A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

Source: © Airmic, Alarm, IRM

Executive Summary
‘Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the ‘upside of risk’.

The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 ‘Risk management – Principles and guidelines’. This guide draws together these developments to provide a structured approach to implementing enterprise risk management (ERM).

Intended benefits of risk management
For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.

When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics (change projects) and the efficacy of the strategy of the organisation.

Purpose of this guide
A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.

This guide provides a brief commentary on ISO 31000 as well as setting out advice on the implementation of an ERM initiative. The purpose of the guide is to:
– describe the principles and processes of risk management
– provide a brief overview of the requirements of ISO 31000
– give practical guidance on designing a suitable framework
– give practical advice on implementing enterprise risk management’
