GRC - Driving Performance with Effective Enterprise Risk Management Program

    The uncertain environment in which businesses operate today - constantly changing regulations, expanding global footprints, volatile market conditions, unpredictable socio-economic upheavals as well as natural disasters - has made it increasingly necessary for organizations to ensure they have a robust and effective system to manage risks. Further businesses are also under attack from internet hackers and others seeking to steal their confidential and proprietary information- the cost of ignoring them can be catastrophic in terms of reputational and financial damage. This article describes how to implement ERM strategies effectively across the organization to anticipate and manage risk better.

    What is ERM?

    ERM is a process designed to identify and assess potential events affecting the entity and manage risk within its risk appetite. ERM is applied in strategy-setting and across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk. It is able to provide reasonable assurance regarding the achievement of the entity objectives.

    COSO ERM Framework

    The COSO ERM framework has eight interrelated components, which represents what is needed to achieve the entities objectives. The eight components are:

    Internal environment

    The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people,

    including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

    Objective setting

    Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

    Event identification

    Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.

    Opportunities are channeled back to management's strategy or objective-setting processes.

    Risk Assessment

    Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

    Risk response

    Management selects risk responses - avoiding, accepting, reducing, or sharing risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

    Control activities

    Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

    Information and communication

    Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.


    Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree.

    Why Do We Need ERM?

    While traditional risk management focused on asset-protection, ERM offers a more holistic approach, integrating all departments and functions into a single program towards managing risk. A comprehensive ERM program will:

    • Align firm's risk appetite with business objectives.
    • identify/manage multiple and cross-enterprise risks.
    • Reduce frequency and severity of operational surprises.
    • Enhance the rigor of risk-response decisions.
    • Build confidence of investment community and stakeholders.
    • Enhance corporate governance.
    • Successfully respond to a changing business environment.
    • Proactively seize on the opportunities presented to the firm.
    • Improve effusiveness of capital deployment.

    What Risk to Manage?

    The main types of risk a business is likely to face includes:

    Regulatory risk

    The risk that a change in laws and regulations will materially impact the business operations. e.g., changes to municipal codes, tax code changes etc.

    Operational risks

    The risk of loss resulting from inadequate or failed internal processes, people and systems and from external events such as employee theft, customer theft, vendor theft, technology intrusions etc.

    Financial risk

    The risk that the company will not be able to secure finances to continue operations including market risk, credit risk and liquidity risk.

    Strategic risks

    These are risks that involve the organization's direction such as governance, strategic objectives, business model and external forces.

    How to Create an Effective ERM Program?

    ERM is now the hallmark of a good compliance program. An effective ERM program is designed to identify potential events affecting the entity and manage risk within its risk appetite. Consequently, it is important to know how to create an effective ERM program to drive business performance and build the confidence of the investment community and stakeholders. The steps to create an effective ERM program includes:

    Conduct an enterprise risk assessment

    The first step in building an effective program is to conduct an enterprise risk assessment including all stakeholders. Risk assessment requires qualitative and quantitative techniques prioritizing the significance, likelihood, and timing of risk events so that the various risks can be rolled up effectively. The following are the benefits of conducting risk assessments:

    • Identify business objectives which may not be achieved due to current level of risk exposure
    • Recognize top risks which may need management attention
    • Identify changes in level of risk exposure
    • Ascertain strengths and weaknesses within the current control environment
    • Identify risks which may need further risk treatments
    • Recognize new/emerging risks
    • Identify risk treatments (e.g., controls) which may no longer be required
    • Develop common and correct understanding of risks.

    Following should be considered in conducting the risk assessment:

    • the context and objectives of the organization,
    • the extent and type of risks that are tolerable, and how unacceptable risks are to be treated,
    • how risk assessment integrates into organizational processes,
    • methods and techniques to be used for risk assessment, and their contribution to the risk management process,
    • accountability, responsibility and authority for performing risk assessment,
    • resources available to carry out risk assessment,
    • how the risk assessment will be reported and reviewed

    Articulate the risk management vision

    It is important to understand the goals, plans the strategies of the company and managing the risk that affects those plans and strategies. Hence it is essential to identify risk management capabilities. Organizations should have a holistic risk management plan and it have to include policies, processes, oversight and reporting. The elements of an enterprise risk management include:

    • Commitment at all levels
    • Underpinning principles and values - e.g., accountability, transparency within the organization
    • Reliable information and effective communication
    • Risk register and reports
    • Integration within the business
    • Continuous monitoring both of risks and risk management processes
    • Implementation and development plans
    • Guidance and procedures
    • Independent review and assurance
    • ERM Policy

    Pick one or two key risks and address them:

    The next step in creating the effective ERM program is to choose the key risks that need to be addressed. Once the risks are picked:

    • Create the control and ensure the proper program is in place for these risks
    • Test the program using internal auditors or external auditors to ensure that it works
    • Finally evaluate the program for success and make appropriate changes if required

    Expand the program for other risks in order of priority

    Finally implement the program in the order of the priority of the risk. The key components of risk management program are:

    • Internal controls
    • Process for monitoring, testing and auditing the program
    • Involvement of risk managers
    • Senior management control
    • Board oversight independent of management

    Enterprise Risk Management versus Traditional Risk Management

    Traditional risk management strategies from a decade ago focused entirely on segmenting and compartmentalizing risk to fit into its own nook. We've stepped much ahead now, with a clearer understanding of how Enterprise Risk Management works cohesively, uniting every level and unit within an organization to anticipate and manage risk better. This approach works well in keeping chaos at bay; it helps manage risk well within its risk appetite, and provides reasonable assurance regarding the achievement of organizational objectives.

    How can compliance training help?

    The areas highlighted above are just a small part of the wide range of practices and processes for enterprise risk management compliance. Subjects such as risk management compliance are multi-faceted and complex and can be better understood after attending a training course such as the ones offered by ComplianceOnline. Our courses are available as live webinars, training recordings and seminars. We also offer customized training courses developed in conjunction with organizations that wish to train large groups of their employees.

    We offer training in other areas device compliance such as the GRC areas such corporate governance, anti-money laundering controls, anti-bribery and so on.

    If you need customized training courses or specialist medical device compliance consulting services, please contact us through email [email protected] or call us at this toll-free number: +1-888-717-2436.