Summary

| ERM Dimension | # | Focus Area | Target State |
|---|---|---|---|
| Risk Strategy | 1 | Linkage to Strategic Objectives | Established |
| | 2 | Risk Management Strategy | Advanced |
| | 3 | Risk Tolerance / Appetite | Advanced |
| Governance, Accountability and Ownership | 4 | Governance, Oversight and Accountability | Established |
| | 5 | Risk Ownership | Established |
| | 6 | Alignment to Standards & Guidelines | Advanced |
| Risk Process | 7 | Risk Policy | Advanced |
| | 8 | Common Risk Framework | Advanced |
| | 9 | Risk Assessment Procedure | Advanced |
| | 10 | Risk Escalation Procedure | Advanced |
| | 11 | Treatment of Risk | Advanced |
| | 12 | Monitoring and Reporting | Advanced |
| | 13 | Risk Registers | Advanced |
| Culture and Capability | 14 | Tone from the Top / Executive Support | Advanced |
| | 15 | Communication, Education and Training | Established |
| | 16 | Performance Management | Established |
| | 17 | Behaviour | Advanced |
| Tools and Technology | 18 | Early Warning System | Established |
| | 19 | Risk Management Information System | Advanced |
| | 20 | Risk Repository | Established |
| Maturity Level | Key Words |
|---|---|
| Basic | Ad hoc, reactionary, functional silos |
| Developing | Documented, planned, repeatable |
| Established | Integrated, measured, managed |
| Advanced | Proactive, cross-functional integration, KPI-centric |
| Leading | Benchmarking, continuous improvement, adaptive to change |
Detail

| ERM Dimension | # | Focus Area | Implication if the Focus Area Is Not Addressed |
|---|---|---|---|
| Risk Strategy | 1 | Embedding risk management in every corporate strategic objective setting process. | Key risks relating to strategic and operational objectives may not be appropriately identified, monitored and managed. |
| | 2 | A long-term plan for implementing and sustaining enterprise risk management. | In the absence of a risk management strategy, strategic and operational risks may not be monitored and managed effectively. |
| | 3 | Risk statements outlining the levels of uncertainty the organization can accept/tolerate. | Strategic decisions may be made without assessing the capacity of PSDF to cater for the risk implications related to these decisions. |
| Governance, Accountability and Ownership | 4 | Defining the risk management governance structure, responsibilities and communication processes. | Accountabilities and responsibilities for assessing, managing and monitoring risks may not be adequately performed and coordinated in pursuit of strategic objectives. |
| | 5 | Assignment of responsible officers to each of the key risks. | Accountabilities associated with risk ownership may not be clearly and consistently defined. |
| | 6 | Compliance with leading ERM standards and guidelines. | All risk-related regulatory requirements and expectations may not be met by PSDF. |
| Risk Process | 7 | Guidelines for implementing and sustaining enterprise risk management. | May lead to unstructured and improper management of risks. |
| | 8 | Common approach to risk management processes/activities. | Risks faced by PSDF may not be identified and managed in a timely manner, resulting in loss to the company. |
| | 9 | Adequacy of procedures for assessing risk. | In the absence of risk assessment procedures, the following implications may arise: risks may not be assessed across the organization and for all levels of risk; and inability to anticipate the impact of risks and slowness in responding to risks. |
| | 10 | Adequacy of procedures for escalating risk. | In the absence of escalation procedures, the following implications may arise: risk escalation, decision-making and approval requirements may not be clearly defined for each level of risk and for broader organizational risk activities; and multiple communications to executive management may overlap, may be inconsistent and may cause confusion. |
| | 11 | Adequacy of guidance for treating risk. | The identified gaps above may lead to: potential sub-optimal allocation of resources, with different risk stakeholders working in silos in terms of risk treatment activities; risk response alternatives and cost benefits (financial and non-financial) not being considered when identifying risk response options (particularly risk treatments); and undetected pockets of unmanaged risk, persisting duplication of risk coverage in other areas, and obscure strategies to treat risk. |
| | 12 | Adequacy of guidelines for monitoring and reporting risk. | In the absence of risk assessment procedures, the following implications may arise: inability to determine bottlenecks/inefficiencies in the risk process, which may cause delays in the review of existing risks and the discussion of emerging risks by nominated delegates; silos in risk monitoring with minimal interaction, shared reporting, data exchange or coordination; and risk monitoring functions disconnected from the wider business strategy. |
| | 13 | Maintenance of risk descriptions, risk responses, and risk owners. | In the absence of an updated risk register, strategic and operational risks may not be identified and managed in a timely manner, resulting in loss to PSDF. |
| Culture and Capability | 14 | Level of senior management communication of risk management objectives. | The level of commitment and involvement of the senior executives in risk management may not be adequate to reduce the risks to a level that is within PSDF's appetite. |
| | 15 | Establishment of a risk management training plan and its implementation. | The staff may not be aware of their role in enterprise-wide risk management activity and how to contribute towards effective implementation of the activity in day-to-day operations. |
| | 16 | Development and integration of risk management key performance indicators into business units. | Lack of clarity over management's expectations could lead to inadequate evaluation of management and staff performance in monitoring risks and completing risk treatment actions, and could prevent management from identifying weak points which may negatively affect PSDF's performance management plans. |
| | 17 | Level of risk awareness and control consciousness across the organization. | There may be no prevalent and uniform awareness and understanding of the expected risk culture across PSDF. |
| Tools and Technology | 18 | Tools and technology: early warning systems. | Risk trends may not be detected and escalated in a timely manner. |
| | 19 | Leveraging technology in supporting risk management objectives. | The complete spectrum of strategic and operational risks may not be properly stored. Effective and efficient translation of risk data and information may not be available between systems. |
| | 20 | Utilization of a central online repository of risk management related documentation. | PSDF's employees may not have access to relevant risk information. |