
ERMA EBA

Exam-Based Assessment
READING MATERIAL SERIES
the principles of

RISK MANAGEMENT
Module 1

INTRODUCTION TO
ENTERPRISE RISK
MANAGEMENT
www.erm-academy.org
This document is intended to be available only to the persons entitled to receive the confidential information and legal privileges it may contain.

The copyright of this document is owned by ERMA. Any duplication, reproduction, or modification in any form, in whole or in part, without prior written consent of ERMA is strictly prohibited.

We thank you for your understanding.


The EBA reading material series consists of the following modules:

1 - Introduction to ERM
2 - Introduction to ISO 31000
3 - Principles of Risk Management
4 - Framework of Risk Management
5 - Process of Risk Management
6 - ISO 31000 Glossary
We strongly recommend that you read the complete ERMA EBA reading material series to prepare for the EBA in which you are participating.
Module 1

INTRODUCTION TO
ENTERPRISE RISK
MANAGEMENT
A. What is ERM?
Enterprise risk management (ERM) is a leading approach to managing and optimizing risk, one that enables an organization to determine how much uncertainty and risk it is willing to accept.

With a company-wide scope, ERM serves as a strategic analysis of risk throughout an organization, cutting across business units and departments and considering end-to-end processes. By adopting an ERM approach, companies gain the ability to align their risk criteria with business strategy: they identify events that could have an adverse effect on the organization and then develop an action plan to manage them.

Furthermore, by applying ERM in conjunction with other operational elements of the current business environment, companies can also accomplish many of their governance-related tasks. Specifically, ERM can help organizations:
๏ Identify strategic risk opportunities that, if undertaken, can facilitate achieving organizational goals.
๏ Provide senior management with the most up-to-date risk information for use in decision-making.
๏ Link the ERM initiative to capital market reporting and disclosure requirements and to other applicable laws and regulations.
๏ Align annual performance goals with risk identification and management.
๏ Encourage and reward upstream reporting of business-risk opportunities and challenges.

ERMA EBA Reading Material Series 1


Module 1 - Introduction to ERM
THE COPYRIGHT OF THIS DOCUMENT IS OWNED BY ERMA, Enterprise Risk Management Academy
www.erm-academy.org
B. ERM Frameworks
There are various ERM frameworks that a company could potentially follow –
all of which should define the essential components, suggest a common language
and provide clear guidance for enterprise risk management. In addition, each
framework that is implemented should also describe an approach for identifying,
analyzing, responding to, and monitoring risks and opportunities facing the
enterprise.

Among the more widely known frameworks and standards, and the ERM definitions they promulgate, are:

๏ The COSO ERM framework, published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It defines ERM as “... a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

๏ The ISO 31000 Risk Management Standard, published in 2009 by the International Organization for Standardization (ISO). It defines risk management as “coordinated activities to direct and control an organization with regard to risk”. It also defines the risk management framework as a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization”.

The COSO ERM framework has its own merits and legacy in the United States of America, especially after the Sarbanes-Oxley Act came into effect. It originates from the COSO Internal Control Framework, published in 1992, which has been used widely throughout the world by many large organizations in managing their internal control. Some see the COSO ERM framework as an expansion of the COSO internal control framework, a view that stands on its own merits, especially from the accounting and auditing professionals’ point of view.

ISO 31000, as an International Standard, has gained very wide acceptance in many countries and large corporations because it is practical and business oriented. It consists of three components: principles for managing risk, a framework for managing risk, and a process for managing risk. ISO 31000 therefore captures ERM as an integrated way of managing risk.

Furthermore, its universal character makes it applicable to any type of organization, public or private, large or small. It was built not from the drive to comply with particular regulations, but from the need to address the uncertainty of business challenges and how to deal with them. Some see ISO 31000 as having been developed from the AS/NZS 4360 Risk Management Standard originating in Australia and New Zealand, especially in the ‘risk management process’ part. That is true, but ISO 31000 is much more comprehensive, systematic, and universal.

