Establishing an enterprise risk management framework will give your organization a structure for your risk management efforts, delivering greater consistency and reliability. It enables you to get a clear picture of the risks you face.
But what is an ERM framework? With a number of enterprise risk management frameworks available, knowing which to choose can be a challenge. How do you determine the best ERM framework? And once you’ve made your assessment, how do you implement your chosen framework?
Defining an Enterprise Risk Management Framework
Before we look at enterprise risk management (ERM) frameworks, we need to define ERM.
What Is Enterprise Risk Management?
What is enterprise risk management? It is a term used to describe how organizations identify and manage their risks. Investopedia defines it as “a methodology that looks at risk management strategically from the perspective of the entire firm or organization.”
It is proactive and forward-looking, rather than reviewing risks that have already happened, as traditional risk management tends to do. Unlike traditional risk management, ERM also looks at the “opportunity” certain risks present rather than focusing on total risk avoidance.
You can read more about enterprise risk management and how it differs from traditional risk management in our article on ERM vs. TRM.
Enterprise risk management has many recognized benefits. You can read more detail on the benefits of ERM in our article on the subject.
What Is an Enterprise Risk Management Framework?
As ERM comes to the fore, and as regulators and ratings agencies consider risk management more closely when evaluating companies, organizations look at ways to standardize and improve their risk management approach.
An enterprise risk management framework puts rigor around your ERM programs, helping you move towards performance-enhancing ERM. It provides structure, consistency and the assurance that you have covered all the issues needed.
An ERM Framework can help leadership understand, prioritize and act on key risks. It can help those on the ground implement risk-management programs in line with regulatory, organizational and best practice guidelines. It can help to drive a consistent risk-management culture, where the chance of risks “slipping through the cracks” is minimized.
Watch this episode of Inside America's Boardrooms as Catherine Hall, Director with PwC's Governance Insights Center, frames the ERM landscape and offers guidance for boards navigating this ever-evolving space.
How To Develop an Enterprise Risk Management Framework
What are the components of an ERM framework? There are a few steps to building an enterprise risk management framework.
1. Set Up a Senior-Level Steering Committee
It’s vital to have senior leadership on board to drive the development of your ERM framework forward. As well as signaling the importance of the project to the rest of the workforce, your committee will play a key role in determining accountabilities and roles within the ERM framework.
2. Ensure Everyone Has a Shared Understanding of Risk
As with all big topics, understanding and terminology around risk can vary widely within a business. Establishing common terms and a consistent frame of reference is an essential early step.
3. Set Out Roles and Responsibilities
Who will take responsibility for what in your enterprise risk management strategy? There are roles not just for your board and senior leaders; management, business unit leaders and people throughout each function all have a part to play, and their roles must be clearly set out.
ERM is far from being the preserve only of your compliance, risk and internal audit teams — but their expertise will mean they have central roles in the process.
4. Identify Your Risks
Your business units need to work with your risk management team to build a comprehensive list of your organizational risks. Review your risks, including their severity and likelihood, the internal controls that manage them and your approach to mitigating them.
5. Document Your Risks and Your Risk Appetite
Once you’ve identified the organization’s risks, ensure every business area captures them in a formal statement. And ensure that this documents not just your risks, but your approach to dealing with them. Which risks must be avoided at all costs, and which risks can be tolerated? Are there risks you should actively take, as the potential opportunity outweighs the threat?
6. Prioritize All Your Risks
Prioritize the risks you face and put mitigation plans in place for those you cannot avoid.
7. Establish an ERM Methodology
This means putting in place consistent and agreed definitions of key terms (does everyone understand the same thing by the word “risk,” for example?), roles and processes to identify, review, measure and report the risks you face.
Many established ERM frameworks exist (and we look in more detail at these below). Explore whether you can draw on, adopt or adapt an existing framework.
8. Monitor and Report on the Risks You Face
ERM — and implementing an ERM framework — isn’t a “once and done” exercise. It involves continuous monitoring of the risks you face; these will change regularly in today’s volatile world. Therefore, your ERM framework needs to be agile, adaptable and reviewed periodically to make sure it still aligns with the threats your business faces.
Examples: Leading Enterprise Risk Management Frameworks
Against the potential benefits of developing a customized ERM framework, organizations need to weigh up the positives of using a tried-and-tested framework. Using an existing framework enables you to draw on the experience of others, so it’s worth exploring some current examples of enterprise risk management frameworks.
What is the best enterprise risk management framework? A number of ERM frameworks exist, including:
The Casualty Actuarial Society (CAS) ERM Framework
Along with the Society of Actuaries (SOA) and Canadian Institute of Actuaries (CIA), the Casualty Actuarial Society (CAS) sponsors a risk management website. The site includes resources companies can access on ERM, including an ERM framework.
The COSO ERM Integrated Framework
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) ERM framework is titled Enterprise Risk Management—Integrating with Strategy and Performance. The COSO enterprise risk management framework incorporates guidelines from the Sarbanes-Oxley Act (SOX), and as such the purpose of the COSO enterprise risk management framework is closely aligned to the needs of businesses that need to comply with SOX; financial institutions, banks and other large corporations in scope of SOX regulation.
The ISO 31000 ERM Framework
The ISO 31000:2018 Risk Management framework is an international standard built by the International Organization for Standardization (ISO). It is a cyclical framework that delivers risk management guidelines and principles.
The framework is reviewed every five years to keep pace with changes in the risk landscape. The organization can customize it using it, making it relevant across sectors and company sizes.
The NIST ERM Framework
The National Institute of Standards and Technology (NIST) framework focuses on cybersecurity, aimed at organizations doing business with U.S. government agencies.
The COBIT ERM Framework
The COBIT ERM Framework was designed by the Information Systems Audit and Control Association (ISACA) to join the dots between technical and strategic risks, recognizing that technology risks now pervade all areas of organizations and are not confined to the IT department.
The RIMS Risk Maturity Model® ERM Framework
The Risk Management Society’s RIMS Risk Maturity Model® provides standardized criteria by which organizations can benchmark risk management strategies, assess the maturity of their risk mitigation programs and identify strengths, weaknesses and next steps.
Frequency of Enterprise Risk Management Framework Review
How often is the enterprise risk management framework reviewed? As we noted above, the environment in which you carry out risk management is constantly evolving. In a volatile world, you need to revisit your approach to risk regularly to ensure it positions you firmly to counter emerging threats.
The same is true of your enterprise risk management framework. As noted above, some of the ERM framework examples are reviewed on a set timeframe. Whether you adopt or draw from existing frameworks or create your own bespoke ERM framework, regular reviews of your framework’s process, structure and steps are essential.
Implementing Better Enterprise Risk Management
A structured ERM framework will help to standardize and strengthen your enterprise risk management approach. We hope this article has given you insight into some of the frameworks available and the benefits of putting in place an enterprise-wide risk management framework.
Enterprise Risk Management from Diligent can help manage the risk that impacts your strategic objectives. Partner with Diligent to build an enterprise risk management framework that accelerates your risk management performance.