Much of this book has focused on understanding and quantifying different types of risk: market risk, credit risk, operational risk, and so on. An important part of a risk manager’s job is to ensure that these risks are correctly evaluated. But it is also important for the risk management function to take a holistic, big-picture view of risk. It should identify potential adverse events and their full consequences. The total exposure to an adverse event can be greater than (or less than) the result obtained by considering each risk type separately. Enterprise risk management (ERM) is the name given to this holistic approach to risk management.

In understanding ERM, it is important to distinguish top-down and bottom-up approaches to risk management. Bottom-up approaches are concerned with assessing the different types of risk borne by different business units and combining them. We discussed how this can be done in the previous chapter. In top-down approaches, the overall risk appetite of the organization is defined, and this is then used to define risk limits for different parts of the organization. In practice, a financial institution needs to use both top-down and bottom-up approaches. A top-down approach is necessary to define the overall risk appetite, and a bottom-up approach is necessary to evaluate whether the risks being taken by business units are consistent with this risk appetite.

In 2004, the Committee of Sponsoring Organizations ...