
A structured approach to

Enterprise Risk Management (ERM)
and the requirements of ISO 31000

Executive summary



Part 1: Risk, risk management and ISO 31000

1 Nature and impact of risk

2 Principles of risk management

3 Review of ISO 31000

4 Achieving the benefits of ERM

Part 2: Enterprise risk management

5 Planning and designing

6 Implementing and benchmarking

7 Measuring and monitoring

8 Learning and reporting


A Risk management checklist

B Implementation summary

List of figures

1 Risk architecture, strategy and protocols

2 Framework for managing risk (based on ISO 31000)

3 Risk management process (based on ISO 31000)

4 Risk architecture of a large PLC

5 Drivers of risk management

List of tables

1 Detailed risk description

2 Contents of risk management policy

3 Risk management responsibilities

4 Risk assessment techniques

© AIRMIC, Alarm, IRM: 2010

Executive summary

Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the 'upside of risk'.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard ISO 31000 'Risk management – Principles and guidelines'. This guide draws together these developments to provide a structured approach to implementing enterprise risk management (ERM).

Intended benefits of risk management

For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organisation.

Purpose of this guide

A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.

This guide provides a brief commentary on ISO 31000 as well as setting out advice on the implementation of an ERM initiative. The purpose of the guide is to:

• describe the principles and processes of risk management
• provide a brief overview of the requirements of ISO 31000
• give practical guidance on designing a suitable framework
• give practical advice on implementing enterprise risk management

Introduction

This guide is the result of work by a team drawn from the main risk management organisations in the UK – the Association of Insurance and Risk Managers (AIRMIC), the public sector risk management association (Alarm) and the Institute of Risk Management (IRM). The guide is intended for use in implementing risk management on an enterprise-wide basis that is compatible with both COSO ERM and ISO 31000.

There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. This guide provides a structured approach to answer these questions. Importantly, the guide places more emphasis on ISO 31000 because it is an international standard and many organisations have international operations. This guide includes a brief commentary on ISO 31000, as well as providing further information on the successful implementation of risk management.

Throughout the guide, the word Board is used to signify the decision-making body within an organisation. In the public sector, this body may be referred to as the Council, Executive or Authority. Also, this guide recognises that risk has both an upside and downside.

Appendix A provides a checklist of actions that should be completed in order to fully satisfy risk management requirements.

Risk management principles

Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organisation and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organisation (as related to the size, nature and complexity of the organisation), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision-making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable.

COSO ERM framework and ISO 31000

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an Enterprise Risk Management (ERM) standard in 2004. It has gained considerable influence because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States. The COSO ERM cube is well known to risk management practitioners and it provides a framework for undertaking ERM.

International Organisation for Standardisation (ISO) standard 31000 was published in 2009 and seeks to be applicable to all types of organisations. At the same time as publishing ISO 31000, ISO also produced Guide 73 'Risk management – Vocabulary – Guidelines for use in standards'. ISO 31000 was published in 2009 as an internationally agreed standard for the implementation of risk management.

Acknowledgements

Permission to reproduce extracts from ISO 31000 'Risk management – Code of practice' is granted by the BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001, e-mail: cservices@bsigroup.com

Figure 1, Figure 4, Table 2, Table 3 and Table 4 are reproduced with kind permission of Kogan Page Limited from "Fundamentals of Risk Management" (2010) ISBN 978 0 7494 5942 0 www.koganpage.com

Part 1: Risk, risk management and ISO 31000

Part 1 provides an overview of risk and risk management with particular reference to ISO 31000. The terminology used to describe the steps in the risk management process is not consistent and this part reflects on these difficulties. A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance are presented by way of a checklist in Appendix A.

1. Nature and impact of risk

Definition of risk

There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the "effect of uncertainty on objectives". In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.

For example, consider the infrastructure of an organisation and the implementation of a new IT system. The choice of hardware and software are strategic decisions. If these choices are incorrect, the consequences will not be obvious for some time. The associated risks are strategic risks and these risks will be taken with the intention of achieving benefits. Correct strategic decisions deliver benefits that result in achievement of the upside of risk.