C. The Value of ERM
ERM brings many benefits to an organization. The following are some of the most tangible values of ERM for organizations, especially corporations:

1. ERM supports a stronger credit rating

A company’s credit rating has become vital to its borrowing power, and this is where ERM comes into play. Starting in 2005, Standard & Poor’s (S&P) began analyzing the ERM practices of rated companies and developing criteria for assessing their ERM procedures.

They started with financial institutions and insurance companies, then energy companies, and now all types of industries. In this regard, the ERM analysis provides insight into those companies’ management capabilities and corporate governance. In evaluating credit ratings, S&P focuses on two universal components of ERM: risk management culture and strategic risk management.

Risk management culture includes:
• Risk management organizational and governance structure;
• Roles, capabilities and accountability of risk management staff;
• Risk management communications and transparency;
• Risk management policies and metrics; and
• The influence of risk management on budgeting and management
compensation.

Strategic risk management includes:
• Management’s view of the most consequential risks, including their
likelihood and potential effect on credit;
• Frequency with which top risks are identified and how often the
identification is examined and updated;
• Influence of risk sensitivity on liability management and financing
decisions; and
• The role of risk management in strategic decision making.

2. ERM creates stronger governance and compliance

Stakeholders, especially shareholders and regulators, are now demanding greater corporate transparency, making strong corporate governance a necessary component of almost every business. ERM contributes to successful compliance and effective governance by enabling companies to better understand and measure the risks that threaten strategic objectives.

Moreover, ERM provides information that helps quantify business performance, narrow the focus of controls and streamline compliance efforts. As part of this process, some organizations have begun to use their risk objectives to create an integrated governance, risk and compliance (GRC) management framework. By establishing a GRC framework, companies are able to set their governance and enterprise risk objectives first, and then use these objectives to define compliance control requirements, including a conducive corporate control environment and culture.

Furthermore, the integration of governance, risk management, compliance and ethics can also help an organization more effectively and efficiently drive
performance. Governance establishes objectives and, at a high level, the
boundaries inside of which an entity must operate. Risk management helps a
company identify and address potential obstacles to achieving objectives.
Compliance management ensures that the boundaries are well set, and that
the organization does indeed conduct business within those boundaries.

Finally, a strong culture provides a safety net when formal controls and
structures are weak or nonexistent while, at the same time, providing an
environment that helps the workforce reach its highest level of productivity.

3. ERM helps organizations identify and exploit strategic opportunities
Successful companies need a complete understanding of ERM, which
analyzes what risks to avoid and what risks to exploit. Companies must view
risk as potential opportunity while also understanding there are possible
undesirable outcomes.

The future success of companies will depend on the ability to weigh the
expected risks versus rewards on an ongoing basis. By accepting and
managing risk, companies have the ability to measure the likely reward for
taking on some risk. They have the ability to maximize profit and increase
shareholder value by limiting some risks and exploiting others. Therefore, risk criteria and the related risk profiles should be established to meet the organization’s strategic objectives, and they should be promulgated throughout the organization.

D. Getting started - ERM using ISO 31000

Any entity that is currently operational has some form of risk management activities
in place. However, these risk management activities are often ad hoc, informal and
uncoordinated. And, they are often focused on operational or compliance-related
risks and fail to focus systematically on strategic and emerging risks, which are
most likely to affect an organization’s success. As a result, they fall short of
constituting a complete, robust risk management process. In addition, existing risk
management activities often lack transparency.

The approaches described below are based on successful practices that organizations have used to develop an incremental, step-by-step methodology for starting ERM, regardless of the specific ERM framework used. These approaches are therefore also valid as a reference for organizations that intend to implement ERM using ISO 31000.

While this is not the only way to start an ERM initiative, this incremental approach is designed to be very adaptable, flexible, and budget friendly. The following two sections can be used by an organization to get its ERM started effectively:

๏ Keys to Success
๏ Initial Action Steps

D.1. Keys to Success

Start with overarching themes to provide management with a strong foundation for an effective ERM program as they develop and tailor their specific approach to implementing ERM. These themes are “Keys to Success” for organizations that are now starting ERM initiatives, and they provide a useful foundation for the specific actions detailed later. These keys also help a company’s board address some of the recognized barriers and resistance points to ERM adoption.

