IT Governance
Books and tools for IT Governance, risk management and compliance
Enterprise Risk Management

Simple Tools and Techniques for Enterprise Risk Management

COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework

Enterprise risk management - and the creation of an enterprise risk management framework - is a fundamental governance responsibility. This site provides information, advice and guidance on enterprise risk management, and you can browse our extensive online risk management book store.

The corporate board has, depending on jurisdiction, either a fiduciary or both a fiduciary and a statutory duty to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner has three specific contributions to make to the risk management activity and, for that reason, needs to have a practical, high level understanding of the key risk management issues and concepts.

“Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. Major projects fail; customer shifts make our offers irrelevant; billion-dollar brands erode, then collapse; entire industries stop making money; technology shifts or unique competitors kill dozens of companies in one stroke; companies stagnate needlessly. When these risk events happen, thousands of jobs get lost, brilliant organizations are disassembled, expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses.” From The Upside, Adrian J. Slywotzky.

Enterprise Risk Management: A Manager's Journey is a quick yet thorough approach to the practical realities of enterprise risk management.

Operational Risk Management

Operational risk management, particularly in the financial sector, is essential. Operational Risk Modelling & Analysis collates the work of the leading experts in the field. There is no more up-to-date and authoritative title on the subject of operational risk - unless you prefer Advances in Operational Risk, Second Edition, a multi-contributor title that brings you right up-to-date on all the latest issues and developments in the area of operational risk management and the regulatory environment. Our Operational Risk Bookshelf has more!

Sarbanes Oxley

The US Sarbanes Oxley Act mandated the adoption, by US listed companies, of an appropriate system of internal control and, in parallel, requires directors to monitor and report operational risk.

COSO ERM framework

COSO, whose internal control framework has become the de facto standard for companies complying with SOX, started work on developing a separate risk management framework in 2001. This framework, the Enterprise Risk Management – Integrated Framework was designed to provide a common framework, ‘key principles and concepts, a common language, and clear direction and guidance.’ This framework expands on the internal control framework, providing a broader and more robust focus on enterprise risk management. Because it incorporates the internal control framework, organizations could (as COSO suggests) move toward implementing an ERM framework to satisfy their internal control needs as well as their broader business risk management needs. COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework is a pragmatic guide to using the COSO framework for real. 

Basel 2

Financial sector corporate governance means that organizations have to comply with the operational risk management guidance of the Basel Committee. The 10 principles set out in the Basel Committee's Risk Management Group's paper on the management and supervision of operational risk are best addressed from within an IT governance framework that ensures that measures taken to assess, control and monitor operational risk are integrated with the firm's overall risk and information management strategy.

Basel 2 has raised operational risk management right up the agenda of financial institutions around the world. Operational risk (see Sound Practices for the Management and Supervision of Operational Risk) is defined as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’ Risk categories include systems risks, such as hardware or software failure, issues over availability and integrity of data, and utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).

Here are books on the Basel 2 Accord.

Risk Management Standards

New risk management standards are emerging and the most important can all be purchased from this site.

Information Risk and ISO 27001

The information security standard, ISO/IEC 27001:2005, is specifically risk-based. It recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2008.

Information Security Risk Management for ISO27001/ISO17799 provides the most comprehensive guidance on the subject.

Risk assessment is an asset-level activity that is virtually impossible, for any but the smallest of organizations, without a risk assessment database and specialist tool such as vsRisk™.

Cyber Security

Information security should be a boardroom issue for all organizations. In today's modern economy the protection of information assets (information security) is a key element in the long-term competitiveness and survival of commercial organizations.

Read all about Cyber Security and download our free White Paper here.

Management of Risk (M_o_R®)

Management of Risk (M_o_R) is the OGC Best Practice Methodology for managing risk.



© 2008 -  IT Governance Ltd. All rights reserved.