The project to install the new hardware and software will be a change initiative that represents the tactics by which strategy will be implemented. Risks within the project need to be managed, so that the project is delivered on time, within budget and to specification. Again, it is possible to achieve an upside in the execution of the project, whereby the project is delivered early and below budget.

Once the new hardware and software has been installed, the system will be vulnerable to operational risks, including computer breakdown, loss of data, virus attacks and operator errors. These operational risks may be very significant, and correct procedures will need to be designed and implemented to minimise potential disruption. It is also possible that the IT hardware and software will deliver greater benefits than anticipated.

Recording risk assessments

Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process. Table 1 shows the range of information that may need to be recorded. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system.

Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences. By considering the likelihood and consequences of each risk, it will be possible to prioritise or rank the key risks for further analysis. Evaluation of risks in this way may be enhanced by the use of a risk classification system.

The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks.

For example, many organisations find that assessing likelihood and consequences as high, medium or low, with the results presented on a 3 x 3 risk matrix, is adequate. Other organisations find that more options are necessary and a 4 x 4 or 5 x 5 risk matrix is required.

Risk classification systems

An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable. Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations.

Table 1: Detailed risk description

1 Name or title of risk
  • Unique identifier or risk index
2 Scope of risk
  • Scope of risk and details of possible events, including description of the events, their size, type and number
3 Nature of risk
  • Classification of risk, timescale of potential impact and description as hazard, opportunity or uncertainty
4 Stakeholders
  • Stakeholders, both internal and external, and their expectations
5 Risk evaluation
  • Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level
6 Loss experience
  • Previous incidents and prior loss experience of events related to the risk
7 Risk tolerance, appetite or attitude
  • Loss potential and anticipated financial impact of the risk
  • Target for control of risk and desired level of performance
  • Risk attitude, appetite, tolerance or limits for the risk
8 Risk response, treatment and controls
  • Existing control mechanisms and activities
  • Level of confidence in existing controls
  • Procedures for monitoring and review of risk performance
9 Potential for risk improvement
  • Potential for cost-effective risk improvement or modification
  • Recommendations and deadlines for implementation
  • Responsibility for implementing any improvements
10 Strategy and policy developments
  • Responsibility for developing strategy related to the risk
  • Responsibility for auditing compliance with controls

2: Principles of risk management

Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.

Risk management should be a continuous process that supports the development and implementation of the strategy of an organisation. It should methodically address all the risks associated with all of the activities of the organisation. In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.

It is often argued that, for health and safety risks, the consequences can only be negative and the management of safety risk should focus on prevention and mitigation of harm. However, setting good standards of health and safety may be part of winning contracts and this demonstrates that there is an upside to safety risk management. This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public, as well as for outsourced service providers.

Risk aware culture

Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols. Risk management must be integrated into the culture of the organisation and this will include mandate, leadership and commitment from the Board. It must translate risk strategy into tactical and operational objectives, and assign risk management responsibilities throughout the organisation. It should support accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

In order to successfully implement, support and sustain the risk management process, a structure is required. Figure 1 illustrates a suitable structure in terms of the risk architecture, strategy and protocols, and briefly describes the key features of each element. ISO 31000 refers to this structure as the risk management context. This structure is designed to give context to risk management activities and support the risk management process. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

Context for risk management

There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO 31000 does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.

Risk management process

The risk management process can be presented as a list of co-ordinated activities. There are alternative descriptions of this process, but the components listed below are usually present. This list represents the 7Rs and 4Ts of (hazard) risk management:

• recognition or identification of risks
• ranking or evaluation of risks
• responding to significant risks
  • tolerate
  • treat
  • transfer
  • terminate
• resourcing controls
• reaction planning
• reporting and monitoring risk performance
• reviewing the risk management framework

Figure 1: Risk architecture, strategy and protocols

Risk architecture
  • Risk architecture specifies the roles, responsibilities, communication and risk reporting structure

Risk strategy
  • Risk strategy, appetite, attitudes and philosophy are defined in the Risk Management Policy

Risk protocols
  • Risk protocols are presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used

(Centre of the figure: Risk management process)

The risk architecture, strategy and protocols shown in Figure 1 represent the internal arrangements for communicating on risk issues. It also sets out the roles and responsibilities of the individuals and committees that support the risk management process. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.

