Enterprise Risk Management Framework Development & Implementation

ERM Framework Development

Irisk builds ERM Frameworks for clients based on the ISO 31000 ERM methodology, COSO ERM, COBIT 5 ERM and many other risk methodologies, and partners with leading vendors worldwide to offer automated ERM solutions to corporates. The following is the ERM process which Irisk’s consultants typically adopt in their framework development:

Risk Identification

The first step in the ERM Framework development is to gain an understanding of the current risk profile of the organisation. This typically involves early and continuous identification of events which, if they occur, could have a detrimental impact on the organisation’s processes. Further, risk categorisations (strategic, operational, IT, financial, credit, compliance, reputational, etc.) must be developed in line with the organisation’s critical business verticals. The root causes and the outcomes of such risks, both internal and external, must be researched.

Risk Assessment & Measurement

Risk Assessment examines the likelihood of a risk occurring and the impact of such a risk on the organisation’s business. Each risk is assigned a probability of occurrence, and its frequency is analysed, usually within a specific timeframe. A risk is said to occur frequently if it has a higher frequency or a greater probability. The impact of such a risk could be quantitative (loss of sales, etc.) or qualitative (loss of reputation, etc.).

Risk Response & Action

Each risk must have a response. The risk response strategy must be built so that threats are mitigated and opportunities are enhanced for the organisation. Risk owners must be assigned actions to reduce the probability of each risk, and the risk response strategy adopted must be documented.

Generally, the strategy is centred on four risk responses:

  • Accept
  • Mitigate
  • Transfer
  • Avoid

Risk Monitoring

After the risk response strategy has been developed, the respective manager must continuously monitor it to check whether risks remain within the organisation’s risk appetite. Risks which fall outside the organisation’s risk appetite must be escalated to management, and proper control mechanisms must be implemented to bring the risk back within acceptable limits.

Risk Reporting

The top management and Audit Committee must periodically review the risk registers/reports documented during the ERM process and satisfy themselves that the risks are within acceptable limits.
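As an added illustration (not Irisk’s own tooling or code), the following Python sketch of a risk register applies the assessment, monitoring and reporting steps described above: the 5-point likelihood and impact scales, the appetite thresholds and the register entries are constructed assumptions, not values from this page.

```python
from dataclasses import dataclass

# Constructed rating scale (an assumption, not from the page): likelihood and
# impact are each rated 1..5, and the risk score is likelihood x impact (1..25).
RESPONSES = ("Accept", "Mitigate", "Transfer", "Avoid")

@dataclass
class Risk:
    risk_id: str
    category: str     # e.g. Strategic, Operational, IT, Financial, Compliance
    likelihood: int   # probability of occurrence within the assessment timeframe
    impact: int       # quantitative (lost sales) or qualitative (reputation), 1..5
    owner: str        # risk owner assigned the response action
    response: str     # one of RESPONSES

def score(risk: Risk) -> int:
    """Inherent risk score; rejects ratings outside the 1..5 scale."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.risk_id}: rating {value} outside 1..5 scale")
    if risk.response not in RESPONSES:
        raise ValueError(f"{risk.risk_id}: unknown response {risk.response!r}")
    return risk.likelihood * risk.impact

def monitor(register: list[Risk], appetite: dict[str, int]) -> list[str]:
    """Ids of risks whose score exceeds the appetite for their category,
    i.e. the ones that must be escalated to management."""
    return [r.risk_id for r in register if score(r) > appetite[r.category]]

def report(register: list[Risk], appetite: dict[str, int]) -> dict[str, dict]:
    """Per-category summary for the management / Audit Committee review."""
    out: dict[str, dict] = {}
    for r in register:
        row = out.setdefault(r.category, {"risks": 0, "max_score": 0, "within_appetite": True})
        row["risks"] += 1
        row["max_score"] = max(row["max_score"], score(r))
        row["within_appetite"] = row["max_score"] <= appetite[r.category]
    return out

# Constructed sample register and appetite thresholds (hypothetical values)
APPETITE = {"IT": 8, "Financial": 10, "Compliance": 6}
REGISTER = [
    Risk("R1", "IT", 4, 4, "CIO", "Mitigate"),         # score 16 > 8: escalate
    Risk("R2", "Financial", 2, 5, "CFO", "Transfer"),  # score 10 <= 10: within appetite
    Risk("R3", "Compliance", 1, 3, "CCO", "Accept"),   # score 3 <= 6
    Risk("R4", "IT", 2, 3, "CIO", "Accept"),           # score 6 <= 8
]

if __name__ == "__main__":
    print("escalate:", monitor(REGISTER, APPETITE))
    for category, row in report(REGISTER, APPETITE).items():
        print(category, row)
```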