1. The document provides an overview of enterprise risk management (ERM) frameworks, including their purpose, components, and principles. It describes the key elements of an ERM framework as establishing the context, designing the framework, implementing risk management, monitoring and reviewing, and continually improving the process. 2. Several frameworks are discussed and compared, including COSO, AS/NZS, and ISO 31000. The COSO framework is presented as the most widely used standard for designing, implementing and monitoring risk management. It views ERM as a process to identify potential events, assess risks, develop risk responses, and provide assurance. 3. Successful ERM requires establishing the right organizational tone and culture, as well

1. !"#$%&'(')*+*(,%%
&'#,*-./'##0%
!"#$%&'()*$+%*,($%&-&'#%*.'#/*!"(")%0%($**
'(#'1%*234&*3&)"('5"63(*
72"1*!34&$"1"8*97:8*9!:8*9;,8*9<=<8*!>:>*

2. 9%&6B%1*7($%&("C*:41'$3&**
9%&6B%1*!"(")%0%($*:??34($"($**
9%&6B%1*<&3E%##'3("C*'(*=%"&('()*"(1*<%&E3&0"(?%**
9%&6B?"63(*'(*93($&3C*F%CE*:##%##0%($**
9%&6B%1*;&"41*,D"0'(%&**
9%&6B?"63(*'(*.'#/*!"(")%0%($*:##4&"(?%*
:?"1%02*@%)&%%#A*
72"1*!34&$"1"*

3. 4
G-%(H+'(/'()*'#*"(**
:9;,*:4$+3&'5%1*
H&"'(%&*'(*$+%**
I:,*"(1*J"$"&**

7. .'#/*@%B('63(#**
!.'#/*"#$%&'$()##"*"+"%,$%&-%$-.$'/'.%$0"++$)1123$-.4$
-4/'3#'+,$-5'1%$%&'$-1&"'/'6'.%$)7$)*8'19/'#:;$$
<=>=$?@A$B$C.%'D3-%'4$E3-6'0)3F$GH'3#',$<"%,I$JHK$LC<ML#I$NOOPQI$MR$
!.'#/$S"#T$%&'$()##"*"+"%,$)7$-.$'/'.%$)11233".D$%&-%$0"++$
&-/'$-.$"6(-1%$).$%&'$-1&"'/'6'.%$)7$)*8'19/'#:$@"#F$
"#$6'-#23'4$".$%'36#$)7$"6(-1%$-.4$+"F'+"&))4;$$
CMME$GL+%-6).%'$>(3".D#I$EUK$CCLI$NOVVQI$(:PW$$

8. 9"(*234*%C'0'("$%*&'#/K**

9. X-+2'$-.4$@"#F$
VV$
J'0$(3)421%$
4'/'+)(6'.%$
C.13'-#'4$3'/'.2'$
C.13'-#'4$6-3F'%$#&-3'$
M'.-+9'#$-.4$Y.'#$
<&%#%&L'()* ,*
#+"&%+3C1%&*
E3-24$
U-0#2"%#$
9&%"6()*
#+"&%+3C1%&*
L"C4%*
M*
O*
:*
=*
I*
N*
L"C4%*
?.%'3(3"#'$@"#F$A-.-D'6'.%$G?@AQ$-#$-.$'##'.9-+$%))+$7)3$D))4$1)3()3-%'$D)/'3.-.1'I$@-&-82$M-+I$Z'+)"['$$
?.%'3(3"#'$@"#F$>'3/"1'#$I>'(%'6*'3$NOVO$

11. ]2#".'##$=*8'19/'#$$
• >%3-%'D"1$=*8'19/'#$$
• =('3-9).#$=*8'19/'#$$
• @'()39.D$=*8'19/'#$$
• <)6(+"-.1'$=*8'19/'#$
<=>=$?@A$B$C.%'D3-%'4$E3-6'0)3F$GH'3#',$<"%,I$JHK$LC<ML#I$NOOPQI$MR$

14. 9+"()%*$+%*93($%D$*

16. H"/'()*.'#/*
*'#*E4(1"0%($"C*$3*13'()*P4#'(%##*

17. @%"C'()*Q'$+*.'#/*

18. =(96-+$$
@"#F_-F".D$$
<)66"[''$)7$>().#)3".D$=3D-."^-9).#$)7$%&'$_3'-40-,$<)66"##").$$@"#F$L##'##6'.%$".$M3-191'$G=1%)*'3$NOVNQ$$$MV$

