Enterprise Risk Management

From Wikipedia, the free encyclopedia

In business, Enterprise Risk Management (ERM) is the set of methods and processes used to manage risks: possible events or circumstances that can affect the enterprise in question. By identifying and proactively treating such potential effects, one protects the very existence, the resources (human and capital), the products and services, and the customers of the enterprise, and also limits external effects on society, markets or the environment.

ERM is similar to operational risk management (ORM) but also covers credit risk and market risk.

ERM defined by the COSO (Committee of Sponsoring Organisations)

The "Enterprise Risk Management - Integrated Framework", nicknamed "COSO-ERM", is an Enterprise Risk Management Framework designed in 2004 by the COSO. The COSO is the Committee of Sponsoring Organisations, or "Treadway Commission".

The COSO-ERM has eight components and four objectives, and is an expansion of the initial COSO framework of the 1990s, which had five components and three objectives.

The eight components (the ones added relative to the original framework were highlighted in the original) are:

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring

The four ERM objectives (the one added relative to the original framework was highlighted in the original) are:

  • Strategy
  • Operations
  • Financial Reporting
  • Compliance

The Role of Internal Audit in ERM

Internal auditors play an important role in evaluating the ERM of an organisation. As an independent function reporting to top management, Internal Audit is able to assess the ERM implemented by the organisation and contribute to its ongoing effectiveness. As such, Internal Audit often plays a significant monitoring role. In order to preserve its independence of judgment, Internal Audit should not take any direct responsibility for designing, establishing, or maintaining the controls it is supposed to evaluate. It may only advise on potential improvements to be made.

See the IIA's definition of Internal Audit: "(...) it helps the organisation (...) to improve the effectiveness of Risk Management, Control and Governance activities."
