By working together, chief risk officers and internal auditors can guide their organization around enterprise risk management pitfalls.
FROM ITS INSURANCE ORIGINS, enterprise risk management (ERM) has developed into a full-fledged management function that has progressed into business areas that were originally considered unrelated. This evolution toward a portfolio approach to risk recognizes that risks are interrelated and that significant benefits can be achieved from evaluating and monitoring risk on an organizationwide basis.
In recent years, it has become a best practice for organizations to provide more information in corporate reports about their progress in implementing ERM. These organizations are showing how risk management is integrated into their organizational structure and how it interfaces with assurance activities such as internal auditing. Areas disclosed in corporate reporting on ERM include:
* Defining how ERM is linked to international best practice frameworks.
* Explaining the role of the organization's chief risk officer (CRO).
* Offering a high-level explanation of the ERM process within the context of strategy setting.
* Summarizing overall business objectives alongside external and internal risk factors.
* Providing information on the quantification technique for each risk category and details associated with key performance areas and indicators.
* Setting out the organization's risk appetite and tolerance ranges for strategic objectives.
As champion of the ERM process, the CRO plays a key part in bringing together disparate risk management processes to ensure that limited company resources are applied effectively (see "The CRO's Key Duties" on page 53). The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework defines the CRO's role as working with other managers to establish effective risk management, monitoring progress, and assisting other managers in reporting relevant risk information up, down, and across the organization.
Internal auditors should work with the CRO as part of their risk management duties. In this role, internal auditors are responsible for evaluating the accuracy of ERM reporting and providing independent, value-added recommendations to management about its ERM approach. The IIA's International Standards for the Professional Practice of Internal Auditing specifies that the scope of internal auditing should encompass risk management and control systems. This includes evaluating the reliability of reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.
ERM TOUCHSTONES