After attending several workshops on enterprise risk management (ERM) I became somewhat disillusioned by what I saw, and backed off from that marketplace. But the update to the COSO ERM framework indicates that the weaknesses I saw may have been recognized by others.
All too often ERM seemed to be the process of creating a list of risks and monitoring whether they were getting worse, getting better or staying the same. But very seldom was there any mention of organizational objectives, yet that is what risk management is all about.
So the simple lesson should be that risks are not the primary topic in ERM (or any level of risk management). Objectives, whether strategic, operational or product/process focused, are primary. Risk management is simply the effective consideration, and management, of the risks that can subvert or support those objectives.