GRC: How to Create an Effective ERM Program - PowerPoint PPT Presentation


Description: This quick reference guide discusses what Enterprise Risk Management (ERM) is, why it matters, the COSO ERM framework, and the steps to create and implement an effective ERM program. – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
GRC: How to Create an Effective ERM Program
2
What is Enterprise Risk Management?
  • Enterprise Risk Management (ERM) establishes a framework to identify, measure, monitor and manage risk.
  • ERM is:
    • Designed to identify and assess potential events affecting the entity and to manage risk within its risk appetite.
    • Effected by the Board, Management and other personnel.
    • Applied in strategy setting, across the enterprise.
    • Able to provide reasonable assurance regarding the achievement of the entity's objectives.
    • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.

3
Why Do We Need ERM?
  • While traditional risk management focused on asset protection, ERM offers a more holistic approach, integrating all departments and functions into a single program for managing risk.
  • A comprehensive ERM program will:
    • Align the firm's risk appetite with its business objectives.
    • Identify and manage multiple and cross-enterprise risks.
    • Reduce the frequency and severity of operational surprises.
    • Enhance the rigor of risk-response decisions.
    • Build the confidence of the investment community and stakeholders.
    • Enhance corporate governance.
    • Respond successfully to a changing business environment.
    • Proactively seize the opportunities presented to the firm.
    • Improve the effectiveness of capital deployment.

4
The COSO ERM Framework
  • The COSO ERM framework has eight interrelated components, which together represent what is needed to achieve the entity's objectives.
  • Entity objectives can be viewed in the context of four categories:
    • Strategic
    • Operations
    • Reporting
    • Compliance

5
Embracing ERM
  • The implementation of ERM involves:
    • Retaining the need for risks to be managed and owned at the business function level.
    • A shift in the processes and culture of the organization.
    • Strengthened communication, training, and awareness.
    • Building processes to track risks.
    • Building an enterprise-wide analysis of risks for senior executive and Board review.

6
Creating an Effective ERM Program
  • Conduct an enterprise risk assessment
    • Include all stakeholders
    • Prioritize the risks
  • Articulate the risk management vision
    • Identify risk management capabilities; be specific
  • Have a holistic plan
    • The plan includes policies, processes, oversight and reporting
  • Pick one or two key risks and address them
    • Ensure the proper program is in place for these risks
    • Test the program
    • Evaluate the program for success
  • Expand the program to other risks in order of priority
  • Components:
    • Internal Controls
    • Monitor, Test and Audit
    • Risk Managers
    • Senior Management Control
    • Board oversight independent of management

7
Common Issues in Creating an Effective ERM Program
  • Inconsistent use of risk definitions and terminology
  • Lack of risk awareness throughout the organization
  • Inadequate focus on how to identify risk
  • Lack of clarity on responsibilities for risk: who owns it?
  • Insufficient rigor and consistency in risk evaluation
  • Lack of structure in risk decisions: right people / right data / right time
  • Inability to perform, or lack of, effective self-assessment

8
  • Want to learn more about ERM and best practices for implementing an effective ERM program? ComplianceOnline webinars and seminars are a great training resource. Check out the following links:
    • How to Conduct a Compliance Gap Analysis for ERM
    • Establishing Effective Enterprise Risk Management (ERM) for Achieving Good Compliance
    • COSO ERM Simplified: Implementation for Government and Small Businesses
    • Internal Audit's Role in Enterprise Risk Management
    • Essentials of ERM and Assessing its Effectiveness Using ISO 31000
    • Integrating Ethics and Compliance Risks into your Enterprise Risk Management Program