Enterprise Risk Management (ERM): What It Is and Why You Should Care

Written by Marko Petric | Published on May 13, 2020 | 0 Comments

Every decision we make involves some sort of risk. People take a risk every time they cross a busy street without waiting for the light to turn green, when they lift a heavy piece of furniture, or when they make an investment decision.

But what makes something an enterprise-level risk?

In this article, we will examine the nature and implications of enterprise risk for modern organizations. We’ll describe the underlying goals and objectives of enterprise risk management (ERM), explore some ways your organization can benefit from it, and consider steps you can take to implement it.

We will also look into how an automated software escrow solution can not only help you minimize enterprise risk, but also improve your processes and cut back on costs.

So let’s get into it!

What is Enterprise Risk?

Enterprise-level risks generally have to do with a company’s financial, strategic, operational, and even customer-facing functions.

All organizations have to manage risks to stay in business. Most business leaders would say that managing risks is just a normal part of running a business. So if risk management is already occurring in these organizations, what’s the point of ERM (enterprise risk management) as a standalone business unit or initiative?

To answer this question, first, we have to look into how risk management is traditionally addressed in companies.

The traditional approach to risk management

Traditionally, organizations manage risks by requiring business unit leaders to manage distinct risks within their areas of responsibility. So for example, the CTO is responsible for managing risks related to the organization’s IT operations, the CFO is responsible for managing risks related to financing and cash flow, the COO is responsible for managing risks in production and distribution, the CMO is responsible for risks as they relate to customer relationships and sales, and so on. This approach is often referred to as silo or stove-pipe risk management whereby each silo leader is responsible for managing or elevating risks within their respective silo.


Though this approach may make perfect sense in theory, in practical application, it has many limitations. This, in turn, may mean that there are significant risks on the horizon that may go undetected by management and that might affect the organization.

So let’s take a look at some of the limitations of traditional approaches to risk management:

Limitations of the traditional approach to risk management

One of the limitations of the silo or stove-pipe approach is that, quite often, the focus of traditional risk management is centered around identifying and responding to risks of operational nature internally. As a result, there is minimal focus on risks that might emerge externally from outside the business. For example, a business may not be monitoring a competitor’s move to develop a new technology that has the potential to significantly disrupt how products are used by consumers. This would affect their bottom-line and market share in the long run, putting them way behind their competitors.

Another limitation is that risks don’t follow your business’ organizational chart and, as a result, there may be risks that “fall between the silos”. In other words, in case there’s ever a risk that does not capture the attention of any of the silo leaders, this risk will go unnoticed until it triggers a catastrophic risk event. Needless to say, this is not a great strategy.

Then there are, of course, the risks that affect multiple silos in different ways. So while a silo leader might recognize potential risk and take the necessary steps to remedy it, he or she might not realize the significance of that risk to other aspects of the business. In the long run, this can have a catastrophic effect on the organization if it were to occur and remain unaddressed, thus impacting several business functions simultaneously.

Or consider there’s a risk that gets recognized by a silo owner on time. In good faith, the silo owner logically decides to respond in a particular manner to a certain risk affecting his or her silo; however, in doing so, that response triggers a significant risk in another part of the business. For example, your IT function may decide to tighten IT security protocols to respond to certain cyber risks in a way that customers find confusing and frustrating, which may ultimately lead to loss of business.

These are just some of the many risks that a company’s traditional approach to risk management may very well fail to foresee. And unfortunately, some organizations still fail to recognize these limitations in their approach before it’s too late.

So the question now is: What can you do about it?

Why is ERM becoming more prominent?

As technology becomes an indispensable part of running a business, different organizations are becoming more connected in cyberspace — both with each other, as well as their customers and clients. This brings inherent risks to organizations both large and small — not only in terms of potential cyber-attacks but also loss of data and source code access. And in response, investors and regulatory bodies are increasingly mandating companies throughout many industries to scrutinize and report on the effectiveness and efficiency of their risk-management policies and procedures.

Modern businesses need an ERM mentality shift

Many of the pitfalls of ERM stem from the culture within companies. Instead of treating the reduction of enterprise risks as something that needs to be approached systematically and strategically, most companies brush it off as an IT compliance obligation. Too often, the only times this is discussed is when a CTO discusses compliance issues in jargon-speak that nobody understands. Not surprisingly, this is part of the reason why it tends not to be seen as a strategic priority.

Such a mentality obfuscates and complicates ERM.

By its very nature, the key objective of enterprise risk management is to develop a holistic, top-down view of the most significant risks to the organization’s most important business objectives.

Given this objective, the responsibility for setting the tone and leadership for ERM resides with executive management and the board of directors. Not only are they the ones who have the enterprise view of the organization, but they are also viewed as being ultimately responsible for understanding, managing, and monitoring the most significant risks affecting the enterprise.

In 2020, companies can’t just aim to meet ERM standards as a check-all-the-boxes kind of thing. Decision-makers and leaders must prioritize overall risk reduction and boost visibility into the total security of the organization. This in turn will aid in catalyzing new, transparent dialogue surrounding ERM.

The good news, however, is that over the past decade or so, an ever-growing number of business leaders have realized that waiting until a risk event occurs is way too late for effectively addressing significant risks. They have also come to recognize and accept the shortcomings of the traditional approach to risk management on the enterprise level. And as a result, they are now increasingly and proactively embracing ERM as a business process to enhance how they manage risks to the enterprise.

What exactly comprises ERM and how does it work?

