Practice Aid: Enterprise Risk Management: Guidance For Practical Implementation and Assessment, 2018

Recognition

Assurance Services Executive Committee (2017–2018)

Robert Dohrer, Chair

Bradley Ames

Christine M. Anderson

Nancy Bumgarner

Jim Burton

Mary Grace Davenport

Chris Halterman

Jennifer Haskell

Elaine Howle

Brian Martin

Brad Muniz

Joanna Purtell

Miklos Vasarhelyi

Risk Assurance and Advisory Services Task Force (2013-2014)

Alan Anderson, Co-Chair

Suzanne Christensen, Co-Chair

Aron Dunn

John Farrell

Bailey Jordan

Leslie Murphy

Tom Patterson

Paul Penler

Sallie Jo Perraglia

Dietmar Serbee

Beth A. Schneider

Leslie Thompson

Additional Contributors

Anita Dennis

Enterprise Risk Management: Guidance for Practical Implementation and Assessment

Revision Contributor (2017–2018)

Suzanne Christensen

AICPA Staff

Charles E. Landes

Vice President

Professional Standards Team

Amy Pawlicki

Vice President

Assurance and Advisory Innovation

Ami Beers

Director

Assurance & Advisory Services — Corporate Reporting

Dorothy McQuilken

Senior Manager

Audit Data Analytics and ERM

TABLE OF CONTENTS

Chapter

1 Overview of the Enterprise Risk Management Publication

I. Introduction

II. Who Should Use This Publication

III. Conceptual Basis for This Publication

2 ERM Benefits, Concepts, and Components

I. Benefits of a Successful ERM Program

II. ERM Concepts

Definition of ERM

Risks and Opportunities

Risk in Strategy and Objective-Setting

The Importance of Taking an Enterprise or Portfolio View of Risk

Risk Appetite, Risk Tolerance, and Risk Profile

Risk Inventory

Emerging Risks

Integration and Embeddedness

III. Components of an ERM Program

1.0 Governance and Culture

2.0 Strategy and Objective Setting

3.0 Performance

4.0 Review and Revision

5.0 Information, Communication, and Reporting

3 ERM Roles and Responsibilities

I. Organization Roles

Board or Equivalent Roles

Organization Management

Internal Auditors

II. The Role of External Parties in the ERM Process

4 ERM Program Development

I. Mobilize

Establishing Appropriate Sponsorship and Resourcing

ERM Sponsorship

Commitment of Resources

Establishing Roles and Responsibilities

Program Governance

Planning and Launch for an Initial Program Development Phase

Timeline

II. Current State Analysis

Current State Considerations

Creating an Initial Inventory of Activities and Outcomes and Gather Documentation

Timeline

III. Future State Operating Model Design

Peer and Industry Analysis

Developing a Target ERM Operating Model and Framework

Developing the ERM Risk Appetite and Risk Tolerances

Linking Current ERM Activities to the ERM Program Plan

Documenting ERM Policies

ERM Program Scalability and Related Considerations

ERM Program Technology Considerations

Timeline

IV. Gap Analysis

Preliminary Observations

Recommendations

Timeline

V. Implementation and Reporting

Developing Implementation Roadmap and Project Plan

Designing Program Performance Measures and Reporting

Communication and Training

Changes to the Implementation Plan

Timeline

5 ERM Program Evaluation and Continuous Improvement

I. ERM Program Evaluation

Approach to an ERM Program Evaluation

II. Continuous Improvement

Approach to Continuous Improvement

Commitment to Continuous Improvement

Glossary of Terms

Appendix A — COSO and ISO 31000 Framework Mapping

Appendix B — Example ERM Program Maturity Self-Assessment

Appendix C — References

EULA

Chapter 1

Overview of the Enterprise Risk Management Publication

I. Introduction

Every organization1 exists for the purpose of creating value for its stakeholders. To create value, an organization sets objectives, develops strategies, and plans for pursuing them, and performs actions. However, strategies, plans, and actions alone do not guarantee a desired outcome. Events and circumstances could affect the execution of these strategies and plans. Management is faced with the challenge of dealing with the uncertainties surrounding the achievement of its objectives. Enterprise risk management (ERM) is a process that enables management to address these uncertainties in a comprehensive, integrated, and organization-wide manner in order to create value. By implementing and maintaining an effective ERM program, management teams and the governing bodies of those organizations can increase their confidence that the organization can be successful in achieving its objectives. Customers, vendors, regulators, rating agencies, and other stakeholders are increasingly interested in understanding an organization’s ERM process and may base decisions regarding their interactions with the organization on the perceived sophistication and effectiveness of the ERM process.

This publication is intended to help those responsible for an ERM program, whether the program is in its early stages or is already well established, to design and operate an effective ERM program.

To begin, it is helpful to understand what an ERM program encompasses and how it is defined. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2017 Enterprise Risk Management—Integrating with Strategy and Performance publication, defines ERM as follows:

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

In comparison, the International Standardization Organization (ISO) 31000, Risk Management—Guidelines, defines risk management as coordinated activities to direct and control an organization with regard to risk and further explains a risk management process as a systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.

For purpose of this publication, an ERM Program is defined as an organization’s ERM culture, capabilities, and practices, including its people, structures, governance mechanisms, documents, values and incentives, data, and supporting technologies that allow an organization to operationalize and execute its end-to-end ERM programs. Many organizations are challenged with the initial design and implementation of such an enterprise-wide risk management process and program and with maintaining and improving them over time so that they continue to operate effectively and add value.

Thus, the purpose of this publication is to leverage these two existing conceptual frameworks and provide practical guidance for designing and implementing a new ERM program along with the policies and procedures that define an entire ERM program, or for assessing and improving an existing program. This publication intends to serve as a bridge