Enterprise risk management: Your top questions and our answers

An emerging risk is a new or developing risk that can be difficult to accurately or objectively assess, but has the potential to significantly impact an organization in the future. Emerging risks are often characterized by rapid evolution and may be difficult to identify, define and/or quantify due to their unpredictable nature. 

Conducting a risk assessment annually, or on a regular cadence, is recommended for most organizations, although this may not mean a full, enterprise-wide, risk assessment is needed every year. There are many factors to consider with an ERM specialist to determine what the optimal cadence may be for your organization. 

Common risk information used in strategic planning includes an organization’s overall risk profile, which outlines current exposures across operations; emerging risks, which highlight new or evolving threats that may impact future strategies; risk scenarios, which explore hypothetical events to test resilience; and risk tolerance and appetite, which define how much risk the organization is willing and able to accept. Together, these elements help leaders make informed decisions, prioritize resources, and build adaptable, forward-looking strategies. 

ERM value is enhanced when all risk stakeholders, including internal audit, play active roles. Collaboration and information sharing foster improved communication, transparency and accountability. 

If risks are identified and assessed in the context of the organization’s long-range plan, the resulting risk profile can be demonstrated as a valuable input to strategic planning, ensuring the strategy accounts for the risks that may impact the performance the long-range plan is intended to deliver.  

Risk appetite is used to define an organization’s approach to managing risk within acceptable limits. Risk appetite is defined as the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value. 

The use of AI can be a risk and/or an opportunity. Ensuring appropriate protocols are in place is key. Explore more on this topic. 

A practical translation of strategy or mission into risk management is aligning risk priorities with strategic goals. This report highlights many great strategies.  

Risk appetite: The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.

Risk tolerances: The acceptable level of variation an organization is willing to accept regarding a specific risk. 

Internal audit can help drive ERM maturity through coordinated efforts. For example, creating more opportunities to share knowledge, such as job swaps, guest auditor support or reciprocal training programs.  

To gain C-Suite buy-in and demonstrate ERM’s ROI beyond compliance, position ERM as a strategic value driver. Quantify its impact by translating avoided losses, improved risk-adjusted returns and enhanced resilience into measurable business outcomes. Align ERM with organizational priorities — showing how it supports growth, efficiency and informed decision-making. Finally, ensure the tone comes from the top, embedding ERM into the culture as a leadership-driven initiative that protects and creates shareholder value. 

To help organizations confront today’s risks and seize tomorrow’s opportunities, Baker Tilly developed a suite of proprietary, AI-enabled enterprise risk management tools that help clients better understand and manage uncertainty. These solutions go beyond traditional risk assessments, leveraging advanced analytics and real-time collaboration to improve decision-making and enhance business resilience. Our ERM toolkit includes: RiskScan™, RiskSynergy™, RiskDiagnostic™ and RiskQuantification™. Explore more about Baker Tilly’s ERM services, AI-enabled tools and other resources.