The organization is committed to building human capital in alignment with the strategy and business objectives.
Intro
Sr No. Points Explanation
has the primary responsibility for overseeing risk in the organization and has a fiduciary responsibility to the stakeholders.
ly responsible for risk oversight, with management responsible for day-to-day risk management. The board may delegate
committee or retain ownership at the full board level. Regardless of the structure, it is common to establish a statement
ities of the board and management.
plays a crucial role in providing oversight of enterprise risk management by leveraging their collective skills, experience,
e. The board is expected to challenge management and ask relevant questions, interact with stakeholders, and present
ctions. Effective risk oversight is possible only when the board has a clear understanding of the entity's strategy, industry,
the business context changes, the board must periodically review if it has the appropriate skills, expertise, and
effective oversight. For example, in entities exposed to cyber risk, the board may need to have members with information
access to independent advisors.
should have independence to ensure objectivity and evaluate the performance of the entity without any conflicts of
m interested parties. This helps to serve as a check and balance on management and to ensure that the entity is being
s of all stakeholders, not just a select few. Independence is important for both publicly traded and private entities,
d non-profit organizations.
should understand the complexity of the organization and engage in conversations with management to determine the
risk management practices to enhance value. Different organizations may focus on different aspects of enterprise risk
e their strategy and business objectives, such as reducing risks to the strategy, aligning mission and vision, or increasing
t of the strategy.
s affecting decisions relating to enterprise risk management, the board needs to be aware of the potential organizational
oard should engage in discussions with management to understand and challenge any biases that may impact the entity's
objectives. The board has a role in ensuring that decisions are made objectively and that the entity is being run in the best
ders. By understanding the potential for bias, the board can help to mitigate its impact and make more informed
nd business objectives.
ishes its operating structure and reporting lines to carry out its strategy and business objectives while considering various
ty's strategy and business objectives, nature and size of the entity's business, risks related to the business, the
y, accountability, and responsibility, type of reporting lines, financial, tax, regulatory and other reporting requirements. The
rmines which management roles have a direct reporting line to the board to ensure open communication of important
the entity have defined direct and informational reporting lines.
organization plays a crucial role in carrying out the entity's strategy and business objectives. It is important for the
omplete information about the risks associated with the strategy. This can be achieved through the use of committees,
nd executives are appointed to gather and contribute information. The management committees may have different
definition of their authority, responsibilities, and operating principles. In smaller entities, the enterprise risk management
h management being directly involved in decision-making.
e or dual-board structure, the board delegates authority to management to design and implement practices to achieve
objectives. Management then defines roles and responsibilities for individuals, teams, divisions, and functions aligned to
s include management personnel with authority to make decisions and oversee business practices and other personnel
rea of responsibility and the enterprise risk management practices. Authority is clearly defined and management delegates
nel to make decisions while considering new and emerging risks. Management periodically revisits its structures to ensure
ty's strategy and business objectives.
he way it manages risk and the value it seeks from enterprise risk management may change. Enterprise risk management
e capabilities of the entity, considering both what the organization is seeking to attain and the way it manages risk. The
y change as the nature of the business and its strategy evolves, and management must regularly evaluate this structure
g lines. With the emergence of new operating structures relying more on technology, management must be prepared to
d understand how innovation will impact enterprise risk management practices.
d culture.
ization reflects its core values, behaviors, and decisions, and is shaped by internal and external factors. The board of
ent are responsible for defining the desired culture and making sure that it is embraced by all personnel. This helps the
and manage risks effectively and achieve its strategy and business objectives. The culture spectrum ranges from risk
e, and each unit within the organization may have a different approach to risk-taking. It is important to have a shared
table risk decisions to ensure that the entity responds appropriately and achieves its objectives.
icant role in defining an organization's culture and risk management. It is relied upon when there is limited information,
changes or disruptions. Judgment is influenced by personal experiences, risk appetite, capabilities, and organizational bias.
