The document discusses the role of chartered accountants in enterprise risk management. It begins with defining risk and the types of risks faced by organizations. It then explains what enterprise risk management is, its importance and benefits. It outlines the statutory requirements for ERM in India per the Companies Act and SEBI regulations. Finally, it details the various ways chartered accountants can facilitate the ERM process, such as conducting process audits, developing ERM frameworks, and assisting with implementation.

1. 1
Chartered Accountant’s Role in an Enterprise Risk Management
By
CA. (Dr.) Rajkumar Adukia
Author of more than 300 books,
Business Growth and Motivational Coach,
Member IFRS SMEIG London 2018-2020
Ex director - SBI mutual fund, BOI mutual fund
Ph. D , LL.B, LLM (Constitution), FCA,FCS, MBA, MBF , FCMA, Dip Criminology, Dip in IFR(UK)
Justice (Harvard) , CSR, Dip IPR, Dip Criminology ,dip in CG , Dip Cyber, dip data privacy B. Com , M.
Com., Dip LL & LW
Student of – MA (psychology), MA (Economics), IGNOU PGDCR, PGCAP etc
Chairman western region ICAI 1997, Council Member ICAI 1998-2016
Introduction:
Business and Risk goes hand in hand, the professionals like chartered accountants with the
expertise in finance, management and audit are well suited for the role of forecasting, evaluating
and mitigating prospective risk involve in any organization’s activity and seize opportunities to
take the growth of business on next level.
This article brings you in depth details of role of chartered accountant in an Enterprise Risk
Management.
What is Risk?
Risk implies future uncertainty about deviation from expected earnings or expected outcome.
Like it or not, risk is inevitable part of any organization. Uncertainty presents both risk and
opportunity. It has the potential to erode or enhance the organization’s value. Risk is an event
which can prevent, hinder, fail to further or otherwise obstruct the enterprise in achieving its
objectives. A business risk is the threat that an event or action will adversely affect an
enterprise’s ability to maximize stakeholder value and to achieve its business objectives. Risk

2. 2
can cause financial disadvantage, for example, additional costs or loss of funds or assets. It can
result in damage, loss of value and /or loss of an opportunity to enhance the enterprise operations
or activities. Risk is the product of probability of occurrence of an event and the financial impact
of such occurrence to an enterprise.
What are the Types of Risks?
Risk may be broadly classified into Strategic, Operational, Financial and Knowledge.
Strategic Risks are associated with the primary long-term purpose, objectives and direction of the
business.
Operational Risks are associated with the on-going, day-to-day operations of the enterprise.
Financial Risks are related specifically to the processes, techniques and instruments utilised to
manage the finances of the enterprise, as well as those processes involved in sustaining effective
financial relationships with customers and third parties.
Knowledge Risks are associated with the management and protection of knowledge and
information within the enterprise.
What is Enterprise risk management (ERM)?
Enterprise risk management helps an organization get to where it wants to go and avoid pitfalls
and surprises along the way. In other words, Enterprise risk management in business includes the
methods and processes used by organizations to manage risks and seize opportunities related to
the achievement of their objectives. It is a structured, consistent and continuous process of
measuring or assessing risk and developing strategies to manage risk within the risk appetite.
Enterprise risk management (ERM) is defined by COSO (Committee of Sponsoring
Organizations of the Treadway Commission) as a process designed to:
1. identify potential events that may affect the organization,
2. manage risk to be within the organization's risk appetite, and
3. provide reasonable assurance regarding the achievement of the organization's objectives.

