While organizations have practiced risk management for a long time, they only developed and implemented risk management frameworks, particularly enterprise risk management (ERM) frameworks, more recently. These frameworks have become integral to organizational governance, risk management, and compliance, reflecting modern organizations’ growing complexity and interconnectedness of risks.
In partnership with PRMIA, AuditBoard’s new eBook Fragmented to Connected: Achieving Cohesion by Unifying Risk Management explores how organizations should implement risk management frameworks. It emphasizes the role of people as an essential component of these frameworks and the implementation challenges caused by scarce resources and siloed communication.
Several established frameworks are widely used, but many organizations are also developing their own. Elements featured in this whitepaper, such as risk appetite, risk taxonomy, and risk assessment, are common to most of them. The most widely recognized frameworks include:
- COSO ERM Framework: Developed by the Committee of Sponsoring Organizations of the Treadway Commission, the COSO ERM framework is one of the most widely recognized. It aligns risk management with an organization’s strategy and performance objectives.
- ISO 31000: This is an international standard providing guidelines for risk management. It emphasizes creating a risk management process integral to governance and decision-making.
- Basel Framework: For financial institutions, the Basel Accords are international regulatory frameworks for banks that focus on risk management, initially for credit risk but now also for operational risk, liquidity, and market risk.
Whichever framework is adopted, it should ensure that the organization completes the full risk management cycle—from risk identification to risk assessment, risk response, risk monitoring, and reporting. It is the interaction among the different parts of an organization, however, that creates the foundational elements of a risk framework and delivers the most benefit.
These elements typically include:
Risk Strategy: A risk strategy enables an organization to adopt a structured approach to managing its risks. Leaders should engage in strategic discussions about risky activities the organization should pursue, mitigate, transfer, or avoid. A well-defined risk strategy ensures that the organization’s risk-taking activities align with its strategic goals, risk capacity, and long-term survival.
Emerging risks represent significant potential threats that require organizations to be forward-thinking in their risk management practices. Making this part of regular risk assessments through horizon scanning is useful. To do this, the risk manager needs to facilitate an analysis of trends across various areas, including economics, technology, politics, and the environment, to anticipate how these trends might converge or impact the organization.
Cyber Risk: Cyber risk refers to the potential for loss, damage, or disruption to an organization’s data, information systems, or reputation due to cyberattacks, data breaches, or other malicious activities. Recognizing the high risk of being breached, a prepared organization should develop and test a plan to respond to and recover from cyber incidents.
Geopolitical Risk: Several factors, including the rapid pace of technological change and the interconnectedness of the global economy, seem to have resulted in a more volatile and unpredictable world in recent years. A risk manager can develop scenarios based on potential geopolitical changes to prepare for various outcomes and adjust accordingly.
Climate Risk: Physical climate risk arises from the physical impacts of climate change. These can include increased frequency and severity of weather events, flooding, drought, heat waves, and even sea level rise. Risk managers must consider more robust responses to the more extreme weather events expected from climate change.
Risk Capacity / Appetite / Tolerance: An organization’s risk capacity refers to the maximum level of risk that the organization can bear without jeopardizing its financial stability or viability. This capacity defines the upper limit of risk the organization can absorb based on its capital, profits, reputation, and business model. Risk appetite indicates the level of risk the organization is willing to accept in pursuit of its objectives. In contrast, risk tolerance is more granular and quantifiable, representing the specific thresholds or limits the organization sets within its risk appetite.
Risk Taxonomy: A risk taxonomy is a common and managed set of risk categories the organization uses. Leaders can enhance it by establishing a hierarchy of underlying risk sub-categories and risks that all stakeholders agree upon. Teams can also use the taxonomy to classify risks by entity, such as geography, office, or business unit. By providing this structure, the taxonomy encourages everyone involved in risk management across the organization to consider all types of risks that could affect their objectives.
Risk Assessment: The risk assessment phase of a risk framework systematically identifies, analyzes, and evaluates potential risks that could impact the organization’s objectives. This phase provides a clear understanding of the organization’s risk landscape, enabling better decision-making and more effective risk management strategies.
Download the eBook here to learn how to adopt new technology to optimize existing resources.