19. V:$Z'Y.'$%&'$M3)*+'6$`$=(()3%2."%,$$$
N:$U"#%$L+%'3.-9/'#$$
W:$C4'.97,$M)##"*+'$)2%1)6'$$
P:$U"#%$M-,)5#$
R:$>'+'1%$%&'$?/-+2-9).$A)4'+$
a:$L((+,$A)4'+$b$A-F'$Z'1"#").$

23. c$

27. Internal Auditing:
Assurance and Consulting
Services, 2nd Edition. ©
2009 by The Institute of
Internal Auditors
Research Foundation,
247 Maitland Avenue,
Altamonte Springs, FL
32701 USA

30. <=>=$G<)66"[''$)7$>().#)3".D$=3D-."^-9).#Q$

31. 7(+%&%($*.'#/#*

33. Internal Auditing:
Assurance and Consulting
Services, 2nd Edition. ©
2009 by The Institute of
Internal Auditors
Research Foundation,
247 Maitland Avenue,
Altamonte Springs, FL
32701 USA

34. F34&?%A*7.!*

35. RSS*

37. @"#F$L(('9%'$-.4$_)+'3-.1'$
CCL$<-.-4-I$?3"1$U-/)"'$

38. <C%"#%**
/% % - * *
$+%*79,*

40. <C"(*"(1*?3(#$&4?$*$+%*$"CC%#$*#$&4?$4&%*
"(1*-4$*$+%*0"&#+0"CC3Q*3(*$3->**

41. C6(-1%$/#:$M3)*-*"+"%,$
Share/Transfer Mitigate & Control
Control
Accept (Mointor)
High Risk
Medium Risk
Medium Risk
Low Risk
High
Low
High
I
M
P
A
C
T
PROBABILITY

42. ,($%&-&'#%*&'#/*0"(")%0%($*T,.!U*

43. 9GFG*,.!*

44. @%B('63(*3E*,.!*
$ $!"#$#!"#$%&&%#&'&()&*#+,#$-#&-.),/0#+1$2*#13#
*42&()120%#5$-$6&5&-)#$-*#1)7&2#8&201--&9%#$8894&*#
4-#0)2$)&6,#0&:-6#$-*#'$"#&&()*%(%+)%"!",&%%#*&046-&*#
)1#4*&-.3,#81)&-.$9#&;&-)0#)7$)#5$,#$'&()#)7&#&-.),%#
$-*#5$-$6&#240<0#)1#+&#=4)74-#4)0#240<#$88&.)&%#)1#
821;4*&#2&$01-$+9&#$00>2$-(&#2&6$2*4-6#)7&#
$(74&;&5&-)#13#&-.),#1+?&(.;&0@A#
# # # #########################B1>2(&C##DEBE#F-)&28240&#G40<#H$-$6&5&-)#I#J-)&62$)&*#K2$5&=12<@##LMMN@##
O7&#D1554P&&#13#B81-0124-6#E26$-4Q$.1-0#13#)7&#O2&$*=$,#D15540041-#RDEBES$

45. ,.!*@%B('63(*E&30*77:*
?@A$!"#$-$#%321%23'4I$1).#"#%'.%$-.4$
1).9.2)2#$(3)1'##$-13)##$%&'$0&)+'$
)3D-."^-9).$7)3$"4'.97,".DI$-##'##".DI$
4'1"4".D$).$3'#().#'#$%)$-.4$3'()39.D$).$
)(()3%2."9'#$-.4$%&3'-%#$%&-%$-5'1%$%&'$
-1&"'/'6'.%#$)7$"%#$)*8'19/'#:;$

49. L##'##$@"#F#$M3)1'##$E+)0$Z"-D3-6$

52. Internal Auditing:
Assurance and Consulting
Services, 2nd Edition. ©
2009 by The Institute of
Internal Auditors
Research Foundation,
247 Maitland Avenue,
Altamonte Springs, FL
32701 USA

53. @3?40%(6()**
.'#/*:##%##0%($***

54. Rd$

55. Re$

56. =3#$*"$*F%"**
V&"+"0%*W(3D*
&[(K``000:".#"D&%:%,('(-4:1):2F`$

61. V%$*R*H'?/%$*34$*RSS**
$3*Q'(*RS8SSS*
V%$*R*H'?/%$*34$*3E*RS8SSS**
$3*Q'(*R8SSS8SSS*
:*
X*
RY*
S>SRY*

62. -.#/($'+(*'0%(1",22,'+)(,3%'&4(
1/)(,5(6#/($'+7)(8%)()*%9(
'$"#&&:(6#/"(,3%'&(;#+7)(8%)(
6#/('+6;*%"%<=(
(>(?%%(@'$#$$':(A#"9%"(B*"6&2%"($*',"9'+(*

65. .'#/*&%-3&6()*"(1*?3004('?"63(#*

67. I(1%&#$"(1*$+%*-%&#-%?6L%*3E*234&*?C'%($*

68. *Measure and report RM implementation
Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within
tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization
Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted
returns
Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns
Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk
exposures
Source: Standard & Poor!

