Enterprise Risk Management (ERM) has been around for a long time, but many organisations have struggled to understand it or genuinely embrace it.
Many organisations that try to develop their risk frameworks find that these frameworks are not fully effective at driving cohesive risk identification, monitoring and reporting. This limits their ability to use risk thinking to drive business decisions.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides standards on enterprise risk management, internal control and fraud deterrence.
COSO plans to revise the Enterprise Risk Management - Aligning Risk with Strategy and Performance framework to recognise the increasing importance of the connection between strategy and entity performance. Grant Thornton is contributing to this initiative.
What action should be taken?
To address this, organisations should evaluate their current risk frameworks, and develop and embed their risk thinking, taking the following into consideration:
- the alignment between business strategy and a clearly defined risk appetite
- how they identify and respond to the key risks that may affect their achievement of their strategic objectives
- how they consider risk to enhance strategic decisions
- how they monitor, manage and report on risks and changes to their risk profile
- the effectiveness of their risk culture
- the nature and effectiveness of different levels of assurance
How Grant Thornton can help
At Grant Thornton, we regularly work with organisations of all sizes and sectors to assist them in developing and embedding their risk thinking. We support them in connecting risk thinking to their business or strategic objectives as well as to day-to-day management activity.
We help put all levels of management in control. Recognising their roles in managing risk, we use risk concepts to help them decide on new projects, initiatives and priorities. Services include:
- facilitating risk workshops to identify key risks and judge their impact and likelihood; we then assist in articulating risk appetite and risk tolerance
- independently reviewing risk frameworks, and providing input from shared good practice
- advising on risk identification, monitoring and reporting
- assurance mapping, to identify and evaluate different sources of assurance and the “three lines of defence”