๏ Theme 1: Support from the Top is a Necessity

To successfully manage risk, an ERM initiative must be enterprise wide and
viewed as an important and strategic effort. Support from the company board
is needed to get the right focus, resources and attention for ERM.

Although it is not the job of the company’s board to manage the ERM
activities, they do need to demonstrate clear support for the ERM initiative as
well as oversee what senior management has designed and implemented to
manage top risk exposures. Thus, ERM must be enterprise wide, understood and embraced by personnel, and driven from the top down through clear and consistent communication and messaging from the company’s board to senior management and on to the organization as a whole.

It is the responsibility of company’s board to set the right tone for ERM, and
ensure that management is devoting the right attention and resources to
ERM.

What’s more, the company board needs to put in place an effective ERM
leader who is widely respected across the organization and who has
accepted responsibility for overall ERM leadership, resources and support to
accomplish the effort.

๏ Theme 2: Build ERM Using Incremental Steps

One perceived barrier to launching ERM is the perception that ERM is overly
complex and requires a major and costly effort to implement. Related to this
perception is the belief that an organization must implement all of the
components of ERM in one single effort for it to work and bring any tangible
value to the organization. Experience suggests otherwise.

In practice, some organizations, especially smaller organizations, have achieved ERM successes by taking an incremental, step-by-step approach to
enhancing their risk management capabilities to provide a more enterprise-
wide view over time rather than undertaking one massive launch effort. They
start with a simple process and build from there using incremental steps
rather than trying to make a quantum leap to fully implement a complete ERM
process. By doing so, they are able to:

๏ Identify and implement key practices to achieve immediate, tangible results.
For example, they may start by completing and sharing with their
company board for the first time a short list of enterprise wide risks with
certain action steps to address the risks identified. This initial step would
be followed by a more detailed risk assessment that looks deeper into
other risks the organization faces.
๏ Provide an opportunity to change and further tailor ERM
processes.
As the organization and its executives and directors expand their
knowledge of ERM, they have the opportunity to make additional
requests to broaden or deepen the organization’s risk management
activities.

๏ Facilitate the identification and evaluation of benefits at each step.
This can be an effective way to respond to another possible barrier, the
question of “What value do we derive from ERM?”.

๏ Theme 3: Focus Initially on a Small Number of Top Risks
For an organization just starting out with ERM, it might make sense to first
identify a small number of critical risks that can be managed, and then evolve
from this starting point. For some organizations, such an approach might
mean keeping the initial ERM focus on only those strategic risks that are
deemed critical to the organization achieving its strategic business objectives.

Focusing initially on a smaller, manageable number of key risks would also be beneficial in developing related processes such as monitoring and reporting
for those specific risks. This focused approach also keeps the developing
ERM processes simple and lends itself to subsequent incremental steps to
expand the risk universe and ERM processes.

Another way to keep ERM manageable is to focus initially on a few top risks
in just one critical business unit. This limited focus could be used to develop
initial risk management processes that can be expanded across the
enterprise to other business units. And when dealing with much smaller
organizations, it can be useful to start things off by identifying just one critical
risk or risk category and building ERM processes around that one risk.

Whichever specific risk approach is utilized, the critical success factor is to focus attention on a manageable number of key risks and then apply the
lessons learned to identifying and managing additional critical risks across the
enterprise.

๏ Theme 4: Leverage Existing Resources
Another possible barrier to initiating an ERM process may be the view that
significant resources including investments or outside expertise are needed to
undertake an ERM project. For example, some directors or senior executives
might think that they would need to hire an experienced Chief Risk Officer or
make significant investments in new technologies or automated tools.

Such a viewpoint could prove to be a significant barrier to smaller organizations, in particular, which might have a strong desire to move ahead
with ERM but have limited resources for making it happen. Many
organizations have successfully entered the ERM arena by leveraging their
existing risk management resources.

