Enterprise Risk Management (ERM) is a structured, organization-wide discipline that identifies, assesses, prioritizes, responds to, and continuously monitors risks that could prevent an organization from achieving its strategic, operational, reporting, and compliance objectives. In the CISA/IT governance context, ERM integrates IT risk — cyber threats, technology failures, data breaches, third-party dependencies — into the broader enterprise risk picture, ensuring technology risks receive the same governance rigor as financial or legal risks. ERM is not a one-time audit activity, a standalone security program, or a compliance checklist; it is an ongoing management process that connects risk intelligence to strategic decision-making and resource allocation. A mature ERM program produces a living risk register, a board-approved risk appetite statement, defined escalation paths, and quantified risk exposure that informs investment and operational decisions.
Where it stops · what it isn't
- ERM IS: An integrated governance process connecting strategy, operations, compliance, and reporting risks across the enterprise — including IT and third-party risks.
- ERM IS NOT: A replacement for individual security controls, IT audit procedures, or compliance-specific frameworks (e.g., SOX ITGC testing) — those feed INTO ERM but are not ERM itself.
- ERM IS: A living, adaptive cycle of risk identification → assessment → response → monitoring, governed at the board and executive level.
- ERM IS NOT: A point-in-time risk assessment or an annual exercise — modern ERM combines continuous monitoring with periodic structured reviews.
- ERM IS: A decision-support framework that translates risk data into board- and executive-level actionable intelligence, including risk appetite statements and risk dashboards.
- ERM IS NOT: A purely qualitative heat-map exercise — advanced ERM applies quantitative methods (Monte Carlo simulation, scenario analysis) to produce financial exposure estimates boards and CFOs can act on.
- ERM scope extends beyond IT: supply chain, third-party vendors, AI/ML model risk, climate-related operational disruption, and geopolitical risk are now standard ERM categories.
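The quantitative side of the points above, as an added example that is not from the original page: a seeded Monte Carlo simulation over a constructed three-entry risk register (hypothetical figures, not any real organisation's) that turns each risk's annual likelihood and 5th/95th-percentile loss range into an expected annual loss and a 95th-percentile bad-year figure, then compares the latter with an assumed board-approved appetite to decide whether escalation is due.

```python
import math
import random
from statistics import mean

# Constructed sample risk register (hypothetical entries, not from any real organisation).
# Each risk has an annual probability and a 5th/95th-percentile loss range modelled as lognormal.
RISK_REGISTER = [
    {"id": "R1", "name": "Ransomware on core ERP", "p_annual": 0.10, "loss_low": 500_000, "loss_high": 8_000_000},
    {"id": "R2", "name": "Critical SaaS vendor outage", "p_annual": 0.40, "loss_low": 50_000, "loss_high": 900_000},
    {"id": "R3", "name": "Customer data breach", "p_annual": 0.05, "loss_low": 1_000_000, "loss_high": 20_000_000},
]

Z90 = 1.6448536  # z-score bounding the central 90% of a normal distribution


def lognormal_params(low, high):
    """Convert a 5th/95th-percentile loss range into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(register, iterations=20_000, seed=42):
    """Return one simulated total loss per simulated year (seeded for reproducibility)."""
    rng = random.Random(seed)
    params = [(r["p_annual"], *lognormal_params(r["loss_low"], r["loss_high"])) for r in register]
    totals = []
    for _ in range(iterations):
        year_loss = 0.0
        for p_annual, mu, sigma in params:
            if rng.random() < p_annual:  # does this risk materialise in this simulated year?
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def percentile(values, q):
    """Empirical q-quantile (0 <= q < 1) of a list of values."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def exposure_summary(register, appetite_p95, iterations=20_000, seed=42):
    """Compare simulated exposure with a board-approved appetite for the 95th-percentile annual loss."""
    losses = simulate_annual_loss(register, iterations, seed)
    p95 = percentile(losses, 0.95)
    return {
        "expected_annual_loss": mean(losses),  # the single figure a CFO can budget against
        "p50": percentile(losses, 0.50),       # a typical year; often zero when events are rare
        "p95": p95,                            # the bad-year figure compared with risk appetite
        "breaches_appetite": p95 > appetite_p95,  # True => escalate via the defined path
    }
```

With these inputs the median year shows no loss at all (most years none of the three events occurs), while the 95th-percentile year runs into the millions; that gap is what a heat map hides and what the appetite comparison makes actionable.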
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: IT Governance and Management (CISA Domain 2)
- REQUIRES: Risk Identification and Classification; Risk Appetite and Tolerance Frameworks; IT Controls and Control Frameworks (COBIT, NIST)
- ENABLES: Security Investment Prioritization; Board-Level Risk Reporting and Disclosure; Third-Party and Vendor Risk Management
- RELATED TO: Data Governance and Privacy Risk Management; IT Project Governance and Risk
- CONSTRAINS: Digital Transformation and New Product Launch Decisions