ERM is firm-wide, multi-domain risk
Strategic, operational, financial, technology, people, reputational. Different owner, different cadence to compliance risk.
Enterprise Risk Management (ERM) is the firm-wide register of all material risks — strategic, operational, financial, technology, people, reputational — assessed against a board-approved risk appetite. It is aligned to COSO ERM 2017 and ISO 31000:2018. Per those standards and the three-lines model, the ERM register is prepared by the CRO / Risk function (2LoD), aggregating risk inputs from business owners (1LoD) per category, and approved by the Board or Board Risk Committee. It reports on a different cadence to compliance risk.
RegAlign is a compliance risk operating system. Its shipped risk surfaces are the BRA (AML/CFT/CPF firm-wide Business Risk Assessment under JFSC AML/CFT/CPF Handbook §2 — business-prepared, MLRO-challenged, board-approved — see /risk/bra), the CRA (Compliance Risk Assessment, prepared by the Compliance function — see /risk/compliance), RCSA (process-owner self-assessment), and Risk Appetite (compliance-scoped thresholds drafted by Risk, approved by the Board).
The ERM register itself is a different artefact for a different buyer and lives in our sister product RiskAlign (or in the Spine bundle, which is RegAlign + RiskAlign on a single rail). Until you license RiskAlign, ERM work belongs in your existing enterprise risk tooling. RegAlign exposes the ERM category taxonomy below as read-only context, so compliance risks identified here can be cross-tagged to the category they ultimately roll up under.
Terminology note. "EWRA" is overloaded. In AML practice (JFSC, FCA, JMLSG, FATF) "EWRA" is a synonym for the firm-wide Business Risk Assessment — that's the BRA and it's shipped today in RegAlign. In enterprise-risk practice "EWRA" sometimes refers to ERM. To avoid the collision, RegAlign uses BRA for the AML artefact (matching the JFSC's own published terminology) and ERM for the COSO/ISO 31000 artefact (which lives in RiskAlign).
COSO ERM 2017 / ISO 31000:2018 category structure. Compliance and AML financial-crime risk are inputs to ERM, not separate top-level categories — they feed in from the CRA and BRA.
- Strategic: Risks to the firm's strategic objectives — market shift, competitor moves, M&A, business-model disruption.
- Operational: Process failures, third-party / outsourcing risk, business-continuity, change-management risk. (Receives compliance / AML inputs.)
- Financial: Liquidity, credit, market, capital adequacy, treasury and FX exposures.
- Technology & Cyber: Information-security, data-protection, resilience, cloud / SaaS concentration, AI-system risk.
- People & Culture: Key-person dependency, conduct, talent, succession, workforce risk.
- Reputational: Brand, stakeholder-trust, media and regulator-perception exposure. (Receives compliance / AML inputs.)
- Regulatory / Compliance (input): Compliance risk and AML/CFT/CPF financial-crime risk feed in as inputs from the CRA and BRA — they are not separate ERM categories under COSO ERM 2017. (Receives compliance / AML inputs.)
The ERM register itself (rows, ratings, treatments, appetite breaches per category) is built in RiskAlign. This page only shows the taxonomy so the two products' linkage spine has a shared vocabulary.