Recognition and ranking of risks together form the risk assessment activity. The scope of risk responses available for hazard risks includes the options of tolerate, treat, transfer or terminate the risk or the activity that gives rise to the risk. For many risks, these responses may be applied in combination. For opportunity risks, the range of available options includes exploiting the risk. ISO 31000 uses the phrase 'risk treatment' to include all of the 4Ts included under the heading 'risk response'. Reaction planning includes business continuity planning and disaster recovery planning.

3: Review of ISO 31000

Framework for managing risk

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation.

ISO 31000 describes the components of a risk management implementation framework. Figure 2 provides a simplified version of this implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is 'mandate and commitment' by the Board and this is followed by:

• design of framework
• implement risk management
• monitor and review framework
• improve framework

4: Achieving the benefits of ERM

Figure 3 provides a simplified version of the risk management process from ISO 31000 using the terminology of Guide 73. The key stages in the process are represented as risk assessment and risk treatment. Figure 3 also indicates that the risk management process takes place within the risk management context of the organisation.

Figure 2: Framework for managing risk (based on ISO 31000)

Mandate and commitment
Design of framework
  • Organisation and its context
  • Risk management policy
  • Embedding risk management
Implement risk management
  • Implement framework
  • Implement RM process
Monitor and review framework
Improve framework

Risk assessment

Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

The risk analysis activity assists the effective and efficient operation of the organisation by identifying those risks that require attention by management. This will facilitate the ability to prioritise risk control actions in terms of their potential to benefit the organisation. The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the relative importance of each identified risk. This process allows the risks to be mapped to the business area affected, describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reapportioned.

Risk treatment

Risk treatment is presented in ISO 31000 as the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes as its major element, risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls that achieves compliance. An organisation may decide that there is also a need to improve the control environment.

One method of obtaining financial protection against the impact of risks is through risk financing, including insurance. However, it should be recognised that some losses or elements of a loss may be uninsurable, such as uninsured costs and damage to employee morale and the reputation of the organisation. The range of available risk response treatments include tolerate, treat, transfer and terminate.

Feedback mechanisms

ISO 31000 recognises the importance of feedback by way of two mechanisms. These are monitoring and review of performance, and communication and consultation. Monitoring and review ensures that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.

Reporting and disclosure are only very briefly mentioned in ISO 31000 and they are not included in the process shown in Figure 3. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.

Figure 3: Risk management process (based on ISO 31000)

Establish context
Risk assessment
  • Risk identification
  • Risk analysis
  • Risk evaluation
Risk treatment

Parallel feedback activities shown alongside the process: Communication and consultation; Monitoring and review

Part 2: Enterprise risk management

Part 2 provides an overview of the steps involved in the implementation of an enterprise risk management (ERM) initiative. A brief description of the steps involved in the implementation of an ERM initiative is provided in Appendix B. The terminology used in this part is based on the 7Rs and 4Ts of (hazard) risk management.

5: Planning and designing

Board mandate and commitment

Mandate and commitment from the Board is critically important and it needs to be continuous and high-profile. Unless this mandate and commitment are forthcoming, the risk management initiative will be unsuccessful. Keeping the risk management policy up to date demonstrates that risk management is a dynamic activity fully supported by the Board. Many organisations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach is in line with current best practice. It also gives the organisation the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks.

There are a number of factors that should be considered when designing and planning an ERM initiative. Details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organisation. Table 2 provides information on the contents of a typical risk management policy. The policy should also describe the risk architecture of the organisation. Figure 4 illustrates a typical risk architecture of a large listed company.

Table 2: Contents of risk management policy

A risk management policy should include the following sections:

• Risk management and internal control objectives (governance)
• Statement of the attitude of the organisation to risk (risk strategy)
• Description of the risk aware culture or control environment
• Level and nature of risk that is acceptable (risk appetite)
• Risk management organisation and arrangements (risk architecture)
• Details of procedures for risk recognition and ranking (risk assessment)
• List of documentation for analysing and reporting risk (risk protocols)
• Risk mitigation requirements and control mechanisms (risk response)
• Allocation of risk management roles and responsibilities
• Risk management training topics and priorities
• Criteria for monitoring and benchmarking of risks
• Allocation of appropriate resources to risk management
• Risk activities and risk priorities for the coming year

Scope of the initiative

In order to be successful, the ERM initiative needs to be comprehensive. However, introducing enhanced standards of risk management is a progressive process that cannot be achieved instantaneously. Therefore, it is necessary for an organisation to decide the scope of the ERM initiative as it develops. The scope of the initiative will be defined by the range of benefits the organisation is seeking to achieve and this will be influenced by the expectations of the various stakeholders in the organisation.

Figure 4: Risk architecture of a large PLC

The Board
  • Overall responsibility for risk management
  • Ensure risk management is embedded into all processes and activities
  • Review group risk profile
  • Oversee RM structures and processes

Audit Committee
  • Receive routine reports from GRMC
  • Set annual audit programme and priorities
  • Monitor progress with audit recommendations
  • Provide risk assurance to the Board

Group Risk Management Committee (GRMC)
  • Formulate strategy and policy based on risk appetite, risk attitudes and risk exposures
  • Receive reports from business units, review risk management activities and compile the group risk register
  • Receive reports from business units and make reports and recommendations to the Board
  • Track RM activity in the business units and keep the risk management context under review

Disclosures Committee
  • Review and evaluate disclosure controls and procedures
  • Consider materiality of information disclosed to external parties

Business units
  • Produce specific policy statements, as necessary
  • Prepare and update the business unit risk register
  • Set risk priorities for business unit
  • Monitor projects and risk improvements
  • Prepare reports for GRMC
  • Manage control risk self-certification activities

Arrow labels between the Board and the business units: Direct and monitor; Reports for evaluation

Risk management framework

Depending on the nature of the organisation, the risk management function may range from a part-time risk manager, to a single risk champion, to a full-scale risk management department. The role of the internal audit function will also differ from one organisation to another. In determining the most appropriate role for internal audit, the organisation needs to ensure that the independence and objectivity of internal audit are not compromised.

The range of risk management responsibilities that need to be allocated in the policy will be broad and extensive. Table 3 sets out examples of the risk management responsibilities that may be allocated in a typical large organisation. The Board has responsibility for determining the strategic direction of the organisation and creating the context for risk management. There need to be arrangements in place to achieve continuous improvement in performance and this responsibility is likely to be allocated to the risk manager.

Table 3: Risk management responsibilities

1. RM responsibilities for the CEO / Board:
  • Determine strategic approach to risk and set risk appetite
  • Establish the structure for risk management
  • Understand the most significant risks
  • Manage the organisation in a crisis

2. RM responsibilities for the business unit manager:
  • Build risk aware culture within the unit
  • Agree risk management performance targets
  • Ensure implementation of risk improvement recommendations
  • Identify and report changed circumstances / risks

3. RM responsibilities for individual employees:
  • Understand, accept and implement RM processes
  • Report inefficient, unnecessary or unworkable controls
  • Report loss events and near miss incidents
  • Co-operate with management on incident investigations

4. RM responsibilities for the risk manager:
  • Develop the risk management policy and keep it up to date
  • Document the internal risk policies and structures
  • Co-ordinate the risk management (and internal control) activities
  • Compile risk information and prepare reports for the Board