3. 3
The role of ERM cannot be over stated in modern economy where every choice we make be it in
respect of day to day affairs at an operational level or fundamental trade-offs in the boardroom,
has an element of risk. Every decision taken may have multiple outcomes and that’s where risk
creeps in. These risks must be considered in the formulation of an organization’s strategy and
business objectives and enterprise risk management helps to optimize outcomes. In increasing
volatility, complexity and ambiguity of the world, the margin of error has shrunk, with
stakeholders demanding greater transparency and accountability for managing the impact of risk.
Increasing volatility requires enterprise to be more adaptive to change particularly at the Board
levels where the stakes are highest. COVID19 pandemic has further stressed the need for
effective risk management by an enterprise to ensure the business continuity. By identifying and
proactively addressing risks and opportunities, enterprises can protect and create value for their
stakeholders, including owners, employees, customers, regulators, and overall society.
Benefits of Effective Enterprise Risk Management
Organizations that integrate enterprise risk management throughout the entity can realize many
benefits, including, though not limited to:
 Increasing the range of opportunities:
 Identifying and managing risk entity-wide:
 Increasing positive outcomes and advantage while reducing negative surprises:
 Reducing performance variability:
 Improving resource deployment:
 Enhancing enterprise resilience:
Role of Chartered Accountants in ERM
A Chartered Accountant can facilitate the process of ERM in many ways like:
 Process audit of the risk management processes
 Identify, assess and solve complex business problems, using in-depth data-analysis and
evaluating variable factors

4. 4
 Lead large-to-medium sized teams or projects, delivering valuable insights and advice to
clients on complex enterprise risk management projects across industries
 Help clients develop their own strategies by designing and implementing business and
technology changes
 Establish a clear point of view for enterprise risk assessment, analysis, and delivery of
solutions
 Enhance the Risk and Compliance practice by contributing to ERM thought leadership and
Innovation solutions
 Display a depth of knowledge in ERM by understanding developments in relevant regulatory
guidance, technologies, and innovations
 Preparing comprehensive framework for risk management for an enterprise,
 Assisting in Successful implementation of ERM in the entity.
Brief History of ERM
Management of Risk as a concept is nothing new, even though its formal structure has evolved
over a period in recent times. Most successful kings of past practiced Risk Management in one
form or other by building forts, maintaining secret chambers or keeping additional forces and
stores for grain for crises time. In India, the evidences of ERM can be traced back to around 150
AD, when the famous erstwhile economist Chanakya (Kautilya) devoted a chapter on Risk
Management in Arthashastra, which translates to Calamities of the Population. According to
him, ‘A calamity constituent, of a divine or human origin, springs from ill luck or wrong
policy’. Kautilya in his fourth book, classified the vyasana, into two categories namely Daivam
vyasna (Natural Disasters) and Manusam vyasana (Manmade Disasters). Kautilya in his book
has also suggested ways to manage risk at both at individual level and national level. Kautilya
has clearly stressed that if someone dies on duty, the sons and wife should get food and wages
and their minor children, old and sick persons should be supported. King should grant them
money.
However, the ERM as we understand today can be traced to Early 1970s when Gustav Hamilton
of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all
elements in the risk management process. The following events may be noted thereafter:

5. 5
 1974- Basel Committee on Banking Supervision
 1988- Basel Capital Accord setting forth a new framework for minimum risk based Capital
requirements
 1985- COSO formed an independent commission to undertake a private sector study of
factors that caused fraudulent financial reporting
 1992- Following a series of high profile corporate frauds and accounting scandals, the
London Stock Exchange introduced new regulations covering various aspects of Corporate
governance
 1995- Development of national standards on Risk Management began with Aus/NZ Risk .
Similar standards in Canada (Dey Report 1997) and Japan, and in the UK (2000)
 1996- NAIC (National Association of Insurance Commissioners in United States) introduced
risk based capital requirement for insurance companies.
 2002 - A string of corporate accounting scandals has profound implications in the US and
worldwide and led to the passage of Sarbanes-Oxley Act
 2003- The Casualty Actuarial Society (CAS) defined ERM as the discipline by which an
organization in any industry assesses, controls, exploits, finances, and monitors risks from all
sources for the purpose of increasing the organization's short- and long-term value to its
stakeholders.
 2004- COSO Enterprise Risk Management Integrated Framework
 2009- ISO 31000 is an International Standard for Risk Management which was published by
the International Organization for Standardization and The International Electrotechnical
Commission (IEC).
 2010 –COSO Strengthening Enterprise Risk Management for Strategic Advantage
 2017- COSO Enterprise Risk Management—Integrating with Strategy and Performance
Importance of ERM
Organizations with integrated enterprise risk management throughout the entity realize many
benefits of ERM like:
• Increasing the range of opportunities: In process of ERM entity considers all possibilities
both positive and negative. This help the management to identify new opportunities and
unique challenges associated with current opportunities.

