Page 678 - COSO Guidance
Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | 9
Appendix A – COSO’s Enterprise Risk Management – Integrated Framework

Components of Enterprise Risk Management – ERM Integrated Framework

Enterprise risk management consists of eight interrelated components. These components are derived from the way management runs a business and are integrated with the management process.

[Figure: the COSO ERM cube. Objective categories (top face): Strategic, Operations, Reporting, Compliance. Components (front face): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Organizational levels (side face): Entity-Level, Division, Business Unit, Subsidiary.]

For more detailed information on enterprise risk management, the COSO Enterprise Risk Management – Integrated Framework, and related practices and activities, see the following COSO publications, available through the COSO website at COSO.org/guidance.

• Enterprise Risk Management – Integrated Framework
• Effective Enterprise Risk Oversight: The Role of the Board of Directors
• Strengthening Enterprise Risk Management for Strategic Advantage
Appendix B – Where to Start: Draft Action Plan for an ERM Initiative

Outlined below is an initial high-level draft of an action plan for ERM. This draft plan highlights key events and actions that organizations should consider in starting an ERM initiative. The draft is not intended to be viewed as a complete plan; furthermore, it requires careful tailoring and expansion prior to use. However, we believe it reflects useful information and is a practical draft plan as a basis to start.

1. Seek Board and Senior Management Involvement and Oversight
a. Set an agenda item for the board and executive management to discuss ERM and its benefits
b. Agree on high-level objectives and expectations regarding risk management
c. Understand the process to communicate and set the tone and expectations of ERM for the organization
d. Agree on a high-level approach, resources and target dates for the initial ERM effort

2. Identify and Position a Leader to Drive the ERM Initiative
a. Identify a person with the right attributes to serve as the risk management leader
i. Does not have to be a CRO (Chief Risk Officer)
ii. Use existing resources
b. Set objectives and expectations for the leader
c. Allocate appropriate resources to enable success

3. Establish a Management Working Group
a. Establish a management working group to support the risk leader and drive the effort across the organization
b. Have the right, key people in the group
i. Sufficient stature
ii. “C-suite” representation
iii. Business unit management
c. Look at using cross-functional teams
d. Agree on objectives for the working group
i. Build ERM using incremental steps
ii. Define some sought-after benefit to evaluate each step
iii. Establish a reporting process for management and the board

4. Conduct an Initial Enterprise-wide Risk Assessment and Action Plan
a. Focus on identifying the organization’s most significant risks
b. Look for risks at the strategic level
c. Consider risk factors beyond just probability and impact, e.g.
i. Velocity of risk
ii. Preparedness
iii. Other factors
d. For the most significant risks:
i. Assess exposure to the risk
ii. Assess adequacy of existing risk mitigation or monitoring
iii. Identify opportunities to enhance mitigation or monitoring activities
www.coso.org