Organizations often discover that they have the personnel on their existing
staffs, with the knowledge and capabilities relating to risks and risk
management that can be used effectively to start. For example, some organizations have used their Chief Audit Executive or their Chief Financial Officer as the catalyst to begin an ERM initiative. In other instances, organizations have appointed a management committee, sometimes headed by the Chief Financial Officer (CFO), to bring together a wide array of personnel from across the entity who collectively have sufficient knowledge of the organization’s core business model and related risks and risk management practices to get ERM moving.

In addition, most organizations start their ERM effort without any specific
enabling technology or automated tools other than basic spreadsheets and
word-processing capabilities.

๏ Theme 5: Build on Existing Risk Management Activities
Any organization with current operations has some form of risk management
activities or risk related activities already in place. These might include
activities such as risk assessments performed by the internal audit, insurance
or compliance functions, fraud prevention or detection measures, or certain
credit or treasury activities.

By leveraging, aligning and subsequently enhancing these existing risk related activities, the organization can achieve immediate and tangible benefits. For
example, a company might implement a common set of risk definitions or a
common risk framework across the organization. Others have conformed
their risk assessment methodologies so that all areas of the organization
performing a risk assessment do so using the same methodology.

Although it makes sense to build upon existing risk related activities, it must
be done with the recognition that the existing activities probably do not
constitute ERM. ERM requires risk management processes that ultimately are
applied across the enterprise and represent an entity-wide portfolio view of
risk, which is often missing from these existing functions.

๏ Theme 6: Embed ERM into the Business Fabric of the Organization
ERM is a management process, ultimately owned by the board of directors
and involves people at every level of the organization. The comprehensive
nature of the ERM process and its pervasiveness across the organization and
its people provides the basis for its effectiveness.

ERM cannot be viewed or implemented as a stand-alone staff function or unit outside of the organization’s core business processes. In some companies
and industries, such as large banks, it is common to see a dedicated
enterprise risk management unit to support the overall ERM effort including
establishing ERM policies and practices for their business units.

However, because ERM is a process, organizations may or may not decide that they need dedicated, stand-alone support for their ERM activities.
Whether a risk management unit exists or not, a key to success is linking or
embedding the ERM process into its core business processes and structures
of the organization. Some organizations, for example, have expanded their
strategic plans and budgeting processes to include the identification and
discussion of the risks related to their plans and budgets.

๏ Theme 7: Provide Ongoing ERM Updates and Continuing Education for Directors and Senior Management
ERM practices, processes and information continue to evolve. Thus, it is
important for directors and senior executives to ensure that they are receiving
appropriate updates, new releases and continuing education on ERM,
including information about regulatory requirements and best practices. This
information provides the opportunity for directors and senior management to
update their risk management processes as they become aware of new or
developing practices. This ongoing improvement process is particularly
important with the increased focus on ERM by regulators, rating agencies,
and the capital market authorities.

D.2. Initial Action Steps

Building on the “Keys to Success” themes above, the next task is to plan the initial actions and steps that support the development of a tailored ERM initiative. The plan reflects some simple, basic steps for implementing ERM, including the key step of performing an initial risk assessment.

๏ Step 1: Seek Board of Directors (BOD) and Senior Management Leadership, Involvement and Oversight
The BOD and senior management set the tone for the organization’s risk
culture. Their involvement, leadership and oversight are essential for the
success of any ERM effort. The BOD and senior management should agree
on their initial objectives regarding ERM, its benefits and their expectations for
successful ERM.

At a high level, there should be clear agreement and alignment on the BOD’s and senior management’s expectations, timing and expected results. This should include agreement on the resources to be made available and target dates for the effort. The BOD should also consider the timing and level of status reporting that will be required to effectively monitor and oversee the ERM effort.

๏ Step 2: Select a Strong Leader to Drive the ERM Initiative

Finding a leader to head the initial ERM project is also critical for success. The BOD should identify a leader with the right attributes to head the ERM effort. This person does not need to be a Chief Risk Officer (CRO).

Often, it is best to initially use existing resources, for example the Chief Audit Executive or Chief Financial Officer, in this role to get ERM started. This leader will not necessarily be the person who heads ERM in the long term, but the person who gets the initiative started and takes responsibility for moving the organization’s ERM activities to the next level.