Role of leadership in ERM

Top company management is responsible for designing and implementing the enterprise risk management process for the organization. They are the ones who have to determine what process should be in place and how it should function, and they are the ones ultimately tasked with keeping the process active.
The board of director’s role, on the other hand, is to provide risk oversight by approving management’s ERM process, as well as overseeing the risks identified by the ERM process to ensure management’s risk-taking actions are within the investors’ appetite for risk-taking.

Elements of ERM

Because risks constantly emerge and evolve, it is important to understand that ERM is an ongoing process rather than a project that has a beginning and an end.

Enterprise risk management practices center around planning, spearheading, and handling the ongoing operations of an organization. It’s done in a way that offsets the adverse effects that risk can have on your organization’s operations, capital, earnings, reputation, and other critical areas.

ERM should be integrated with business strategy in a way that its existence enhances the strategic value of the company. Having an effective risk management process should ultimately aid in executing the organization’s strategic objectives.

So here are a few key methods that help organizations bolster their ERM practices:

I. Establish a scope

  • Define vital business processes and related risks
  • Then, prioritize processes and risks

II. Define risks

  • Figure out what threatens business objectives and strategies the most
  • Disperse that information to the necessary individuals and establish protocols to mitigate those risks

III. Create an action plan

  • Risk treatment plans will pinpoint unnecessary risks while closing risk gaps

IV. Use metrics get better insights

  • Establish metrics and Key Risk Indicators (KRIs) to identify discrepancies and evaluate the success of your current strategy

V. Establish software escrow

  • Modern, automated source code and data escrow can help you protect your mission-critical systems in case of unexpected events


Minimizing enterprise risk with software escrow

The last recommendation above is an often-overlooked solution that has become critical in today’s age of digitalization.

The advent of the digital age brings a wide range of opportunities, but also many potential pitfalls—namely with source code and data responsible for running these systems. This puts enterprises at tremendous risk that could sink them in the long run. 

Ask yourself: What would happen to your business if you were to suddenly lose access to your software?

We live in unprecedented times, and now it’s more important than ever to ensure that your mission-critical systems are secure and always available. This is why a growing number of companies worldwide are turning to source code escrow to protect themselves from unpredictable events, such as their code suppliers going out of business or discontinuing maintenance and support of software.

Why source code escrow is essential to organizations

Any company that licenses software, outsources software development, or hosts its software on a cloud or external data center should consider securing their source code and related data using escrow.

Here are just some of the potential problems that could have catastrophic consequences on your business with no escrow in place:

  • Counterparty risk
  • Losing data accidentally
  • Supplier going bankrupt 
  • Stolen data
  • Unwanted downtime 
  • Unpredictable external events (e.g., COVID-19)
  • Backup recovery snafus
  • Data and identity theft
  • Hacking ransomware
  • Employee sabotage
  • Senseless and wasteful lawsuits

Unfortunately, this list only scratches the surface. After losing control of data and source code, all the sound business practices in the world won’t save an organization from ultimate doom.

Considering the number of software providers defaulting due to the COVID-19 crisis in 2020, companies around the world are making it a priority to secure their access to source code with an adequate escrow.

With modern escrow solutions such as Codekeeper on the market, you don’t have to choose between quality and price; Codekeeper is a market leader both in terms of technology and price.

How does source code escrow work?

In a nutshell, software escrow is a service that helps protect all parties involved in a software license by having an independent, neutral 3rd party escrow hold source code, data, and documentation until a mutually-agreed-upon event occurs.

This independent and neutral storage is the key to mitigating risk to all parties involved. The process is simple:

I. Execute an escrow agreement with a trusted escrow provider

When deciding which software escrow vendor to use, some important considerations include technology they use, automation capabilities, integrations with developer platforms, legal expertise, and ease of use.

II. Deposit source code and other desired materials to escrow

Source code, data, documentation, and any other important materials are deposited into escrow. You should look for a modern escrow provider that allows for escrow synchronization, automated submission scripts, and deep integrations with developer platforms to ensure efficiency and adequate security.

III. Automatically update escrow as the software product evolves

As software continues to evolve and new versions are developed, source code escrow must be updated simultaneously. Unlike traditional escrow providers, modern solutions automate this process to ensure your materials are always up-to-date.

IV. Release escrow materials in case release events occur

Release terms define the conditions under which the software escrow provider should release escrow materials to the licensee. This ensures that the materials are only released to the licensee after an event that all parties have agreed upon in advance.


Tip: If you want to learn more about what a software or source code escrow is, how it’s used, and how it might benefit your company, check out this guide for everything you need to know to get started.


Setting up source code escrow can seem daunting, especially when it's new to an organization. Our mission here at Codekeeper is to make this process as seamless as possible for your organization.

Our platform seamlessly integrates with developer workflows on SCM-platforms like Github, saving you time and cutting your costs. And unlike traditional escrow providers, Codekeeper ensures your source code and data deposits are encrypted and fully automated, so they’re always up-to-date and in compliance.

Codekeeper also includes official escrow agreements, release terms, beneficiary management, data escrow, and an arsenal of other services. And last but not least, thanks to our unique automation technology, we also offer the best price guarantee. You can learn more about our pricing model here.

Join leading global brands and tech companies, who are ditching traditional escrow providers and turning to modern solutions such as Codekeeper. With our superior technology and pricing, you can ensure that your mission-critical systems remain unaffected through any circumstance.

Scale up your source code and data security with Codekeeper! Automatically deposit materials, streamline your escrowing processes, and cut costs with Codekeeper.


Back to blog