This quick reference guide discusses what is Enterprise Risk Management(ERM), its importance, the COSO framework and steps to create and implement an effective ERM program.
2. Enterprise Risk Management (ERM) establishes a framework to identify, measure,
monitor and manage risk.
ERM is:
Designed to identify and assess potential events affecting the entity and manage
risk within its risk appetite.
Effected by the Board, Management and other personnel.
Applied in strategy setting, across the enterprise.
Able to provide reasonable assurance regarding the achievement of the entity
objectives .
Applied across the enterprise, at every level and unit, and includes taking an
entity-level portfolio view of risk.
3. While traditional risk management focused on asset-protection, ERM offers a more holistic
approach, integrating all departments and functions into a single program towards managing
risk.
A comprehensive ERM program will:
Align firm’s risk appetite with business objectives.
Identify/manage multiple and cross-enterprise risks.
Reduce frequency and severity of operational surprises.
Enhance the rigor of risk-response decisions.
Build confidence of investment community and stakeholders.
Enhance corporate governance.
Successfully respond to a changing business environment.
Proactively seize on the opportunities presented to the firm.
Improve effectiveness of capital deployment.
4. The COSO ERM framework has eight
interrelated components, which represents
what is needed to achieve the entities
objectives.
Entity objectives can be viewed in the
context of four categories:
Strategic
Operations
Reporting
Compliance
5. The implementation of ERM involves:
Retaining the need for risks to be managed and owned at the business
function level.
A shift in processes and culture of the organization.
Strengthened communication, training, and awareness.
Building processes to track risks.
Building an enterprise-wide analysis of risks for senior executive and Board
review.
6. 1. Conduct an enterprise risk assessment
◦ Include all stakeholders
◦ Prioritize the risks
2. Articulate the risk management vision
◦ Identify risk management capabilities – be specific
◦ Have a holistic plan
◦ The plan includes policies, processes, oversight and reporting
3. Pick one or two key risks and address them
◦ Ensure the proper program is in place for these risks
◦ Test the program
◦ Evaluate the program for success
4. Expand the program for other risks in order of priority
◦ Components
Internal Controls
Monitor, Test and Audit
Risk Managers
Senior Management Control
Board oversight independent of management
7. Inconsistent use of risk definitions and terminologies
Lack of risk awareness throughout the organization
Inadequate focus on how to identify risk
Lack of clarity on responsibilities for risk – ‘who’
Insufficient rigor / consistency in risk evaluation
Lack of structure in risk decisions – right people / right data / right time
Inability / lack of effective self-assessment
8. Want to learn more about ERM, and best practices to
implement effective ERM program? ComplianceOnline
webinars and seminars are a great training resource. Check
out the following links:
How to conduct a Compliance Gap Analysis for ERM?
Establishing Effective Enterprise Risk Management (ERM)
for Achieving Good Compliance
COSO ERM Simplified-Implementation for Government
and small businesses
Internal Audit's Role in Enterprise Risk Management
Essentials of ERM and Assessing its Effectiveness Using
ISO 31000
Integrating Ethics and Compliance Risks into your
Enterprise Risk Management Program