6. 6
• Identifying and managing risk entity-wide: In an organization there are many risks that affect
more than one parts of the organization. Effective ERM ensures that the management
identifies and manages these entity-wide risks to sustain and improve performance.
 Increasing positive outcomes and advantage while reducing negative surprises: The changes
around an enterprise may be a challenge or an opportunity. Enterprise risk management
allows entities to improve their ability to identify risks and establish appropriate responses,
reducing surprises and related costs or losses, while profiting from advantageous
developments.
 Reducing performance variability: Often challenge or risk is leads to variability in
performance rather than the loss to the enterprise. Effective Enterprise risk management
allows organizations to anticipate the risks that would affect performance and enable them to
put in place the actions needed to minimize disruption and maximize opportunity.
 Improving resource deployment: Every risk could be considered a request for resources.
Obtaining robust information on risk allows management, in the face of finite resources, to
assess overall resource needs, prioritize resource deployment and enhance resource
allocation.
 Enhancing enterprise resilience: An entity’s medium- and long-term viability depends on its
ability to anticipate and respond to change, not only to survive but also to evolve and thrive.
This is, in part, enabled by effective enterprise risk management. It becomes increasingly
important as the pace of change accelerates and business complexity increases.
Statutory Requirement for Enterprise Risk Management in India
Even though there is no formal Enterprise Risk Management framework in India, there are
certain requirements in Companies Act 2013 and Securities and Exchange Board of India
(Listing Obligations and Disclosure Requirements) Regulations, 2015, that needs to be
complied with respect to Risk Management.
The Companies Act, 2013
The Companies Act 1956 did not contain any mandatory provisions relating to Risk
Management, whereas the Companies Act 2013 placed specific expectations on important

7. 7
stakeholders in a company, namely, the Board of Directors, Audit Committee and the
Independent Directors in relation to Risk Management.
As per the Section 134(3) of the Companies Act 2013, the Board of Directors in its report
attached to financial statements laid in general meeting, include a statement indicating
development & implementation of Risk Management Policy for company including
identification therein of elements of risk, if any, which in the opinion of the Board may threaten
the existence of the company.
A per the Schedule IV framed under Section 149(8) of the Companies Act 2013, the
Independent Directors of the company must:
(1) Help in bringing an independent judgment to bear on the Board’s deliberation especially on
issues of strategy, performance, risk management, resources, key appointments and
standards of conduct;
(2) Satisfy themselves on the integrity of financial information and that financial controls and
the systems of risk management are robust and defensible.
As per Section 177(4) of the Companies Act, the Audit Committee must act in accordance
with the terms of reference specified in writing by the Board which shall, inter alia, include
evaluation of internal financial controls and risk management systems.
Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements)
Regulations, 2015 (LODR) on ERM
The board and audit committee have been vested with specific responsibilities as per SEBI
(LODR) Regulations 2015, in assessing the robustness of Risk Management policy, process and
systems. Some of the main provisions in this respect are:
As per the Regulation 4(2)(f)(ii) of LODR, key functions of the board of directors include
reviewing and guiding and risk policy; Ensuring appropriate systems of control are in place, in
particular, systems for risk management, financial and operational control, and compliance with
the law and relevant standards.
As per the Regulation 4(2)(f)(iii) of LODR, the board of directors shall have ability to ‘step
back’ to assist executive management by challenging the assumptions underlying: strategy,

8. 8
strategic initiatives (such as acquisitions), risk appetite, exposures and the key areas of the listed
entity’s focus.
As per the Regulation 17(9) of LODR, the listed entity shall lay down procedures to inform
member of board about risk assessment & minimization procedures and the board shall be
responsible for framing, implementing and monitoring the risk management plan for the listed
entity.
As per the Regulation 21 of LODR a amended .e.f., the top 1000 listed entities, determined on
the basis of market capitalization as at the end of the immediate preceding financial year; and
‘high value debt listed entity’, should have a Risk Management Committee which shall have
following key features –
(1) The board of directors shall constitute a Risk Management Committee.
(2) The Risk Management Committee shall have minimum three members with majority of
them being members of the board of directors, including at least one independent director
and in case of a listed entity having outstanding SR equity shares, at least two thirds of the
Risk Management Committee shall comprise independent directors.
(3) The Chairperson of the Risk management committee shall be a member of the board of
directors and senior executives of the listed entity may be members of the committee.
(4) The risk management committee shall meet at least twice in a year. The quorum for a
meeting of the Risk Management Committee shall be either two members or one third of the
members of the committee, whichever is higher, including at least one member of the board
of directors in attendance. The meetings of the risk management committee shall be
conducted in such a manner that on a continuous basis not more than one hundred and eighty
days shall elapse between any two consecutive meetings
(5) The board shall define role & responsibility of the Risk Management Committee & may
delegate monitoring and reviewing of the risk management plan to the committee and such
other functions as it may deem fit such function shall specifically cover cyber security
(6) The provisions of this regulation shall be applicable to top 500 listed entities, determined on
the basis of market capitalization, as at the end of immediate previous financial year.