5. RM responsibilities for specialist risk management functions:
  • Assist the company in establishing specialist risk policies
  • Develop specialist contingency and recovery plans
  • Keep up to date with developments in the specialist area
  • Support investigations of incidents and near misses

6. RM responsibilities for internal audit manager:
  • Develop a risk-based internal audit programme
  • Audit the risk processes across the organisation
  • Receive and provide assurance on the management of risk
  • Report on the efficiency and effectiveness of internal controls

6: Implementing and benchmarking

Establish risk assessment procedures

Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. Likewise, risk assessments are also required in relation to routine operations. In order to achieve a comprehensive risk management approach, an organisation needs to undertake suitable and sufficient risk assessments. A range of the most common risk assessment techniques is set out in Table 4.

Other considerations relevant to undertaking risk assessments include decisions on how the risk assessments will be recorded. It is at this stage of the risk management process that an organisation will decide the level of detail that will be recorded about each risk in the risk description. Another important part of the risk assessment procedures will be the identification of the risk classification system to be used by the organisation.

Undertake risk assessments

Risk assessment is a fundamentally important part of the risk management process. An organisation should develop benchmarks to determine the significance (or materiality) of the identified risks. The nature of these benchmark tests will depend on the type of risk. For financial risks, a sum of money can be used as the benchmark test of significance. For risks that can cause disruption to operations, the length of disruption may be a suitable test. Reputational risks can be benchmarked in terms of the likely impact of the event on share price, the profile that the report of the event would receive, or the impact on the political and financial support received from key stakeholders.

One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board. Finally, risk assessment of all proposed projects should be undertaken and further risk assessments should be undertaken throughout the project.

Table 4: Risk assessment techniques

Technique: Brief description

• Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks
• Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies
• Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures
• Flowcharts and dependency analysis: Analysis of processes and operations within the organisation to identify critical components that are key to success
• HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes Effects Analysis are quantitative technical failure analysis techniques
• SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition

Having identified suitable risk assessment procedures and decided the benchmark test of risk significance for different classes of risks, it will then be possible to identify the appetite or attitude to that type of risk, together with the capacity of the organisation to withstand that risk. Finally, the organisation can determine the overall exposure to the particular type of risk under consideration.

Internal and external factors can give rise to risks. Figure 5 is based on the FIRM Risk Scorecard risk classification system and it provides examples of internal and external key risk drivers. Some risk classification systems have strategic risk as a separate category. However, the FIRM Risk Scorecard approach suggests that strategic (as well as tactical and operational) risks should be identified under all four headings.

Figure 5: Drivers of risk management. The figure is a four-quadrant diagram headed Financial risks, Infrastructure risks, Marketplace risks and Reputational risks, listing internal and external key risk drivers: accounting standards, communications, interest rates, transport links, foreign exchange, supply chain, funds and credit, terrorism, natural disasters, pandemic, internal control, fraud, recruitment, historical liabilities, people skills, investments, health and safety, capex decisions, premises, liquidity and cashflow, IT systems, M&A activity, brand extensions, R&D activities, board composition, intellectual property, control environment, contracts, economic environment, product recall, technology developments, CSR, competition, public perception, customer demand, regulator enforcement, regulatory requirements, competitor behaviour.

Risk appetite and tolerances

It is important that the Board sets rules for risk taking in respect of all types of risk. At Board level, risk appetite is a driver of strategic risk decisions. At executive level, risk appetite translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At operational level, risk appetite dictates operational constraints for routine activities.

Despite its importance, it is surprising that the concept of risk appetite is not mentioned in ISO 31000, although it is included in most other risk management standards and stock exchange listing requirements. In practice, organisations have produced a risk appetite statement that is applicable to all classes of risk. It is fairly easy for an organisation to confirm that it has no appetite for causing injury and ill health, however, this may need to be developed into a set of targets for health and safety performance. There is a danger that risk appetite statements fail to be dynamic, and they can constrain behaviour and rapid response.

