COSO defines ERM as a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk so that it stays within the entity's risk appetite, to provide reasonable assurance regarding the achievement of the entity's objectives.
The implications of this definition can be summarised as follows:
A process, ongoing and flowing through an entity. Implication: ERM never ends. It is about an entity continuously improving its risk management capabilities; it is a journey, not a destination, for any organization that seeks to improve continually.
Effected by people at every level of an organization. Implication: everyone should be involved in managing risk. Unfortunately, in many organizations today ERM is localised to a particular department (the Risk Management Department), and many officers are not even aware of the risks they are incurring on behalf of their organizations.
Thus, workers in such establishments are divided into two groups, as follows:
Those who incur risks
Those who are saddled with the responsibility of managing risks.
This must not be so in ERM-compliant organizations. For your organization to be ERM compliant, think on these things.