9. 9
(7) The Risk Management Committee shall have powers to seek information from any
employee, obtain outside legal or other professional advice and secure attendance of
outsiders with relevant expertise, if it considers necessary.
The Part C of Schedule II of LODR framed under Regulation 18(3) that deals with the role of
the Audit Committee and review of information by Audit Committee states that the role of the
audit committee shall include evaluation of internal financial controls and risk management
systems.
Further w.e.f. 5.5.2021, a new Clause C has been inserted in Part D of Schedule II of LODR,
which deals with the role of Risk Management Committee. The clause is being reproduced
below:
Risk Management Committee
The role of the committee shall, inter alia, include the following:
(1) To formulate a detailed risk management policy which shall include:
(a) A framework for identification of internal and external risks specifically faced by the
listed entity, in particular including financial, operational, sectoral, sustainability
(particularly, ESG related risks), information, cyber security risks or any other risk as
may be determined by the Committee.
(b) Measures for risk mitigation including systems and processes for internal control of
identified risks.
(c) Business continuity plan.
(2) To ensure that appropriate methodology, processes and systems are in place to monitor and
evaluate risks associated with the business of the Company;
(3) To monitor and oversee implementation of the risk management policy, including evaluating
the adequacy of risk management systems;
(4) To periodically review the risk management policy, at least once in two years, including by
considering the changing industry dynamics and evolving complexity;
(5) To keep the board of directors informed about the nature and content of its discussions,
recommendations and actions to be taken;

10. 10
(6) The appointment, removal and terms of remuneration of the Chief Risk Officer (if any) shall
be subject to review by the Risk Management Committee.
The Risk Management Committee shall coordinate its activities with other committees, in
instances where there is any overlap with activities of such committees, as per the framework
laid down by the board of directors.
Clause C of the Schedule V of LODR, which deals with the disclosure requirements in Annual
Report in respect of Corporate Governance Report requires following disclosures in respect to
Risk management committee:
(a) brief description of terms of reference;
(b) composition, name of members and chairperson;
(c) meetings and attendance during the year
It is pertinent to note that, even prior to LODR, the clause 49 of the Listing Agreement by SEBI
mandated every Company to constitute a Risk Management Committee. Board Disclosures as
per Clause 49 of the Listing Agreement required every Company to lay down procedures to
inform Board members about the risk assessment and minimization procedures. These
procedures were required to be periodically reviewed to ensure that executive management
controls risk through means of a properly defined framework.
Standards on Auditing Pronounced by the Auditing and Assurance Standards Board
(AASB) and Internal Audit Standards Board of ICAI on Enterprise Risk Management
As Institute of Chartered Accountants of India is primary body in India, that regulates Auditing
Profession, it sets standards for conducting the statutory or other audits. In case of Internal
Audits too if member of ICAI conducts an Internal Audit he should follow Internal Audit
Standard prescribed by it. Even though some other professionals are also permitted to perform
Internal Audit function by MCA, Internal Audit standards set by ICAI are recommendatory for
them. Discussed below are standards set by the two boards that is relevant for ERM.
Standard on Auditing (SA) 315, “Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment” deals with the auditor's
responsibility to identify and assess the risks of material misstatement in the financial statements,