nt can be susceptible to bias and affected by group dynamics and communication styles. During periods of crisis, the
n to navigate the situation depends on the judgment and behaviors of management and the board. Organizations with
ent teams and well-defined risk appetite are more likely to exercise good judgment and gain stakeholder confidence.
nnovation and the identification of opportunities within the organization. A more prescriptive culture may stifle innovation,
ure may rely more on management's judgment for decision-making and new opportunities.
ization affects its approach to risk management in various aspects of its operations such as setting strategy, risk
sment, risk response selection, resource allocation, and performance review. The level of risk aversion and aggressiveness
sks considered, the risk responses chosen, and the pace of change in response to performance trends. For example, a
n may prioritize risk avoidance over pursuing opportunities, allocate more resources for risk management, and respond
erformance, whereas a risk-aggressive entity may take more calculated risks and make slower changes in response to
behaviors and decisions do not align with its core values, it can result in loss of confidence from stakeholders,
s, and lower performance. This misalignment can be caused by factors such as ineffective communication of expectations
ersight, misaligned middle management and functional managers, neglecting risk in strategy and business planning,
that go against core values, unclear escalation policies, inadequate investigation of excessive risk-taking, or deliberate
ore values. In a risk-aware culture, personnel understand the entity's mission and values, and their actions align with the
ization can change over time due to internal and external factors such as changes in leadership, acquisitions, and
s can impact the organization's attitude and philosophy towards enterprise risk management, causing a shift in how risks
ns are made.
ial role in enterprise risk management, as they influence the behavior and decisions of the organization. A consistent
ization helps establish a common understanding of these values and desired behavior, but this can be challenging to
arkets. Maintaining a consistent tone leads to consistent performance of risk management responsibilities and builds
eholders. A strong commitment to core values, demonstrated by leadership, reinforces the entity's adherence to its
ernal stakeholders can observe the commitment to core values through internal communications and reporting.
ate a risk-aware culture through strong leadership, participative management style, accountability for actions, alignment
with performance, embedding risk in decision-making, open and honest discussions about risks, and encouraging risk
ntity. The behavior of individuals must align with the culture, which is shaped by the organizational policies, rules, and
The most effective way to establish culture is through the implicit and subtle processes led by management who enforces
are important.
cer is held accountable by the board of directors for managing the risk faced by the entity and implementing effective
ment practices. The CEO and other members of management are responsible for enforcing accountability and
ations for conduct. This includes clearly communicating expectations, ensuring risk information is shared throughout the
ployees to align with the entity's business objectives, and responding to deviations from standards.
cture, performance targets and evaluations occur from the board of directors to the CEO and other personnel. Adherence
desired culture behaviors is evaluated, and rewards or disciplinary actions are applied as appropriate. The board may also
on. In dual-board structures, the supervisory board evaluates the management board and its members, while the
tes the senior management team.
ible for promoting open communication and transparency about risk and risk-taking expectations throughout the entity.
consistent messages to employees that managing risk is part of everyone's daily responsibilities and is critical to the
ation on risk and risk-related incidents is shared and escalated to the appropriate level within the entity. Management
irectors with enough risk information to assess the effectiveness of current risk management practices. There are
concerns about potentially inappropriate or excessive risk taking or behavior without fear of retaliation. Any form of
and those who engage in it may face disciplinary action.
hat have a strong commitment to core values and desired behaviors, operational failures and scandals can still occur. This
akes, moments of weakness, or intentional wrongdoing. To prevent this, the organization must prioritize risk management
s and behaviors with the goal of avoiding mistakes and identifying wrongdoers. The organization must respond
tly to deviations from standards of conduct, and the response will vary depending on the magnitude of the deviation. The
om a warning to termination, but the expectation for risk-aware behavior and decision-making must remain consistent to
on's culture.
and management evaluate the competency of personnel to carry out the business objectives and processes, with the
on helping to promote competence by developing job descriptions, providing training, and evaluating performance. In
tence requirements, management considers factors such as knowledge, skills, and experience with risk management, the
ent and authority, and the costs and benefits of different skill levels and experience.
