What motivates a different risk assessment from Audit and ERM perspectives respectively? What are common differences in perspectives? E.g. a process where ERM would have a Green and Audit would have a Red RAG? Etc.
There should not be a difference in risk assessments if we are utilizing the same evaluation criteria. There is art to the assessment of risk and likelihood, so there may be differences in each function's interpretation. A discussion of rationale between both parties should hopefully resolve any difference in assessments. This is ideal but more often than not the experience in reality.
Our ERM processes, including our rating scale, focus on those risks that pose existential threat to the organization. While our IA processes could end up looking at something with that level of impact, it is much more common that we're looking at strategic and tactical risks at lower levels, and the rating scale reflects that. We want, however, to be able to have bi-directional flow of information and knowledge about risks between the two functions. To address this we've adopted a mapping function that primarily allows ERM to aggregate risks that IA (or compliance, cyber, etc.) identify, in order to determine the aggregate impact of those risks at the enterprise level. It's a fairly simple mapping currently but at least allows the ERM team to know where they should potentially dig in to better understand implications at the enterprise risk level.
The audit risk assessment is more specific; for example, it considers control, process and system changes that could impact the company's financial statements, goals and strategy, as well as compliance with policies and procedures. ERM's risk assessment is broader across the organization, as it considers, for example, future risks and works directly with management to develop actions to mitigate those risks. Regarding risk ratings, these may also differ, as both functions can have different methodologies to define thresholds and other qualitative factors that can affect the classification of and conclusion on risks. I think a good example is digital transformation. ERM may look at this as a strategic risk to meeting business goals, which could be Green if the transformation plan has been developed in a timely manner and progress is as expected. However, from the audit perspective, this could be Red if the controls supporting this transformation process are not in place. Both functions should work together, as one feeds the other and vice versa.