The document provides an overview of risk management and enterprise risk management (ERM). It discusses how ERM involves a comprehensive framework for identifying, prioritizing, mitigating, and monitoring risks across an entire organization. The key steps in developing an ERM program include choosing a risk management framework, identifying risks, prioritizing them based on likelihood and impact, developing risk mitigation strategies, implementing controls, and ongoing monitoring and reporting of risks. Popular frameworks mentioned are COSO and ISO 31000. Benefits of implementing a formal ERM program include improved risk awareness and decision making, a standardized approach to managing risks, and potential cost savings.
Enterprise risk management is an underutilized management practice that allows community-based financial institutions to become more efficient, smarter, and better able to compete in an increasingly complex environment.
WolfPAC Solutions Group Director Michael Cohn creates a strong case on why community-based financial institutions should implement an enterprise risk management program to reduce costs and successfully achieve business goals in an increasingly competitive and regulated environment.
It provides a general overview of enterprise risk management principles, which can help transform a corporation from being exposed to risk to being protected against it. The basic steps of the risk management process are analysed critically and logically.
CISSPills are short presentations covering topics to study in order to prepare for the CISSP exam. CISSPills is a digest of my notes and does not aim to replace a study book; it aims only to be another companion for self-paced students.
Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that compose the CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Enterprise Architectures
- Enterprise Security Architectures
- Capability Maturity Model Integration (CMMI)
Enterprise risk management has become a vital component of cyber security, logistics management, asset management and supply chain management. As organizations continue to rely on data to drive workforce automation, Industrial IoT and process automation, it is becoming necessary to analyze data to discover risk before it occurs and to implement effective remediation practices and processes. Seminar participants will collaborate and explore the emerging use cases for enterprise risk management that address the need to understand how to leverage critical data for prediction, and how data analytics can support risk management and mitigation in an increasingly data-dependent workforce environment.
During this seminar, participants will:
a. Explore new innovations in enterprise risk management that will provide new career opportunities for STEM professionals
b. Examine the skills and experiences necessary to take advantage of risk management career opportunities
c. Discern the applicable areas for enterprise risk management
d. Determine the importance of addressing enterprise risk management in all digital transformation initiatives
e. Identify the market growth and consulting opportunities in enterprise risk management
All organisations, whatever their size or market, face a range of risks affecting the achievement of their objectives. While “risk” is commonly regarded as negative, risk management is as much about exploiting potential opportunities as preventing potential problems.
Risk management comprises a framework and process that enable organisations to manage uncertainty in an effective, efficient and systematic way from strategic, programme, project and operational perspectives, as well as supporting continual improvement. Risk management applies at all levels of an organisation and to all activities.
In this A to Z, I’d like to cover some of the key areas of Risk Management and Treatment and give you a better understanding of this broad topic that underpins multiple quality and ISO standards.
Abstract: Risk management is an activity which integrates recognition of risk, risk assessment, developing strategies to manage it, and mitigation of risk using managerial resources. Some traditional risk management approaches focus on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, death). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce the different risks related to a pre-selected domain to an acceptable level. It may refer to numerous types of threats caused by the environment, technology, humans, organizations and politics. The paper describes the different steps in the risk management process and which methods are used in each step, and provides some examples for risk and safety management.
Case study in Enterprise Risk Management (ERM) showing paired comparison method to evaluate risk, allocate ERM resources and to highlight the different perspective or context for different levels of company management.
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks (Aronson LLC)
Significant opportunities remain for organizations to continue to strengthen their approaches to identifying and assessing key risks. This program will provide an overview of Enterprise Risk Management (ERM) best practices and current emerging risks that should be on your radar for 2018.
Watch the complete webinar here: https://aronsonllc.com/c-suites-guide-to-enterprise-risk-management-and-emerging-risks/?sf_data=all&_sft_insight-type=on-demand-webinar
When Senator Marco Rubio was a member of the Florida state legislature he introduced a bill that would have forced most Florida travel agencies that sell trips to Cuba to close due to draconian seller of travel licensing requirements imposed under the legislation. At the time Governor Charlie Crist signed the bill into law. The affected Florida travel agencies sued the state and eventually succeeded in blocking the legislation. In the case, I submitted this amicus curiae brief which helped convince a federal judge to strike down the law on constitutional grounds.
This white paper explains the concepts, legal requirements, strategies, and global framework for the implementation of risk management. It also deals with fraud and reputation risk management and how the negative reputation of an entity may harm the operations and profitability.
This white paper may be useful in performing the advisory role in Risk Management and Risk Governance.
“Today’s fast-paced business environment encounters a complex and ever-changing risk landscape that may negatively impact organizational value. The only way to respond to it is by having a dynamic and holistic perspective of the risk management approach to ensure business continuity.”
– Jack Zahran, President, Pinkerton
Implementing an Enterprise Risk Management Program | Cyberroot Risk Advisory (CR Group)
Enterprise risk management (ERM) is a critical component of any successful business strategy. It involves identifying, assessing, and prioritizing potential risks that could impact an organization's ability to achieve its objectives.
This presentation provides a comprehensive plan for implementing an enterprise risk management program. It covers the costs/benefits of an ERM program, the critical knowledge, skills and abilities of a Chief Risk Officer, a risk taxonomy for insurance firms, a hypothetical organizational structure for an electric utility, a sample risk register, and other useful information.
DISCUSSION-1 RE Chapter 15 Embedding ERM into Strategic Planning.docx (uploaded by madlynplamondon)
DISCUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of the City of Edmonton ERM implementation are:
Results-based budgeting and performance measurement.
Results-based budgeting (RBB):
ERM helps organizations to allocate resources based on the requirements for completing tasks and producing the desired output. RBB assists in determining the funding allocation requirements which are mandatory to fulfill the strategic objectives of the organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results. Here the expected results represent the desired outputs which the organization expects in order to meet its strategic goals. In simple words, results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
Continuous performance measurement helps organizations to drive progress in risk mitigation and provides insights into where additional attention is required. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Performance measurement in ERM sends the list of desired outcomes to RBB and receives the list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. A powerful model can provide a large amount of information and lets the organization compare results and risks, the effectiveness of the current program and the impact of future initiatives. A user-friendly program makes it easy to add information and new features, and is easy for the user to understand in simple steps. User-friendliness also means that, if needed, some unnecessary steps can be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have a success strategy which is linked to the command of risk and organizational understanding. The selection of strategy is a high-stakes exercise. Approximately 80% of the underperformers against the industry who have lost their way over the prior 10 years did so because of blunders that were strategic, according to the Business and Strategy magazine. It may blame the failure on operational errors, external events or compliance faults.
2. What are three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
Risk Intelligence in the Energy and Resources Industry (uploaded by Franco Ferrario)
DELOITTE TECHNOLOGIES
Risk Intelligence in the Energy & Resources Industry
Enterprise Risk Management Benchmark Survey Report
Upload by Franco Ferrario CIO Temporary Manager
Discussion1 From time to time most organizations make improvement.docx (uploaded by madlynplamondon)
Discussion1
From time to time most organizations make improvements in their ERM framework to compete with the latest trends in the market and reduce risk factors, or simply choose the best ERM framework which adds more value and is more powerful when compared to their current ERM framework. Before selecting any ERM, the organization should understand that no ERM is perfect and organizations should choose the best available tool by considering their requirements and future enhancements. In addition to risk analysis and risk management, these days many organizations are choosing the best ERM for the purpose of financial investment decision making (Will Kenton, 2018).
ISO 31000 is much simpler and superior to the risk scorecard model for mitigating risk. According to the current situation, the Edmonton Police Service (EPS) wants to share its ERM with other city departments where new programs and initiatives need to be created. Using ISO 31000 is one of the best frameworks an organization can use to manage its risk because it increases the likelihood of an organization improving the identification of objectives and threats, achieving the organization's aims and objectives, and effectively allocating and using resources in risk treatment. Although ISO 31000 is not used for certification purposes, it provides an organization with the best guidelines for internal and external audit programs. This guideline helps an organization to compare its risks with other international benchmarks, which ends up providing sound principles for effective corporate governance and effective management. ISO 31000 risk assessment techniques mainly focus on the risk assessment, which helps different decision makers to understand the risk that may end up affecting the adequacy of the controls that are in place and the achievement of the objectives. Therefore, in a situation where an organization wants to develop a new ERM for their organization, the best framework to use is ISO 31000 (John Fraser & Betty Simkins, 2014).
Discussion2
The organization needed an enterprise-wide common risk framework, an annual assessment cycle, and integration into the strategic planning process. ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. This distinction is a crucial one to understand when comparing the two frameworks and understanding how they can be used. ISO 31000’s focus on risk management as a process devotes more attention to implementation, which broadens its appeal for those looking for insights on that subject.
“Risk management creates value, is an integral part of organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on best available information; is tailored; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.” Therefore, ISO 31000 is focused on in ...
This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK: The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM, The National Forum for Risk Management in the Public Sector. In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.
CHAPTER 34 Turning Crisis into Opportunity: Building an ERM.docx (uploaded by keturahhazelhurst)
CHAPTER 34
Turning Crisis into Opportunity
Building an ERM Program at General Motors
MARC S. ROBINSON
Assistant Director, Enterprise Risk Management, GM
LISA M. SMITH
Assistant Director, Enterprise Risk Management, GM
BRIAN D. THELEN
General Auditor, GM
This case study chronicles the ground-up implementation of enterprise risk management (ERM) at General Motors Company (GM), starting in 2010 through the first four years of implementation. Discussion topics include lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.
I think risk management is an element of all good executive management teams and boards. It will ensure viability in downturns and high-risk periods. I think if that is done not only within the automotive industry, but on a global and specifically on a national scale, economies will be in better shape because it is additive. If everybody is doing their job in assessing and understanding risk, the ultimate outcome will be much more positive for our national economy and society, and it is incumbent that corporate leadership understands that responsibility.
—Daniel F. Akerson, Chairman and Chief Executive Officer, General Motors, October 2012
BACKGROUND AND IMPLEMENTATION
The enterprise risk management (ERM) program at General Motors was founded in late 2010 at the direction of GM’s then newly appointed chief executive officer (CEO), Daniel F. Akerson, who sought to leverage the program as another means to achieve a competitive advantage in the industry. Having gone through bankruptcy in 2009 as a new board member, Akerson felt that a more robust risk management program would help guide the organization around the drivers of killer risks¹ going forward. His goal was to help the company ensure that it was prepared, agile, and fast to respond in an ever-changing world. Perhaps most importantly, Akerson wanted an ERM program that would focus not only on risks but on opportunities as well.
A chief risk officer (CRO) was selected and appointed from within, and the Finance and Risk Policy Committee of the board of directors was chartered to oversee risk management as well as financial strategies and policies. In support of the program, a senior manager and director joined the team. Risk officers were also identified and aligned to all direct reports of the CEO; this helped to ensure that all aspects of the business were covered. The CEO is the ultimate chief risk officer, and his direct reports are the ultimate risk owners. Members of the risk officer team were carefully selected by senior leadership based on their strong business experience, financial acumen, and most of all their ability to lead in the identification and discussion of risk in an objective and transparent manner. These representatives were expected to actively p ...
(Source: Implementing Enterprise Risk Management, pp. 607–608.)
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational exposures and the effectiveness of controls. In so doing, RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that operational risk management is a bureaucratic, compliance-focused exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
Risk Management Newsletter
What Is Your Risk Management IQ?
Risk Management Overview
As the global economic crisis and the subsequent recovery linger on, many organizations have been forced to ponder the many risks lurking in their corridors, in their data center, or with third-party service providers. Perhaps it was an adverse event at one of their competitors that made the news and became a public relations nightmare. Or maybe it was an emerging industry trend that got the Board of Directors’ attention? Maybe it is a new technological innovation that has the potential to be a disruptive competitive force? Perhaps it was a minor operational issue that escalated to catastrophic levels. Whatever the motivating factor, it appears that the discipline of risk management has come of age, or at least has become part of the conversation in today’s organizations.
But then, why are so many organizations hesitant to fully embrace enterprise risk management, or ERM as it is frequently called? Believe me! There is a significant difference between risk management and enterprise risk management (ERM). Risk management denotes a single risk mitigation activity.
What is Enterprise Risk Management (ERM)?
In contrast, ERM is a comprehensive and holistic enterprise-wide risk management activity. ERM is not an ad-hoc decision to conduct a risk assessment of the operational risks within your financial services enterprise after hearing about the recent incident with a leading capital markets firm whose trading platform went down unexpectedly. ERM is not conducting a one-off risk assessment of your data security after hearing about the multiple cyberattacks endured by some large Fortune 500 companies.
ERM is, rather, a centralized framework of procedures, tools, and methodologies that are used to identify, prioritize, remediate and monitor organizational risks and challenges. The primary objective of ERM is to provide timely and relevant risk data and the related control mechanisms in order to facilitate management decisions. These decisions are made by the Board of Directors, executive management and other stakeholders regarding the outcome of the risk mitigation strategies that were used in accordance with the risk appetite of the organization.
Risk Frameworks
The first step in designing and implementing a formal ERM program is to identify a risk management framework that will serve as a foundation for identifying and evaluating information. The next step is to develop an implementation plan.
D. K. Hamilton
Table 1.2—COSO-ERM Framework
Table 1.1—Risk Management Overview
18 February 2015 Volume 2015-01-001
While there are many risk management frameworks available in the market, the most prevalent ones are ISO 31000 and COSO-ERM. COSO-ERM is a framework that assists the user with classifying the risk management activities into four domains: (1) Strategic; (2) Compliance & Legal; (3) Operational; and (4) Reporting. ISO 31000 is a framework that is used to facilitate the development and implementation of an ERM program.
ERM Approach & Methodology
ISO 31000 categorizes the core risk management activities into the following four phases:
1. Risk Identification
2. Risk Prioritization
3. Risk Mitigation
4. Risk Reporting
Risk Identification
Risk Identification is the first phase of the risk management process, and it involves identifying the risks and opportunities within a business organization, a governmental institution, a non-governmental entity, or a project. This process may be initiated by management surveys or by live, interactive workshops. In my opinion, the latter are more effective, since they usually involve having members of management in a single setting with a facilitator.
The objective is to obtain direct input from various levels of management as to the population of risks and opportunities within the organization. The key to the success of this process is to have the implementation of the program supported either by the highest levels of management or by a very influential person or group within the organization.
Risk Prioritization
Next, the risk population will have to be systematically evaluated in order to prioritize the risks in terms of magnitude. The magnitude of the risk is determined by what we call the threat risk profile. The threat risk profile of each risk is a quantitative measure that is determined by the likelihood of a specific threat occurring and the business impact (should the threat indeed occur). For illustrative purposes, we have chosen a four-tiered threat risk profile, which includes the following risk classes, in order of severity:
• Class IV (Red)—Severe
• Class III (Orange)—Moderate
• Class II (Yellow)—Low
• Class I (Green)—Very Low
Risk Mitigation
The third step is to develop and implement a risk mitigation strategy in accordance with the organization’s risk appetite.
The graphic (Table 1.3) illustrates that there are four generally accepted risk mitigation strategies that organizations may use:
1. Avoiding Risk—changing or re-designing the business process in order to change the risk pattern.
2. Sharing and Transferring Risk—mitigating the risk by entering into contractual relationships with third parties who accept and share part of the risk (e.g. insurance, outsourcing, etc.).
3. Diversifying Risk—risk mitigation by allocating the risk over a number of separate operations (e.g. using multiple vendors for critical supply chain products and materials).
4. Accepting & Controlling Risk—the organization decides to allow and manage certain risks and designs and implements control activities aimed at reducing the risk to an acceptable and tolerable level.
For the population of risks that the organization chooses to accept and control, the next step is to design and implement the control mechanisms. But first, the organization must conduct an assessment of the current environment to identify the controls that already exist to mitigate the risks.
The COSO Integrated Framework of 2013 (COSO 2013) is a good internal control framework that is ideal for facilitating the design, evaluation, and monitoring of internal controls. It is organized into five categories and seventeen control principles. The control categories are: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information & Communication; and (5) Monitoring. See Table 1.4 below for a summary of the key elements of the COSO 2013 framework.
[Figure: the four ERM phases in sequence: Risk Identification, Risk Prioritisation, Risk Mitigation, Risk Reporting]
Table 1.3—Summary of Risk Mitigation Strategies
Risk Reporting & Monitoring
The last phase is to report on the status of the ERM activities, and to monitor the risk profiles for any significant changes that may require remediation. Now, there are many tools available to facilitate reporting (e.g. Excel, DOMO, a GRC system, etc.); however, it is often best if all ERM activity is tracked and monitored via a centralized business application with robust reporting capabilities. Alternatively, you could use a GRC application and import the data into a separate reporting application.
You and your organization must decide on the frequency of the periodic ERM reporting activities (e.g. monthly, quarterly, annually, etc.). Regardless of the frequency of reporting, the ERM reports must be consistent and tailored to the specific audience. As an illustrative example and best practice, there should be an executive dashboard that is available and distributed to executive management; quarterly and annual updates from the business to the board; and monthly risk roundtables by the various functional areas.
Risk Updates
Finally, on an annual basis, the existing risk profile must be reviewed and evaluated to determine any changes therein. The review should also encompass an evaluation of the lower-rated risks to ensure that their profiles have not changed. Last but not least, an action plan should be developed and implemented to remediate the highest-level risks (e.g. Top 10 Risks, Top 5 Risks & Top 5 Opportunities, etc.).
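The phases above (identification, prioritization by threat risk profile, mitigation strategy selection, control assessment, reporting and the annual update) map naturally onto a small risk register. The following is an added example written for this page, not code from the newsletter or its author: it scores each risk as likelihood times business impact, assigns one of the four classes, records which of the four mitigation strategies applies, flags accepted-and-controlled risks that have no existing control, produces the Top N list an executive dashboard would show, and diffs two review cycles to find risks whose class moved. The risk names, the 1..5 likelihood and impact scales, the class cut-offs and the two sample registers are all constructed assumptions; the newsletter gives no numeric thresholds.

```python
"""Added example: an ERM risk register walking the newsletter's phases.

Identification (a register), prioritisation (likelihood x impact mapped onto
the four-class threat risk profile), mitigation strategy selection, control-gap
checks, reporting (Top N, counts per class) and the annual review.  Scales,
thresholds, risk names and sample data are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class RiskClass(Enum):
    """Four-tier threat risk profile from the newsletter, least to most severe."""
    CLASS_I = "Class I (Green) - Very Low"
    CLASS_II = "Class II (Yellow) - Low"
    CLASS_III = "Class III (Orange) - Moderate"
    CLASS_IV = "Class IV (Red) - Severe"


# The four generally accepted mitigation strategies named in the newsletter.
STRATEGIES = ("Avoid", "Share/Transfer", "Diversify", "Accept & Control")


def classify(score):
    """Map a likelihood x impact score (1..25) onto a class (assumed cut-offs)."""
    if score >= 15:
        return RiskClass.CLASS_IV
    if score >= 8:
        return RiskClass.CLASS_III
    if score >= 4:
        return RiskClass.CLASS_II
    return RiskClass.CLASS_I


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (critical); assumed scale
    strategy: str = "Accept & Control"
    existing_controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.strategy not in STRATEGIES:
            raise ValueError(f"unknown mitigation strategy: {self.strategy}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def score(self):
        # Threat risk profile: likelihood of the threat x business impact.
        return self.likelihood * self.impact

    @property
    def risk_class(self):
        return classify(self.score)


def prioritise(register):
    """Phase 2: order the risk population by magnitude, most severe first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def top_n(register, n=5):
    """Reporting input: the 'Top N Risks' list for an executive dashboard."""
    return [r.name for r in prioritise(register)[:n]]


def profile_counts(register):
    """Number of risks per class, i.e. the data behind a threat risk profile chart."""
    counts = {c: 0 for c in RiskClass}
    for r in register:
        counts[r.risk_class] += 1
    return counts


def control_gaps(register):
    """Accepted-and-controlled risks for which the current-environment assessment
    found no existing control: these are the ones that need control design."""
    return [r.name for r in register
            if r.strategy == "Accept & Control" and not r.existing_controls]


def annual_review(previous, current):
    """Risk update: name -> (old class, new class) for every risk whose class
    moved since the prior review, lower-rated risks included."""
    prev = {r.name: r.risk_class for r in previous}
    return {r.name: (prev[r.name], r.risk_class)
            for r in current if r.name in prev and prev[r.name] != r.risk_class}


# Constructed sample registers for two review cycles (not real data).
REGISTER_2014 = [
    Risk("Trading platform unplanned downtime", 4, 5, "Accept & Control", ["Failover cluster"]),
    Risk("Third-party data centre outage", 3, 5, "Share/Transfer", ["SLA with service credits"]),
    Risk("Phishing leading to credential theft", 4, 3),
    Risk("Single-source supplier failure", 2, 4, "Diversify"),
    Risk("Minor expense-report errors", 2, 1),
]
REGISTER_2015 = [
    Risk("Trading platform unplanned downtime", 4, 5, "Accept & Control", ["Failover cluster"]),
    Risk("Third-party data centre outage", 3, 5, "Share/Transfer", ["SLA with service credits"]),
    Risk("Phishing leading to credential theft", 5, 3, "Accept & Control", ["MFA rollout"]),
    Risk("Single-source supplier failure", 1, 4, "Diversify", ["Second supplier qualified"]),
    Risk("Minor expense-report errors", 2, 1),
]

if __name__ == "__main__":
    print("Top 3 risks:", top_n(REGISTER_2014, 3))
    print("Profile:", {c.name: n for c, n in profile_counts(REGISTER_2014).items()})
    print("Control gaps:", control_gaps(REGISTER_2014))
    for name, (old, new) in annual_review(REGISTER_2014, REGISTER_2015).items():
        print(f"Changed: {name}: {old.name} -> {new.name}")
```

The sort key uses impact as a tie-breaker so that, between two risks with the same score, the one with the larger business impact reports first; the `annual_review` diff deliberately checks every risk, not just the top tier, which is the point the newsletter makes about re-evaluating lower-rated risks.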
Benefits of a Risk Management Program
There are many benefits to developing and implementing a formal ERM program, one of which is an overall improvement in the risk awareness culture of the organization. The mere process of going through the ERM implementation exercise improves the overall risk awareness from the Board of Directors, to executive management, down through the tactical level, and finally to business operations. The most significant benefit, however, would be if members of the organization viewed ERM as something more than a compliance-oriented, “check-the-box” exercise.
Other noteworthy benefits of ERM include:
• Strategic Decision-management Tool—useful to assist members of an organization with executing the overall strategy of the organization, project, etc. while minimizing risks and maximizing opportunities.
• Improvement in Risk Culture—develops or enhances the risk culture within an organization.
• Integrated Risk Management Approach—a key benefit of an ERM program is that, when implemented, managed, and monitored correctly, the organization benefits from having a standardized methodology and approach for remediation, built on:
1. Risk Catalog—the existence of an enterprise-wide Risk Catalog, whereby all organizational risks and the corresponding opportunities are identified, prioritized, tested, remediated, tracked and monitored in a clear and consistent manner, ensures that everyone throughout the organization “speaks the same risk language”.
2. GRC Application—a central repository system to record, track, monitor and report all risks and opportunities, and to record and track the current control activities and management actions (future controls), will enhance the overall operational efficiency and cost effectiveness of the program.
3. Internal Control Framework—the adoption of a uniform internal control framework (e.g. COSO 2013, Basel, etc.) ensures that all control activities are standardized and designed in a cohesive manner.
• Governance, Risk, and Compliance Cost Savings—an ERM program that is centrally managed using a GRC system may result in significant cost savings due to the elimination of redundant risk and compliance efforts from multiple risk and compliance activities and separate evaluations (external audits, internal audits, regulatory reviews, etc.).
[Chart: Threat Risk Profile. Bar chart of number of risks (y-axis, 0 to 18) by Risk Management Class (x-axis: Class I, Class II, Class III, Class IV); bar data labels as extracted: 0, 3, 17, 17.]
Table 1.5—Threat Risk Profile
Table 1.4—Summary of COSO Integrated Framework (2013)