Risk framework

ISO 31000

COSO ERM

King IV: Principle 11

Enterprise risk management

Risk, risk management and ISO 31000

Summary

Fundamental concepts

Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management

The governing body should govern risk in a way that supports the organization in setting and achieving its strategic objectives

Principles of risk management

Review of ISO 31000

Nature and impact of risk

Achieving the benefits of ERM

Implementing and benchmarking

Measuring and monitoring

Planning and designing

Learning and reporting

ERM framework objectives

Enhancing risk response decisions

Reducing operational surprises and losses

Aligning risk appetite and strategy

Identifying and managing multiple and cross-enterprise risks

Seizing opportunities

Improving deployment of capital

Components of ERM

• A process, ongoing and flowing through an entity

• Effected by people at every level of an organization

• Applied in strategy setting

• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk

• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

• Able to provide reasonable assurance to an entity’s management and board of directors

• Geared to achievement of objectives in one or more separate but overlapping categories

• Strategic – high-level goals, aligned with and supporting its mission

• Operations – effective and efficient use of its resources

• Reporting – reliability of reporting

• Compliance – compliance with applicable laws and regulations.

Use of this report

Objective Setting

Event Identification

Internal Environment

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

Other Entity Personnel

Regulators

Professional Organizations

Educators

Senior Management

Board of Directors

Should evaluate and agree the nature and extent of the risk that the organization should be willing to take in pursuit of its strategic objectives

Should delegate to management the responsibility to implement and execute effective risk management

Should approve the policy that articulates and gives effect to its set direction on risk

Should exercise ongoing oversight of risk management

Should treat risk as integral to the way it makes decisions and executes its duties

Should consider the need to receive periodic independent assurance on the effectiveness of its risk management

The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organization

The nature and extent of the risk and opportunities the organization is willing to take should be disclosed without compromising sensitive information