Evaluate existing controls

It is frequently the case that risk assessments are recorded in a risk register. There is no standard format for a risk register and the organisation should establish a suitable format for this important document. The risk register should not become a static record of the significant risks faced by the organisation. It should be viewed as a risk action plan that includes details of the current controls and details of any further actions that are planned. These further actions should be written as auditable actions that must be completed within a defined timescale by identified individuals. This will enable the internal audit function to monitor the existing controls and monitor the implementation of any necessary additional controls.

Evaluation of the existing controls will lead to the identification of risk improvement recommendations. These recommendations should be recorded in the risk register by way of a risk action plan. An important part of evaluating the effectiveness of existing controls is to ensure that there is adequate evaluation of the business continuity planning and disaster recovery planning arrangements in place.

7: Measuring and monitoring

Monitoring activities should provide assurance that there are appropriate controls in place and that the procedures are understood and followed. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to protocols. The scope of activities covered by monitoring and measuring also includes monitoring of risk improvement recommendations and evaluation of the embedding of risk management activities in the organisation. Additionally, monitoring and measuring includes evaluation of the risk aware culture and the risk management framework, as well as routine monitoring of risk performance indicators. Monitoring and measuring extends to the evaluation of culture, performance and preparedness of the organisation, and assessment of the extent to which risk management tasks are aligned with other corporate activities.

As well as monitoring the effectiveness of the existing controls and the implementation of additional controls, the cost-effectiveness of the existing controls should also be monitored. Monitoring the preparedness of the organisation to cope with major disruption is an important part of risk management. This activity normally extends to the development and testing of business continuity plans and disaster recovery plans. There is an overriding need to keep these plans up to date so that the preparedness of the organisation to cope with the identified risk events is assured.

Embed risk aware culture

Changes within the organisation and the external business environment must be identified, so that existing procedures can be modified. Risk management should be embedded within the strategic planning and budget processes. The resources required to implement the risk management policy should be clearly established at each level of management and within each business unit.

Monitor risk performance

The reasons for undertaking the risk management initiative should have been clearly established. If this has not been done, the organisation will be unable to evaluate whether the contribution was in line with expectations. In order to learn from experience, an organisation needs to review risk performance indicators and measure the contribution that enterprise risk management has made to the success of the organisation. Monitoring of risk performance indicators should include an evaluation of the contribution being made by risk management, as well as an evaluation of the appropriateness of the control mechanisms that have been selected.

An annual review of the risk management framework will be necessary, including evaluation of the risk architecture, strategy and protocols. However, learning from experience requires more than evaluation of the performance indicators. It is important that the organisation has a risk-based audit plan and undertakes appropriate risk reviews. An evaluation of the level of assurance that has been obtained is also necessary. Increasingly, assurance for the Board will be self-certification, such as a Control Risk Self Assessment process that provides assurance regarding risk assessments and controls.

Any monitoring and measuring process should also determine whether:
• the measures adopted achieved the intended result
• the procedures adopted were efficient
• sufficient information was available for the risk assessments
• improved knowledge would have helped to reach better decisions
• lessons can be learned for future assessments and controls

8: Learning and reporting

Completing the feedback loop on the risk management process involves the important steps of learning from experience and reporting on performance. There is a clear difference between measuring and monitoring risk performance and undertaking steps to learn from experience to improve the risk management process and framework. Learning the lessons from risk management also requires investigation of the opinions of key stakeholders both internally and externally. Other features of learning from experience include the evaluation of audit reports and an assessment of the sources of risk assurance available to the Board and the audit committee. In particular, the opinion of internal audit and evaluation of risk management activities at audit committee will be vitally important. Important lessons can be learned that will assist with improving the design of the support framework and the risk implementation framework.

Embedding risk management involves an environment that can demonstrate leadership from senior management, involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) and good communication on risk issues.

Report risk performance

In addition to internal communication and reporting, there will be an obligation on organisations to report externally. Often, these external reports are produced in response to mandatory requirements related to risk management and internal control, such as Turnbull and Sarbanes-Oxley. A company needs to report to its stakeholders on a regular basis, setting out its risk management policies and the effectiveness in achieving its objectives. Risk reporting provides information on historical losses and trends, as well as information about learning from incidents. Increasingly, risk disclosure is a more forward-looking activity that anticipates emerging risks.

