security consulting team handles the operational-risk and business-continuity work that ERM frameworks often surface. Contact us for a confidential consultation.

Building a Practical Risk Register

A risk register is the operational backbone of any ERM program. It is the document, often a structured database, that captures each identified risk with its owner, likelihood, potential impact, current controls, residual risk rating, and planned response. Without a register, risk management drifts into generalities. With one, leadership has a concrete artifact that can be reviewed, updated, and tied to budget and accountability.

Effective risk registers share several traits:

  • Each entry has a single named owner, typically a senior leader with the authority to allocate resources to the response.
  • Likelihood and impact ratings use consistent scales across the organization so risks from different business units can be compared.
  • Each entry references specific controls in place, distinguishing preventive controls (which reduce likelihood) from detective controls (which reduce time to discovery).
  • The register is reviewed on a defined cadence. High-priority risks are revisited quarterly and the full register at least annually.

The most common failure of risk registers is staleness. A document built during a consulting engagement and then archived provides no protection. Risk registers must be living tools, maintained by people whose performance is judged in part on the quality of that work.
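The register traits listed above are easy to state and easy to let slip. The following Python is an added illustration, not code from this article or from Encyphir, of what a minimal register looks like when those traits are enforced mechanically: one organization-wide 1-to-5 scale for likelihood and impact (an assumed scale), a named owner on every entry, preventive versus detective controls recorded per risk, a residual rating, and a staleness check tied to the cadence the article describes (quarterly for high-priority risks, annually for the rest). The scoring thresholds and the three sample entries are constructed for the example.

```python
"""Minimal enterprise risk register with consistent scales, residual scoring,
control typing and review-cadence staleness checks. Constructed example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

SCALE = range(1, 6)  # assumed organization-wide 1..5 scale for likelihood and impact


class ControlType(Enum):
    PREVENTIVE = "preventive"  # reduces likelihood
    DETECTIVE = "detective"    # reduces time to discovery


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                # single named owner with authority to allocate resources
    likelihood: int           # inherent rating, before controls
    impact: int
    residual_likelihood: int  # rating after current controls
    residual_impact: int
    controls: tuple[Control, ...]
    response: str
    last_reviewed: date

    def __post_init__(self) -> None:
        # Reject entries that break the shared scale or lack an owner, so
        # risks from different business units stay comparable.
        for field_name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            if getattr(self, field_name) not in SCALE:
                raise ValueError(f"{self.risk_id}: {field_name} must be within 1..5")
        if not self.owner.strip():
            raise ValueError(f"{self.risk_id}: every entry needs a named owner")


def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    return r.residual_likelihood * r.residual_impact


def priority(r: Risk) -> str:
    # Assumed thresholds on the 1..25 product; an organization tunes these to its appetite.
    score = residual_score(r)
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def review_interval(r: Risk) -> timedelta:
    # High-priority risks are revisited quarterly, everything else at least annually.
    return timedelta(days=90) if priority(r) == "high" else timedelta(days=365)


def is_stale(r: Risk, today: date) -> bool:
    return today - r.last_reviewed > review_interval(r)


def stale_entries(register: list[Risk], today: date) -> list[str]:
    """Risk ids whose last review is older than their cadence allows."""
    return [r.risk_id for r in register if is_stale(r, today)]


def lacking_detection(register: list[Risk]) -> list[str]:
    """Risk ids whose controls are all preventive: nothing shortens time to discovery."""
    return [r.risk_id for r in register
            if not any(c.kind is ControlType.DETECTIVE for c in r.controls)]


def ranked(register: list[Risk]) -> list[tuple[str, int, str]]:
    """(risk id, residual score, priority) sorted highest residual first."""
    return sorted(((r.risk_id, residual_score(r), priority(r)) for r in register),
                  key=lambda t: t[1], reverse=True)


# Constructed sample register; dates are relative to a fixed review date.
TODAY = date(2024, 4, 14)
REGISTER = [
    Risk("R-01", "Data breach at payroll provider", "CFO", 4, 5, 3, 5,
         (Control("Vendor due diligence", ControlType.PREVENTIVE),
          Control("Contractual breach-notification clause", ControlType.DETECTIVE)),
         "Add audit rights at renewal", TODAY - timedelta(days=100)),
    Risk("R-02", "Expense reimbursement fraud", "Controller", 3, 4, 2, 4,
         (Control("Manager approval workflow", ControlType.PREVENTIVE),),
         "Introduce periodic expense analytics", TODAY - timedelta(days=400)),
    Risk("R-03", "Key supplier insolvency", "COO", 2, 3, 2, 2,
         (Control("Second-source qualification", ControlType.PREVENTIVE),
          Control("Quarterly supplier financial review", ControlType.DETECTIVE)),
         "Maintain qualified alternate", TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for row in ranked(REGISTER):
        print(row)
    print("stale:", stale_entries(REGISTER, TODAY))
    print("no detective control:", lacking_detection(REGISTER))
```

Run against the sample data, R-01 ranks highest and is already stale because a high-priority risk gets only a 90-day window, R-02 is stale on the annual cadence, and R-02 is also the only entry with no detective control, which is the kind of gap an audit committee would want flagged before an incident surfaces it.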

Vendor, Counterparty, and Third-Party Risk

Modern organizations operate through extended networks of vendors, contractors, joint venture partners, distributors, and outsourced service providers. Each relationship introduces risk the organization cannot directly control but remains accountable for, both to regulators and to stakeholders. A data breach at a payroll provider, a corruption issue at a foreign distributor, or a quality failure at a contract manufacturer becomes the principal's problem regardless of where the fault started.

A mature third-party risk program begins with tiering. Not every vendor needs the same level of scrutiny. An office supply vendor and a cloud infrastructure provider present very different risk profiles. High-tier relationships warrant formal due diligence before contract execution. That review should verify:

  • Corporate registration
  • Ownership
  • Litigation history
  • Regulatory standing
  • Reputation in the market

For acquisitions, joint ventures, and major commercial partnerships, our due diligence team for businesses conducts the deeper investigative work that public records and questionnaires alone cannot deliver.

Onboarding diligence is only the beginning. A defensible third-party risk program also includes periodic reassessment, contract clauses requiring notice of material changes, audit rights, and right-to-investigate provisions. When red flags appear during a relationship, organizations need the ability to escalate quickly to a fact-finding investigation, rather than waiting for a regulator or plaintiff to surface the issue first.

Integrating Investigative Capability Into ERM

Most ERM programs are heavy on assessment and light on response capacity. The framework identifies risks and assigns owners. But when an actual incident occurs, the organization scrambles to assemble the resources needed to investigate, contain, and remediate. That gap between identification and response is where preventable damage builds up.

Integrating investigative capability means having pre-established relationships with the specialists an organization will need when a serious incident surfaces:

These relationships should be documented in the incident response plan, with clear escalation criteria and decision rights about who can engage outside resources without further approval.

The investigative function also feeds back into ERM. Each significant investigation generates findings about control weaknesses, cultural problems, and process gaps. Those findings should flow into the risk register and into remediation plans. Organizations that treat each investigation as a one-off lose the institutional learning that turns incidents into systemic improvement.

Board Oversight and Reporting Cadence

Board oversight of ERM has tightened over the past decade. Courts, regulators, and institutional investors have raised expectations. Directors are increasingly expected to show they actively oversee management's risk processes, not just receive periodic presentations. Caremark-style litigation has reinforced the legal exposure that follows from board-level inattention to mission-critical risks.

Effective board reporting on ERM covers several areas:

  • A current view of the top enterprise risks, trends over time, and the status of major mitigation efforts
  • Direct reporting from the chief risk officer, general counsel, and head of internal audit, not only the CEO
  • Whistleblower and ethics hotline volume, the categories of complaints received, and the disposition of substantiated allegations
  • Significant investigations, regulatory inquiries, and material litigation, while preserving appropriate privilege

Audit committees and risk committees should also commission independent assessments of the ERM program itself on a periodic basis. An external review, conducted by parties without ongoing operational responsibility, can identify gaps that internal stakeholders have grown used to ignoring.

Translating Framework Into Action

ERM frameworks are useful only when they shape decisions and behavior. The organizations that get real value from ERM are those whose executives use it to ask better questions:

  • What assumptions underlie this strategy, and what would we do if they proved wrong?
  • Which of our controls would actually have detected the last industry incident we read about?
  • Where in our operations would a determined insider find the easiest opportunity to commit fraud, and what would slow them down?

When those questions surface concerns that exceed internal capacity, bringing in experienced outside investigators, fraud examiners, and security consultants is not an admission of weakness. It is the framework in action. Reach out to our team to discuss how investigative and risk advisory support can strengthen your enterprise risk management program before, during, and after the events you are working to prevent.