The key to an effective communication program is choosing the right communication model for a particular agency, depending on where the organization is in its ERM maturity curve.
[More]Ask the Experts
How do you consider existing controls in establishing the likelihood of the risk? Are risk responses by default internal controls?
When comparing risk responses and internal controls to the construction of a building, one could say that the risk response is more of the “blueprint” or “architectural diagram” and the internal control is the “engineered solution.”
[More]What are some effective methods to report the status and/or results of ERM activities to management?
Reporting will vary depending on leadership and how the audience best receives information. However, reporting will likely focus on the accomplishments of the ERM program, particularly as it relates to enabling an agency effectively managing risk tolerances at the goal and objective levels and risk appetite at the agency level. To accomplish this, agency leadership (more…)
[More]How long does it take to implement a fully compliant ERM program?
There is a significant difference between a fully compliant ERM program and a fully capable ERM program. Compliance focuses on the contents of an ERM program, while capability focuses on what an ERM program can achieve.
[More]If agency executives view ERM as an administrative burden, what’s the best way to approach ERM at that agency?
Successfully implementing ERM requires the ERM team to focus on change management in conjunction with developing the program processes, policies, and procedures.
[More]Where should the ERM process/program reside within the agency to include who should oversee the program?
… agencies are best served by a strong and independent risk management function positioned as high in the organizational structure as possible.
[More]How will auditors audit ERM, since this is different than regulation and procedure compliance? What conversations are happening with IGs to ensure they understand how ERM works?
… starting with foundational ERM program elements with a clear direction for program development and maturity will compel the audit team to consider how the agency is approaching its ERM program…
[More]How can the OIG’s risk assessment process for audit planning purposes coexist with the ERM program’s assessment for risk management purposes? Where is the line drawn for collaboration?
When it comes to discussing matters of risk management within an organization, there will always be some overlap. However, the Risk Manager should remain focused on the primary business/mission objective, the risk created from executing toward that objective, and what responses the organization would have for the risk created. When discussing the OIG and an (more…)
[More]The COSO ERM – Integrated Framework identifies three approaches to communicating an organization’s risk appetite (e.g., through general statement, by organization objectives, or by risk types identified by the organization). What organizational characteristics would benefit from each of these methods?
Risk appetite denotes the level and nature of risk that is acceptable. Risk tolerance refers to the degree of variability in Return on Investment (ROI) in programmatic execution or administration that an Agency is willing to withstand. Risk appetites and tolerances should be set at the Governance level, Executive level, and Operational level and should (more…)
[More]How do you maintain precise risk trigger descriptions when you aggregate risk profiles from low organizational levels to higher level summary risks? It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.
A risk trigger is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans. Risk thresholds define the boundaries of fluctuation for those triggers. This is a difficult challenge. It is almost impossible without first defining an actual risk event scenario, (more…)
[More]