It is critical that the risk leader has sufficient stature, and sits at an appropriately senior management level in the organization, to have a rich strategic perspective of the organization and its risks and to be viewed as a peer by other members of senior management. Embedding ERM into the business fabric of the organization is necessary, and having a risk leader who is viewed as a peer by members of senior management is vital for the success of the ERM initiative.

๏ Step 3: Establish a Management Risk Committee or Working Group
To provide strong backing for its ERM effort, an organization should consider
creating a senior-level Risk Management Committee or Working Group as the
vehicle through which the designated risk leader can implement the ERM
initiative.

While the use of a committee or working group in addition to the risk leader
can be viewed as optional, these committees have been used by risk leaders
as an effective means to engage the right people across the organization to
ensure success of their ERM efforts.

Ideally, such committees or working groups would include department heads as well as key business unit leaders to ensure that the organization’s ERM efforts are firmly embedded within the organization’s core business activities.

๏ Step 4: Conduct the Initial Enterprise-wide Risk Assessment & Develop an Action Plan
In many ways, this step is the heart of the initial ERM process. The focus here
is to gain an understanding of and agreement on the organization’s top risks
and how they are managed. The assessment is a top-down look at the risks
that could potentially be most significant to the organization and its ability to
achieve its business objectives. While any organization faces many risks, the
starting point is to get a manageable list of what are collectively seen as the
most significant risks. Here, members of the risk committee or working group
can be most helpful by sharing their views or identifying people in the
organization who should be involved in the risk assessment.

While there is no one best way to conduct a risk assessment, many organizations start by obtaining a top-down view of the most important risk
exposures from key executives across the organization. This is typically
accomplished by starting with a discussion of the organization’s business
strategy and its components and then identifying the principal risks that
would impede its ability to achieve its strategic objectives. An alternative is to
discuss the strategies and risks of each of its major business units.

The organization should then consider prioritizing or ranking the risks identified. This step could be accomplished by a simple ranking of the perceived level of inherent risk or by a more detailed assessment of the probability and impact of each risk. Consider using a basic scale of high, medium and low for each inherent risk as a starting point rather than quantification or modeling. Again, during this initial assessment, many organizations find good discussion and simple classifications helpful. As a result of some of the large and unexpected risks that have manifested themselves lately, some organizations are now expanding their impact and probability assessments to include other factors. Examples of these new factors include assessing the velocity of a risk (how quickly it would materialize once triggered) or the level of preparedness of the organization for that risk.

The organization also needs to assess its risk responses related to identified
risks and develop action plans to address any gaps that are beyond those
acceptable. Typically, action plans stemming from the initial risk assessment
would identify gaps in the existing risk management processes related to the
risks identified and detail specific ways to address those gaps. The initial risk
assessment exercise is also a time to initiate discussions about the
organization’s risk appetite relative to the risks identified.

Some executives find it difficult to articulate, much less discuss, their organization’s risk criteria, sometimes called its risk appetite. To overcome this challenge, consider focusing initially on qualitative or narrative descriptions of the risk criteria or risk appetite (e.g. the organization may have zero tolerance for anything related to customer or employee safety).

Management can facilitate the discussion of the risk criteria or risk appetite by
identifying types of activities or products that they will or will not undertake
because of the perceived risks. Alternatively, they may discuss how risk
aggressive or conservative they want to be compared to their peers or
competitors.

๏ Step 5: Inventory the Existing Risk Management Practices
During the risk assessment process, the organization should also be taking
an inventory of its current risk management practices to determine areas of
strength to build upon and areas of weakness to address. This inventory
becomes valuable information for management to assist in enhancing the risk
management processes.

First, it enables the organization to identify gaps in its current risk management processes relative to its most important and significant risks as they are identified. Often, risk management activities are focused on existing operations and compliance risks, as opposed to significant external, emerging or strategic risks. As new risks are identified in the risk assessment process, the knowledge gained from a comprehensive inventory of existing risk management activities helps the organization assess the connections between existing risk management processes and the most critical enterprise-level risks, so that management can determine whether there are gaps in how the most important risks are managed. Further, it assists the organization in mapping risks to underlying objectives.

