Choosing an adequate risk framework before adopting Enterprise Risk Management (ERM) is an important task. Adopting a standard framework as the baseline for defining ERM is not only best practice; it also allows CROs and Risk Managers to capitalise on existing resources. There are several possible frameworks to start from; some references include COSO Enterprise Risk Management – Integrated Framework, ISO 31000 Risk Management – Principles and Guidelines on Implementation, BS 31100 Code of Practice for Risk Management, FERMA A Risk Management Standard, and OCEG Red Book 2.0 (GRC Capability Model), to name a few.
Regarding ERM, in 2004 COSO issued “Enterprise Risk Management – Integrated Framework”. COSO has also published several thought papers relating to ERM, beginning in 2009 (available here). The COSO framework emphasises providing a flexible evaluation standard against which a firm can assess its current ERM processes, with the clear advantage over other frameworks that COSO incorporates a mature, well-tested internal control framework, something that Compliance and Risk professionals value highly.
The series of videos below is part of a COSO course and covers several topics within the COSO ERM framework.
- Objectives COSO
- Evaluating the Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication