Page 24 - Insurance Times August 2023
Components of ERM:

The COSO framework for ERM identifies eight components: Internal environment, Objective setting, Event identification, Risk assessment, Risk response, Control activities, Information & communication, and Monitoring.

Internal Environment: The elements that make up the internal environment include such things as "an entity's ethical values, competence and development of personnel, management's operating style and how it assigns authority and responsibility." As part of this internal environment, a company establishes its philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. This includes activities such as a risk management policy and the setting of risk appetite and risk tolerance levels.

Objective Setting: Involves identifying or understanding what an organization, a division or a department is expected to achieve in the long term, and its related short-term or operational objectives that would enable it to achieve the strategic objectives. Determine the organization's risk appetite. Identify and prioritize risks through risk assessment. Prioritize risks based on their potential likelihood and impact. Develop a plan for risk mitigation or acceptance.

Event Identification: During event identification, management identifies potential events that could affect an entity's ability to achieve its objectives. An event is an incident or occurrence that emanates from either internal or external sources. Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.

Risk Assessment: Risk assessment is the iterative process of risk identification, analysis, and evaluation. The objective is to provide sufficient information at appropriate intervals for risk-informed management decisions. The steps to assess the risk are:
Identify hazards.
Assess the risks.
Control the risks.
Record your findings.
Review the controls.

Risk Response: Leadership's response or action towards the existence of a risk. There are different approaches, including: Avoidance - eliminate the conditions that allow the risk to exist. Reduction/mitigation - minimize the probability of the risk occurring and/or the likelihood that it will occur. Since project managers and risk practitioners are used to the four common risk response strategies (for threats) of avoid, transfer, mitigate and accept, it seems sensible to build on these as a foundation for developing strategies appropriate for responding to identified opportunities.

Control Activities: Control activities are performed at all levels of the entity, at various stages within the business processes, and over the technology environment. They may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce the risks identified during the risk assessment process is carried out. In other words, control activities are actions taken to minimize risk.

Information & Communication: Information, communication, and reporting is one of the key components of the COSO ERM framework. Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.

Monitoring: Ongoing monitoring includes regular