Background and intro
Risk management has traditionally been an integral, and sometimes implicit, part of an enterprise's business governance practices. Although every country has guidelines for business governance, not all of them are formulated as regulations; some are only generally accepted norms of conduct[1]. Well-known governance and risk frameworks include:
- The Basel Accords (for financial services organizations), which regulators worldwide use as the basis for jurisdiction-specific directives covering management practices around operational, credit and market risk
- COSO, a sector-agnostic private-sector initiative dedicated to helping organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence
Enterprises use a variety of internal control systems, both formal and informal, to monitor their governance mechanisms. The COSO model[2], for example, defines internal control as a process "designed to provide reasonable assurance of the achievement of objectives" in the following categories:
- Operational Effectiveness and Efficiency
- Financial Reporting Reliability
- Applicable Laws and Regulations Compliance
A recent study[3] of enterprise risk management (ERM) practices highlighted the following:
- Effective risk management is a priority for boards of directors: organizations face pressure from a number of stakeholders to provide more risk information, and business leaders want to be better prepared when unexpected risk events emerge so that they are not surprised
- Most organizations continue to struggle to integrate their risk management and strategic planning efforts; risk tolerances are not formally articulated as part of their strategic management activities
- There are a number of impediments to advancing an organization’s risk management processes, with the belief that "risks are managed in other ways besides ERM" dominating the list
- There is a heavy emphasis on risks related to technology, legal/compliance and financial issues, with ERM processes less focused on emerging strategic/market/industry risks or risk related to reputation
- There are opportunities to reposition an entity's risk management process to ensure risk insights generated are focused on the most important strategic issues
References
1. Integration of Risk Management with Business Processes, European Union Agency for Cybersecurity (ENISA), 2009.
2. Enterprise Risk Management: Integrating with Strategy and Performance, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2017.
3. 2021 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 12th Edition, Enterprise Risk Management Initiative Staff, NC State Poole College of Management, 2021.