This document provides a structured approach to implementing enterprise risk management (ERM) based on ISO 31000. It discusses key risk management principles, including defining risk, establishing a risk management process, and creating a risk-aware culture. The document advocates developing a risk architecture, strategy, and protocols to provide proper context for risk activities. It also summarizes ISO 31000's risk management process of risk identification, evaluation, response, resourcing, reaction planning, and reporting.
A new emphasis on enterprise risk management from regulators has heightened awareness among bankers to get educated and adopt these best practices at their institution. In response to this increased focus, the RMA ERM Council developed the ERM framework and associated competencies, which became the foundation for a series of highly practical workbooks for implementing effective ERM.
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational
exposures and the effectiveness of controls. In so doing RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that
operational risk management is a bureaucratic, compliance-focused, exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
The Management of Uncertainty
•It has long been recognized that one of the most important competitive factors for any organization to master is the management of uncertainty.
•Uncertainty is the major intangible factor contributing towards the risk of failure in every process, at every level, in every type of business.
•Managing business uncertainty may involve introducing, developing and implementing strategic enterprise management frameworks for –
–Corporate Foresight and Business Strategy
–Business Planning and Forecasting
–Business Transformation
–Enterprise Architecture
–Enterprise Risk Management
–Enterprise Performance Management
–Enterprise Governance, Reporting and ControlsEAEA
Enterprise Risk Management and SustainabilityJeff B
An overview of our endeavors at implementing ISO 31000 enterprise risk management and the importance of establishing good risk culture within the company.
A new emphasis on enterprise risk management from regulators has heightened awareness among bankers to get educated and adopt these best practices at their institution. In response to this increased focus, the RMA ERM Council developed the ERM framework and associated competencies, which became the foundation for a series of highly practical workbooks for implementing effective ERM.
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational
exposures and the effectiveness of controls. In so doing RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that
operational risk management is a bureaucratic, compliance-focused, exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
The Management of Uncertainty
•It has long been recognized that one of the most important competitive factors for any organization to master is the management of uncertainty.
•Uncertainty is the major intangible factor contributing towards the risk of failure in every process, at every level, in every type of business.
•Managing business uncertainty may involve introducing, developing and implementing strategic enterprise management frameworks for –
–Corporate Foresight and Business Strategy
–Business Planning and Forecasting
–Business Transformation
–Enterprise Architecture
–Enterprise Risk Management
–Enterprise Performance Management
–Enterprise Governance, Reporting and ControlsEAEA
Enterprise Risk Management and SustainabilityJeff B
An overview of our endeavors at implementing ISO 31000 enterprise risk management and the importance of establishing good risk culture within the company.
Integrating Strategy and Risk ManagementAndrew Smart
"A Holistic Approach to Managing Risk amidst Global Uncertainty"
The RMA/Cass Business School
10–14 February 2013
Advanced Risk Management Programme
Organised by Andrew Smart & Nicholas Hawke
In today’s fast-moving, complex environment, risk executives must cultivate an understanding across all risks and businesses. Business problems are multifaceted, interrelated, and increasingly global. Executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.
The RMA/Cass Advanced Risk Management Programme, led by the faculty at Cass, one of the UK’s top business schools, exposes participants to a rigorous, yet inspiring blend of theory, practice and cutting-edge research, instilling knowledge and skills applicable to the real world of global business. In addition to its focus on the known and quantifiable risks of credit, market, and operational, the programme concentrates on the unknowable and difficult to measure risks, including business, strategic, and reputation. Cass has excellent links to the City of London firms and institutions and is able to complement Cass faculty with guest faculty and senior level business practitioners, considered by their peers to be industry thought leaders
Areas of focus for The RMA/Cass Advanced Risk Management Programme include:
• Risk management as a strategic competitive strength
• An integrated approach to risk management
• Fostering a culture and climate that openly communicates risk
• A framework for rapidly responding to known risks and unraveling the complexities of the unknown
• A focus on risk informed by global perspectives.
PYA Principal Shannon Sumner co-presented “Enterprise Risk Management” at the HCCA Board Audit Committee Compliance Conference, February 27-28, 2017, in Scottsdale, Arizona.
The presentation covered:
The role of the governing Board of an organization in enterprise risk management (ERM)
Effective ERM in today’s healthcare setting
When ERM fails: “The perfect storm”
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceResolver Inc.
COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant.
Presentation by: Bob Hirth, Global Chairman of COSO.
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Operational risk management and measurementRahmat Mulyana
a short description in mixed English and Bahasa Indonesia on Operational Risk Management and Measurement, in particular value at risk calculation using Monte carlo Simulation. Another method using EVT (Extree Value Theory) will be delivered shortly. regards
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
The webinar covers:
• The start of any Enterprise Risk Management Program
• The approach to developing a framework that will assist organizations to integrate RM into their enterprise-wide risk management systems
• The relationship between the foundations of the risk management framework and their objectives
Presenter:
This webinar was presented by M. Youssef K, an executive consultant & trainer with several qualifications. He is an accomplished expert with over 10 years’ experience in the field of risk management, project and program management, PRINCE 2, Agile, EVM, business process analysis and design, as well as operational and organizational excellence.
Link of the recorded session published on YouTube: https://youtu.be/9fO-JqENL0I
Integrating Strategy and Risk ManagementAndrew Smart
"A Holistic Approach to Managing Risk amidst Global Uncertainty"
The RMA/Cass Business School
10–14 February 2013
Advanced Risk Management Programme
Organised by Andrew Smart & Nicholas Hawke
In today’s fast-moving, complex environment, risk executives must cultivate an understanding across all risks and businesses. Business problems are multifaceted, interrelated, and increasingly global. Executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.
The RMA/Cass Advanced Risk Management Programme, led by the faculty at Cass, one of the UK’s top business schools, exposes participants to a rigorous, yet inspiring blend of theory, practice and cutting-edge research, instilling knowledge and skills applicable to the real world of global business. In addition to its focus on the known and quantifiable risks of credit, market, and operational, the programme concentrates on the unknowable and difficult to measure risks, including business, strategic, and reputation. Cass has excellent links to the City of London firms and institutions and is able to complement Cass faculty with guest faculty and senior level business practitioners, considered by their peers to be industry thought leaders
Areas of focus for The RMA/Cass Advanced Risk Management Programme include:
• Risk management as a strategic competitive strength
• An integrated approach to risk management
• Fostering a culture and climate that openly communicates risk
• A framework for rapidly responding to known risks and unraveling the complexities of the unknown
• A focus on risk informed by global perspectives.
