Embracing Enterprise Risk Management: Practical - Coso

More documents

Recommendations

Info

8 | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | Thought Leadership in ERM As the organization considers next steps, it should also evaluate the need for further developing and broadening the organization’s risk culture and practices. Here is a working list of activities to consider that will strengthen an organization’s risk culture and practices: • A program of continuing ERM education for directors and executives • ERM education and training for business-unit management • Policies and action plans to embed ERM processes into the organization’s functional units such as procurement, IT, or supply chain units • Continuing communications across the organization on risk and risk management processes and expectations • Development and communication of a risk management philosophy for the organization • Identification of targeted benefits to be achieved by the next step of ERM deployment • Development of board and corporate policies and practices for ERM Summary Boards of directors and senior management need to challenge critically their organization’s risk management practices and take the opportunity to enhance their processes and improve their ability to meet their organizations’ objectives. The concepts, techniques, and tools outlined in this thought paper, coupled with COSO’s Enterprise Risk Management - Integrated Framework and other COSO thought papers, are intended to provide a strong foundation and effective starting point for pursuit of ERM benefits. Collectively, these resources provide a robust source of information and knowledge of ERM practices and processes. The ideas and recommendations presented in this paper are neither intended to be, nor are they, the only way to enter the ERM arena. Ultimately, every organization must develop its own approach to ERM, one that best suits its particular culture and circumstances. w w w . c o s o . o r g • Further discussion and articulation of a risk appetite for the organization and /or significant business units, including quantification • Establishment of clear linkage between strategic planning and risk management • Integration of risk management processes into an organization’s annual planning and budgeting processes • Expansion of the risk assessment process to include assessments of both inherent and residual levels of risk • Exploration of the need for a dedicated Chief Risk Officer or ERM functional unit The specific next steps to be taken should be implemented by continuing the incremental approach, taking small, tangible steps rather than attempting to implement the complete ERM framework. The primary objective is to keep the momentum moving and to continue to evolve, expand and deepen the organization’s ERM capabilities. Above all, keep in mind the benefits of taking small, incremental steps on the path toward full ERM rather than attempting to implement the complete ERM framework all at once. The goal is to keep the momentum for ERM that will continue to expand and deepen the organization’s ERM capabilities on a continual basis.
Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | 9 Appendix A – COSO’s Enterprise Risk Management – integrated Framework ERM - Integrated Framework Components of Enterprise Risk Management – Enterprise risk management consists of eight interrelated components. These components are derived from the way management runs a business and are integrated with the management process. For more detailed information on enterprise risk management, the COSO Enterprise Risk Management - Integrated Framework, and related practices and activities, see the following COSO publications, available through the COSO website at COSO.org/guidance. • Enterprise Risk Management - Integrated Framework • Effective Enterprise Risk Oversight: The Role of the Board of Directors • Strengthening Enterprise Risk Management for Strategic Advantage Appendix b – Where to Start: Draft Action Plan for an ERM initiative Outlined below is an initial high-level draft of an action plan for ERM. This draft plan highlights key events and actions that organizations should consider in starting an ERM initiative. The draft is not intended to be viewed as a complete plan; furthermore, it requires careful tailoring and expansion prior to use. However, we believe it reflects useful information and is a practical draft plan as a basis to start. 1. Seek Board and Senior Management Involvement and Oversight a. Set an agenda item for the board and executive management to discuss ERM and its benefits b. Agree on high-level objectives and expectations regarding risk management c. Understand the process to communicate and set the tone and expectations of ERM for the organization d. Agree on a high-level approach, resources and target dates for the initial ERM effort 2. Identify and position a leader to drive the ERM Initiative a. Identify a person with the right attributes to serve as the risk management leader i. Does not have to be a CRO (Chief Risk Officer) ii. Use existing resources b. Set objectives and expectations for the leader c. Allocate appropriate resources to enable success Strategic Operations Reporting Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring Compliance 3. Establish a Management Working Group a. Establish a management working group to support the risk leader and drive the effort across the organization b. Have the right, key people in the group i. Sufficient stature ii. “C-suite” representation iii. Business unit management c. Look at using cross-functional teams d. Agree on objectives for the working group i. Build ERM using incremental steps ii. Define some sought-after benefit to evaluate each step iii. Establish reporting process for management and the board 4. Conduct an Initial Enterprise-wide Risk Assessment and Action Plan a. Focus on identifying the organization’s most significant risks b. Look for risks at the strategic level c. Consider risk factors beyond just probability and impact, e.g. i. Velocity of risk ii. Preparedness iii. Other factors d. For the most significant risks; i. Assess exposure to the risk ii. Assess adequacy of existing risk mitigation or monitoring iii. Identify opportunities to enhance mitigation or monitoring activities Subsidiary Business Unit Division Entity-Level w w w . c o s o . o r g
Page 1 and 2: C o m m i t t e e o f S p o n s o r
Page 3 and 4: T h o u g h t L e a d e r s h i p i
Page 5 and 6: Thought Leadership in ERM | Embraci
Page 7 and 8: i. keys to Success Thought Leadersh
Page 13: Example Strategic Risk Profile Thou
Page 19 and 20: T h o u g h t L e a d e r s h i p i

Embracing Enterprise Risk Management: Practical - Coso

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?