External reporting should provide useful information to stakeholders on the status of risk management and the actions that are being taken to ensure continuous improvement in performance. External risk reporting is designed to provide external stakeholders with an assurance that risks have been adequately managed. Increasingly, stakeholders look to organisations to provide evidence of appropriate corporate behaviour in such areas as community affairs, human rights, employment practices, health and safety, and the environment.

Appendix A: Risk management checklist

Risk architecture
• Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
• Risk management responsibilities allocated to an appropriate management committee
• Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
• Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
• Sources of risk assurance for the Board have been identified and validated

Risk strategy
• Risk management policy produced that describes risk appetite, risk culture and philosophy
• Key dependencies for success identified, together with the matters that should be avoided
• Business objectives validated and the assumptions underpinning those objectives tested
• Significant risks faced by the organisation identified, together with the critical controls required
• Risk management action plan established that includes the use of key risk indicators, as appropriate
• Necessary resources identified and provided to support the risk management activities

Risk protocols
• Appropriate risk management framework identified and adopted, with modifications as appropriate
• Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
• Procedures to include risk as part of business decision-making established and implemented
• Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
• Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
• Business continuity plans and disaster recovery plans established and regularly tested
• Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
• Arrangements in place for mandatory reporting on risk, including reports on at least the following:
   • Risk appetite, tolerance and constraints
   • Risk architecture and risk escalation procedures
   • Risk aware culture currently in place
   • Risk assessment arrangements and protocols
   • Significant risks and key risk indicators
   • Critical controls and control weaknesses
   • Sources of assurance available to the Board

Appendix B: Implementation summary

The table below provides an overview of the steps involved in the implementation of an enterprise risk management (ERM) initiative. The 10 steps are divided between:
• Planning and designing
• Implementing and benchmarking
• Measuring and monitoring
• Learning and reporting

Successful implementation of an ERM initiative is an ongoing process that involves working through the 10 steps set out below on a continuous basis.

Activity: Concepts / Tools and techniques

Planning and designing (see Section 5)
1. Identify intended benefits of the enterprise risk management initiative and gain Board mandate: Benefits of ERM; Embedding risk management
2. Plan the scope of the ERM initiative and develop common language of risk: Upside of risk; Stakeholder expectations
3. Establish the risk management strategy, framework, and the roles and responsibilities: Risk management policy; Risk architecture

Implementing and benchmarking (see Section 6)
4. Adopt suitable risk assessment procedures and an agreed risk classification system: Risk description; Risk classification systems
5. Establish risk significance benchmarks and undertake risk assessments: Risk assessment techniques; Benchmark tests of significance
6. Determine risk appetite and risk tolerance levels, and evaluate the existing controls: Risk register; Risk appetite

Measuring and monitoring (see Section 7)
7. Ensure cost-effectiveness of existing controls and introduce improvements: Risk improvement plans; BCP and DRP
8. Embed risk aware culture and align risk management with other management tasks: Control environment; Risk communications

Learning and reporting (see Section 8)
9. Monitor and review risk performance indicators to measure ERM contribution: Audit plan and risk reviews; Sources of risk assurance
10. Report risk performance in line with legal and other obligations, and monitor improvement: Risk reporting; Legal requirements

Alarm, The Public Risk Management Association
Ashton House, Weston, Sidmouth, Devon EX10 0PF
Telephone 0333 1230007, Facsimile 0333 4560007
www.Alarm-uk.org

The Institute of Risk Management
6 Lloyd's Avenue, London EC3N 3AX
Telephone 020 7709 9808, Facsimile 020 7709 0716

The Association of Insurance and Risk Managers
6 Lloyd's Avenue, London EC3N 3AX
Telephone 020 7480 7610, Facsimile 020 7702 3752

This document is available for download free of charge from the websites of the above.