How ERM helps drive competitive advantage

Link risk more closely to business strategy

In September 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management (ERM) framework.¹ And that new framework underscores Deloitte's Strategic Risk practice's point of view: Considering risk when setting strategy, and when executing on that strategy, is critical to business performance.

Why is enterprise risk management so important in an increasingly volatile world?

Changes in consumer preferences, technology, and the competitive environment are posing new challenges. These challenges have the potential to disrupt your business—and to threaten the very survival of your organization.

In addition, boards are placing greater focus on reporting, transparency, and culture. They’re also seeking comfort that the most relevant emerging risks and uncertainties have been identified and the potential impacts have been considered, both positive and negative.

How can organizations effectively anticipate and act on risks related to these new challenges in spite of uncertainty? By linking strategy and risk. When these areas are tightly connected, identifying and managing risks becomes an integral part of strategy setting and execution. This level of integration can help your organization more effectively achieve its intended business objectives and get better value from its ERM program.

ERM can inform and facilitate risk-based strategic decision-making informally and formally. It can enable organizations to embrace complexity and seize opportunities to grow, effectively navigate emerging risks, and disrupt through innovation.

What new insights does COSO’s updated ERM framework provide?

In recognition of the increasing complexity of risk, COSO released Enterprise risk management—Integrating with strategy and performance in September 2017. COSO's updated framework highlights ERM as a key component of strategic planning and draws a stronger line between ERM and decision-making.

A few of the key changes include a focus on:

  • The value of integrating ERM for setting and carrying out strategy
  • Greater alignment between performance and ERM, to better understand the impact of risk on strategy execution and to improve performance targets
  • Stronger emphasis on culture and its importance in helping shape decisions
  • Reporting that meets expectations for increased stakeholder transparency
  • Evolving technologies and the growing use of data and analytics to support decision-making

Deloitte has long understood that risk should help inform organizations' strategies so they can be more effective in developing and executing those strategies.

COSO’s new definition of ERM:

“The culture, capabilities, and practices integrated with strategy setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Source: Enterprise risk management—Integrating with strategy and performance, Committee of Sponsoring Organizations of the Treadway Commission, 2017.

What are some of the key ERM challenges organizations face?

Many organizations still view ERM as an administrative process, as opposed to one that adds value. Some also consider it a once-a-year compliance task. A risk assessment or heat map is completed, the board and senior management review and agree with the findings, and then the report sits on a shelf.

But ERM should be a "living," interactive activity. Risks should be identified on an ongoing basis, and they should be considered when making decisions, prioritizing initiatives, and allocating—or reallocating—resources.

Another obstacle to effective risk management is that ERM programs typically haven't focused on the right risks. Over the past decade, traditional risk management has spent more than 94 percent of its time on legal, compliance, financial reporting, and operational risks—despite the fact that 86 percent of significant losses in market value were associated with strategic risks.

Is your ERM program focusing on the right risks?

Source: Reducing risk management’s organizational drag, CEB, 2015, and “How to live with risks,” Harvard Business Review, July-August 2015.

Some organizations may still view ERM solely as a means to ensure compliance and protect value, overlooking the benefits it can provide by identifying strategic risks and opportunities that can create value. But even when organizations do see ERM as a strategic program that can help generate value—as most do—that doesn't mean implementing or integrating ERM is easy.

What benefits can organizations realize from an integrated ERM program?

An integrated ERM program can help organizations elevate risk management, taking it from a functional capability to an enterprise responsibility. Specifically, ERM creates a Risk Intelligent enterprise that can:

  • Enhance the development and effective execution of an organization's strategy and reputation, including turning challenges into opportunities to achieve competitive advantage
  • Inform development of new products and services
  • Offer an external perspective on potential emerging risks and whether business assumptions supporting your strategies are holding true
  • Reallocate resources to their highest and most efficient use
  • Provide improved risk analytics and reporting to management and the board
  • Prioritize an internal audit plan

How does Deloitte’s ERM framework help organizations integrate ERM?

Our framework consists of four components. Key questions that organizations should consider on their path to more effective ERM integration are aligned with each component.

Governance and culture

How is risk oversight achieved, and how does the risk culture guide risk behaviors?

Business and operating model

How are existing and emerging risks identified, assessed, managed, and monitored?

Reporting and analytics

How are trending risks recognized, measured, and reported?
  • Will the strategic choices achieve the business mission and objectives?
  • Are the assumptions behind the strategy sound and likely to be true for the foreseeable future?
  • Are the strategic objectives still meaningful—and achievable?
  • Are early warning signs monitored and emerging trends and uncertainties explored?

Risk should be integrated across the entire organization when making decisions on new products and services, geographies, acquisitions, and strategic initiatives. Integrating ERM both formally and informally throughout a business encourages a risk-aware culture and enhances alignment between strategy setting, execution, and performance.

What does the evolution of ERM mean for organizations?

COSO has recognized it, and many companies have realized it as well: Organizations must elevate their approach to risk management—linking risk more closely to business strategy—to meet the evolving demands and the increasing complexity of business today. Doing so can help organizations turn challenges into opportunities to achieve competitive advantage.

Let's talk

If you’re interested in learning more, please contact us. We’d be happy to schedule a meeting with you and your team.

Keri Calagna
Principal | Risk Intelligence
Deloitte Risk and Financial Advisory
+1 212 492 4461

Jacqi Fifield
Specialist Leader | Risk Intelligence
Deloitte Risk and Financial Advisory
+1 503 727 5302

¹ Enterprise Risk Management—Integrating With Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, 2017