PYA Principal Shannon Sumner co-presented “Enterprise Risk Management” at the HCCA Board Audit Committee Compliance Conference, February 27-28, 2017, in Scottsdale, Arizona.
The presentation covered:
The role of the governing Board of an organization in enterprise risk management (ERM)
Effective ERM in today’s healthcare setting
When ERM fails: “The perfect storm”
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceResolver Inc.
COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant.
Presentation by: Bob Hirth, Global Chairman of COSO.
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Operational risk management and measurementRahmat Mulyana
a short description in mixed English and Bahasa Indonesia on Operational Risk Management and Measurement, in particular value at risk calculation using Monte carlo Simulation. Another method using EVT (Extree Value Theory) will be delivered shortly. regards
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
The webinar covers:
• The start of any Enterprise Risk Management Program
• The approach to developing a framework that will assist organizations to integrate RM into their enterprise-wide risk management systems
• The relationship between the foundations of the risk management framework and their objectives
Presenter:
This webinar was presented by M. Youssef K, an executive consultant & trainer with several qualifications. He is an accomplished expert with over 10 years’ experience in the field of risk management, project and program management, PRINCE 2, Agile, EVM, business process analysis and design, as well as operational and organizational excellence.
Link of the recorded session published on YouTube: https://youtu.be/9fO-JqENL0I
This presentation provides you with an overview of how to implement Electronic Records Management (ERM) according to ISO15489. The slides are from AIIM's ERM Specialist and Master Certificate Programs. For more information visit www.aiim.org/training
Enterprise Risk Management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
Enterprise Risk Management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.
In recent years, external factors have fueled a heightened interest by organizations in ERM.
Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk-management policies and procedures.
In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk-management processes in the organizations they administer.
Since they thrive on the business of risk, financial institutions are good examples of companies that can benefit from effective ERM.
Their success depends on striking a balance between enhancing profits and managing risk.
In order for any enterprise to properly, effectively, and prudently manage their future growth, Business Strategy needs to be sustained by modern Enterprise Risk Management (ERM) principles and practices.
The Enterprise Risk Management discipline is not anymore a separate management profession or kinky management way, but rather it is a core competency that all organizations and executives must have in this Global Age. It should be a way of life for all.
Implementing Enterprise Risk Management with ISO 31000:2009Goutama Bachtiar
This presentation slides is intended for the training-workshop lead as well as the participants.
Developed based on ISO 31000:2009 – Principles and Guidelines on Implementation, ISO/IEC 31010:2009 – Risk Assessment Techniques, ISO Guide 73:2009 – Vocabulary.
Risk management is an increasingly important
business driver and stakeholders have become
much more concerned about risk. Risk may be a
driver of strategic decisions, it may be a cause of
uncertainty in the organisation or it may simply be
embedded in the activities of the organisation. An
enterprise-wide approach to risk management
enables an organisation to consider the potential
impact of all types of risks on all processes,
activities, stakeholders, products and services.
Implementing a comprehensive approach will
result in an organisation benefiting from what is
often referred to as the ‘upside of risk’.
Presentation of ISO 31000:2009, Risk management, Principles and guidelines. This document explain the standard history, certification & accreditation, main concepts and scope. Implementation and implications are already included. Managing risk is other important topic developed in the document. Finally a short list of related standards are mentioned
Relevance of ISO 31000 for risk professionals.pptxCaptSameerSharma
We live in a complex and dynamic world, and the demands on physical security have increased dramatically.
As the world is constantly changing, the challenges faced by security leaders change as well.
Risk management is now at the forefront of discussion and risk analysis has become the basis for strategic security planning in most organizations.
Historical and current security-related data is fundamental.
Capturing current, complete and insightful data from regional, local, and open sources and blending it with data sourced from the organization’s internal security systems aids in designing an effective security operations framework in effective manner.
Experienced security experts who have had meaningful experience in the area of threat and risk assessment for a decade or more recognize the power of harnessing big data to risk analysis and are bringing solutions that do just that in innovative and ground-breaking ways.
Data models have to be built and designed in such a way that can help to derive and produce better intelligence of what is available today. Patterns and behaviors can help understand, manage, or predict the forces that drive them.
Even predictable patterns and behavior can still be challenging to identify consistently. Designing an adequate data model to manage this risk type is a challenge the security industry has long faced.
Now there exist "The Phantom Menace" that are risks that are already materializing but with losses that haven’t been recognized yet, so they are not captured within the ambit of the security operation data model that is being devised.
The nature of a loss can usually be credited to the specific type of risk that has materialized.
If the operational risk data model captures only losses that have arisen in the past, the model will not reflect the current risk exposure of the institution and potential future loss.
So what is the solution? We might have to revisit the foundation of the operational risk data model, including the data we collect to identify patterns and behaviors.
A case in point is marketing research, what does it involve? Collection and assimilation of potential customer’s data which includes basic or identity Data, engagement, behavioral and attitudinal data, for new product or service launch.
In security operations risk management, we should emulate the similar success and begin to collect wide-ranging data through systems, applications, processes, and human interactions, then derive meaningful patterns and behaviors in line with the unique security risk challenges of organizations and lines of business.
Only through the collection of this data at the broadest level can we identify patterns and behaviors and thus determine which data is truly risk-sensitive. We should look beyond losses if we hope to accurately determine the operational risk exp
This Risk Management Standard is the
result of work by a team drawn from the
major risk management organisations in
the UK - The Institute of Risk
Management (IRM),The Association of
Insurance and Risk Managers (AIRMIC)
and ALARM The National Forum for
Risk Management in the Public Sector.
In addition, the team sought the views and
opinions of a wide range of other
professional bodies with interests in risk
management, during an extensive period
of consultation.
This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management (IRM).
Furthermore, the group looked for the perspectives and assessments of a large number of other expert bodies with interests in risk the executives, during a broad time of meeting.
Discussion1From time to time most organizations make improvement.docxmadlynplamondon
Discussion1
From time to time most organizations make improvements in their ERM framework to compete with latest trends in market and reduce risk factors, or simply choose best ERM framework which adds more value and powerful when compared to current ERM framework. Before selecting any ERM the organization should understand that no ERM is perfect and organizations should choose the best available tool by considering their requirements and future enhancements. In addition to risk analysis and risk management, these days may organizations choosing best ERM for the purpose of financial investments decisions making (Will kenton, 2018).