11. 11
through understanding the entity and its environment, including the entity's internal control. It
defines the term Business Risk, Internal Control, Risk assessment procedures and significant risk
a follows:
 Business risk as a risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity’s ability to achieve its objectives and execute
its strategies, or from the setting of inappropriate objectives and strategies.
 Internal control as the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the
achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, safeguarding of assets, and compliance with
applicable laws and regulations. The term “controls” refers to any aspects of one or more of
the components of internal control.
 Risk assessment procedures as the audit procedures performed to obtain an understanding of
the entity and its environment, including the entity’s internal control, to identify and assess
the risks of material misstatement, whether due to fraud or error, at the financial statement
and assertion levels.
 Significant risk as an identified and assessed risk of material misstatement that, in the
auditor’s judgment, requires special audit consideration.
The standard requires the auditor to perform risk assessment procedures to provide a basis for the
identification and assessment of risks of material misstatement at the financial statement and
assertion levels including inquiries of management, of appropriate individuals within the internal
audit function and of others within the entity who in the auditor’s judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or
error, Analytical procedures and observation and inspection.
Standard on Auditing (SA) 330, “The Auditor’s Responses to Assessed Risks” deals with the
auditor’s responsibility to design and implement responses to the risks of material misstatement
identified and assessed by the auditor in accordance with SA 315. It states Nature, timing and the
extent of the audit procedures are to be based on and are responsive to the assessed risk of
material misstatement at the assertion level. It defines the term Test of Control as an audit
procedure designed to evaluate the operating effectiveness of controls in preventing, or

12. 12
detecting and correcting, material misstatements at the assertion level and Substantive Procedure
as an audit procedure designed to detect material misstatements at the assertion level.
Substantive procedures comprise tests of details and substantive analytical procedures.
Any significant risk in auditor’s opinion should be tested in the current period. During this
process, evaluate whether there are any misstatements detected by substantive procedure
indicates the control are not operated effectively. If there are deviations, the auditor should
understand its potential consequences through specific inquiries and determine:
 Test of controls performed to provide an appropriate basis for reliance
 If an additional test is necessary
 If the potential risk of misstatement is to be addressed using substantive procedures
ISA 330 requires that the auditor shall always carry out substantive procedures on material items
irrespective of the assessed risks of material misstatement, and that the auditor shall design and
perform substantive procedures for each material class of transactions, account balance, and
disclosure. ISA 330 indicates that the auditor may perform tests of control or substantive
procedures at an interim date or at the period end. The standard also indicates that, in general, the
extent of audit procedures increases as the risk of material misstatement increases. The
standard lists the following overall responses that may be used by auditors in order to address the
assessed risks of material misstatement at the financial statement level:
 Emphasizing to the audit team the need to maintain professional scepticism.
 Assigning more experienced staff, those with special skills, or using experts.
 Providing more supervision.
 Incorporating additional elements of unpredictability in the selection of further audit
procedures to be performed.
 Making general changes to the nature, timing or extent of audit procedures.
Standard on Internal Audit (SIA) 13, Enterprise Risk Management,
Standard on Internal Audit issued by the “Internal Audit Standards Board” of the Institute of
Chartered Accountants of India, apply to all members of the ICAI while performing internal
audit of any entity or body corporate, irrespective of whether the internal audit is conducted by

13. 13
them in the capacity of an employee of the entity or as a representative of an external agency.
SIA 13, Enterprise Risk Management, establishes standards and provide guidance on review of
an entity’s risk management system during an internal audit. An Internal Auditor is expected to
provide assurance to management on the effectiveness of risk management. The standard says
that the nature of internal auditor’s responsibilities should be adequately documented and
approved by those charged with governance and the internal auditor should not manage any of
the risks on behalf of the management or take risk management decisions. The internal auditor
should not assume any accountability for risk management decisions taken by the management.
It is the responsibility of the internal auditor to review the maturity of an enterprise risk
management structure by considering whether the framework so developed, inter alia:
a) protects the enterprise against surprises;
b) stabilizes overall performance with less volatile earnings;
c) operates within established risk appetite;
d) protects ability of the enterprise to attend to its core business; and
e) creates a system to proactively manage risks.
The internal auditor should also review whether the enterprise risk management coordinators in
the entity report on the results of the assessment of key risks at the Risk Management
Committee, Enterprise Business and Unit Heads and Audit Committee levels.
The internal audit plan, approved by the audit committee, should be based on risk assessment as
well as on issues highlighted by the audit committee and senior management. The risk
assessment process should be of a continuous nature so as to identify both existing and emerging
risks. The risk assessment should be conducted formally at least annually, but more often in
complex enterprises. To serve this objective, the internal auditor should design the audit work
plan by aligning it with the objectives and risks of the enterprise and concentrate on those issues
where assurance is sought by those charged with governance.

