The term "ERM" refers to two things:
1. First, "ERM" refers to a broadened perspective on risk. Traditionally, risk managers focus on an organization's "pure" risks, primarily hazard risk. Pure risks present a chance of loss or no loss, but no chance of gain. However, threats to an organization's ability to continue operating and to achieve its mission and strategic objectives can arise from other sources. Thus, ERM refers to the broadening of the risk manager's perspective to cover all the potential threats to the organization, including financial, operational, and strategic risk.
Included in this broadened perspective, which incorporates those other categories of risk, is the consideration of "speculative" risk. Speculative risk involves a chance of loss, no loss, or gain. ERM recognizes that to thrive, grow, and remain competitive vis-à-vis its competitors, an organization must take on some level of risk; it must take on speculative risk. This type of risk is desirable, but it must be managed so that it falls within the organization's risk appetite. The quotation above illustrates this concept of risk as being inextricably embedded within opportunity.
2. Second, "ERM" refers to a toolbox for how to achieve the broadened perspective noted above, to effectively identify, assess, and rank all the potential threats to the organization. Such a ranking enables management to make informed decisions about where to focus finite risk mitigation resources.
These toolboxes take the form of the various ERM frameworks available to the risk manager, such as COSO, ISO 31000, Deloitte's Risk-Intelligent Enterprise, and others. Selecting an internationally accepted framework serves as a "safe harbor" for an organization's ERM program, because such frameworks are recognized as comprehensive and effective by governing, regulatory, and rating bodies.