The ISO31000 is much simpler and superior to Risk scorecard model to mitigate the risk, According to current situation Edmonton Police Service (EPS) who wants to share their ERM with other city departments where new programs and initiatives are needed to be created, Using ISO 31000 is one of the best frameworks an organization can use to manage their risk because it increases the likelihood of an organization to improve on the identification of objectives of threats, achieving organization aim, and objectives and effective allocation and use of resources in risk treatment. Although, ISO 31000 is not used for certification purposes it provides an organization with the best guidelines for internal and external audit programs. This guideline helps an organization to compare their risks with that of other international benchmarks, which end up in providing sound principles for effective corporate governance and effective management. ISO 31000 risk assessment techniques mainly focus on the risk assessment, which helps different decision, makes to be able to understand the risk that may end up affecting the adequacy of the control that is in place and the achievement of the objectives. Therefore in a situation where an organization wants to develop a new ERM for their organization the best framework to use it the ISO 31000 (John Fraser & Betty Simkins, 2014).
Discussion2
The organization needed an enterprise-wide common risk framework, annual assessment cycle, and integration into the strategic planning process. ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. This distinction is a crucial one to understand when comparing the two frameworks and understanding how they can be used.ISO 31000’s focus on risk management as a process devotes more attention to implementation, which broadens its appeal for those looking for insights on that subject
“Risk management creates value, is an integral part of organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on best available information; is tailored; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.”Therefore, ISO 31000 is focused on in ...
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB
We will cover:
• Brief overview of the Standard content
• What is Risk Management?
• Guidance on how to position Risk Management in an organization
• Three examples of where Risk Management must be considered
Presenter:
This webinar will be presented by Steve Tremblay, Owner and Executive ITSM/ISO Consultant at Excelsa Tech.
Similar to A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 (20)
3. Executive summar y
Risk management is an increasingly important Purpose of this guide
business driver and stakeholders have become
much more concerned about risk. Risk may be a A successful enterprise risk management (ERM)
driver of strategic decisions, it may be a cause of initiative can affect the likelihood and
uncertainty in the organisation or it may simply be consequences of risks materialising, as well as
embedded in the activities of the organisation. An deliver benefits related to better informed strategic
enterprise-wide approach to risk management decisions, successful delivery of change and
enables an organisation to consider the potential increased operational efficiency. Other benefits
impact of all types of risks on all processes, include reduced cost of capital, more accurate
activities, stakeholders, products and services. financial reporting, competitive advantage,
Implementing a comprehensive approach will improved perception of the organisation, better
result in an organisation benefiting from what is marketplace presence and, in the case of public
often referred to as the ‘upside of risk’. service organisations, enhanced political and
community support.
The global financial crisis in 2008 demonstrated
the importance of adequate risk management. This guide provides a brief commentary on ISO
Since that time, new risk management standards 31000 as well as setting out advice on the
have been published, including the international implementation of an ERM initiative. The purpose
standard, ISO 31000 ‘Risk management – of the guide is to:
Principles and guidelines’. This guide draws G describe the principles and processes of
together these developments to provide a risk management
structured approach to implementing enterprise
risk management (ERM). G provide a brief overview of the
requirements of ISO 31000
Intended benefits of risk management
G give practical guidance on designing a
For all types of organisations, there is a need to suitable framework
understand the risks being taken when seeking to
achieve objectives and attain the desired level of G give practical advice on implementing
reward. Organisations need to understand the enterprise risk management
overall level of risk embedded within their
processes and activities. It is important for
organisations to recognise and prioritise significant
risks and identify the weakest critical controls.
When setting out to improve risk management
performance, the expected benefits of the risk
management initiative should be established in
advance. The outputs from successful risk
management include compliance, assurance and
enhanced decision-making. These outputs will
provide benefits by way of improvements in the
efficiency of operations, effectiveness of tactics
(change projects) and the efficacy of the strategy
of the organisation.
2 A structured approach to Enterprise Risk Management
4. Introduction
This guide is the result of work by a team drawn COSO ERM framework and ISO 31000
from the main risk management organisations in
the UK – the Association of Insurance and Risk The Committee of Sponsoring Organizations of
Managers (AIRMIC), the public sector risk the Treadway Commission (COSO) published an
management association (Alarm) and the Institute Enterprise Risk Management (ERM) standard in
of Risk Management (IRM). The guide is intended 2004. The COSO ERM cube is well known to risk
to be applicable to all types of organisations. management practitioners and it provides a
Throughout the guide, the word Board is used to framework for undertaking ERM. It has gained
signify the decision-making body within an considerable influence because it is linked to the
organisation. In the public sector, this body may Sarbanes-Oxley requirements for companies listed
be referred to as the Council, Executive or in the United States. ISO 31000 was published in
Authority. 2009 as an internationally agreed standard for the
implementation of risk management principles.
There are many opinions regarding what risk
management involves, how it should be This guide provides a structured approach to
implemented and what it can achieve. implementing risk management on an enterprise-
International Organisation for Standardisation (ISO) wide basis that is compatible with both COSO
standard 31000 was published in 2009 and seeks ERM and ISO 31000. However, the guide places
to answer these questions. This guide includes a more emphasis on ISO 31000 because it is an
brief commentary on ISO 31000, as well as international standard and many organisations
providing further information on the successful have international operations. At the same time as
implementation of risk management. Importantly, publishing ISO 31000, ISO also produced Guide
this guide recognises that risk has both an upside 73 ‘Risk management – Vocabulary – Guidelines
and downside. for use in standards’.
Risk management principles Acknowledgements
Permission to reproduce extracts from ISO 31000
Risk management is a process that is under-
‘Risk management – Code of practice’ is granted
pinned by a set of principles. Also, it needs to be
by the BSI. British Standards can be obtained in
supported by a structure that is appropriate to the
PDF or hard copy formats from the BSI online
organisation and its external environment or
shop: www.bsigroup.com/shop or by contacting
context. A successful risk management initiative
BSI Customer Services for hardcopies only: Tel:
should be proportionate to the level of risk in the
+44 (0)20 8996 9001, e-mail:
organisation (as related to the size, nature and
cservices@bsigroup.com
complexity of the organisation), aligned with other
corporate activities, comprehensive in its scope, Figure 1, Figure 4, Table 2, Table 3 and Table 4 are
embedded into routine activities and dynamic by reproduced with kind permission of Kogan Page
being responsive to changing circumstances. Limited from “Fundamentals of Risk Management”
(2010) ISBN 978 0 7494 5942 0
This approach will enable a risk management
www.koganpage.com
initiative to deliver outputs, including compliance
with applicable governance requirements,
assurance to stakeholders regarding the
management of risk and improved decision-
making. The impact or benefits associated with
these outputs include more efficient operations,
effective tactics and efficacious strategy. These
benefits need to be measurable and sustainable.
Appendix A provides a checklist of actions that
should be completed in order to fully satisfy risk
management requirements.
