February 27, 2006
Guide to Enterprise Risk Management FAQ: Table of Contents
- What is Enterprise Risk Management (ERM)?
- Why implement ERM?
- How does the scope of ERM compare to existing risk management approaches?
- What is the value proposition for implementing ERM?
- Which companies are implementing ERM?
- If companies are not implementing ERM, then what are they doing?
- Who is responsible for ERM?
- What are the steps companies can take immediately to implement ERM?
- Is ERM applicable to smaller and less complex organizations?
- Why have companies that have tried to implement ERM failed in their efforts?
- Does implementation of ERM ensure the success of a business?
- What is the difference between ERM and management?
- What does it mean to “implement ERM”?
- Generally, how long does it take to implement ERM?
- Is there any way to benchmark the level of investment required to implement ERM?
- Don’t successfully run companies already apply ERM?
- How long has ERM been around and why is there a renewed focus on it?
- What percentage of public companies currently have an ERM process or system?
- Is there an example of effective ERM as it is applied in practice?
- How does the application of ERM vary by industry?
- Are there any organizations that need not implement ERM?
- What are the regulatory mandates for implementing ERM?
- Are standards for implementing ERM different for private and public companies?
- Must companies have sophisticated processes in all areas of risk management to realize the benefits of ERM?
The COSO Enterprise Risk Management – Integrated Framework
- What is COSO?
- Why was the COSO Enterprise Risk Management – Integrated Framework created?
- What is the COSO Enterprise Risk Management – Integrated Framework?
- How can we obtain the COSO ERM framework?
- How was the COSO ERM framework developed?
- How do we use the COSO ERM framework?
- Are companies required to use the COSO ERM framework?
- Does the COSO Enterprise Risk Management – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework?
- How does the COSO Enterprise Risk Management – Integrated Framework compare to the COSO Internal Control – Integrated Framework?
- Does the new COSO framework broaden the focus of ERM beyond the traditional risk management model’s focus on insurable risk? If so, how?
- Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO Enterprise Risk Management – Integrated Framework relate to them?
- What is the point of view of the Securities and Exchange Commission (SEC) with respect to ERM?
- What are the deliverables when the COSO ERM framework is implemented?
- Can a company “partially” adopt the COSO Enterprise Risk Management – Integrated Framework with success?
The Role of Executive Management
- Who should participate in the ERM process, and how?
- Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?
- How will senior management benefit from supporting ERM implementation?
- How should executive management evaluate ERM?
- What is the role of the CIO in an ERM environment?
- What is the role of treasury and insurance in an ERM environment?
- Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?
The Role of the Director
- How are ERM and governance related?
- Why should directors be concerned about whether their companies implement ERM?
- How should the audit committee view ERM?
- How should the board exercise oversight of ERM implementation?
The Role of the Chief Risk Officer
- Should our organization have a chief risk officer (CRO) and, if so, what is his or her role?
- What are the skill sets of the CRO?
- To whom does the CRO report?
The Risk Management Oversight Structure
- What is the primary purpose of the risk management oversight structure?
- How are compensation issues considered when organizing the risk management oversight structure?
- Is there a recommended organizational oversight structure?
- How does the risk management oversight structure relate to the entity’s existing organizational structure?
- Does implementation of ERM require the identification of individual risk owners?
The Role of Internal Audit
- What role does internal audit play in ERM implementation?
- Should internal audit lead the ERM effort?
- Should internal audit integrate the COSO ERM framework into its work?
- Hasn’t internal audit evaluated the application of ERM within the organization?
- Does the Institute of Internal Auditors (IIA) support the COSO Enterprise Risk Management – Integrated Framework?
- Do the IIA Standards require the use of the COSO Enterprise Risk Management – Integrated Framework? For example, what is the relationship of ERM to IIA Standard 2010.A1 (which requires internal audit to undertake an annual risk assessment) and 2110.A2 (which requires a broad risk assessment aligned with the COSO framework)?
