
COSO ERM PRINCIPLES

Governance & Culture

1 Exercise Board Oversight
● Accountability and Responsibility
● Skills, Experience, and Business Knowledge
● Independence
● Suitability of Enterprise Risk Management
● Organizational Bias

2 Establishes Operating Structures
● Operating Structure and Reporting Lines
● Enterprise Risk Management Structures
● Authority and Responsibilities
● Enterprise Risk Management within the Evolving Entity

3 Defines Desired Culture
● Culture and Desired Behaviors
● Applying Judgment
● Effect of Culture
● Aligning Core Values, Decision-Making, and Behaviors
● Shifting Culture

4 Demonstrates Commitment to Core Values
● Reflecting Core Values throughout the Organization
● Embracing a Risk-Aware Culture
● Enforcing Accountability
● Holding Itself Accountable
● Keeping Communication Open and Free from Retribution
● Responding to Deviations in Core Values and Behaviors

5 Attracts, Develops, and Retains Capable Individuals
● Establishing and Evaluating Competence
● Attracting, Developing, and Retaining Individuals
● Rewarding Performance
● Addressing Pressure
● Preparing for Succession

Strategy and Objective Setting

6 Analyzes Business Context
● Understanding Business Context
● Considering External Environment and Stakeholders
● Considering Internal Environment and Stakeholders
● How Business Context Affects Risk Profile

7 Defines Risk Appetite
● Applying Risk Appetite
● Determining Risk Appetite
● Articulating Risk Appetite
● Using Risk Appetite

8 Evaluates Alternate Strategies
● The Importance of Aligning Strategy
● Understanding the Implications from Chosen Strategy
● Aligning Strategy with Risk Appetite
● Making Changes to Strategy
● Mitigating Bias

9 Formulates Business Objectives
● Establishing Business Objectives
● Aligning Business Objectives
● Understanding the Implications from Chosen Business Objectives
● Categorizing Business Objectives
● Setting Performance Measures and Targets
● Understanding Tolerance
● Performance Measures and Established Tolerances

Performance

10 Identifies Risk
● Identifying Risk
● Using a Risk Inventory
● Approaches to Identifying Risk
● Framing Risk

11 Assesses Severity of Risk
● Assessing Risk
● Assessing Severity at Different Levels of the Entity
● Selecting Severity Measures
● Assessment Approaches
● Inherent, Target, and Residual Risk
● Depicting Assessment Results
● Identifying Triggers for Reassessment
● Bias in Assessment

12 Prioritizes Risk
● Establishing the Criteria
● Prioritizing Risk
● Using Risk Appetite to Prioritize Risks
● Prioritization at All Levels
● Bias in Prioritization

13 Implements Risk Responses
● Choosing Risk Responses
● Selecting and Deploying Risk Responses
● Considering Costs and Benefits of Risk Responses
● Additional Considerations

14 Develops Portfolio View
● Understanding a Portfolio View
● Developing a Portfolio View
● Analyzing the Portfolio View

Review and Revision

15 Assesses Substantial Change
● Integrating Reviews into Business Practices

16 Reviews Risk and Performance
● Integrating Reviews into Business Practices

17 Pursues Improvement in Enterprise Risk Management
● Considering Entity Capabilities
● Pursuing Improvement

Information, Communication and Reporting

18 Leverages Information and Technology
● Putting Relevant Information to Use
● Evolving Information
● Data Sources
● Categorizing Risk Information
● Managing Data
● Using Technology to Support Information
● Changing Requirements

19 Communicates Risk Information
● Communicating with Stakeholders
● Communicating with the Board
● Methods of Communicating

20 Reports on Risk, Culture, and Performance
● Identifying Report Users and Their Roles
● Reporting Attributes
● Types of Reporting
● Reporting Risk to the Board
● Reporting on Culture
● Key Indicators
● Reporting Frequency and Quality
Governance & Culture

1 Exercise Board Oversight
Intro: The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

a ● Accountability and Responsibility
The board of directors has the primary responsibility for overseeing risk in the organization and has a fiduciary responsibility to the stakeholders. The full board is typically responsible for risk oversight, with management responsible for day-to-day risk management. The board may delegate responsibilities to a risk committee or retain ownership at the full board level. Regardless of the structure, it is common to establish a statement defining the responsibilities of the board and management.