3 A structured approach to Enterprise Risk Management
5. Part 1: Risk, risk management and ISO 31000
Part 1 provides an overview of risk and risk Definition of risk
management with particular reference to ISO
31000. The terminology used to describe the There are many definitions of risk and risk
steps in the risk management process is not management. The definition set out in ISO Guide
consistent and this part reflects on these 73 is that risk is the “effect of uncertainty on
difficulties. A summary of the risk management objectives”. In order to assist with the application
requirements that should be in place in order to of this definition, Guide 73 also states that an
ensure good standards of risk governance are effect may be positive, negative or a deviation
presented by way of a checklist in Appendix A. from the expected, and that risk is often described
by an event, a change in circumstances or a
1. Nature and impact of risk consequence.
Risks can impact an organisation in the short, This definition links risks to objectives. Therefore,
medium and long term. These risks are related to this definition of risk can most easily be applied
operations, tactics and strategy, respectively. when the objectives of the organisation are
Strategy sets out the long-term aims of the comprehensive and fully stated. Even when fully
organisation, and the strategic planning horizon stated, the objectives themselves need to be
for an organisation will typically be 3, 5 or more challenged and the assumptions on which they
years. Tactics define how an organisation intends are based should be tested, as part of the risk
to achieve change. Therefore, tactical risks are management process.
typically associated with projects, mergers,
acquisitions and product developments.
Operations are the routine activities of the
organisation.
For example, consider the infrastructure of an organisation and the implementation of a new IT
system. The choice of hardware and software are strategic decisions. If these choices are
incorrect, the consequences will not be obvious for some time. The associated risks are strategic
risks and these risks will be taken with the intention of achieving benefits. Correct strategic
decisions deliver benefits that result in achievement of the upside of risk.
The project to install the new hardware and software will be a change initiative that represents the
tactics by which strategy will be implemented. Risks within the project need to be managed, so
that the project is delivered on time, within budget and to specification. Again, it is possible to
achieve an upside in the execution of the project, whereby the project is delivered early and below
budget. It is also possible that the IT hardware and software will deliver greater benefits than
anticipated.
Once the new hardware and software has been installed, the system will be vulnerable to
operational risks, including computer breakdown, loss of data, virus attacks and operator errors.
These operational risks may be very significant, and correct procedures will need to be designed
and implemented to minimise potential disruption.
4 A structured approach to Enterprise Risk Management
6. Recording risk assessments For example, many organisations find that
assessing likelihood and consequences as high,
Risk assessment involves the identification of risks medium or low, with the results presented on a 3 x
followed by their evaluation or ranking. It is 3 risk matrix is adequate. Other organisations find
important to have a template for recording that more options are necessary and a 4 x 4 or 5 x
appropriate information about each risk. Table 1 5 risk matrix is required. By considering the
shows the range of information that may need to likelihood and consequences of each risk, it will be
be recorded. The objective of a template is to possible to prioritise or rank the key risks for
enable the information to be recorded in a table, further analysis.
risk register, spreadsheet or a computer-based
system. Although a simple description of a risk is Risk classification systems
sometimes sufficient, there are circumstances
An important part of analysing a risk is to
where a detailed risk description may be required
determine the nature, source or type of impact of
in order to facilitate a comprehensive risk
the risk. Evaluation of risks in this way may be
assessment process.
enhanced by the use of a risk classification
The consequences of a risk materialising may be system. Risk classification systems are important
negative (hazard risks), positive (opportunity risks) because they enable an organisation to identify
or may result in greater uncertainty. Organisations accumulations of similar risks. A risk classification
need to establish appropriate definitions for the system will also enable an organisation to identify
different levels of likelihood and consequences which strategies, tactics and operations are most
associated with these different risks. Risk ranking vulnerable.
can be quantitative, semi-quantitative or qualitative
Risk classification systems are usually based on
in terms of the likelihood of occurrence and the
the division of risks into those related to financial
possible consequences or impact.
control, operational efficiency, reputational
Organisations will need to define their own exposure and commercial activities. However,
measures of likelihood of occurrence and there is no risk classification system that is
consequences. universally applicable to all types of organisations.
Table 1: Detailed risk description
1 Name or title of risk G Unique identifier or risk index
2 Scope of risk G Scope of risk and details of possible events, including description of
the events, their size, type and number
3 Nature of risk G Classification of risk, timescale of potential impact and description
as hazard, opportunity or uncertainty
4 Stakeholders G Stakeholders, both internal and external, and their expectations
5 Risk evaluation G Likelihood and magnitude of event and possible impact or
consequences should the risk materialise at current level
6 Loss experience G Previous incidents and prior loss experience of events related to the
risk
7 Risk tolerance, appetite G Loss potential and anticipated financial impact of the risk
or attitude G Target for control of risk and desired level of performance
G Risk attitude, appetite, tolerance or limits for the risk
8 Risk response, treatment G Existing control mechanisms and activities
and controls G Level of confidence in existing controls
G Procedures for monitoring and review of risk performance
9 Potential for risk improvement G Potential for cost-effective risk improvement or modification
G Recommendations and deadlines for implementation
G Responsibility for implementing any improvements
10 Strategy and policy G Responsibility for developing strategy related to the risk
developments G Responsibility for auditing compliance with controls
5 A structured approach to Enterprise Risk Management
7. This may be especially true for organisations Risk aware culture
operating in the public sector and those involved in
the delivery of services to the public. Risk management must be integrated into the
culture of the organisation and this will include
There are many risk classification systems mandate, leadership and commitment from the
available and the one selected will depend on the
Board. It must translate risk strategy into tactical
size, nature and complexity of the organisation.
ISO 31000 does not recommend a specific risk and operational objectives, and assign risk
classification system and each organisation will management responsibilities throughout the
need to develop the system most appropriate to organisation. It should support accountability,
the range of risks that it faces. performance measurement and reward, thus
promoting operational efficiency at all levels.
2: Principles of risk management
Achieving a good risk aware culture is ensured by
Risk management is a central part of the strategic establishing an appropriate risk architecture,
management of any organisation. It is the process strategy and protocols.
whereby organisations methodically address the
risks attached to their activities. A successful risk In order to successfully implement, support and
management initiative should be proportionate to sustain the risk management process, a structure
the level of risk in the organisation, aligned with is required. ISO 31000 refers to this structure as
other corporate activities, comprehensive in its the risk management context.
scope, embedded into routine activities and
Figure 1 illustrates a suitable structure in terms of
dynamic by being responsive to changing
the risk architecture, strategy and protocols, and
circumstances.
briefly describes the key features of each element.
