The Enterprise Risk Management (ERM) Hierarchy 101
Risk management is something that every organization does. A risk is the combination of the likelihood of an event and its impact (Source: ISACA). Risks are inherent to any business operation, but they are not necessarily negative. Risk can be a powerful tool for identifying areas, projects, and initiatives that are absorbing more risk than acceptable (i.e., exceeding tolerance levels). Highlighting these risks enables organizations to prioritize and address threats effectively before they materialize.
However, there is often a disconnect between the risks faced at the functional level and the strategic risks that impact the organization as a whole. The Enterprise Risk Management (ERM) hierarchy helps organizations visualize how operational and functional risks aggregate to influence enterprise-wide risk. In other words, it illustrates how "smaller" issues can significantly impact an organization’s overall risk profile.
Understanding the ERM risk hierarchy—from broad strategic themes to specific issues—helps businesses gain a deeper understanding of risk placement within the organization. It also allows leadership to assess whether risks are being maintained within acceptable levels, as defined by the organization's risk profile.
The ERM hierarchy maps out how various risks across the business feed into strategic concerns, categorized into four levels:
Enterprise Risk Themes (Top Level)
Enterprise Risks (Second Level)
Functional (Operational) Risks (Third Level)
Issue Management (Lowest Level)
Top Level: Enterprise Risk Themes
At the highest level, Enterprise Risk Themes represent overarching strategic risk categories that impact an organization’s mission and long-term objectives. These themes are broad, cross-functional areas of concern that influence decision-making at the executive and board levels.
Enterprise risk themes should align with organizational goals as well as external challenges in the business environment. A common example of a risk theme is “Cybersecurity Landscape”, which encompasses an organization’s efforts to protect its data and information systems from threats.
By defining enterprise risk themes, organizations can align risk management efforts with business strategy, helping leadership understand the broader risk landscape and identify areas needing increased focus, alignment, or investment.
Second Level: Enterprise Risks
Beneath risk themes are Enterprise Risks, which are significant risks with organization-wide implications. These risks directly impact business objectives, operations, and strategic goals. They require senior leadership oversight and cross-departmental coordination to manage effectively.
Each enterprise risk will directly connect to one or more risk themes. For instance, under the “Cybersecurity Landscape” theme, an enterprise risk might be “Bad Actors Exploiting Vulnerabilities.” This risk further defines specific concerns within the cybersecurity space and helps direct mitigation strategies, such as vulnerability management programs.
Enterprise risks demand structured mitigation strategies, including adherence to industry frameworks like ISO 31000 (Risk Management) and the NIST Cybersecurity Framework. Beyond adopting these frameworks, organizations must establish agreements among stakeholders, risk owners, and mitigation teams to assess and manage these risks effectively.
An enterprise risk management program primarily focuses on addressing and mitigating these risks.
Third Level: Functional (Operational) Risks
Moving down the hierarchy, Functional Risks are specific to business units, assets, or operations. While these risks align with enterprise risks, they are managed at the operational level and address sub-problems derived from broader enterprise risks.
For example, if an enterprise risk is “Bad Actors Exploiting Vulnerabilities,” a related functional risk could be “Product A has unpatched vulnerabilities that could be exploited by attackers.”
Functional risks require targeted risk assessments and controls. Depending on their complexity, they may involve straightforward remediation steps or require collaboration across various teams to resolve interconnected issues.
Lowest Level: Issue Management
At the lowest level, Issues are immediate, specific risk events, nonconformities, or vulnerabilities affecting a specific asset. These risks are often identified through audits, real-time monitoring, or incident reporting. Issues may require immediate action (critical issues) or long-term remediation efforts that demand significant resources or investment. For example, an application within Product A uses a Microsoft component that is end-of-life (EOL), unsupported by the manufacturer, and vulnerable to known security threats.
There is no one-size-fits-all approach to addressing issues. Some will require remediation, while others may necessitate alternative strategies, such as phasing out an asset and implementing an issue acceptance process.
In cases where replacement is cost-prohibitive or resource-intensive, organizations might opt for issue acceptance, where stakeholders formally review the risk, assess controls, and acknowledge the issue’s existence while planning long-term mitigation measures.
Overall, the ERM risk hierarchy ensures that organizations structure risk management efforts efficiently. By categorizing risks into themes, enterprise risks, functional risks, and issues, businesses can allocate resources effectively and mitigate threats appropriately.
Sources
COSO ERM Framework
ISACA Glossary
Thanks for sharing, Ana