This publication includes invaluable guidance for anyone responsible for or advising on an enterprise risk management (ERM) process, whether the process is in its early stages or is already well established. This resource will help ensure the ERM process is well designed, well executed, and ultimately successful. Global, economic, and regulatory conditions, as well as everyday internal risks, can affect business operations, so it is important to have a process in place that identifies these events and manages the resulting risks. This guide leverages the concepts of existing frameworks as a foundation for providing illustrative examples, best practices, and guidance for implementing or assessing an enterprise risk management process.
Table of Contents
1 Overview of the Enterprise Risk Management Publication 1
I. Introduction 1
II. Who Should Use This Publication 2
III. Conceptual Basis for This Publication 2
2 ERM Benefits, Concepts, and Components 3
I. Benefits of a Successful ERM Program 3
II. ERM Concepts 4
Definition of ERM 4
Risks and Opportunities 4
Risk in Strategy and Objective-Setting 4
The Importance of Taking an Enterprise or Portfolio View of Risk 5
Risk Appetite, Risk Tolerance, and Risk Profile 5
Risk Inventory 6
Emerging Risks 6
Integration and Embeddedness 6
III. Components of an ERM Program 6
1.0 Governance and Culture 7
2.0 Strategy and Objective Setting 8
3.0 Performance 9
4.0 Review and Revision 13
5.0 Information, Communication, and Reporting 13
3 ERM Roles and Responsibilities 15
I. Organization Roles 15
Board or Equivalent Roles 15
Organization Management 16
Internal Auditors 16
II. The Role of External Parties in the ERM Process 17
4 ERM Program Development 19
I. Mobilize 19
Establishing Appropriate Sponsorship and Resourcing 20
ERM Sponsorship 20
Commitment of Resources 20
Establishing Roles and Responsibilities 21
Program Governance 21
Planning and Launch for an Initial Program Development Phase 21
Timeline 21
II. Current State Analysis 22
Current State Considerations 22
Creating an Initial Inventory of Activities and Outcomes and Gathering Documentation 23
Timeline 24
III. Future State Operating Model Design 24
Peer and Industry Analysis 24
Developing a Target ERM Operating Model and Framework 25
Developing the ERM Risk Appetite and Risk Tolerances 25
Linking Current ERM Activities to the ERM Program Plan 27
Documenting ERM Policies 27
ERM Program Scalability and Related Considerations 27
ERM Program Technology Considerations 27
Timeline 28
IV. Gap Analysis 28
Preliminary Observations 28
Recommendations 29
Timeline 29
V. Implementation and Reporting 29
Developing Implementation Roadmap and Project Plan 30
Designing Program Performance Measures and Reporting 30
Communication and Training 30
Changes to the Implementation Plan 30
Timeline 31
5 ERM Program Evaluation and Continuous Improvement 33
I. ERM Program Evaluation 33
Approach to an ERM Program Evaluation 33
II. Continuous Improvement 34
Approach to Continuous Improvement 34
Commitment to Continuous Improvement 36
Glossary of Terms 37
Appendix A - COSO and ISO 31000 Framework Mapping 39
Appendix B - Example ERM Program Maturity Self-Assessment 45
Appendix C - References 51