The focus of risk management is the assessment This structure is designed to give context to risk
of significant risks and the implementation of management activities and support the risk
suitable risk responses. The objective is to achieve management process.
maximum sustainable value from all the activities
Risk management process
of the organisation. Risk management enhances
the understanding of the potential upside and The risk management process can be presented
downside of the factors that can affect an as a list of co-ordinated activities. There are
organisation. It increases the probability of alternative descriptions of this process, but the
success and reduces both the probability of failure components listed below are usually present. This
and the level of uncertainty associated with list represents the 7Rs and 4Ts of (hazard) risk
achieving the objectives of the organisation. management:
Context for risk management G recognition or identification of risks
Risk management should be a continuous G ranking or evaluation of risks
process that supports the development and
implementation of the strategy of an organisation. G responding to significant risks
It should methodically address all the risks
associated with all of the activities of the N tolerate
organisation. In all types of undertaking, there is N treat
the potential for events that constitute
opportunities for benefit (upside), threats to N transfer
success (downside) or an increased degree of
N terminate
uncertainty.
G resourcing controls
It is often argued that, for health and safety risks,
the consequences can only be negative and the G reaction planning
management of safety risk should focus on
prevention and mitigation of harm. However, for G reporting and monitoring risk performance
outsourced service providers, setting good
G reviewing the risk management
standards of health and safety may be part of
framework
winning contracts and this demonstrates that
there is an upside to safety risk management.
6 A structured approach to Enterprise Risk Management
8. Figure 1: Risk architecture, strategy and protocols
Risk architecture Risk strategy
G Risk architecture specifies the G Risk strategy, appetite, attitudes
roles, responsibilities, and philosophy are defined in the
communication and risk reporting Risk Management Policy
structure
Risk management process
Risk protocols
G Risk protocols are presented in the form of the risk guidelines for the
organisation and include the rules and procedures, as well as specifying the
risk management methodologies, tools and techniques that should be used
Recognition and ranking of risks together form the Framework for managing risk
risk assessment activity. ISO 31000 uses the
phrase ‘risk treatment’ to include all of the 4Ts ISO 31000 describes a framework for
included under the heading ‘risk response’. The implementing risk management, rather than a
scope of risk responses available for hazard risks framework for supporting the risk management
includes the options of tolerate, treat, transfer process. Information on designing the framework
or terminate the risk or the activity that gives rise to that supports the risk management process is not
the risk. For many risks, these responses may set out in detail in ISO 31000. An organisation will
be applied in combination. For opportunity risks, describe its framework for supporting risk
the range of available options includes exploiting management by way of the risk architecture,
the risk. Reaction planning includes business strategy and protocols for the organisation.
continuity planning and disaster recovery planning.
The risk architecture, strategy and protocols
3: Review of ISO 31000 shown in Figure 1 represent the internal
arrangements for communicating on risk issues.
ISO 31000 describes the components of a risk
It also sets out the roles and responsibilities of the
management implementation framework. Figure 2
individuals and committees that support the risk
provides a simplified version of this implementation
management process. The risk strategy should set
framework. It includes the essential steps in the
out the objectives that risk management activities
implementation and ongoing support of the risk
in the organisation are seeking to achieve. Finally,
management process. The initial component of
the risk protocols describe the procedures by
the ISO 31000 framework is ‘mandate and
which the strategy will be implemented and risks
commitment’ by the Board and this is followed by:
managed.
G design of framework
4: Achieving the benefits of ERM
G implement risk management
Figure 3 provides a simplified version of the risk
G monitor and review framework management process from ISO 31000 using the
terminology of Guide 73. The key stages in the
G improve framework process are represented as risk assessment and
risk treatment. Figure 3 also indicates that the risk
management process takes place within the risk
management context of the organisation.
7 A structured approach to Enterprise Risk Management
9. Figure 2: Framework for managing risk (based on ISO 31000)
Mandate and commitment
Design of framework
G Organisation and its context
G Risk management policy
G Embedding risk management
Implement risk
management
Improve framework G
Implement framework
G
Implement RM process
Monitor and review framework
Risk assessment treatments include tolerate, treat, transfer and
terminate. An organisation may decide that there
Risk identification establishes the exposure of the
is also a need to improve the control environment.
organisation to risk and uncertainty. This requires
an intimate knowledge of the organisation, the Risk treatment
market in which it operates, the legal, social,
political and cultural environment in which it exists, Risk treatment is presented in ISO 31000 as the
as well as an understanding of strategic and activity of selecting and implementing appropriate
operational objectives. This will include knowledge control measures to modify the risk. Risk
of the factors critical to success and the threats treatment includes as its major element, risk
and opportunities related to the achievement of control (or mitigation), but extends further to, for
objectives. It should be approached in a example, risk avoidance, risk transfer and risk
methodical way to ensure that all value-adding financing. Any system of risk treatment should
activities within the organisation have been provide efficient and effective internal controls.
evaluated and all the risks flowing from these Effectiveness of internal control is the degree to
activities defined. which the risk will either be eliminated or reduced
by the proposed control measures. The cost-
The result of the risk analysis can be used to effectiveness of internal control relates to the cost
produce a risk profile that gives a rating of of implementing the control compared to the risk
significance to each risk and provides a tool for reduction benefits achieved.
prioritising risk treatment efforts. This ranks the
relative importance of each identified risk. This Compliance with laws and regulations is not an
process allows the risks to be mapped to the option. An organisation must understand the
business area affected, describes the primary applicable laws and must implement a system of
control mechanisms in place and indicates where controls that achieves compliance. One method of
the level of investment in controls might be obtaining financial protection against the impact of
increased, decreased or reapportioned. risks is through risk financing, including insurance.
However, it should be recognised that some
The risk analysis activity assists the effective and losses or elements of a loss may be uninsurable,
efficient operation of the organisation by identifying such as uninsured costs and damage to employee
those risks that require attention by management. morale and the reputation of the organisation.
This will facilitate the ability to prioritise risk control
actions in terms of their potential to benefit the
organisation. The range of available risk response
8 A structured approach to Enterprise Risk Management
10. Feedback mechanisms Reporting and disclosure are only very briefly
mentioned in ISO 31000 and they are not included
ISO 31000 recognises the importance of feedback in the process shown in Figure 3. Also, the
by way of two mechanisms. These are monitoring monitoring and review feedback activities set out
and review of performance and communication in ISO 31000 do not explicitly mention the tasks of
and consultation. Monitoring and review ensures monitoring risk performance and reviewing the risk
that the organisation monitors risk performance management framework.
and learns from experience. Communication and
consultation is presented in ISO 31000 as part of
the risk management process, but it may also be
considered to be part of the supporting
framework.