14. 14
The internal auditor should submit his report to the Board or its relevant Committee, delineating
the Assurance rating (segregated into High, Medium or Low), Tests conducted, Samples covered
and Observations and recommendations.
COSO Enterprise Risk Management—Integrating with Strategy and Performance (2017)
COSO stands for ‘Committee of Sponsoring Organizations’. The COSO Board commissioned
and published in 2004 Enterprise Risk Management-Integrated Framework. To keep pace with
increasing complexities and evolving risks it revised it in 2017 and named it Enterprise Risk
Management—Integrating with Strategy and Performance. The Framework highlights the
importance of considering risk in both the strategy-setting process and in driving performance.
The document is divided into two parts. The first part offers a perspective on current and
evolving concepts and applications of enterprise risk management. The second part of the
Framework is organized into five easy-to-understand components encompassing 20 principles,
that accommodate different viewpoints and operating structures, and enhance strategies and
decision-making. It provides a Framework for boards and management in entities of all sizes. It
builds on the current level of risk management that exists in the normal course of business.
Further, it demonstrates how integrating enterprise risk management practices throughout an
entity helps to accelerate growth and enhance performance. It also contains principles that can be
applied—from strategic decision-making through to performance.
Management holds overall responsibility for managing risk to the entity, but it is important for
management to go further: to enhance the conversation with the board and stakeholders about
using ERM to gain a competitive advantage. ERM allows management to feel more confident
that they’ve examined alternative strategies and considered the input of those in their
organization who will implement the strategy selected.
The Framework supplies important considerations for boards in defining and addressing their
risk oversight responsibilities. These considerations include governance and culture; strategy and
objective-setting; performance; information, communications and reporting; and the review and
revision of practices to enhance entity performance. The five components in the updated
Framework are supported by a set of principles.
The components with related principles are as follows:

15. 15
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the
importance of, and establishing oversight responsibilities for the enterprise risk management.
Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
The related principle are:
 Exercises Board Risk Oversight
 Establishes Operating Structures
 Defines Desired Culture
 Demonstrates
 Commitment to Core Values
 Attracts, Develops, and Retains Capable Individuals
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting
work together in the strategic-planning process. A risk appetite is established and aligned
with strategy; business objectives put strategy into practice while serving as a basis for
identifying, assessing, and responding to risk.
 Analyzes Business Context
 Defines Risk Appetite
 Evaluates Alternative Strategies
 Formulates Business Objectives
3. Performance: Risks that may impact the achievement of strategy and business objectives
need to be identified and assessed. Risks are prioritized by severity in the context of risk
appetite. The organization then selects risk responses and takes a portfolio view of the
amount of risk it has assumed. The results of this process are reported to key risk
stakeholders.
 Identifies Risk
 Assesses Severity of Risk
 Prioritizes Risks
 Implements Risk Responses
 Develops Portfolio View
4. Review and Revision: By reviewing entity performance, an organization can con sider how
well the enterprise risk management components are functioning over time and in light of
substantial changes, and what revisions are needed.

