Page 675 - COSO Guidance
6 | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | Thought Leadership in ERM
A Risk Management Alignment Guide, such as the example depicted below, can help facilitate compiling and documenting a high-level inventory of the organization's risk management activities. The guide can be developed in two steps. First, management would list the top risks in the Risk Category column, which would be identified during its initial risk assessment as described on the prior page. Next, management would ensure that they have pinpointed an owner of the risk, articulated some form of risk appetite relevant to that risk, and have considered what existing processes are in place to monitor the risk over time, if any.

The last three columns would include information about any needed actions required to strengthen risk oversight and pinpoint management and board oversight related to the risk. In practice, organizations have found the completion of the column on the Risk Owner to be a useful exercise to ensure that they have a risk owner identified and acknowledged for each major risk. The Risk Management Alignment Guide, once completed, also serves as a concise and useful way to communicate the organization's overall risk management practices at a high level for the board and senior management.
Risk Management Alignment Guide Example

| Risk Category | Risk Owner(s) | Risk Appetite Metrics | Monitoring | Action Plans | Company Oversight | Board Oversight |
|---|---|---|---|---|---|---|
| Reputation Risk | CEO | Policy including specific metrics approved xx/xx/xx | Corporate Communications | Approved & Updated xx/xx/xx | Executive Committee | Full Board |
| Operations Risk | COO | Daily operations metrics in place in all operating divisions | Operations Management daily monitoring and reporting | Plans in place for each trigger point | Risk Management; Internal Audit | Risk Committee |
| Information Technology Risk | CTO | Policies including daily performance metrics in place for security, back-up and recovery | Daily monitoring against established performance standards | Contingency and back-up plans in place and periodically tested | Operating Committee; Internal Audit | Audit Committee; Full Board |
| Risk 4 | | | | | | |
Step 6. Develop Your Initial Risk Reporting

The organization next needs to develop its initial approach to risk reporting, including its communication processes, target audiences, and reporting formats. Organizations should start by keeping things simple, clear and concise. Make it a point, however, that regardless of what specific reporting format is employed, the reporting must reflect clearly the relative importance or significance of each risk. To this end, many organizations use simple lists, with their top risks listed in rank order. Others use colors or graphics along with their ranking to help focus attention on the most significant of the risks being reported. Also consider what status reporting and tracking you need to monitor progress on your action plans in order to address gaps in risk processes or risk responses identified during the ERM implementation.

The following example of a Strategic Risk Profile (see next page) includes three major strategic risk categories in the rows of the table (Operations, Reputation, and Information Technology) and four possible risk factors in the columns of the table (Likelihood, Impact, Velocity and Readiness). The strategic risks are then listed in order of their overall priority, and the red, yellow, and green readiness symbols help readers focus on the risks that are most critical (e.g. those highlighted in red).

This example of a Strategic Risk Profile is presented for illustrative purposes only. Organizations should test various risk-reporting formats, approaches and risk factors, in addition to talking with directors and executives about the level of detail needed and the formats they find most useful.
www.coso.org