This new publication includes invaluable guidance for anyone responsible for or advising on an enterprise risk management process (ERM), whether the process is in its early stages or is already well established. This resource will help you ensure the ERM process is well designed, well executed, and ultimately successful.
Global, economic, and regulatory conditions as well as everyday internal risks can affect business operations, so it s important to have a process in place that identifies these events and manages risks. This guide leverages the concepts of existing frameworks as a foundation for providing illustrative examples, best practices, and guidance for implementing or assessing an enterprise risk management process.
Table of Contents
Recognition iii1 Overview of the Enterprise Risk Management Guide 1
I. Introduction 1
II. Who Should Use this Guide 1
III. Conceptual Basis 2
2 ERM Concepts and Components 3
I. What does ERM Encompass? 3
Events, Opportunities and Risks 3
The Importance of Taking an Enterprise View 3
Risk Appetite, Risk Tolerance, and Risk Attitude 4
II. Components of Enterprise Risk Management 4
1.0 Internal Environment 5
2.0 Objective Setting 5
3.0 Event Identification 6
4.0 Risk Assessment 8
5.0 Risk Response 11
6.0 Control Activities 12
7.0 Information and Communication 13
8.0 Monitoring 13
III. ERM Roles and Responsibilities 14
Entity Roles 14
Board or Equivalent Roles 14
Entity Management 14
Internal Auditors 15
The Role of External Parties in the ERM Process 15
3 ERM Program Development 17
I. Mobilize 17
Establishing Appropriate Sponsorship 18
Project Governance 18
Planning and Launch 18
Timeline 19
II. Current State Analysis 19
Current State Considerations 19
Gather Documentation 20
Timeline 20
III. Future State Operating Model Design 20
Peer and Industry Analysis . 21
Develop a Target ERM Operating Model and Framework 21
Develop the ERM Risk Appetite and Risk Tolerances 21
Link Current ERM Activities to the ERM Program Plan 23
Documenting ERM Policies 23
ERM Program Scalability and Related Considerations 23
3 ERM Program Development continued ERM Program Technology Considerations 23
Timeline 24
IV. Gap Analysis 24
Preliminary Observations 24
Recommendations 24
Timeline 24
V. Implementation 25
Develop Implementation Roadmap 25
Project Planning 25
Communication and Training 25
Design Program Performance Metrics 26
Changes to the Implementation Plan 26
Timeline 27
4 ERM Program Maturity Monitoring and Evaluation 29
I. ERM Program Evaluation 29
Approach to an ERM Program Evaluation 30
II. Keeping Up with Change 30
III. Understanding Continuous Improvement 31
IV. Commitment to Continuous Improvement 32
Glossary of Terms 33
Appendix Page
A COSO and ISO 31000 Framework Mapping 35
B Example ERM Program Maturity Self–Assessment 45
C References 53