Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | 5
organization’s business strategy and its components and then identifying the principal risks that would impede its ability to achieve its strategic objectives. An alternative is to discuss the strategies and risks of each of its major business units. To aid in these discussions, some organizations prepare a list of major risk categories, such as operational, financial, legal and market, and then discuss exposures to that risk category for the business overall or for each significant business unit.

It is often simplest and most effective for an organization to conduct this initial, top-down risk assessment with a handful of key business-unit leaders and members of the “C-suite.” More individuals across and further within the organization can be added later as the risk assessment process matures. This data gathering could be accomplished through interviews, surveys, facilitated discussion groups or committee meetings. (See Appendix D to this paper for some examples of questions to consider for this initial risk assessment.)

The organization should then consider prioritizing or ranking the risks identified. This step could be accomplished by a simple ranking of the perceived level of inherent risk or by a more detailed assessment of the probability and impact of each risk. Consider using a basic scale of high, medium and low for each inherent risk as a starting point rather than quantification or modeling. Again, during this initial assessment, many organizations find good discussion and simple classifications helpful.

As a result of some of the large and unexpected risks that have manifested themselves lately, some organizations are now expanding their impact and probability assessments to include other factors. Examples of these new factors include assessing the velocity of a risk or the level of preparedness of the organization for that risk. For an example of an expanded risk assessment, see the Example Strategic Risk Profile following Step 6.

Whatever specific approach is taken, the information gathered should be compiled into an initial list with a manageable number of risks or potential risk events. As the organization matures its ERM processes, it can probe into finer levels of detail on other risks or, with enhanced knowledge of risk management activities, evolve its risk assessment from inherent risks to residual risks. Keep in mind, however, that focusing on too much detail or too many risks in the early stages of ERM adoption can impede progress on the broader ERM effort.

The organization also needs to assess its risk responses related to identified risks and develop action plans to address any gaps that are beyond those acceptable. Typically, action plans stemming from the initial risk assessment would identify gaps in the existing risk management processes related to the risks identified and detail specific ways to address those gaps.

The initial risk assessment exercise is also a time to initiate discussions about the organization’s risk appetite relative to the risks identified. Some executives find it difficult to articulate, much less discuss, their organization’s risk appetite. To overcome this challenge, consider focusing initially on qualitative or narrative descriptions of the risk appetite (e.g., the organization may have zero tolerance for anything related to customer or employee safety). Management can facilitate the discussion of the risk appetite by identifying types of activities or products that they will or will not undertake because of the perceived risks. Alternatively, they may discuss how risk-aggressive or risk-conservative they want to be compared to their peers or competitors.

Step 5.
Inventory the Existing Risk Management Practices

During the risk assessment process, the organization should also be taking an inventory of its current risk management practices to determine areas of strength to build upon and areas of weakness to address. This inventory becomes valuable information for management to assist in enhancing the risk management processes.

First, it enables the organization to identify gaps in its current risk management processes relative to its most important and significant risks as they are identified. Oftentimes risk management activities are focused on existing operations and compliance risks, as opposed to significant external, emerging or strategic risks. As new risks are identified in the risk assessment process, the knowledge gained from a comprehensive inventory of existing risk management activities will help the organization assess the connections between existing risk management processes and the most critical enterprise-level risks, so that management can determine if there are any gaps in how they are managing the most important risks. Further, it assists the organization in mapping risks to underlying objectives.

Second, the inventory forms a baseline for the organization as it continues to develop and enhance its ERM processes. It helps management demonstrate progress and the benefits of ERM by serving as a point of comparison as the processes mature.
www.coso.org