b ● Skills, Experience, and Business Knowledge
The board of directors plays a crucial role in providing oversight of enterprise risk management by leveraging their collective skills, experience, and business knowledge. The board is expected to challenge management and ask relevant questions, interact with stakeholders, and present alternative views and actions. Effective risk oversight is possible only when the board has a clear understanding of the entity's strategy, industry, and relevant issues. As the business context changes, the board must periodically review if it has the appropriate skills, expertise, and composition to provide effective oversight. For example, in entities exposed to cyber risk, the board may need to have members with information technology expertise or access to independent advisors.

c ● Independence
The board of directors should have independence to ensure objectivity and evaluate the performance of the entity without any conflicts of interest or influence from interested parties. This helps to serve as a check and balance on management and to ensure that the entity is being run in the best interests of all stakeholders, not just a select few. Independence is important for both publicly traded and private entities, government bodies, and non-profit organizations.

d ● Suitability of Enterprise Risk Management
The board of directors should understand the complexity of the organization and engage in conversations with management to determine the suitability of enterprise risk management practices to enhance value. Different organizations may focus on different aspects of enterprise risk management to achieve their strategy and business objectives, such as reducing risks to the strategy, aligning mission and vision, or increasing opportunities in support of the strategy.

e ● Organizational Bias
In order to manage bias affecting decisions relating to enterprise risk management, the board needs to be aware of the potential organizational biases that exist. The board should engage in discussions with management to understand and challenge any biases that may impact the entity's strategy and business objectives. The board has a role in ensuring that decisions are made objectively and that the entity is being run in the best interests of its stakeholders. By understanding the potential for bias, the board can help to mitigate its impact and make more informed decisions.

2 Establishes Operating Structures
Intro: The organization establishes operating structures in the pursuit of strategy and business objectives.

a ● Operating Structure and Reporting Lines
The organization establishes its operating structure and reporting lines to carry out its strategy and business objectives while considering various factors such as the entity's strategy and business objectives, nature and size of the entity's business, risks related to the business, the assignment of authority, accountability, and responsibility, type of reporting lines, financial, tax, regulatory and other reporting requirements. The board of directors determines which management roles have a direct reporting line to the board to ensure open communication of important issues and all levels of the entity have defined direct and informational reporting lines.

b ● Enterprise Risk Management Structures
The management of an organization plays a crucial role in carrying out the entity's strategy and business objectives. It is important for the management to have complete information about the risks associated with the strategy. This can be achieved through the use of committees, where senior leaders and executives are appointed to gather and contribute information. The management committees may have different structures, with a clear definition of their authority, responsibilities, and operating principles. In smaller entities, the enterprise risk management may be less formal with management being directly involved in decision-making.

c ● Authority and Responsibilities
In an entity with a single or dual-board structure, the board delegates authority to management to design and implement practices to achieve strategy and business objectives. Management then defines roles and responsibilities for individuals, teams, divisions, and functions aligned to the objectives. Key roles include management personnel with authority to make decisions and oversee business practices and other personnel who understand their area of responsibility and the enterprise risk management practices. Authority is clearly defined and management delegates responsibility to personnel to make decisions while considering new and emerging risks. Management periodically revisits its structures to ensure they align with the entity's strategy and business objectives.

d ● Enterprise Risk Management within the Evolving Entity
As the entity evolves, the way it manages risk and the value it seeks from enterprise risk management may change. Enterprise risk management should be tailored to the capabilities of the entity, considering both what the organization is seeking to attain and the way it manages risk. The operating structure may change as the nature of the business and its strategy evolves, and management must regularly evaluate this structure and associated reporting lines. With the emergence of new operating structures relying more on technology, management must be prepared to address shifts in risk and understand how innovation will impact enterprise risk management practices.

3 Defines Desired Culture
Intro: The organization defines the desired behaviors that characterize the entity's desired culture.

a ● Culture and Desired Behaviors
The culture of an organization reflects its core values, behaviors, and decisions, and is shaped by internal and external factors. The board of directors and management are responsible for defining the desired culture and making sure that it is embraced by all personnel. This helps the organization to identify and manage risks effectively and achieve its strategy and business objectives. The culture spectrum ranges from risk averse to risk aggressive, and each unit within the organization may have a different approach to risk-taking. It is important to have a shared understanding of acceptable risk decisions to ensure that the entity responds appropriately and achieves its objectives.

