ENTERPRISE RISK MANAGEMENT
ISO 31000 - 2009

MOHAMAD HASSAN AK., MAFIS, QIA, CRMP, CRMA
ERM - ISO 31000
GETTING STARTED
(Slide diagram; the labels recovered from the figure are:)
• Start ERM Implementation
• Obtain Mandate & Commitment
• Building a Framework
• Design Framework
• Implement, Monitor, & Improve System
• IA Role in getting started
Building a Framework
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.
Building a Framework
(Slide diagram; the cycle shown is:)
Obtain ERM Mandate and Commitment → Design Framework → Implement ERM System → Monitor & Review ERM System → Continuously Improve ERM System → (back to Design Framework)
Obtain ERM Mandate & Commitment
• Define & endorse the risk management policy
• Ensure the organization’s culture and RM policy are aligned
• Align RM objectives with organization objectives & strategies
• Determine that RM performance is aligned with the organization’s performance indicators
• Assign accountabilities & responsibilities at appropriate levels within the organization
• Ensure necessary resources are allocated to risk management
• Ensure legal and regulatory compliance
• Communicate the benefits of risk management to shareholders
• Ensure the framework for managing risk continues to remain appropriate
Some Considerations
• Why are we choosing to implement ERM at this time?
• Where do we start?
• What outcome do we expect?
• What does success look like?
• What is our scope for implementation?
• How will we roll ERM out enterprise-wide?
Design ERM Framework
• Understand the organization, its business, & context for ERM
• Determine organizational positioning of ERM
• Develop risk management policy
• Assign accountability and authority
• Allocate resources
• Establish internal & external reporting mechanisms
• Link ERM to performance appraisal process
Understanding the organization, its business, & the context for ERM
• External Factors:
– Social and cultural, political, legal, regulatory, financial, technological, economic, natural, & competitive environment (international, national, regional, or local).
– Key drivers and trends affecting the objectives of the organization.
– Relationship with, and perceptions and values of, external stakeholders.
• Internal Factors:
– Governance, organizational structure, roles, & responsibilities.
– Policies, objectives, and strategies in place to achieve them.
– Capabilities & knowledge (capital, time, people, processes, systems, and technologies).
– Information systems, information flows, & decision-making process.
– Relationship with, and perceptions and values of, internal stakeholders.
– Organizational cultures.
– Standards, guidelines, and models adopted.
Determine organizational positioning of ERM
• There is no single best practice
• Challenges in perception:
– ERM reports too low in the organization and therefore lacks senior management’s full commitment.
– ERM focuses primarily on financial reporting risks and excludes other important areas of risk.
• Establish a risk committee
• Key considerations:
– The reporting line should be high enough
– Sufficient span of responsibility to oversee ERM activities
– Report directly to the board
Develop Risk Management Policy
• Important elements to include in the policy:
– Overall rationale and objectives for, and commitment to, implementing an effective ERM System.
– Governance responsibilities, including the board’s tone and attitude.
– Application/scope across the organization.
– Framework used to support the ERM approach.
– Authority and responsibilities for overseeing and executing the ERM System.
– Commitment of resources.
– Key terms and definitions.
– Limits and risk tolerance levels.
– Risk management performance measures and metrics.
– Expectations & practices to periodically review and update the policy.
Implement, Monitor, & Improve ERM System
(Slide diagram: Implement → Monitor → Improve)
INTERNAL AUDIT’S ROLE IN GETTING STARTED
Lead ERM Implementation / Play a Prominent Role
• More experience, skill, & organizational perspective.
• Understands the value of ERM & pushes to get it implemented.
• Steps to avoid impairment of objectivity: (1) the situation is well understood & agreed, (2) involve appropriate members of management as much as possible, (3) a formal plan should be developed, & (4) hire an outside resource for assurance.
• Implementing ERM; knowledge of what a good ERM system looks like.
• Conducting risk assessment; identifying, analyzing, & evaluating risks.
• Considering risk treatment options.
• Designing risk management activities.
• Determining next steps to make ERM sustainable.
INTERNAL AUDIT’S ROLE IN GETTING STARTED
Provide Consulting Support
• Advisory services on ERM
• Facilitation of ERM workshops
• Instructional services
• Coaching management on the risk management process
• Championing the establishment of ERM
Provide Assurance on Implementation
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Reviewing the management of key risks
• Evaluating the reporting of key risks
• Evaluating the risk management process
