Much of ERM consists of qualitative discussion of the risks facing a business and controls over them. It is difficult to identify in the literature a clear body of theory to provide the foundation for the subject, integrating a business's objectives with its risk controls.The present paper...