Ask the Experts

The COSO ERM – Integrated Framework identifies three approaches to communicating an organization’s risk appetite (e.g., through general statement, by organization objectives, or by risk types identified by the organization). What organizational characteristics would benefit from each of these methods?

Risk appetite denotes the level and nature of risk that is acceptable.  Risk tolerance refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand.  Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should (more…)

How do you maintain precise risk trigger descriptions when you aggregate risk profiles from low organizational levels to higher level summary risks? It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.

A risk trigger is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans.  Risk thresholds define the boundaries of fluctuation for those triggers. This is a difficult challenge.  It is almost impossible without first defining an actual risk event scenario, (more…)

I have yet to hear of anyone’s risk profile, including my own, that includes opportunities, even though A123 requires risk profiles to include opportunities. Why is that?

Because of the Federal government’s unique position, in comparison to perhaps a commercial entity, the Federal government tends to lean towards stability instead of volatility. This places more emphasis on managing downside risks, or threats, and seeking to monitor or minimize the accompanying risk exposure. Identifying and seeking to exploit opportunities involves numerous constraints in the Federal space…

Considering the current market for Federal ERM Professionals, would it be highly unlikely to find a 10yr professional within a salary range of $95K – $105K?

Like any professional, the salary range for an ERM professional with 10 years of working experience will depend on many factors.  Formal education, relevant peripheral experience (e.g., strategic planning, performance management, internal controls, audit, etc.),  closely aligned experience (i.e., risk management and ERM), and specific familiarity with the organization and/or similar projects all play into (more…)

I am drafting a risk assessment report and want to understand whether exclusion of current risk reports should be excluded. Am I just identifying issues, or also giving credit for planned or in process work?

There is no standard form for developing a risk assessment report.  While various sources indicate elements that may find a home in such a report, one might expect no standard exists because assessment reports can be written for different audiences with different information needs. Understanding what might go into a risk assessment report should thus (more…)

What thoughts do you have on rationalizing and aligning the concepts and terminology of the internal control community with the risk management community?

Rationalizing and aligning the concepts and terminology of the internal control community with the risk management community is an ongoing challenge for many in the public sector and beyond. This is in part because these two communities come from a history relying on similar terms to mean different things. Take for example the concepts of (more…)

Is ERM only applicable at the Departmental level?

David, thank you for your question.  In my view, ERM is intended to be forward thinking/scanning the horizon, while the existing internal controls only measure how well we are executing measurable components towards our strategic goals.  ERM looks at what could keep us from accomplishing our goals, so it would seem that ERM would have (more…)