b ● Applying Judgment
Judgment plays a significant role in defining an organization's culture and risk management. It is relied upon when there is limited information, during unprecedented changes or disruptions. Judgment is influenced by personal experiences, risk appetite, capabilities, and organizational bias. Management's judgment can be susceptible to bias and affected by group dynamics and communication styles. During periods of crisis, the ability of an organization to navigate the situation depends on the judgment and behaviors of management and the board. Organizations with experienced management teams and well-defined risk appetite are more likely to exercise good judgment and gain stakeholder confidence. Judgment also affects innovation and the identification of opportunities within the organization. A more prescriptive culture may stifle innovation, while a risk-aware culture may rely more on management's judgment for decision-making and new opportunities.

c ● Effect of Culture
The culture of an organization affects its approach to risk management in various aspects of its operations such as setting strategy, risk identification and assessment, risk response selection, resource allocation, and performance review. The level of risk aversion and aggressiveness influences the type of risks considered, the risk responses chosen, and the pace of change in response to performance trends. For example, a risk-averse organization may prioritize risk avoidance over pursuing opportunities, allocate more resources for risk management, and respond quickly to changes in performance, whereas a risk-aggressive entity may take more calculated risks and make slower changes in response to performance.

d ● Aligning Core Values, Decision-Making, and Behaviors
When an organization's behaviors and decisions do not align with its core values, it can result in loss of confidence from stakeholders, inconsistent approaches, and lower performance. This misalignment can be caused by factors such as ineffective communication of expectations from the top, lack of oversight, misaligned middle management and functional managers, neglecting risk in strategy and business planning, incentives or pressures that go against core values, unclear escalation policies, inadequate investigation of excessive risk-taking, or deliberate non-compliance with core values. In a risk-aware culture, personnel understand the entity's mission and values, and their actions align with the entity's risk appetite.

e ● Shifting Culture
The culture of an organization can change over time due to internal and external factors such as changes in leadership, acquisitions, and mergers. These changes can impact the organization's attitude and philosophy towards enterprise risk management, causing a shift in how risks are viewed and decisions are made.

4 Demonstrates Commitment to Core Values
Intro: The organization demonstrates a commitment to the entity's core values.

a ● Reflecting Core Values throughout the Organization
Core values play a crucial role in enterprise risk management, as they influence the behavior and decisions of the organization. A consistent "tone" across the organization helps establish a common understanding of these values and desired behavior, but this can be challenging to maintain in different markets. Maintaining a consistent tone leads to consistent performance of risk management responsibilities and builds confidence among stakeholders. A strong commitment to core values, demonstrated by leadership, reinforces the entity's adherence to its mission and vision. External stakeholders can observe the commitment to core values through internal communications and reporting.

b ● Embracing a Risk-Aware Culture
An organization can create a risk-aware culture through strong leadership, participative management style, accountability for actions, alignment of risk-aware behaviors with performance, embedding risk in decision-making, open and honest discussions about risks, and encouraging risk awareness across the entity. The behavior of individuals must align with the culture, which is shaped by the organizational policies, rules, and standards of conduct. The most effective way to establish culture is through the implicit and subtle processes led by management, who enforce the values they believe are important.

c ● Enforcing Accountability
The chief executive officer is held accountable by the board of directors for managing the risk faced by the entity and implementing effective enterprise risk management practices. The CEO and other members of management are responsible for enforcing accountability and communicating expectations for conduct. This includes clearly communicating expectations, ensuring risk information is shared throughout the entity, encouraging employees to align with the entity's business objectives, and responding to deviations from standards.

d ● Holding Itself Accountable
In the governance structure, performance targets and evaluations occur from the board of directors to the CEO and other personnel. Adherence to the core values and desired culture behaviors is evaluated, and rewards or disciplinary actions are applied as appropriate. The board may also conduct a self-evaluation. In dual-board structures, the supervisory board evaluates the management board and its members, while the executive board evaluates the senior management team.

e ● Keeping Communication Open and Free from Retribution
Management is responsible for promoting open communication and transparency about risk and risk-taking expectations throughout the entity. This includes clear and consistent messages to employees that managing risk is part of everyone's daily responsibilities and is critical to the entity's success. Information on risk and risk-related incidents is shared and escalated to the appropriate level within the entity. Management provides the board of directors with enough risk information to assess the effectiveness of current risk management practices. There are channels for reporting concerns about potentially inappropriate or excessive risk taking or behavior without fear of retaliation. Any form of retaliation is prohibited and those who engage in it may face disciplinary action.

