There is no standard form for developing a risk assessment report. While various sources indicate elements that may find a home in such a report, one might expect no standard exists because assessment reports can be written for different audiences with different information needs. Understanding what might go into a risk assessment report should thus (more…)
Ask the Expert
What thoughts do you have on rationalizing and aligning the concepts and terminology of the internal control community with the risk management community?
Rationalizing and aligning the concepts and terminology of the internal control community with the risk management community is an ongoing challenge for many in the public sector and beyond. This is in part because these two communities come from a history relying on similar terms to mean different things. Take for example the concepts of (more…)
Is ERM only applicable at the Departmental level?
David, thank you for your question. In my view, ERM is intended to be forward thinking/scanning the horizon, while the existing internal controls only measure how well we are executing measurable components towards our strategic goals. ERM looks at what could keep us from accomplishing our goals, so it would seem that ERM would have (more…)
Office, Bureau or Agency-wide ERM implementation. Which is best (part 2 of 2)?
As I hopefully conveyed in my prior thoughts on the distinction between ERM and internal controls, it would be a serious mistake for any organization to presume their internal control program will suffice for addressing the risk to their organizational objectives. Hopefully that message will filter down throughout the Department, because all levels of the (more…)
Office, Bureau or Agency-wide ERM implementation. Which is best (part 1 of 2)?
One way of answering this question is to first ask: (1) what is the purpose of ERM? and (2) what is the key mechanism of ERM in accomplishing this goal? ERM seeks to develop an organization-wide, portfolio view of risk that allows balancing results, resources and risks in a manner that maximizes stakeholder value. The (more…)
Is ERM just a more mature way to implement Internal Controls (part 2 of 2)?
Previously, I shared thoughts on the relationship between internal control and risk management. These two terms are not synonyms, and to understand their relationship is important to achieving any organization’s full set of objectives. However, how does Enterprise Risk Management (ERM) factor into this discussion? Is ERM simply a new term for discussing risk management, (more…)
Is ERM just a more mature way to implement Internal Controls (part 1 of 2)?
The distinction between internal control, risk management, and ERM is often a point of confusion. In translating a definition into a working concept, it is often important to understand the application of the concept, and what words in a definition might be lacking to further explain the concept. To start, the full GAO Green Book (more…)