Enterprise Risk Management (ERM) is a process performed by an entity’s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise. The ERM is designed to identify events that may affect the enterprise, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.
The ERM framework consists of eight (8) components:
Internal Control Environment – Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed; including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.
Objective Setting – This must occur before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives – the chosen objectives should support and align with the company’s mission and be consistent with its risk appetite.
Event Identification – Both internal and external events affecting achievements of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessments – Consider the likelihood and impact as a basis for determining how risks should be managed. Risks should be assessed on an inherent and a residual basis.
Risk Response – Management should develop a set of actions (avoiding, accepting, sharing, or reducing) to align risks with the company’s risk tolerance and risk appetite.
Control Activities – Establishing and implementing policies and procedures to help ensure the risk responses are effectively carried out.
Communication of Relevant Information – Identified, captured and communicated in a format and timeframe that enables people to carry out their responsibilities.
Monitoring – The ERM should be observed and, if necessary, modified. Monitoring is accomplished though ongoing management activities, separate evaluations, or both.
The capabilities inherent in ERM help management achieve the company’s performance and profitability targets and prevent loss of resources. EMR helps a company get to where it wants to go and avoid pitfalls and surprises along the way.