Enterprise Risk Management Framework and KRIS


ERM FRAMEWORK

v. Nov 2022
Principles of Risk Management and
Excellence in Risk Management #1
• Risk management should have net value to the organization. It should make money, enhance reputation,
contribute to public safety, improve sustainability, and generally enhance benefits and reduce harm. It does
this by improving the decision makers’ understanding of the effects of uncertainty on objectives, devising risk
treatments that are effective for those objectives, and monitoring, reviewing, and improving risks and controls.

Illustration
• A study of dams constructed by the U.S. Bureau of Reclamation compared planning estimates made before
construction with data for the same projects once built and in operation.
• The study found that if the Benefit to Cost ratio in the planning period was 1.0, there was only a 17 percent
chance that the actual project would break even.
• A prior Benefit to Cost ratio of 4.0 (benefits exceeding costs by 300 percent) was needed to achieve a 95 percent
probability of reaching a Benefit to Cost ratio of 1.0, i.e. break even.
• The benefits were systematically overestimated and the costs were systematically underestimated (James and Lee
1971).
• Effective risk management should reduce these biases and improve the estimates of actual value.
Principles of Risk Management and
Excellence in Risk Management #2
10 principles for risk management

1. Creates value for objectives of health, reputation, profits, compliance, and so on, less the costs of risk
management.
2. Is an integral part of organizational processes including project management, strategic planning,
auditing, and all other processes.
3. Is part of decision making through analysis and evaluation to understand risk and determine its
acceptability as treated.
4. Explicitly addresses uncertainty and how it can be modified.
5. Is systematic, structured and timely and produces repeatable and verifiable outcomes and decisions.
6. Is based on the best available information including historical data, expert opinion, stakeholder
concerns, and so forth, tempered with the quality and availability of the information.
7. Is tailored to the organization, its objectives, its risks, and its capabilities.
8. Takes human and cultural factors into account in addition to technical and other “hard” factors that
impact the likelihood of consequences.
9. Is transparent and inclusive so that communication and consultation with stakeholders and others
keeps the risk management and risk criteria current and relevant.
10. Is dynamic, iterative and responsive within a “continuous improvement” environment that responds to
changes in context, trends, risk factors and other internal and external factors.
Principles of Risk Management and
Excellence in Risk Management #3
“Risk maturity” characteristics
• Continuous improvement in the framework using a formal process.
• Accountability for risks with readily available lists of risk owners.
• Use of the RMP in all decision making with documentation as appropriate.
• Constant communications about risk, risk controls, and other “of possible interest” aspects of the RMP.
• High profile for risk management as a core commitment in the organization.
Elements of an ERM Framework
ERM Framework: Concept and Elements
• The underlying concept in ISO 31000 for
an ERM framework is a quality
management approach using the Deming
paradigm of Plan-Do-Check-Act (PDCA)
• The ERM framework in an organization
supports the risk management process
for decision making in the organization.
The Risk Management Process (RMP) is
the key element of the ERM framework.
The RMP ensures that risk management
and the operation of risk controls will
increase good consequences and reduce
bad consequences within a continuous
improvement cycle
RISK MANAGEMENT PROCESS (RMP)

An ISO 31000 Compatible Framework for Implementing ERM Including the Risk Management Process
Risk Management Process: Context
The context may be organized into three categories:
• The external context—anything outside the organization that must be taken into account in risk
management, including stakeholders, regulations, contracts, trends in business drivers, local culture
and social norms, employment situations, and competition.
• The internal context—anything inside the organization that must be considered in the RMP,
including capabilities, resources, people and their skills, systems and technologies, information
flows, decision-making processes (formal and informal), internal stakeholders, policies and
strategies within the organization, and other constraints and objectives.
• The risk management context—any activity in the RMP that requires attention in seeking to find the
appropriate level of risk and associated risk treatments, controls, monitoring, and review. This
includes responsibility for the risk, scope of the RMP, linkages of the product or service to other
products and services in the organization, risk assessment methods to use (may be specified by
regulations, industry norms, stakeholder requirements such as business plan formats, etc.), the time
available for the RMP, background studies that may be needed, coordination with communication
and consultation task as well as the monitoring and review task, and other processes and procedure
matters.
Risk Management Process: Risk Assessment
• Risk identification. Risks associated with any decision must be
identified and placed in a risk register or risk log before they can be
treated, even if it is later determined that the risk levels with existing
controls are acceptable.
• Risk analysis. The purpose of risk analysis is to provide the decision
maker with sufficient understanding of the risk, that they are satisfied
they have the appropriate level of knowledge about the risk to make
decisions on risk treatment and acceptance.
• Risk evaluation. Each identified and analyzed risk is evaluated by
comparing the residual risk after risk treatment (or with existing
controls) against the risk criteria.
Risk Management Process: Risk Treatment

• Risk treatment includes the identification of control options, selection of a control option, and
implementation of the selected control.
Risk Management Process: Monitoring and
Review
Monitoring and review along with risk communication and consultation are two RMP
activities that are applied to the three “line” activities of context, assessment, and
treatment. Monitoring and review are key to the continuous improvement of risk
management.
• Has the risk changed in character due to trends? Are there new risks evolving or emerging?
• Has the context for the risk management changed, for example after events such as the October 2008
financial crisis?
• Is the risk treatment plan being implemented? As planned?
• Are controls effective?
• What is the appropriate frequency of monitoring?
• Should monitoring be done by internal audit, a third party, or self-assessment?
• Based on actual outcomes for objectives, was the risk assessment accurate?
• Can monitoring be improved by identifying better key performance indicators?
Risk Management Process: Communication
and Consultation
• Because risk is uncertainty
about effects on objectives
there is a strong incentive for
communication and
consultation.
• There must be extensive
communications among team
members, and consultations
with other experts in the
organization to ensure the
accuracy and effectiveness of
activities in the RMP
Risk Management Process:
Recording the Risk Management Process
• Records created as an integral part of the RMP provide for traceability of decisions, continuous
improvement in risk management, data for other management activities, legal and regulatory
requirements, and so forth.
• Systems for record keeping, storage, protection, retrieval, and disposal need to be carefully designed,
implemented, monitored, and reviewed.

Two possible levels of documentation
Risk assessments may be recorded at two different levels: generic and visit-specific. Whether both of
these are used, how, and in what combination, is the choice of an employer or establishment. What
matters is that for any activity or visit:
• The documents, individually or in combination, record any significant findings for the specific
group and the particular venue(s) to which they will be taken, and address the ‘SAGE’ variables
(Staff, Activity, Group, Environment).
• All involved understand the plan as much as they need to, particularly their roles and responsibilities
within it and what they need to do.
• What is recorded happens in practice.
MANDATE AND COMMITMENT
TO THE ERM FRAMEWORK
• Risk management should be fully integrated into the management of the
organization, which will require mandate and commitment.
• There are three steps in the organization’s mandate and commitment:
1. Decision to undertake a review of the risk management framework,
assignment of a champion, and resources.
2. Champion conducts and reports on:
a. Gap analysis of existing ERM framework and other risk management processes in the
organization, usually against ISO 31000, industry norms, and other benchmarks.
b. Context for risk management in the organization.
c. Design of a (revised) ERM framework, and recommendations for implementation.
3. Approval of the ERM framework, and the implementation plan including IT
system, alignment of the risk management and organizational processes, as
well as continuous review for improvement.
RISK MANAGEMENT POLICY

Risk management policy for ERM frameworks can be considered in three groups:
1. Policies for the ERM framework and its processes and procedures.
2. Policies for risk management decisions:
a) Risk appetite.
b) Risk criteria.
c) Internal risk reporting.
3. Commitment, responsibility, and timing for monitoring and review of policies.
Risk Appetite
Risk appetite has two dimensions, one that focuses on the average or expected situation
and one that focuses on the extreme or worst case situation:
• The risk appetite dimension for expected outcomes of risk consequences. This is
the normal situation that is expected when there is no recession, no new “killer”
technology, no innovations by competitors, and generally business as usual. In
some fields such as perhaps mining this “average all things considered” situation
may never exist.
• The risk appetite dimension for unexpected or “worst case” outcomes of risk
consequences. This is the survival dimension of strategic initiatives and is usually
expressed in terms of resilience and robustness of the organization to the slings
and arrows of outrageous fortune. It is noted that some worst cases are the
product of wildly successful initiatives that place the organization in a position
where it fails because it cannot cope with that much success.
INTEGRATION OF RISK MANAGEMENT
AND RESOURCES FOR ERM

• “Objectives” provide the glue for integration of ERM into the organization’s processes.
• Two keys to making ERM integrated: (1) the top-down key and (2) the bottom-up key.
• In larger organizations, full integration of ERM will likely take from three to five years once ERM is
initiated.
• Integration of ERM with resources, including funds and expertise, should be done annually and be
included in the general budgeting process. Training and other roll-out activities may be provided by
external resources.
COMMUNICATIONS, CONSULTATION,
AND REPORTING
• The information can relate to the existence, nature, form, likelihood, severity, evaluation,
acceptability, treatment, or other aspects of the risk management.
• Consultation is a process of informed communication between an organization and its stakeholders
on an issue prior to making a decision or determining a direction on a particular issue.
• The risk communications will utilize performance indicators for the risks and risk management, but
may also have their own performance indicators to allow for monitoring and review of risk
communications.

Of particular importance is communication during crisis situations and the execution of business
contingency plans after a crisis. Communication policies would speak to questions such as:
• What is a crisis?
• Who is in charge?
• Who is authorized to be the official organization spokesperson?
• What should employees do?
• What steps should be taken?
• Who should communicate to customers?
• What communication principles and guidelines should be followed?
ACCOUNTABILITY
• The ERM framework should specify or have a process that will specify
who is accountable for every identified risk in the organization as well
as who is responsible for controls to treat the risk.
• Managers should have the authority for managing the risks or controls
they are accountable for and their performance should be evaluated and
appropriately rewarded. Continuous improvement of the controls and
the risk management process is also part of ownership.
• The ERM framework itself should have an owner who is accountable for
the implementation of ERM in the organization and for its continuous
improvement. This owner may also have the responsibility for
communication and consultation for ERM as per above.
CONTINUOUS IMPROVEMENT

The risk management performance of individual managers is usually monitored and continuously
improved through a hierarchy of four review processes:
1. Self-evaluation by the individual manager, perhaps with cooperative
assistance from other managers in a mutual mentoring situation.
2. Internal audit of the manager’s department, including the functioning of
ERM, particularly the risk management process component of ERM
(Standards Australia 2005).
3. External audit of critical risks and controls (usually auditing process and
performance rather than prescriptive check lists), often as a regulatory
activity, for example, to ensure public safety.
4. External review of risk management through participation by the
organization in standards organizations, industry-wide user groups, and so
forth.
IDENTIFYING AND COMMUNICATING
KEY RISK INDICATORS
WHAT IS A KEY RISK INDICATOR?
• A KRI is a measure that indicates the potential presence, level, or trend of a risk.
Example of KRI
• A KRI is first and foremost a
measurement tool.
• It can indicate whether a risk has
occurred or is emerging, a sense of the
level of the risk exposure, the trending
of and/or changes in risk exposure.
• KRIs provide information about a risk situation that may or may not exist, and as such serve as a
signal for further action.
• KRIs help to focus action by providing a
direction to follow.
PRACTICAL APPLICATIONS
KRIs can support strategy and
performance in the following
ways:
• Validate organizational planning
and monitor performance.
• Enhance operational efficiency
and effectiveness.
• Clarify risk-taking expectations.
• Monitor risk exposures.
• Measure risk.
VALUE OF KRIs TO RISK MANAGEMENT
• Risk appetite—Through the setting of threshold levels and escalation levels, KRIs
support and validate the risk appetite and risk tolerance levels of an organization.
• Risk identification—Compared with risk and control self-assessments (RCSAs) and scenario analysis,
KRIs are a more objective way of identifying risk.
• Risk mitigation—A KRI system involves triggering investigative and/or corrective
action and supports day-to-day management of the business.
• Risk culture—Through defining the critical business areas associated with KRIs
that need to be monitored, and related threshold and escalation levels, the system
helps focus the organization on what is important.
• Risk measurement and reporting—KRIs provide objective and quantitative risk
information.
• Regulatory compliance—For organizations that include KRIs in their risk and
capital measurement systems, data from established KRIs can be used as one of
the inputs into operational risk capital calculations.
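The threshold and escalation levels above are easiest to understand when they are written down as rules. The following Python sketch is an added example, not code from the original slides: it assigns each KRI an amber boundary (risk appetite) and a red boundary (risk tolerance), classifies the latest reading, detects whether recent readings are trending the wrong way, and returns the escalation action. The three security KRIs, their thresholds, the owner roles, and the monthly readings are all constructed for illustration and do not come from the slides.

```python
"""Added example, not from the original slides: a minimal KRI evaluator.

Each KRI carries two thresholds that encode risk appetite (the amber
boundary) and risk tolerance (the red boundary), plus an escalation
rule per band. The evaluator classifies the latest observation, checks
the trend of recent observations, and returns the action to trigger.
Every KRI, threshold, owner, and data point below is constructed for
illustration (hypothetical security KRIs, not figures from the slides).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    name: str
    unit: str
    amber: float            # appetite boundary: crossing it means "investigate"
    red: float              # tolerance boundary: crossing it means "escalate"
    higher_is_worse: bool   # direction in which the indicator degrades
    owner: str              # accountable risk owner (hypothetical role names)


# Escalation levels per band: who acts and what they do.
ESCALATION = {
    "green": "no action; keep monitoring",
    "amber": "owner investigates and reports at the next risk review",
    "red": "owner opens corrective action; escalate to the risk committee",
}


def band(kri: KRI, value: float) -> str:
    """Map one observation to green / amber / red using the KRI's direction."""
    def breached(threshold: float) -> bool:
        return value >= threshold if kri.higher_is_worse else value <= threshold
    if breached(kri.red):
        return "red"
    if breached(kri.amber):
        return "amber"
    return "green"


def direction(values: List[float], window: int = 3) -> str:
    """'rising' or 'falling' if the last `window` readings move monotonically."""
    recent = values[-window:]
    steps = list(zip(recent, recent[1:]))
    if steps and all(b > a for a, b in steps):
        return "rising"
    if steps and all(b < a for a, b in steps):
        return "falling"
    return "flat"


def trend(kri: KRI, values: List[float]) -> str:
    """Translate the raw direction into risk terms for this KRI."""
    d = direction(values)
    if d == "flat":
        return "stable"
    return "worsening" if (d == "rising") == kri.higher_is_worse else "improving"


def evaluate(kri: KRI, values: List[float]) -> Dict[str, object]:
    """Band, trend, and resulting action for the latest observation."""
    latest = values[-1]
    b = band(kri, latest)
    t = trend(kri, values)
    action = ESCALATION[b]
    # A green or amber KRI moving the wrong way is a leading signal: flag it
    # before the next threshold is actually crossed.
    if b != "red" and t == "worsening":
        action += " (early warning: trend is worsening)"
    return {"kri": kri.name, "latest": latest, "unit": kri.unit,
            "band": b, "trend": t, "owner": kri.owner, "action": action}


# Constructed KRIs and monthly readings (oldest first).
KRIS = [
    KRI("critical vulnerabilities open past 30-day SLA", "count", 10, 25, True,
        "head of vulnerability management"),
    KRI("privileged accounts with MFA enforced", "%", 95, 90, False, "IAM lead"),
    KRI("failed logins from external IPs", "per 1000 attempts", 50, 100, True,
        "SOC manager"),
]
READINGS = {
    KRIS[0].name: [4, 6, 9, 12, 15],
    KRIS[1].name: [99, 98, 97],
    KRIS[2].name: [30, 120, 140, 130],
}


def run_report() -> List[Dict[str, object]]:
    """Evaluate every KRI against its readings; rows are in KRIS order."""
    return [evaluate(k, READINGS[k.name]) for k in KRIS]


if __name__ == "__main__":
    for row in run_report():
        print(f"{row['band']:5} {row['trend']:9} {row['kri']}: "
              f"{row['latest']} {row['unit']} -> {row['action']} [{row['owner']}]")
```

The MFA coverage KRI shows why the direction flag matters: 97% is still green, but three consecutive falls are a leading signal, so the report carries an early warning for the owner before the appetite boundary is crossed. The failed-login KRI, by contrast, is already red even though its last three readings are not monotonic, so it escalates on level alone.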
DESIGN PRINCIPLES
A set of high-quality KRIs should possess some minimum design characteristics that typically relate to
performance measures.
• Keep the stakeholders and objectives in mind
• Leverage management insight and existing metrics
• Have a good basic understanding of the risks
• Limit indicators to those that are most representative
• Ensure clarity in what is being measured
• Focus more on objective measures
• Consider the wider set of KRIs
• Consider the relative importance of KRIs
• Monitor for continual usefulness
• Think longer term
Sources of Information for Designing KRIs
IMPLEMENTATION CONSIDERATIONS
The implementation of a KRI framework requires effort and resources and should therefore be planned
and managed carefully.
• Obtaining buy-in
• Lack of resources and skills
• Data and technology challenges
• Integration with business activities
• Sustainability of the KRI framework
Accountability for KRIs
Simple Example KRI #1
Simple Example KRI #2
Simple Example KRI #3