Figure 3: Risk management process (based on ISO 31000)
Establish context
Communication and consultation
Risk assessment
Monitoring and review
Risk identification
Risk analysis
Risk evaluation
Risk treatment
9 A structured approach to Enterprise Risk Management
11. Part 2: Enterprise risk management
Part 2 provides an overview of the steps involved in Board mandate and commitment
the implementation of an enterprise risk
management (ERM) initiative. The terminology used Many organisations issue an updated version of
in this part is based on the 7Rs and 4Ts of (hazard) their risk management policy each year. This
risk management. A brief description of the steps ensures that the overall risk management approach
involved in the implementation of an ERM initiative is in line with current best practice.
is provided in Appendix B. It also gives the organisation the opportunity to
focus on the intended benefits for the coming year,
5: Planning and designing identify the risk priorities and ensure that
appropriate attention is paid to emerging risks. The
There are a number of factors that should be policy should also describe the risk architecture of
considered when designing and planning an ERM the organisation. Figure 4 illustrates a typical risk
initiative. Details of the risk architecture, strategy architecture of a large listed company.
and protocols should be recorded in a risk
management policy for the organisation. Table 2 Mandate and commitment from the Board is
provides information on the contents of a typical critically important and it needs to be continuous
risk management policy. and high-profile. Unless this mandate and
commitment are forthcoming, the risk management
initiative will be unsuccessful. Keeping the risk
management policy up to date demonstrates that
risk management is a dynamic activity fully
supported by the Board.
Table 2: Contents of risk management policy
A risk management policy should include the following sections:
G Risk management and internal control objectives (governance)
G Statement of the attitude of the organisation to risk (risk strategy)
G Description of the risk aware culture or control environment
G Level and nature of risk that is acceptable (risk appetite)
G Risk management organisation and arrangements (risk architecture)
G Details of procedures for risk recognition and ranking (risk assessment)
G List of documentation for analysing and reporting risk (risk protocols)
G Risk mitigation requirements and control mechanisms (risk response)
G Allocation of risk management roles and responsibilities
G Risk management training topics and priorities
G Criteria for monitoring and benchmarking of risks
G Allocation of appropriate resources to risk management
G Risk activities and risk priorities for the coming year
10 A structured approach to Enterprise Risk Management
12. Scope of the initiative scope of the initiative will be defined by the range of
benefits the organisation is seeking to achieve and this
In order to be successful, the ERM initiative needs to will be influenced by the expectations of the various
be comprehensive. However, introducing enhanced stakeholders in the organisation.
standards of risk management is a progressive
process that cannot be achieved instantaneously.
Therefore, it is necessary for an organisation to decide
the scope of the ERM initiative, as it develops. The
Figure 4: Risk architecture of a large PLC
The Board Audit Committee
G Overall responsibility for risk G Receive routine reports from GRMC
management G Set annual audit programme and priorities
G Ensure risk management is G Monitor progress with audit recommendations
embedded into all processes and
activities
G Provide risk assurance to the Board
G Review group risk profile
G Oversee RM structures and processes
Group Risk Management Committee (GRMC)
G Formulate strategy and policy based on risk appetite, Disclosures Committee
risk attitudes and risk exposures
G Review and evaluate disclosure
G Receive reports from business units, review risk controls and procedures
management activities and compile the group risk
register
G Consider materiality of information
disclosed to external parties
G Receive reports from business units and make reports
and recommendations to the Board
G Track RM activity in the business units and keep the risk
management context under review
Business units
G Produce specific policy statements, as necessary
Direct and monitor G Prepare and update the business unit risk register
Reports for evaluation G Set risk priorities for business unit
G Monitor projects and risk improvements
G Prepare reports for GRMC
G Manage control risk self-certification activities
11 A structured approach to Enterprise Risk Management
13. Risk management framework The range of risk management responsibilities that
need to be allocated in the policy will be broad and
Depending on the nature of the organisation, the risk extensive. Table 3 sets out examples of the risk
management function may range from a part-time risk management responsibilities that may be allocated in a
manager, to a single risk champion, to a full-scale risk typical large organisation. The Board has responsibility
management department. The role of the internal audit for determining the strategic direction of the
function will also differ from one organisation to organisation and creating the context for risk
another. In determining the most appropriate role for management. There need to be arrangements in place
internal audit, the organisation needs to ensure that the to achieve continuous improvement in performance
independence and objectivity of internal audit are not and this responsibility is likely to be allocated to the risk
compromised. manager.
Table 3: Risk management responsibilities
1. RM responsibilities for the CEO / Board:
G Determine strategic approach to risk and set risk appetite
G Establish the structure for risk management
G Understand the most significant risks
G Manage the organisation in a crisis
2. RM responsibilities for the business unit manager:
G Build risk aware culture within the unit
G Agree risk management performance targets
G Ensure implementation of risk improvement recommendations
G Identify and report changed circumstances / risks
3. RM responsibilities for individual employees:
G Understand, accept and implement RM processes
G Report inefficient, unnecessary or unworkable controls
G Report loss events and near miss incidents
G Co-operate with management on incident investigations
4. RM responsibilities for the risk manager:
G Develop the risk management policy and keep it up to date
G Document the internal risk policies and structures
G Co-ordinate the risk management (and internal control) activities
G Compile risk information and prepare reports for the Board
5. RM responsibilities for specialist risk management functions:
G Assist the company in establishing specialist risk policies
G Develop specialist contingency and recovery plans
G Keep up to date with developments in the specialist area
G Support investigations of incidents and near misses
6. RM responsibilities for internal audit manager:
G Develop a risk-based internal audit programme
G Audit the risk processes across the organisation
G Receive and provide assurance on the management of risk
G Report on the efficiency and effectiveness of internal controls
12 A structured approach to Enterprise Risk Management
14. 6: Implementing and benchmarking Other considerations relevant to undertaking risk
assessments include decisions on how the risk
Risk assessment is a fundamentally important part assessments will be recorded. It is at this stage
of the risk management process. In order to that an organisation will decide the level of detail
achieve a comprehensive risk management that will be recorded about each risk in the risk
approach, an organisation needs to undertake description. Another important part of the risk
suitable and sufficient risk assessments. A range assessment procedures will be the identification of
of the most common risk assessment techniques the risk classification system to be used by the
is set out in Table 4. organisation.
