Expert Advice Community


Question on enterprise risk management framework

Guest user. Created: Jun 03, 2021. Last commented: Jun 03, 2021

I bought your book Becoming Resilient. It has been helpful. I just started reviewing your blog. I am developing a BC framework for a company that has nothing. Your book and blog are good resources for this effort. I have also been tasked with developing an enterprise risk management framework. I have been reading up on COSO's 8 key components that comprise an ERM framework:

1. Internal Environment - Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. It is critical that upper management express the importance of ERM throughout all levels of an entity.
2. Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
3. Event Identification - Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.
4. Risk Assessment - Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.
5. Risk Response - Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.
6. Control Activities - Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
8. Monitoring - The entirety of ERM is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant.

Do you have any additional suggestions or advice as I embark on this journey?

Expert
Rhand Leal Jun 03, 2021

I'm assuming that you are thinking about an enterprise risk management framework to support your BC framework.

Considering that, to make your implementation of business continuity easier, you should consider ISO 22301 only. This ISO standard for business continuity management does not need anything else (you do not need to implement a complete risk management framework).

These articles will provide you with further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

To see what risk assessment documents, as well as the other documents required by ISO 22301, look like, please take a look at the free demo of this toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/
