I bought your book Becoming Resilient. It has been helpful.
I just started reviewing your blog.
I am developing a BC framework for a company that has nothing.
Your book and blog are good resources for this effort.
I have also been tasked with developing an enterprise risk management framework.
I have been reading up on COSO’s 8 key components that comprise an ERM framework:
1. Internal Environment- Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. It is critical that upper management express the importance of ERM throughout all levels of an entity.
2. Objective Setting- Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification- Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.
4. Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.
5. Risk Response- Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities- Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and Communication- Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
8. Monitoring- The entirety of ERM is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant.
Do you have any additional suggestions or advice as I embark on this journey?