Enterprise Risk Management (ERM) is simple and straightforward.
In plain and simple English, it is the management of all risks across the organization that can disrupt "business as usual".
Unlike Business Continuity (BC) which, as I understand it, is concerned with "the usual suspects" of environmental events, human error, and technology error or malfunction, ERM is concerned with ALL threats, including those not directly under the auspices or control of the organization.
The following graphic is NOT "all-inclusive."
A practitioner should always have input from both internal and external Subject Matter Experts (SMEs) to (a) identify potential threats, (b) provide input to help prioritize the threats, and (c) identify ways to avoid or mitigate the threats.
The "Ubiquitous Other" in the graphic is NOT a "Black Swan"; it simply represents the threats I overlooked while creating this document, threats that SME input would make obvious. As I write this, management malfeasance and misfeasance come to mind, as do stock values and bond ratings.
Although I've been involved in risk management for more years than I care to count, alone I cannot think of every potential risk or risk management measure. Practitioners MUST have input from as many sources as possible, both internal and external.
For ERM, "no man is an island."
In the Business Continuity world, SMEs typically are the folks working within the organization, again "typically" IT and critical-process personnel, with, perhaps, input from the local police and fire departments.
In the ERM world, SMEs can include historians and librarians, geologists, futurists, economists, lawyers, financiers . . . the list is nearly endless, and the expertise of all should at least be considered if not solicited.
Just as Disaster Recovery (D/R) is part of Business Continuity, so too is Business Continuity part of Enterprise Risk Management.
Separating the various functions of ERM is, to this scrivener, counter-productive.
To be effective, all functions must be integrated into one cohesive process.
To whom should the ERM practitioner report? Assuming the practitioner is below the level of vice president, then the best person is any vice president with enterprise-wide fiduciary responsibilities.