Managing Enterprise IT Security Risk: Get Ahead Of the Problem

By: Preventsys
Published: Nov 29, 2005
Length: 16 pages
Type: White Paper
Related categories: Compliance, Corporate Governance, Governance, IT Management, Sarbanes Oxley Compliance, Software Compliance

Much has been written and discussed about Enterprise Risk Management (ERM) as it relates to compliance, corporate governance, financial controls and the Sarbanes-Oxley Act of 2002 (SOX). Until now, there was very little available to the risk manager on how to apply ERM to day-to-day operations, with even less focus on your most vulnerable assets: people, facilities and IT systems.

In developing operational risk strategies, you need to be proactive rather than reactive, and the approach needs to be a continuous process rather than a one-time project. Automation ensures consistency, which in turn reduces liability and ensures compliance.

For risk and compliance to be consistently managed, a framework is necessary to provide context and a consistent language within the organization. In response to SOX, most organizations have used the Internal Control Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) at www.coso.org. Recently, this organization has developed a de facto standard, Enterprise Risk Management - Integrated Framework, as an overarching approach to building an enterprise risk management process.

When managing risk, the first and often the hardest step is to understand what threats or hazards (i.e., "events") may impact your business operation. When an event is presented, you need to quickly determine the level of exposure that may exist and what actions may be taken to mitigate the event to an acceptable level of risk for the company or employee. In this paper, we present two solutions that provide real-time support for this critical, operational risk management process.

The Preventsys system covers most of your critical assets with continuous threat assessment, prioritization, proactive mitigation and real-time notification. This approach will give you a solid foundation as you build an effective operational risk management component within your overall ERM program.

Enterprise Risk Management Defined

Enterprise Risk Management deals directly with risks and opportunities affecting value creation or preservation for an organization. From the COSO model:

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of company objectives."

At a fundamental and broad level, Enterprise Risk Management is:

- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes an entity-level view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within an organization's risk appetite
- Able to provide reasonable assurance to an entity's management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories: strategic, operations, reporting and compliance

Dynamic business processes, workforces, partners, and IT systems require that risk and compliance be measured, monitored and managed on an ongoing basis.

Operational Risk Management

The COSO ERM framework comprises four distinct but overlapping categories of objectives: Operations, Strategic, Reporting and Compliance. Because the categories overlap, any given objective can fall into more than one of them. Operational risk addresses the effective and efficient use of resources, including the safeguarding of those resources. Strategic objectives are high-level goals, aligned to support the overall mission. Compliance focuses on adherence to applicable laws and regulations, and Reporting focuses on the reliability of measuring risk management through reports.

The COSO framework depicts the interconnected relationships between the objectives the entity strives to achieve, and the enterprise risk management components needed to meet them. This relationship is depicted in a three-dimensional matrix, in the form of a cube.

As depicted in the matrix representation above, Enterprise Risk Management consists of eight interrelated components that are derived from the way management runs an enterprise. These components are integrated within the risk lifecycle process:

Internal Environment - encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.