GRC: How to Create an Effective ERM Program
What is Enterprise Risk Management ?
Enterprise Risk Management (ERM) establishes a framework to identify, measure, monitor and manage risk.
ERM is: Designed to identify and assess potential events affecting the entity and manage risk within its risk appetite. Effected by the Board, Management and other personnel. Applied in strategy setting, across the enterprise. Able to provide reasonable assurance regarding the achievement of the entity objectives . Applied across the enterprise, at every level and unit, and includes taking an entitylevel portfolio view of risk.
Why Do We Need ERM? While traditional risk management focused on asset-protection, ERM offers a more holistic approach, integrating all departments and functions into a single program towards managing risk. A comprehensive ERM program will:
Align firm’s risk appetite with business objectives. Identify/manage multiple and cross-enterprise risks. Reduce frequency and severity of operational surprises. Enhance the rigor of risk-response decisions. Build confidence of investment community and stakeholders. Enhance corporate governance. Successfully respond to a changing business environment. Proactively seize on the opportunities presented to the firm. Improve effectiveness of capital deployment.
The COSO ERM Framework
The COSO ERM framework has eight interrelated components, which represents what is needed to achieve the entities objectives. Entity objectives can be viewed in the context of four categories: –
Strategic
–
Operations
–
Reporting
–
Compliance
Embracing ERM The implementation of ERM involves: Retaining the need for risks to be managed and owned at the business function level. A shift in processes and culture of the organization. Strengthened communication, training, and awareness. Building processes to track risks. Building an enterprise-wide analysis of risks for senior executive and Board review.
Creating an Effective ERM Program 1. Conduct
an enterprise risk assessment
◦ Include all stakeholders ◦ Prioritize the risks 2. Articulate
the risk management vision
◦ Identify risk management capabilities – be specific ◦ Have a holistic plan ◦ The plan includes policies, processes, oversight and reporting 3. Pick
one or two key risks and address them
◦ Ensure the proper program is in place for these risks ◦ Test the program ◦ Evaluate the program for success 4. Expand
the program for other risks in order of priority
◦ Components ●
Internal Controls
●
Monitor, Test and Audit
●
Risk Managers
●
Senior Management Control
●
Board oversight independent of management
Common Issues in Creating Effective ERM Program
Inconsistent use of risk definitions and terminologies Lack of risk awareness throughout the organization Inadequate focus on how to identify risk Lack of clarity on responsibilities for risk – ‘who’ Insufficient rigor / consistency in risk evaluation Lack of structure in risk decisions – right people / right data / right time Inability / lack of effective self-assessment
Want to learn more about ERM, and best practices to implement effective ERM program? ComplianceOnline webinars and seminars are a great training resource. Check out the following links: How to conduct a Compliance Gap Analysis for ERM? Establishing Effective Enterprise Risk Management (ERM) for Achieving Good Com COSO ERM Simplified-Implementation for Government and small bus Internal Audit's Role in Enterprise Risk Management Essentials of ERM and Assessing its Effectiveness Using ISO 31000 Integrating Ethics and Compliance Risks into your Enterprise Risk Man