16. 16
 Assesses Substantial Change
 Reviews Risk and Performance
 Pursues Improvement in Enterprise Risk Management
5. Information, Communication, and Reporting: Enterprise risk management requires a
continual process of obtaining and sharing necessary information, from both internal and
external sources, which flows up, down, and across the organization.
 Leverages Information and Technology
 Communicates Risk Information
 Reports on Risk, Culture, and Performance
Standards set by International Organization for Standardization (ISO)
ISO an independent, non-governmental organization with a membership of 162 national
standards bodies has developed over 22000 voluntary, consensus-based, market-relevant
International Standards that support innovation and provide solutions to global challenges. These
Standards are internationally accepted and agreed over, by various experts in functional and
technical fields and adopted by business leaders and executors globally, towards the achieving of
the various objectives for which these standards are developed, laid down and propagated.
Discussed below are its standards dealing with Risk Management in any enterprise.
ISO 31000: Risk Management
ISO 31000:2018 is a Standard, which is a revised version of the earlier Standard of 2009 on
the same issue. 31000 is applicable to all organizations, regardless of type, size, activities and
location, and covers all types of risk. It was developed by a range of stakeholders and is intended
for use by anyone who manages risks, not just professional risk managers. ISO 31000 provides
direction on how companies can integrate risk-based decision making into an organization’s
governance, planning, management, reporting, policies, values and culture. ISO. It provides
overall guidelines and not any certification on managing risk faced by organizations. The
application of these guidelines can be changed, moulded and customized to any organization and
its context, as required, to suit the factors and circumstances prevailing in any business or
organization.
ISO 31000 helps organizations develop a risk management strategy to effectively identify and
mitigate risks, thereby enhancing the likelihood of achieving their objectives and increasing the

17. 17
protection of their assets. Implementing ISO 31000 also helps organizations see both the positive
opportunities and negative consequences associated with risk, and allows for more informed, and
thus more effective, decision making, namely in the allocation of resources.
The principles are the foundation for managing risk and should be considered when establishing
the organization’s risk management framework and processes.. The figure below can provide
guidance on the characteristics of effective and efficient risk management, communicating its
value and explaining its intention and purpose as proposed by ISO 31000.
The ISO 31000 requires entities to develop ERM Framework encompassing following elements:
integrating, designing, implementing, evaluating and improving risk management across the
organization.
Integrating: It states that even though op management is accountable for managing risk and
oversight bodies are accountable for overseeing risk management, they should ensure that risk
management is integrated into all organizational activities. Integrating risk management relies on
an understanding of organizational structures and context and it is a dynamic and iterative
process, and should be customized to the organization’s needs and culture. Risk management
should be a part of, and not separate from, the organizational purpose, governance, leadership
and commitment, strategy, objectives and operations.
Deigning: When designing the framework for managing risk, the organization should examine
and understand its external and internal context. Top management and oversight bodies, where
applicable, should demonstrate and articulate their continual commitment to risk management
through a policy, a statement or other forms that clearly convey an organization’s objectives and

18. 18
commitment to risk management. The risk management commitment should be communicated
within an organization and to stakeholders. Top management should ensure that the authorities,
responsibilities and accountabilities for relevant roles with respect to risk management are
assigned and communicated at all levels of the organization. They should ensure allocation of
appropriate resources for risk management and consider the capabilities of, and constraints on,
existing resources.
The organization should establish an approved approach to communication and consultation in
order to support the framework and facilitate the effective application of risk
management. Communication and consultation should be timely and ensure that relevant
information is collected, collated, synthesized and shared, as appropriate, and that feedback is
provided and improvements are made.
Implementation: The organization should implement the risk management framework by:
 developing an appropriate plan including time and resources;
 identifying where, when and how different types of decisions are made across the
organization, and by whom;
 modifying the applicable decision-making processes where necessary;
 ensuring that the organization’s arrangements for managing risk are clearly understood
and practiced.
Evaluation: In order to evaluate the effectiveness of the risk management framework, the
organization should:
 periodically measure risk management framework performance against its purpose,
implementation plans, indicators and expected behavior;
 determine whether it remains suitable to support achieving the objectives of the
organization.
Improvement: The organization should continually monitor and adapt the risk management
framework to address external and internal changes by improving its value. The organization
should continually improve the suitability, adequacy and effectiveness of the risk management

19. 19
framework and the way the risk management process is integrated. Once implemented, these
improvements should contribute to the enhancement of risk management.
The Process of ERM: The risk management process involves the systematic application of
policies, procedures and practices to the activities of communicating and consulting, establishing
the context and assessing, treating, monitoring, reviewing, recording and reporting risk. This
process is illustrated as:
IEC/ ISO 31010, Risk management — Risk assessment techniques,
It features a range of techniques to identify and understand risk. It has been updated to expand its
range of applications and to add more detail than ever before. It complements
ISO 31000, Risk management.
IEC 31010 describes the process to be followed when assessing risk, from defining the scope to
delivering a report. It introduces a wide range of techniques for identifying and understanding
risk in a business or technical context.