Second, the inventory forms a baseline for the organization as it continues to
develop and enhance its ERM processes. It helps management demonstrate
progress and the benefits of ERM by serving as a point of comparison as the
processes mature.

๏ Step 6: Develop Your Initial Risk Reporting


The organization next needs to develop its initial approach to risk reporting,
including its communication processes, target audiences, and reporting
formats. Organizations should start by keeping things simple, clear and
concise. Make it a point, however, that regardless of the specific reporting
format employed, the report must clearly reflect the relative importance or
significance of each risk.

To this end, many organizations use simple lists, with their top risks listed in
rank order. Others use colors or graphics along with their ranking to help
focus attention on the most significant of the risks being reported. Also
consider what status reporting and tracking you need to monitor progress on
your action plans in order to address gaps in risk processes or risk responses
identified during the ERM implementation.


๏ Step 7: Develop the Next Phase of Action Plans & Ongoing Communications
The implementation of ERM is an evolutionary process that takes time to
develop. In the spirit of continual improvement, once the initial ERM action
plan has been completed, the working group or risk leader should conduct a
critical assessment of the accomplishments to date and develop a series of
action plans for the next stage of implementation.

Following the incremental approach, the leader should identify next steps in
the ERM roll-out that will foster additional enhancements and afford tangible
benefits as a result. The completion of the initial ERM action plan is also an
opportunity for the risk leader and the ERM working group to convey the
status and benefits achieved to the BOD and senior management. The risk
leader should also consider what types of ongoing education offerings and
communications should be deployed across the organization to continue to
strengthen the organization’s risk culture and ERM capabilities.

E. Capacity Building Toward ERM Implementation Using ISO 31000

Capacity building to implement ERM using ISO 31000 may start with building the
right understanding of ERM and ISO 31000 fundamentals while, at the same time,
acquiring the relevant competencies, both hard competencies and soft
competencies, for the group of people who will lead ERM implementation in the
organization.

While an understanding of ERM using ISO 31000 can be built through self-study of
the official ISO 31000 documents, through discussion with risk professionals who
have experience in implementing ERM using ISO 31000, or through systematic
courses on ERM using ISO 31000, building the right competencies for the group of
people who will lead ERM implementation using ISO 31000 requires more elaborate
effort. In that regard, ERM Academy provides a template or standard of
‘competency matrices’, both for hard competencies and for soft competencies.
Organizations can use those matrices as a reference to build the appropriate
competencies for their people who will be involved, either directly or
indirectly, in their ERM implementation.

Once an understanding of ISO 31000 fundamentals is in place and a sufficient
number of people have the right competencies, the organization may proceed with
its initial steps to implement ISO 31000 as suggested in ‘Getting started - ERM
using ISO 31000’ above.


For the core team members or champions in the ERM - ISO 31000 implementation,
their capacity needs to be enhanced through a mastery of ‘ISO 31000 Risk
Assessment Techniques’ as recommended by ISO 31000. There are 31 risk
assessment techniques (qualitative, semi-quantitative, and quantitative) that
they must acquire. These techniques are described in detail in the
complementary document to ISO 31000, namely ISO 31010.

At a later stage, the core team members and the internal auditors, as the
organization’s independent assurance unit, need to acquire a mastery of
‘Assessing the Adequacy of ERM using ISO 31000’. For internal auditors, this
knowledge and skill are critical in equipping them with the right competencies
for conducting an independent assurance or review of the adequacy of ERM in the
organization.

Likewise, the core team members would gain a better understanding of the
documentation that needs to be in place and available for any independent
assessment or review, whether conducted by internal audit or by other
independent assurance providers.

ERMA EBA - Reading Material Series

Module 1
INTRODUCTION TO ENTERPRISE RISK MANAGEMENT

(c) 2011 ERMA, Enterprise Risk Management Academy
All Rights Reserved
This document is intended to be available only to the persons entitled to receive the
confidential information and legal privileges it may contain. Any duplication,
reproduction, or modification in any form, in whole or in part, without prior written
consent of ERM Academy is strictly prohibited.
For further information, please visit our portal at www.erm-academy.org or send
an email to [email protected]