
Risk Management Standard Frameworks

Enterprise Risk Management

Enterprise Risk Management (ERM) is the continuous, coordinated process an organization uses to identify, quantify, manage, and monitor corporate risks within a single unified framework. ERM is a structured approach that provides a methodology for consistently considering the uncertainty surrounding the organization's ability to meet its strategic and operational objectives. Because the approach is integrated, staff in every department are responsible for identifying and mitigating organizational risks, which in effect makes all staff at the company aware of risk management and alert to risks in their day-to-day work.

An ERM department is advised to adopt, implement, and follow an existing industry framework from a recognized standards body rather than designing its own.

Electricity Canada completed a benchmarking survey of Canadian utility ERM departments in 2021 and found that 41% were following COSO, 41% were following ISO 31000, and the remaining 18% applied a different framework.

Risk Management Standard Frameworks

ERM frameworks analyse each risk in terms of its likelihood and its impact, and use that assessment as the basis for deciding how the risk should be managed.

Two of the more widely adopted industry frameworks include:

• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management – Integrated Framework

• International Organization for Standardization (ISO) 31000

COSO defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives”, and enterprise risk management as a “process effected by an entity’s Board of Directors, management and other personnel, applied in strategy and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” 1

ISO defines risk as the “effect of uncertainty on objectives”, and risk management as “the coordinated activities to direct and control an organization with regard to risk”. 2

Both frameworks centre on the potential effect of events on objectives and on how those effects are managed; together, these are considered the founding principles of a good enterprise risk management system.