Risk Management Vision and Objectives
- How does management develop a shared vision for the role of risk management in the organization? What is the practical use of a shared vision?
- How does management define the entity’s risk management goals and objectives?
- What is “risk appetite” and how is it different from “risk thresholds,” “tolerances” or “limits”?
- Is there a defined methodology for calibrating performance with risk tolerances?
- How are the risk management vision and objectives translated into the appropriate ERM infrastructure?
Conducting Risk Assessments
- What is the relationship between risk assessment and risk management?
- What is the relationship between risk assessment and performance assessment?
- What are the components of an effective objective statement and why are objectives important to an effective risk assessment?
- What is the difference between an event and a risk?
- Why doesn’t COSO’s definition of risk incorporate the notion that risk includes upside as well as downside?
- How do we articulate the concept of inherent risk so that it can be effectively used as risk assessment criteria?
- Is there an officially endorsed risk language we can use for our organization?
- To what extent does the organization strictly define risk for the enterprise as a whole, when the organization has a variety of different businesses?
- What are risk maps and how are they used appropriately during the risk assessment process?
- What’s an effective way for an organization to conduct a risk assessment?
- What are the common mistakes and pitfalls during the risk assessment process?
- How do we identify, understand and apply interrelationships among risks?
- What is the appropriate level of depth when assessing risk?
- Who should participate during the risk assessment process?
- How is risk assessment related to risk quantification, and should risk quantification be used during risk assessment?
- Is there value in using qualitative information when assessing risk?
Getting Started – Set the Foundation
- What are the best steps to take when getting started?
- Is ERM another “project”?
- Are there specific things an organization should accomplish the first year?
- Who is responsible for “leading the charge” to implement ERM?
- Who should sponsor ERM implementation?
- How is buy-in obtained from key senior executives?
- How do we obtain buy-in among our operating managers?
- Can we leverage existing infrastructure so that we don’t create more overhead?
- What types of skills are needed to implement ERM?
- Do we need to put a name on an ERM initiative, i.e., isn’t ERM just good business practice with another name?
- Do companies typically add full-time personnel to successfully develop and roll out an ERM process and system, or do they ordinarily use existing personnel who devote their efforts to this initiative on a part- or full-time basis?
- What steps does management take to set the foundation?
- How does management decide on the appropriate foundation capabilities?
- Why have a common language, and are there examples?
- Are there examples of a process classification scheme?
- How is dialogue about risk and its root causes, drivers and sources improved?
- How is knowledge sharing about risk management improved?
- What does it mean to increase an organization’s awareness of or sensitivity to risk?
Taking a Process View – Building Capabilities
- What steps does management take to build risk management capabilities?
- How does management decide on the appropriate risk management capabilities?
- How does management improve the organization’s risk assessments?
- How are objective-setting, event identification and risk assessment related?
- How important is risk assessment to the ERM effort?
- What alternative responses are available to manage risk?
- What factors must management consider when evaluating alternative risk responses?
- What are the elements of risk management infrastructure, why are they important and how are they considered?
- Is there a model to help us set our priorities when implementing ERM and monitor our progress as we improve our risk management capabilities?
- What are alternative techniques for measuring risk and when are they deployed?
- How does ERM influence management reporting?
- What risk management software products are currently available to assist companies with implementing ERM?
- Has the ERM software market reached maturity such that there are established solutions and clear leaders?
- What criteria should we use to evaluate the software alternatives? Are there different prioritizations of functionality?
- Is specialized ERM software preferable to broader platforms for compliance, governance and risk management?
- How does software functionality support the goals of ERM?
- What are the primary categories and characteristics of successful ERM software vendors?
- Is it better to design an ERM process first and then select the appropriate ERM software, or vice versa?
- What is dashboard or scorecard reporting and how is it used in an ERM environment?
- For financial services companies, is economic capital measurement a prerequisite for adoption of ERM?
- How is continuous improvement applied to risk management?
