Who is ultimately responsibility for the effectiveness and success of ERM in an organization?

Enterprise risk management isn't a list of worst case scenarios.  It's looking at what we could do a little differently to generate a positive result.

"The practices used in enterprise risk management are applied from the highest levels of an entity and flow down through [divisions/units] and functions.  The practices are intended to help people within the entity better understand its strategy, what business objectives have been set, what risks exist, what the acceptable amount of risk is, how risk impacts performance, and how they are expected to manage risk."

"Enterprise risk management helps an organization better understand:

• How mission, vision, and core values form the initial expression of what types and amount of risk are acceptable to consider when setting strategy.
• The possibility that strategy and business objectives may not align with the mission, vision, and core values.
• The types and amount of risk the organization potentially exposes itself to by choosing a particular strategy.
• The types and amount of risk inherent in carrying out its strategy and achieving business objectives and the acceptability of this level of risk, and ultimately, value."

- COSO Enterprise Risk Management, Integrating with Strategy and Performance, June 2017

"Management holds overall responsibility for managing risk to the entity, but it is important for management to go further: to enhance the conversation with the board and stakeholders about using enterprise risk management to gain competitive advantage.  That starts by deploying enterprise risk management capabilities as part of selecting and refining a strategy.

Most notably, through this process, management will gain a better understanding of how the explicit consideration of risk may impact the choice of strategy.  Enterprise risk management enriches management dialogue by adding perspective to the strengths and weaknesses of a strategy as conditions change, and to how well a strategy fits with the organization's mission and vision.  It allows management to feel more confidant that they've examined alternative strategies and considered the input of those in their organization who will implement the strategy selected.

Once strategy is set, enterprise risk management provides an effective way for management to fulfill its role, knowing that the organization is attuned to risks that can impact strategy and is managing them well.  Applying enterprise risk management helps to create trust and instill confidence in stakeholders in the current environment, which demands greater scrutiny than ever before about how (management) is actively addressing and managing these risks."

"Enterprise risk management is not a function or department.  It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.

Enterprise risk management is more than a risk listing.  It requires more than taking an inventory of all the risks within the organization.  It is broader and includes practices that management puts into place to actively manage risk.

Enterprise risk management addresses more than internal control.  It also addresses other topics such as strategy-setting, governance, communicating with stakeholders, and measuring performance.  Its principles apply at all levels of the organization and across all functions.

Enterprise risk management is not a checklist.  It is a set of principles on which processes can be built or integrated for a particular organization, and it is a system of monitoring, learning and improving performance."

"Organizations that integrate enterprise risk management throughout the entity can realize many benefits, including, though not limited to:

• Increasing the range of opportunities:  By considering all possibilities - both positive and negative aspects of risk - management can identify new opportunities and unique challenges associated with current opportunities.
• Identifying and managing risk entity-wide.
• Increasing positive outcomes and advantage while reducing negative surprises.
• Reducing performance variability.
• Improving resource deployment.
• Enhancing enterprise resilience."

- COSO Enterprise Risk Management, Integrating with Strategy and Performance, Executive Summary, June 2017

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO Enterprise Risk Management (Revised - June 2017)

"The Framework itself is a set of principles organized into five interrelated components.

(Components:)

1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.

5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

(Principles:)

1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.

3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.

4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.

5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.

6. Analyzes Business Context—The organization considers potential effects of business context on risk profile.

7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.

8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.

9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.

10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.

11. Assesses Severity of Risk—The organization assesses the severity of risk.

12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.

13. Implements Risk Responses—The organization identifies and selects risk responses.

14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.

15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.

16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.

17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.

18. Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.

19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management.

20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity."

- COSO Enterprise Risk Management, Integrating with Strategy and Performance, Executive Summary, June 2017

- COSO Enterprise Risk Management, Integrating with Strategy and Performance, June 2017

Who is responsible for the ERM?

Who is responsible for affirming the effectiveness of the enterprise risk management framework to the board level risk committee and how often is this done?

Who is responsible for risk management and what are their roles?

Who is responsible for developing the risk framework?