anagement processes are used to support the ongoing commitment to competence, which includes attracting candidates
-aware culture and have the necessary competence for the role, training individuals to develop and maintain enterprise
etencies, mentoring and evaluating performance, and retaining individuals by offering incentives and addressing any
ith standards. Organizations must continuously identify and assess essential roles, making decisions based on the
g a position unfilled.
ed by accountability and rewards, which are established by management and the board of directors. They create
appropriate for all levels of the entity, considering the achievement of both short-term and long-term business objectives.
e to the entity's standards of conduct are not rewarded, while salary increases and bonuses, as well as non-monetary
r responsibility, visibility, and recognition are common incentives. Management regularly reviews the entity's measurement
n relation to desired behavior and performance of individuals and teams, which are reviewed based on defined measures
ormance factors and demonstrated competence.
tion can come from various sources such as achieving targets, regular tasks, self-imposed pressure, and unexpected
ntext. Excessive pressure can lead to fear of consequences and unethical behavior. The organization can positively
djusting workloads and communicating ethical behavior. The pressure can also be created by changes such as strategy,
d external factors. It's the responsibility of management to guide individuals in decision making and adjust pressure as
and management need to create plans for the succession of important responsibilities in enterprise risk management,
utives. They should identify and prepare multiple candidates for the critical roles through training, coaching, and
Strategy and Objective Setting
6 Analyzes Business Context
The organization considers potential effects of business context on risk profile.
Intro
Sr No. Points Explanation
take into account the current and future factors that impact its strategy and business objectives when considering its
e values. This includes considering the dynamic, complex, and unpredictable trends, relationships, and other factors in the
ent is a part of the business context that includes anything outside of the entity that can impact its ability to achieve its
objectives. This includes external stakeholders such as regulatory bodies, investors, customers, suppliers, competitors, and
he external environment and the extent of the influence of these stakeholders on the business can help organizations
dapt to change. The external environment is comprised of several factors, including political, economic, social,
d environmental factors, which can be analyzed using the acronym PESTLE.
nt of an entity consists of everything inside the organization that can impact its ability to achieve its strategy and
stakeholders are the individuals within the entity who directly affect the organization, such as board directors,
onnel. The impact of internal stakeholders on the organization can vary depending on the size and structure of the entity.
sess the impact of its business context on its risk profile by evaluating past, present, and future performance. This can
nderstand how current trends and relationships are affecting its risk profile and predict how it might change in the future
k management
g strategy and developing risk appetite in an entity is not linear and there is no universal risk appetite that applies to all
te should align with the analysis used to assess risk and should reflect the entity's culture. The risk appetite is determined
on's mission and vision, prior strategies and its desired culture. The best approach is to balance risk and opportunity to
ce. The risk profile is depicted as a solid area along with the risk appetite line. The entity must also consider its risk
maximum amount of risk it can absorb, and strive to keep its risk appetite within its capacity. In rare cases, the
se to set its risk appetite above its capacity, but it must be approved by the board.
8 Evaluates Alternative Strategies
The organization evaluates alternative strategies and potential impact on risk profile.
9 For
Performance
10 Identifies Risk
The organization identifies risk that impacts the performance of strategy and business objectives.
● Identifying Risk
● Using a Risk Inventory
● Approaches to Identifying Risk
● Framing Risk
12 Prioritizes Risk
The organization prioritizes risks as a basis for selecting responses to risks.
● Establishing the Criteria
● Prioritizing Risk
● Using Risk Appetite to Prioritize Risks
● Prioritization at All Levels
● Bias in Prioritization
14 Develops Portfolio View
The organization develops and evaluates a portfolio view of risk.
● Pursuing Improvement
11 Assesses Severity of Risk
The organization assesses the severity of risk.
● Assessing Risk
● Assessing Severity at Different Levels of the Entity
● Selecting Severity Measures
● Assessment Approaches
● Inherent, Target, and Residual Risk
● Depicting Assessment Results
● Identifying Triggers for Reassessment
● Bias in Assessment
evision
16 Reviews Risk and Performance
The organization reviews entity performance and considers risk.