- What are the synergies and differences between ERM and “quality initiatives” (e.g., Six Sigma, Lean, TQM, etc.)?
Taking it to the Next Level – Enhancing Capabilities
- What steps does management take to enhance risk management capabilities?
- How does management decide on the appropriate enhancement capabilities?
- What is a “portfolio view” of risks and how is it practically applied?
- How does management quantify risks enterprisewide?
- How does management use ERM to improve business performance?
- How should we integrate our ERM approach with our strategic planning process?
- Should we complete our strategic planning process prior to conducting our first enterprisewide risk assessment, or vice versa?
- Is it possible to successfully merge the risk assessments that companies perform as a result of ERM, Sarbanes-Oxley compliance, business continuity planning, internal audit and various compliance activities related to workplace, environmental and other regulations?
- How does management use ERM to establish a sustainable competitive advantage?
Building a Compelling Business Case
- How do we build a compelling business case for ERM?
- How do we select the appropriate capabilities for our ERM solution?
- What are the key success factors or measures of success when evaluating the effectiveness and impact of ERM implementation, i.e., how can we know whether an ERM approach has been successful?
Making it Happen
- What is journey management and why is it relevant to ERM implementation?
- What is program management and why is it relevant to ERM implementation?
- How can we quantitatively and qualitatively evaluate the benefits of implementing ERM in terms of improving performance?
- How is the ERM implementation managed?
- How do we know when we are done?
- Given that we have so many other things going on, how can we take on something like ERM implementation?
- What standards should companies use to evaluate their ERM approach?
- Are there any pitfalls to avoid when implementing an ERM approach?
Relevant to Sarbanes-Oxley Compliance
- Does the Sarbanes-Oxley Act of 2002 (SOX) require companies to adopt ERM? Are there any other laws and regulations mandating ERM?
- Can ERM assist certifying officers with the discharge of the SOX Section 302 certification and Section 404 assessment responsibilities?
- How is ERM related to SOX compliance?
- Should a decision to implement ERM consider the effort to comply with SOX?
- Should management broaden the focus on compliance to managing business risk?
- As a public company, why would we want to take on ERM on the heels of Section 404 compliance?
- How does self-assessment build on Section 404 compliance? Why does self-assessment contribute to the evolution to ERM?
- What does it mean to integrate compliance with Sections 404 and 302? How does such integration build on an established self-assessment process and on Section 404 compliance?
- How does compliance with other applicable laws and regulations build on compliance with Sections 404 and 302? Why does such compliance contribute to the evolution to ERM?
- How do operational effectiveness and efficiency build on compliance initiatives? Why do operational effectiveness and efficiency contribute to the evolution to ERM?
- Will implementation of the COSO Enterprise Risk Management – Integrated Framework prevent fraud?
- Have any of the companies that have publicly disclosed their ERM processes received any positive feedback from analysts?
- Have analysts and others within the investment community or rating agencies expressed their views on how an effectively functioning ERM approach would impact their views of a company?
- Can all of the information about risk and risk management be classified as attorney-client privileged information, and therefore not be discoverable?
- Since all of this information is presumed to be discoverable, does ERM create more litigation risk for companies?
- Are there any court cases in which a company’s management or its board was viewed as deficient because they did not have an adequate risk management system in place?
- Are there risks associated with not having an ERM process in place and, if so, what are they?
- Is it possible to link an ERM system to an employee’s performance and compensation? Are any companies doing this?
- Does a third-party certification, rating or other assessment mechanism exist for ERM?
- How does ERM relate to the Basel Capital Accord requiring financial institutions to report on operational risk?
- What is the difference between ERM and an international standard such as ISO?
- How does the COSO Enterprise Risk Management – Integrated Framework integrate with frameworks such as COBIT, ISO 17799, BITS, NIST Special Publication 800-53 and ITIL?
- What is happening in other countries with respect to risk management? Are these developments positively impacting company performance and corporate governance?
- Is there a format for communicating our risk management process to our customers in order to align and comply with their requirements?