Establish risk assessment procedures Undertake risk assessments
Risk assessment will be required as part of the An organisation should develop benchmarks to
decision-making processes intended to exploit determine the significance (or materiality) of the
business opportunities. One way of ensuring that identified risks. The nature of these benchmark
risk is part of business decision-making is to tests will depend on the type of risk. For financial
ensure that a risk assessment is attached to all risks, a sum of money can be used as the
strategy papers presented to the Board. Likewise, benchmark test of significance. For risks that can
risk assessment of all proposed projects should cause disruption to operations, the length of
be undertaken and further risk assessments disruption may be a suitable test. Reputational
should be undertaken throughout the project. risks can be benchmarked in terms of the profile
Finally, risk assessments are also required in that the report of the event would receive, the
relation to routine operations. likely impact of the event on share price, or the
impact on the political and financial support
received from key stakeholders.
Table 4: Risk assessment techniques
Technique Brief description
G Questionnaires and checklists Use of structured questionnaires and checklists to collect
information to assist with the recognition of the significant risks
G Workshops and brainstorming Collection and sharing of ideas and discussion of the events that
could impact the objectives, stakeholder expectations or key
dependencies
G Inspections and audits Physical inspections of premises and activities and audits of
compliance with established systems and procedures
G Flowcharts and dependency Analysis of processes and operations within the
analysis organisation to identify critical components that are key to
success
G HAZOP and FMEA approaches Hazard and Operability studies and Failure Modes Effects
Analysis are quantitative technical failure analysis techniques
G SWOT and PESTLE analyses Strengths Weaknesses Opportunities Threats (SWOT) and
Political Economic Social Technological Legal Environmental
(PESTLE) analyses offer structured approaches to risk recognition
13 A structured approach to Enterprise Risk Management
15. Having identified suitable risk assessment Internal and external factors can give rise to risks.
procedures and decided the benchmark test of Figure 5 is based on the FIRM Risk Scorecard risk
significance for different classes of risks, it will then classification system and it provides examples of
be possible to identify the appetite or attitude to internal and external key risk drivers. Some risk
that type of risk, together with the capacity of the classification systems have strategic risk as a
organisation to withstand that risk. Finally, the separate category. However, the FIRM Risk
organisation can determine the overall exposure to Scorecard approach suggests that strategic (as
the particular type of risk under consideration. well as tactical and operational) risks should be
identified under all four headings.
Figure 5: Drivers of risk management
FINANCIAL RISKS INFRASTRUCTURE RISKS
ACCOUNTING STANDARDS COMMUNICATIONS
INTEREST RATES TRANSPORT LINKS
FOREIGN EXCHANGE SUPPLY CHAIN
FUNDS AND CREDIT TERRORISM
NATURAL DISASTERS
PANDEMIC
INTERNAL CONTROL
FRAUD RECRUITMENT
HISTORICAL LIABILITIES PEOPLE SKILLS
INVESTMENTS HEALTH AND SAFETY
CAPEX DECISIONS PREMISES
LIQUIDITY AND CASHFLOW IT SYSTEMS
M&A ACTIVITY BRAND EXTENSIONS
R&D ACTIVITIES BOARD COMPOSITION
INTELLECTUAL PROPERTY CONTROL ENVIRONMENT
CONTRACTS
ECONOMIC ENVIRONMENT PRODUCT RECALL
TECHNOLOGY DEVELOPMENTS CSR
COMPETITION PUBLIC PERCEPTION
CUSTOMER DEMAND REGULATOR ENFORCEMENT
REGULATORY REQUIREMENTS COMPETITOR BEHAVIOUR
MARKETPLACE RISKS REPUTATIONAL RISKS
14 A structured approach to Enterprise Risk Management
16. Risk appetite and tolerances As well as monitoring the effectiveness of the
existing controls and the implementation of
It is important that the Board sets rules for risk- additional controls, the cost-effectiveness of the
taking in respect of all types of risk, and some existing controls should also be monitored.
organisations have produced a risk appetite Additionally, monitoring and measuring includes
statement that is applicable to all classes of risk. It evaluation of the risk aware culture and the risk
is fairly easy for an organisation to confirm that it management framework, and assessment of the
has no appetite for causing injury and ill health. In extent to which risk management tasks are aligned
practice, however, this may need to be developed with other corporate activities.
into a set of targets for health and safety
performance. There is a danger that risk appetite Evaluate existing controls
statements fail to be dynamic, and they can
constrain behaviour and rapid response. Monitoring and measuring extends to the
evaluation of culture, performance and
At Board level, risk appetite is a driver of strategic preparedness of the organisation. The scope of
risk decisions. At executive level, risk appetite activities covered by monitoring and measuring
translates into a set of procedures to ensure that also includes monitoring of risk improvement
risk receives adequate attention when making recommendations and evaluation of the
tactical decisions. At operational level, risk appetite embedding of risk management activities in the
dictates operational constraints for routine organisation, as well as routine monitoring of risk
activities. Despite its importance, it is surprising performance indicators.
that the concept of risk appetite is not mentioned
in ISO 31000, although it is included in most other Monitoring the preparedness of the organisation to
risk management standards and stock exchange cope with major disruption is an important part of
listing requirements. risk management. This activity normally extends to
the development and testing of business continuity
7. Measuring and monitoring plans and disaster recovery plans. There is an
overriding need to keep these plans up to date so
It is frequently the case that risk assessments are that the preparedness of the organisation to cope
recorded in a risk register. There is no standard with the identified risk events is assured.
format for a risk register and the organisation
should establish a suitable format for this important Evaluation of the existing controls will lead to the
document. The risk register should not become a identification of risk improvement
static record of the significant risks faced by the recommendations. These recommendations
organisation. It should be viewed as a risk action should be recorded in the risk register by way of a
plan that includes details of the current controls risk action plan. An important part of evaluating the
and details of any further actions that are planned. effectiveness of existing controls is to ensure that
there is adequate evaluation of the business
These further actions should be written as continuity planning and disaster recovery planning
auditable actions that must be completed within a arrangements in place.
defined timescale by identified individuals. This will
enable the internal audit function to monitor the Embed risk aware culture
existing controls and monitor the implementation of
any necessary additional controls. The resources Changes in the organisation and the environment
required to implement the risk management policy in which it operates must be identified and
should be clearly established at each level of appropriate modifications made to protocols.
management and within each business unit. Risk Monitoring activities should provide assurance that
management should be embedded within the there are appropriate controls in place and that the
strategic planning and budget processes. procedures are understood and followed. Changes
within the organisation and the external business
environment must be identified, so that existing
procedures can be modified.
15 A structured approach to Enterprise Risk Management
17. Any monitoring and measuring process should also An annual review of the risk management
determine whether: framework will be necessary, including evaluation
of the risk architecture, strategy and protocols. It is
G the measures adopted achieved the
important that the organisation has a risk-based
intended result
audit plan and undertakes appropriate risk reviews.
