3.4 Enterprise Risk Management Framework and Process
Although either ISO 31000:2018 or the COSO ERM Framework can be used by any organization, ISO 31000:2018 contains a generic risk management framework and process that many organizations find easier to implement. It will be used as the model in this course.
The four components of the generic risk management framework supporting the risk management process are:
Establishing Accountability
The first element of the risk management framework is to establish accountability within the ranks of the organization’s senior management. A risk management architecture and structure should be implemented to support management’s commitment to a risk management culture.
Integration
The second element of the risk management framework is to align risk management with the organization’s objectives, with the goal of integrating the risk management process into the organization’s existing processes.
Resource Allocation
The third element of the risk management framework is to obtain a commitment from management to provide the resources necessary to implement the risk management process throughout the organization. Management must be prepared to dedicate financial, personnel, and training resources to support the implementation of the risk management program.
Communication and Reporting
The fourth and final element of the risk management framework is the communication of the risk management process across the organization and to its stakeholders. Detailed reports containing information on both known and emerging risks should be prepared, completed, and reviewed. Known risks are risks that the organization already has knowledge of or that have previously affected it. Emerging risks are risks not yet known to the organization, arising from business cycles, technology, global events, or changes to existing processes.