f ● Responding to Deviations in Core Values and Behaviors
Even in organizations that have a strong commitment to core values and desired behaviors, operational failures and scandals can still occur. This can happen due to mistakes, moments of weakness, or intentional wrongdoing. To prevent this, the organization must prioritize risk management and align its core values and behaviors with the goal of avoiding mistakes and identifying wrongdoers. The organization must respond consistently and promptly to deviations from standards of conduct, and the response will vary depending on the magnitude of the deviation. The response may range from a warning to termination, but the expectation for risk-aware behavior and decision-making must remain consistent to preserve the organization's culture.

5 Attracts, Develops, and Retains Capable Individuals
Intro: The organization is committed to building human capital in alignment with the strategy and business objectives.

a ● Establishing and Evaluating Competence
The board of directors and management evaluate the competency of personnel to carry out the business objectives and processes, with the human resources function helping to promote competence by developing job descriptions, providing training, and evaluating performance. In determining the competence requirements, management considers factors such as knowledge, skills, and experience with risk management, the required level of judgment and authority, and the costs and benefits of different skill levels and experience.

b ● Attracting, Developing, and Retaining Individuals
The human resource management processes are used to support the ongoing commitment to competence, which includes attracting candidates who fit the desired risk-aware culture and have the necessary competence for the role, training individuals to develop and maintain enterprise risk management competencies, mentoring and evaluating performance, and retaining individuals by offering incentives and addressing any behavior inconsistent with standards. Organizations must continuously identify and assess essential roles, making decisions based on the consequences of leaving a position unfilled.

c ● Rewarding Performance
Performance is influenced by accountability and rewards, which are established by management and the board of directors. They create incentives and rewards appropriate for all levels of the entity, considering the achievement of both short-term and long-term business objectives. Those who don't adhere to the entity's standards of conduct are not rewarded, while salary increases and bonuses, as well as non-monetary rewards such as greater responsibility, visibility, and recognition are common incentives. Management regularly reviews the entity's measurement and reward structures in relation to desired behavior and performance of individuals and teams, which are reviewed based on defined measures including business performance factors and demonstrated competence.

d ● Addressing Pressure
Pressure in an organization can come from various sources such as achieving targets, regular tasks, self-imposed pressure, and unexpected changes in business context. Excessive pressure can lead to fear of consequences and unethical behavior. The organization can positively influence pressure by adjusting workloads and communicating ethical behavior. The pressure can also be created by changes such as strategy, operating structure, and external factors. It's the responsibility of management to guide individuals in decision making and adjust pressure as needed.

e ● Preparing for Succession
The board of directors and management need to create plans for the succession of important responsibilities in enterprise risk management, specifically for key executives. They should identify and prepare multiple candidates for the critical roles through training, coaching, and mentoring.
Strategy and Objective Setting

6 Analyzes Business Context
Intro: The organization considers potential effects of business context on risk profile.

a ● Understanding Business Context
The organization must take into account the current and future factors that impact its strategy and business objectives when considering its mission, vision, and core values. This includes considering the dynamic, complex, and unpredictable trends, relationships, and other factors in the business context.

b ● Considering External Environment and Stakeholders
The external environment is a part of the business context that includes anything outside of the entity that can impact its ability to achieve its strategy and business objectives. This includes external stakeholders such as regulatory bodies, investors, customers, suppliers, competitors, and more. Understanding the external environment and the extent of the influence of these stakeholders on the business can help organizations better anticipate and adapt to change. The external environment is comprised of several factors, including political, economic, social, technological, legal, and environmental factors, which can be analyzed using the acronym PESTLE.

c ● Considering Internal Environment and Stakeholders
The internal environment of an entity consists of everything inside the organization that can impact its ability to achieve its strategy and business objectives. The internal stakeholders are the individuals within the entity who directly affect the organization, such as board directors, management, and personnel. The impact of internal stakeholders on the organization can vary depending on the size and structure of the entity.

d ● How Business Context Affects Risk Profile
An organization can assess the impact of its business context on its risk profile by evaluating past, present, and future performance. This can help the organization understand how current trends and relationships are affecting its risk profile and predict how it might change in the future as part of enterprise risk management.

