Organizations address risk from many perspectives, including internal and external financial risks, infrastructure, reputation, and markets (IRM, 2010). Risks with positive impacts are known as opportunities, while risks with negative consequences are called hazards (ISO/IEC, 2008). Risk can impact a business at all levels: strategic, tactical (also known as program or project risk), and operational (IRM, 2010). Proactive risk management allows companies to reduce uncertainty, leading to better business decisions aligned with strategy. Managers can systematically exploit opportunities and reduce the negative consequences of risks. ERM provides insights to answer three simple business questions: “Should we do this? Can we do it? Did we do that?” (RMA, 2015). Additionally, ERM helps ensure compliance with Sarbanes-Oxley requirements for external reporting by providing the information necessary for historical risk reporting and prospective risk disclosure (IRM , 2010).In contrast, companies that do not practice risk management still ultimately have to respond to risk requirements (Kendrick, 2009). Over time, ignoring risks often leads to missed opportunities and failure to achieve risk management objectives