G the procedures adopted were efficient
Other features of learning from experience include
G sufficient information was available for the evaluation of audit reports and an assessment of
risk assessments the sources of risk assurance available to the
Board and the audit committee. An evaluation of
G improved knowledge would have helped
the level of assurance that has been obtained is
to reach better decisions
also necessary. Often, a major source of risk
G lessons can be learned for future assurance for the Board will be self-certification,
assessments and controls such as a Control Risk Self Assessment process
that provides assurance regarding risk
Embedding risk management involves an management, risk reporting and disclosure, as well
environment that can demonstrate leadership from as information about learning from incidents.
senior management, involvement of staff at all
levels, a culture of learning from experience, Report risk performance
appropriate accountability for actions (without
In addition to internal communication and
developing an automatic blame culture) and good
reporting, there will be an obligation on
communication on risk issues.
organisations to report externally. Increasingly,
8. Learning and reporting these external reports are produced in response to
mandatory requirements related to risk
Completing the feedback loop on the risk management and internal control, such as Turnbull
management process involves the important steps and Sarbanes-Oxley. External risk reporting is
of learning from experience and reporting on designed to provide external stakeholders with
performance. In order to learn from experience, an assurance that risks have been adequately
organisation needs to review risk performance
managed.
indicators and measure the contribution that
enterprise risk management has made to the External reporting should provide useful information
success of the organisation. to stakeholders on the status of risk management
and the actions that are being taken to ensure
The reasons for undertaking the risk management
continuous improvement in performance. A
initiative should have been clearly established. If
company needs to report to its stakeholders on a
this has not been done, the organisation will be
regular basis, setting out its risk management
unable to evaluate whether the contribution was in
policies and the effectiveness in achieving its
line with expectations. Monitoring of risk
objectives. Increasingly, stakeholders look to
performance indicators should include an
organisations to provide evidence of appropriate
evaluation of the contribution being made by risk
corporate behaviour in such areas as community
management, as well as an evaluation of the
affairs, human rights, employment practices, health
appropriateness of the control mechanisms that
and safety, and the environment.
have been selected.
Risk reporting provides information on historical
Monitor risk performance
losses and trends. However, risk disclosure is a more
Learning the lessons from risk management also forward-looking activity that anticipates emerging
requires investigation of the opinions of key risks. There is a clear difference between measuring
stakeholders both internally and externally. In and monitoring risk performance and undertaking
particular, the opinion of internal audit and steps to learn from experience to improve the risk
evaluation of risk management activities at audit management process and framework. Important
committee will be vitally important. Learning from lessons can be learned that will assist with improving
experience requires more than evaluation of the the design of the support framework and the
risk performance indicators. implementation framework.
16 A structured approach to Enterprise Risk Management
18. Appendix A: Risk management checklist
Risk architecture
G Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the
Board
G Risk management responsibilities allocated to an appropriate management committee
G Arrangements are in place to ensure the availability of appropriate competent advice on risks and
controls
G Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk
maturity
G Sources of risk assurance for the Board have been identified and validated
Risk strategy
G Risk management policy produced that describes risk appetite, risk culture and philosophy
G Key dependencies for success identified, together with the matters that should be avoided
G Business objectives validated and the assumptions underpinning those objectives tested
G Significant risks faced by the organisation identified, together with the critical controls required
G Risk management action plan established that includes the use of key risk indicators, as appropriate
G Necessary resources identified and provided to support the risk management activities
Risk protocols
G Appropriate risk management framework identified and adopted, with modifications as appropriate
G Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
G Procedures to include risk as part of business decision-making established and implemented
G Details of required risk responses recorded, together with arrangements to track risk improvement
recommendations
G Incident reporting procedures established to facilitate identification of risk trends, together with risk
escalation procedures
G Business continuity plans and disaster recovery plans established and regularly tested
G Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant
risks
G Arrangements in place for mandatory reporting on risk, including reports on at least the following:
N Risk appetite, tolerance and constraints
N Risk architecture and risk escalation procedures
N Risk aware culture currently in place
N Risk assessment arrangements and protocols
N Significant risks and key risk indicators
N Critical controls and control weaknesses
N Sources of assurance available to the Board
17 A structured approach to Enterprise Risk Management
19. Appendix B: Implementation summar y
The table below provides an overview of the steps G Planning and designing
involved in the implementation of an enterprise risk
G Implementing and benchmarking
management (ERM) initiative. Successful
implementation of an ERM initiative is an ongoing G Measuring and monitoring
process that involves working through the 10 steps
G Learning and reporting
set out below on a continuous basis. The 10 steps
are divided between:
Activity Concepts / Tools and techniques
Planning and designing (see Section 5)
1. Identify intended benefits of the enterprise risk management G Benefits of ERM
initiative and gain Board mandate G Embedding risk management
2. Plan the scope of the ERM initiative and develop common G Upside of risk
language of risk G Stakeholder expectations
3. Establish the risk management strategy, framework, and G Risk management policy
the roles and responsibilities G Risk architecture
Implementing and benchmarking (see Section 6)
4. Adopt suitable risk assessment procedures and an agreed G Risk description
risk classification system G Risk classification systems
5. Establish risk significance benchmarks and undertake G Risk assessment techniques
risk assessments G Benchmark tests of significance
6. Determine risk appetite and risk tolerance levels, and G Risk register
evaluate the existing controls G Risk appetite
Measuring and monitoring (see Section 7)
7. Ensure cost-effectiveness of existing controls and introduce G Risk improvement plans
improvements G BCP and DRP
8. Embed risk aware culture and align risk management with G Control environment
other management tasks G Risk communications
Learning and reporting (see Section 8)
9. Monitor and review risk performance indicators to measure G Audit plan and risk reviews
ERM contribution G Sources of risk assurance
10. Report risk performance in line with legal and other G Risk reporting
obligations, and monitor improvement G Legal requirements
18 A structured approach to Enterprise Risk Management
20. The Association of 6 Lloyd’s Avenue,
Insurance and Risk Managers London EC3N 3AX
Telephone 020 7480 7610 Facsimile 020 7702 3752
Email enquiries@airmic.co.uk
www.airmic.com
The Public Risk Management Association Ashton House
Telephone 0333 1230007 Weston
Sidmouth
Devon EX10 0PF
Facsimile 0333 4560007
Email admin@Alarm-uk.org
www.Alarm-uk.org
The Institute of Risk Management 6 Lloyd’s Avenue,
Telephone 020 7709 9808 London EC3N 3AX
Facsimile 020 7709 0716
Email enquiries@theirm.org
www.theirm.org
This document is available for download free of charge from the websites of the above organisations.