COSO Committee of Sponsoring Organizations of the Treadway Commission
Each of the five components of internal control is reviewed below in relation to the ERM Framework. In each case, a table is included setting out concepts that are:
- Common to both internal control (IC) and enterprise risk management (ERM)
- Included in internal control and expanded upon in enterprise risk management
- Incremental to enterprise risk management and not part of internal control
The principles for each component contained in the Framework are used where possible to depict these similarities and differences.
| Common to ERM and IC | Introduced in IC and expanded in ERM | Incremental to ERM |
|---|---|---|
In discussing the Control Environment component, the ERM Framework discusses (in the chapter titled Internal Environment) an entity's risk management philosophy, which is the set of shared beliefs and attitudes characterizing how an entity considers risks, reflecting its values and influencing its culture and operating style. As described above, the Framework encompasses the concept of an entity's risk appetite, which is supported by more specific risk tolerances.
Because of the critical importance of the board of directors and its composition, the ERM Framework expands on the call for a critical mass of independent directors (normally at least two), stating that for enterprise risk management to be effective, the board must have at least a majority of independent outside directors.
ERM Framework and Internal Control—Integrated Framework both acknowledge that risks occur at every level of the entity and result from a variety of internal and external factors. And both frameworks consider risk identification in the context of the potential impact on the achievement of objectives.
ERM Framework discusses the concept of potential events, defining an event as an incident or occurrence emanating from internal or external sources that affects strategy implementation or achievement of objectives. Potential events with a positive impact represent opportunities, while those with an adverse impact represent risks. The Internal Control—Integrated Framework focuses on identifying risks and does not include the concept of identifying opportunities, as the decision to pursue opportunities is part of the broader strategy-setting process.
While both frameworks call for assessment of risk, ERM Framework suggests viewing risk assessment through a sharper lens. Risks are considered as inherent and residual, preferably expressed in the same unit of measure established for the objectives to which the risks relate. Time horizons should be consistent with an entity's strategies, objectives and, where possible, observable data. ERM Framework also calls attention to interrelated risks, describing how a single event may create multiple risks.
As noted, enterprise risk management encompasses the need for an entity-level portfolio view, with managers responsible for a business unit, function, process, or other activity having a composite assessment of risk for their individual units.
Like the Internal Control—Integrated Framework, the ERM Framework identifies four categories of risk response: avoid, reduce, share, and accept. However, enterprise risk management adds a further consideration: evaluating potential responses from these categories with the intent of achieving a residual risk level aligned with the entity's risk tolerances. Management also considers, as part of enterprise risk management, the aggregate effect of its risk responses across the entity and in relation to the entity's risk appetite.
Both frameworks present control activities as helping ensure that management's risk responses are carried out. The Internal Control—Integrated Framework presents a more current view of technology and its impact on the running of an entity.
The ERM Framework takes a broader view of information and communication, highlighting data derived from past, present, and potential future events. Historical data allows the entity to track actual performance against targets, plans, and expectations, and provides insights into how the entity performed in the periods under varying conditions. Current data provides important additional information, and data on potential future events and underlying factors completes the analysis. The information infrastructure sources and captures data in a timeframe and at a depth of detail consistent with the entity's need to identify events and assess and respond to risks and remain within its risk appetite. The Internal Control—Integrated Framework focuses more narrowly on data quality and relevant information needed for internal control.
Both frameworks present monitoring activities as helping to ensure that the components of internal control and enterprise risk management continue to function and remain suitable over time. The Internal Control—Integrated Framework presents a more current view of monitoring using baseline information and the monitoring of external service providers.
Generated November 9, 2014 22:46:48