A blog post by Norman Marks reminded us that Risk Management for an Enterprise needs a guiding framework, and there are many sources for one. Norman refers to the COSO ERM framework, which dates back to 2004, and believes it will be updated soon to reflect the changes that have taken place in regulation and risk technology. ISO has its own guide to Risk Management (not free, unfortunately; see the link below), which Norman reduces from eleven principles to six, namely:
- Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
- Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
- Risk management is dynamic, iterative and responsive to change.
- Risk management is systematic and structured.
- Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
- Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.
A paper from McKinsey targets financial organisations such as banks and shows how to put an ERM framework in place and measure its performance. As a practical example, the 2016 annual report from Deutsche Bank (which is fully interactive) shows how they engage everyone from the Board downwards in their ERM approach.
Finally, Alex Sidorenko provides an entertaining video explaining that, after many years in Risk Management, he still doesn’t know what ERM is, and points out that there is no single agreed standard in the world. The question for you is: what are your ERM principles, and how do you implement them? We’d be interested in your feedback; please use the comments below.