69. f2"4'$%)$?.%'3(3"#'$@"#F$A-.-D'6'.%I$E3'g2'.%+,$L#F'4$h2'#9).#$M3)9/"9$C.1:$H-.2-3,$NOOa$

72. F?3-%*3E*7FG*ZRSSS*
_&"#$".%'3.-9).-+$#%-.4-34$(3)/"4'#$
(3".1"(+'#$-.4$D'.'3"1$D2"4'+".'#$).$3"#F$
6-.-D'6'.%i$"%$1-.$*'$2#'4$*,$-.,$
(2*+"1I$(3"/-%'$)3$1)662."%,$'.%'3(3"#'I$
-##)1"-9).I$D3)2($)3$".4"/"42-+:$$
_&'3'7)3'I$%&"#$#%-.4-34$"#$.)%$#('1"Y1$%)$
-.,$".42#%3,$)3$#'1%)3:$

73. 9&'6?"C*930-3(%($#*3E*7FG*ZRSSS*
_&'$-&'(?'-C%#$
(3)/"4'$%&'$
7)2.4-9).$-.4$
4'#13"*'$%&'$
g2-+"9'#$)7$
'5'19/'$3"#F$
6-.-D'6'.%$".$
-.$)3D-."^-9).$
The
framework
manages the
overall
process and
its full
integration
into the
organization
The process for
managing risk
focuses on
individual or
groups of risks,
their
identification,
analysis,
evaluation and
treatment
A)."%)3".D$b$3'/"'0I$1).9.2-+$"6(3)/'6'.%$-.4$
1)662."1-9).$)1123$%&3)2D&)2%$
E3)6$LJ>C`L>>?`C>=$WVOOO$

74. Principles
Framework RM Process
A-.4-%'$b$
<)66"%6'.%$
Z'#"D.$73-6'0)3F$
7)3$6-.-D".D$3"#F$
C6(+'6'.%$
3"#F$6-.-D'6'.%$
<).9.2-++,$
"6(3)/'$%&'$
73-6'0)3F$
A)."%)3$-.4$3'/"'0$
%&'$73-6'0)3F$
?#%-*+"#&$%&'$
1).%'j%$
<)662."1-%'$-.4$1).#2+%$
A)."%)3$-.4$3'/"'0$
@"#F$-##'##6'.%$
@"#F$"4'.9Y1-9).$
@"#F$-.-+,#"#$
@"#F$'/-+2-9).$
@"#F$%3'-%6'.%$
• <3'-%'#$/-+2'$
• C.%'D3-+$(-3%$)7$$
)3D-."^-9).-+$
(3)1'##'#$
• M-3%$)7$4'1"#").$
6-F".D$
• ?j(+"1"%+,$-443'##'#$
2.1'3%-".%,$
• >,#%'6-91I$
#%321%23'4$b$96'+,$
• ]-#'4$).$*'#%$
-/-"+-*+'$".7)$
• _-"+)3'4$
• _-F'#$&26-.$$b$
12+%23-+$7-1%)3#$".%)$
-11)2.%$
• _3-.#(-3'.%$b$
".1+2#"/'$
• Z,.-6"1I$"%'3-9/'$b$
3'#().#"/'$%)$
1&-.D'$
• E-1"+"%-%'#$1).9.2-+$
"6(3)/'6'.%$b$
'.&-.1'6'.%$)7$%&'$
)3D$

76. k.4'3#%-.4$J'0$@"#F#$

77. U)0$M3)*-*"+"%,$*2%$X'3,$l"D&$C6(-1%$

83. 9&%"6()*"*.'#/*94C$4&%*

85. 7($%CC')%($*.'#/*!"(")%0%($*#2#$%0*

86. 7($%CC')%($*.'#/*!"(")%0%($*#2#$%0*

87. V3L%&("(?%8**
.'#/*!"(")%0%($**
"(1*930-C'"(?%*TV.9U*

88. 7$*'#*(3$*"P34$**
.'#/*!"(")%0%($**
P4$*&"$+%&*"P34$*
0"(")'()*$+%*&'#/*