7 Defines Risk Appetite
Intro: The organization defines risk appetite in the context of creating, preserving, and realizing value.

a ● Applying Risk Appetite
The process of selecting strategy and developing risk appetite in an entity is not linear and there is no universal risk appetite that applies to all entities. The risk appetite should align with the analysis used to assess risk and should reflect the entity's culture. The risk appetite is determined based on the organization's mission and vision, prior strategies and its desired culture. The best approach is to balance risk and opportunity to reach the optimal balance. The risk profile is depicted as a solid area along with the risk appetite line. The entity must also consider its risk capacity, which is the maximum amount of risk it can absorb, and strive to keep its risk appetite within its capacity. In rare cases, the organization may choose to set its risk appetite above its capacity, but it must be approved by the board.

b ● Determining Risk Appetite

c ● Articulating Risk Appetite

d ● Using Risk Appetite
8 Evaluated Alternate Strategies 9 For
The organization evaluates alternative strategies and potential impact on
Exp risk profile. Exp

a ● The Importance of Aligning Strategy a


b ● Understanding the Implications from Chosen Strategy b
c ● Aligning Strategy with Risk Appetite c
d ● Making Changes to Strategy d
e ● Mitigating Bias e
f
g

Performance
10 Identifies Risk 11
The organization identifies risk that impacts the performance of strategy
Exp and business objectives. Exp

a ● Identifying Risk a
b ● Using a Risk Inventory b
c ● Approaches to Identifying Risk c
d ● Framing Risk d
e
12 Prioritizes Risk f
The organization prioritizes risks as a basis for selecting responses to risks. g
Exp
h
a ● Establishing the Criteria
b ● Prioritizing Risk 13
c ● Using Risk Appetite to Prioritize Risks
Exp
d ● Prioritization at All Levels
e ● Bias in Prioritization a
b
14 Develops Portfolio View c
The organization develops and evaluates a portfolio view of risk. d
Exp

a ● Understanding a Portfolio View


b ● Developing a Portfolio View
c ● Analyzing the Portfolio View

Review and Revision


15 Asesses Substantial Change 16 Re
The organization identifies and assesses changes that may substantially
Exp affect strategy and business objectives. Exp

a ● Integrating Reviews into Business Practices a


17 Pursues Improvement in Enterprise Risk Management b

The organization pursues improvement of enterprise risk management.


Exp

a ● Pursuing Improvement

Information, Communication and Repor


18 Leverages Information and Technology
19 Co
The organization leverages the entity’s information and technology
Exp systems to support enterprise risk management. Exp

a ● Putting Relevant Information to Use a


b ● Evolving Information b
c ● Data Sources c
d ● Categorizing Risk Information
e ● Managing Data 20 Reports
f ● Using Technology to Support Information
Exp
g ● Changing Requirements
a
b
c
d
e
f
g
9 Formulates Business Objectives
The organization considers risk while establishing the business
objectives at various levels that align and support strategy.
● Establishing Business Objectives

● Aligning Business
Understanding theObjectives
Implications from Chosen Business Objectives

● Categorizing Business Objectives


● Setting Performance Measures and Targets
● Understanding Tolerance
● Performance Measures and Established Tolerances

nce
11 Assesses Severity of Risk
The organization assesses the severity of risk.

● Assessing Risk
● Assessing Severity at Different Levels of the Entity
● Selecting Severity Measures
● Assessment Approaches
● Inherent, Target, and Residual Risk
● Depicting Assessment Results
● Identifying Triggers for Reassessment
● Bias in Assessment

13 Implements Risk Responses


The organization identifies and selects risk responses.

● Choosing Risk Responses


● Selecting and Deploying Risk Responses
● Considering Costs and Benefits of Risk Responses
● Additional Considerations

evision
16 Reviews Risk and Performance
The organization reviews entity performance and considers risk.

● Integrating Reviews into Business Practices


● Considering Entity Capabilities

tion and Reporting


19 Communicates Risk Information
The organization uses communication channels to support enterprise
risk management.
● Communicating with Stakeholders
● Communicating with the Board
● Methods of Communicating

20 Reports on Risk, Culture, and Performance


The organization reports on risk, culture, and performance at multiple
levels and across the entity.
● Identifying Report Users and Their Roles
● Reporting Attributes
● Types of Reporting
● Reporting Risk to the Board
● Reporting on Culture
● Key Indicators
● Reporting Frequency and Quality
