
Enterprise Risk Management

Enterprise risk management, and the creation of an enterprise risk management
framework, is a fundamental governance responsibility.
Enterprise risk management is a set of methods and processes used by
organisations to manage risk and seize opportunities that are related to their
organisational goals.
Read on for information, advice and guidance on enterprise risk management.
You can also browse our extensive online enterprise risk management book store.

On this page:

What is Enterprise Risk Management?

Operational Risk Management

Combined Code and Turnbull Report

Sarbanes Oxley

COSO ERM Framework

Basel II

IT Risk Management

Information Risk and ISO 27001

Management of Risk (M_o_R)

Selected Risk Management Books and Tools

What is Enterprise Risk Management?


The corporate board has (depending on jurisdiction) either a fiduciary, or both a
fiduciary and a statutory, duty to identify and manage enterprise risk. While
enterprise risk management ought to be the responsibility of a corporate risk
management team, the IT governance practitioner has three specific
contributions to make to the risk management activity and for that reason
needs to have a practical, high-level understanding of the key risk management
issues and concepts.
'Unmanaged risk is the greatest source of waste in your business and in our
economy as a whole. Major projects fail; customer shifts make our offers
irrelevant; billion-dollar brands erode, then collapse; entire industries stop
making money; technology shifts or... unique competitors kill dozens of
companies in one stroke; companies stagnate needlessly. When these risk
events happen, thousands of jobs get lost, brilliant organisations are
disassembled, expertise gets lost, and assets are destroyed. Yet all of these
risks can be understood, identified, anticipated, mitigated, or reversed, thereby
averting hundreds of billions of dollars in unnecessary losses.'
- from The Upside, Adrian J. Slywotzky.
The Enterprise Risk Management chapter of IT Governance Today: a
Practitioner's Handbook provides a comprehensive introduction to, and
overview of, the subject.
Operational Risk Management
Operational risk management, particularly in the financial sector, is essential.
Operational risk management deals with the cyclical application of a process of
risk assessment, decision making, and the implementation of controls to
manage and mitigate risk.
Enterprise risk assessment and business impact analysis are key operational
responsibilities for all practitioners, and the Cabinet Office's guidance, Management of
Risk (M_o_R), is particularly useful to any organisation. Information security risk
assessment is another key area.
Combined Code and Turnbull Report
The UK's revised Combined Code, for instance, is now explicit in saying that all
directors are required to provide entrepreneurial leadership of the company
within a framework of prudent and effective controls which enable risk to be
assessed and managed.
Sarbanes Oxley
The US Sarbanes-Oxley Act (SOX) mandates the adoption by US-listed companies
of an appropriate system of internal control and, in parallel, requires directors to
monitor and report on operational risk.
COSO ERM Framework
COSO, whose internal control framework has become the de facto standard for
companies complying with SOX, started work on developing a separate risk
management framework in 2001.
This framework, Enterprise Risk Management: Integrated Framework (published in 2004), was designed to
provide a common framework, key principles and concepts, a common
language, and clear direction and guidance. This framework expands on the
internal control framework, providing a broader and more robust focus on
enterprise risk management. Because it incorporates the internal control
framework, organisations could (as COSO suggests) move toward implementing
an ERM framework to satisfy their internal control needs as well as their broader
business risk management needs.
Basel II
Financial sector corporate governance means that organisations have to comply
with the operational risk management guidance of the Basel Committee on
Banking Supervision. The 10 principles set out in the Basel Committee's Risk
Management Group's paper on the management and supervision of operational
risk are best addressed from within an IT governance framework that ensures
that measures taken to assess, control and monitor operational risk are
integrated with the firm's overall risk and information management strategy.

Basel II has raised operational risk management right up the agenda of financial
institutions around the world. Operational risk (see Sound Practices for the
Management and Supervision of Operational Risk) is defined as the risk of loss resulting
from inadequate or failed internal processes, people and systems, or from
external events. Risk categories include systems risks, such as hardware or
software failure, issues over availability and integrity of data, and utility failures,
and external events (e.g. malware or hacker attack, terrorist attack, vandalism
or supplier failure).
IT Risk Management
IT risk management has become a hot IT topic over the last few years. As
organisations become increasingly dependent on information technology and
intellectual capital assets, the key areas of IT risk are usually seen as:

IT infrastructure and network security (arising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on);

data integrity, confidentiality and privacy (arising from regulatory and market pressure around protecting personal data (e.g. data protection legislation) and corporate data (e.g. fair disclosure regulations), as well as financial and operational data (e.g. Sarbanes-Oxley));

business continuity (arising from concerns about the capability to continue in business after a natural or man-made disaster);

IT management (arising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.).

Information Risk and ISO 27001


ISO/IEC 27001:2005, the information security standard, is specifically risk-based. In
effect, it recommends that organisations implement information security
controls prioritised by, and in proportion to, the business and information risks
they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability
Evaluation) is a clear risk assessment methodology, information security risk
assessment can also now follow the guidelines contained in ISO/IEC
27005:2011.

Information Security Risk Management for ISO27001/ISO27002 provides the most
comprehensive guidance on the subject.
Risk assessment is an asset-level activity that is virtually impossible, for any but
the smallest of organisations, without a risk assessment database and a specialist
tool such as vsRisk.
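The asset-level risk assessment described above can be illustrated with a small risk register. The following is an added example written for this page; it is not code from the page, from ISO/IEC 27005, or from vsRisk. The scoring scheme (1 to 5 likelihood and impact scales, risk score = likelihood × impact, an acceptance threshold of 9) and the sample assets, threats and control names are assumptions chosen for illustration; ISO/IEC 27005 does not prescribe any particular scale.

```python
"""Asset-level information security risk register (illustrative example).

Added example for this page; not the page's own code nor vsRisk's.
Scales, threshold and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed qualitative scales: 1 = lowest, 5 = highest.
SCALE = range(1, 6)
# Assumed risk acceptance threshold: scores at or below this may be accepted.
ACCEPTANCE_THRESHOLD = 9


@dataclass
class Risk:
    """One row of the register: a threat exploiting a vulnerability in an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1..5, how likely the threat is to materialise
    impact: int       # 1..5, worst-case business impact (confidentiality,
                      # integrity or availability) if it does
    control: str      # proposed control (names are assumed, not Annex A text)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        """Assumed scoring: likelihood multiplied by impact."""
        return self.likelihood * self.impact

    @property
    def treatment(self) -> str:
        """Accept low risks; everything above the threshold needs treatment."""
        return "accept" if self.score <= ACCEPTANCE_THRESHOLD else "treat"


def assess(register):
    """Return the register ordered highest score first (ties: higher impact first).

    sorted() is stable, so equal (score, impact) pairs keep their input order.
    """
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def prioritised_controls(register):
    """Controls to implement, in descending risk order, without duplicates.

    This is the 'prioritised by, and in proportion to, the risks identified'
    step: only risks marked for treatment contribute a control.
    """
    ordered = []
    for risk in assess(register):
        if risk.treatment == "treat" and risk.control not in ordered:
            ordered.append(risk.control)
    return ordered


# Constructed sample register (illustrative data, not a real organisation).
SAMPLE_REGISTER = [
    Risk("Customer database", "SQL injection by external attacker",
         "unvalidated web input", 4, 5, "Input validation"),
    Risk("Customer database", "Disclosure by privileged insider",
         "no access logging", 2, 5, "Access logging"),
    Risk("Office printer", "Theft",
         "no physical entry control", 2, 1, "Physical entry control"),
    Risk("Payroll file share", "Ransomware",
         "unpatched SMB service", 3, 4, "Patch management"),
    Risk("Staff laptops", "Loss in transit",
         "disk not encrypted", 3, 4, "Full-disk encryption"),
]


if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.score:2d}  {r.treatment:6s}  {r.asset:20s}  {r.threat}")
    print("Controls in priority order:", prioritised_controls(SAMPLE_REGISTER))
```

The point of keeping the register at asset level is visible in the output: the same asset (the customer database) appears twice with different threats and different controls, and the low-impact printer risk falls below the threshold and is accepted rather than consuming control budget.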
Management of Risk (M_o_R)
Management of Risk (M_o_R) is the British Cabinet Office's best practice
methodology for managing risk. It is generic and can be applied in any type or
size of organisation.
Selected Risk Management Books and Tools
IT Governance Today: a Practitioner's Handbook

vsRisk

ISO/IEC 27005:2011

Enterprise Risk Assessment

Knowledge Management and Intellectual Capital


In the information economy, intellectual capital is key to an organisation's
competitive position and long term shareholder value.
At the heart of developing intellectual capital is the knowledge management
challenge: how to go about capturing, storing, maintaining and leveraging the
knowledge that exists inside the organisation.
This page has a range of information about knowledge management, including
an extensive knowledge management bookshop.

On this page:

Knowledge Management defined

Intellectual Capital

Knowledge Management Defined


The term 'Knowledge Management' (often abbreviated to 'KM') "designates
an approach to improving organisational outcomes and learning by introducing
into an organisation a range of specific processes and practices for identifying
and capturing knowledge, know-how, expertise and other intellectual capital,
and for making such knowledge assets available for transfer and reuse across
the organization."
- Wikipedia

Intellectual Capital
Intellectual capital can be thought of as 'the stored knowledge possessed by an
organisation'. This knowledge may be tacit (personal knowledge possessed by
an employee that may be difficult to express or communicate to others); in
other cases it may be explicit knowledge, which is codified and stored by the
organisation and available to all employees.
Most KM projects focus on collecting, storing and making this knowledge
available. KM projects can involve a wide range of software tools and products,
ranging from simple collaborative software to intranets, extranets, portals and
sophisticated databases.
Knowledge Management, increasingly the responsibility of a Chief Knowledge
Officer (CKO), is supported by a comprehensive body of knowledge that has
developed over a relatively short time period. One of the challenges faced by
anyone who wishes to derive business value from KM is the sheer volume of
information that has been generated on the subject.
Much of the published material suggests that organisations can get immediate
benefits from a KM project. Knowledge Management projects need to be
approached constructively, and with a clear understanding of both the benefits
and the challenges inherent in such projects.
Key to long term success with KM projects is the full understanding and
involvement of everyone in the organisation. The better a KM project is
structured, and the better an understanding everyone involved has, the more
likely will the project deliver the real, long-term benefits expected of it.
The concept of Intellectual Capital, discussed in detail in Chapter 3 of IT
Governance: Guidelines for Directors, is closely linked to Knowledge
Management.

Energy Savings Opportunity Scheme (ESOS) & ISO 50001:2011 Energy Management Systems (EnMS)
The Energy Savings Opportunity Scheme (ESOS) Regulations 2014 were
established by the government in order to implement the EU Energy Efficiency
Directive. ESOS is a mandatory energy assessment scheme for organisations in
the UK that meet the qualification criteria.

ISO 50001:2011 is the international standard for energy management systems.
ISO 50001 supersedes the European standard EN 16001:2009.
Buy a copy of the ISO 50001 standard here.
Below, we provide information on ESOS compliance and the significance of ISO
50001 as a tool for compliance with this mandatory regulation.

What is on this page?

Energy Savings Opportunity Scheme (ESOS) compliance

The ISO 50001 standard

ISO50001 EnMS Documentation Toolkit

ESOS compliance
The Energy Savings Opportunity Scheme (ESOS) Regulations 2014 were
established by the government in order to implement the EU Energy Efficiency
Directive, which aims to cut carbon emissions across the EU by requiring large
businesses to make energy savings.
ESOS is a mandatory energy assessment scheme for organisations in the UK
that meet certain criteria.
Any UK company qualifies that:

employs 250 or more people; and/or

has an annual turnover in excess of €50 million (£38,937,777) and an annual balance sheet total in excess of €43 million (£33,486,489).

An overseas company with a UK-registered establishment that has 250 or more UK employees (paying income tax in the UK) also qualifies.
If you qualify for ESOS and your organisation's energy use is fully covered by a
certified ISO 50001 EnMS, you do not need to carry out an ESOS assessment.

You do, however, need to notify the Environment Agency that you are compliant
with ESOS.
For more information on ESOS compliance, visit: https://www.gov.uk/energy-savings-opportunity-scheme-esos.
The ISO 50001 standard
The new set of regulations requiring organisations to manage their energy
efficiently will increase demand from suppliers, customers and stakeholders for
businesses to manage their energy usage in an efficient and environmentally
friendly manner.
The most efficient way to comply with ESOS is by certifying to ISO 50001. By
doing this, organisations are promoting commitment to energy management as
well as ensuring that they:

meet legal and contractual energy compliance, specifically ESOS;

save money by managing energy more efficiently;

demonstrate a commitment to improved energy performance to


customers and stakeholders.

The ISO 50001:2011 standard is a set of requirements that helps organisations
develop an efficient energy management system (EnMS). ISO 50001 helps
organisations develop an energy policy and achieve objectives, taking into
account statutory, legal and other requirements. The Standard specifies
requirements applicable to energy use and consumption, including:

Measurement

Documentation and reporting

Design and procurement practices for equipment

Systems

Processes and personnel that contribute to energy performance.

ISO 50001 has been designed to be applicable to any organisation in any sector
and in such a way that it can easily be integrated into other management
systems. The benefits of creating an EnMS aligned with ISO 50001 include:

Reduced costs and/or better use of an organisation's energy consumption.

Compliance with legal, contractual and statutory requirements.

Promoting energy management best practice throughout the supply chain.

Planning and developing new energy-efficient procedures and technologies.

Supporting and developing the organisation's brand, and creating more business by committing to being environmentally friendly.

Purchase the ISO 50001 standard here.


ISO 50001 EnMS Documentation Toolkit
Go one step further than ESOS and ensure ongoing commitment to a more
sustainable future while meeting the ESOS requirements with our ISO 50001 EnMS
Documentation Toolkit.
Our toolkit provides organisations with the necessary document templates that
support both certification to ISO 50001 and compliance with ESOS.
The ISO 50001 EnMS Documentation Toolkit can be applied to any organisation
and provides a structure in which to run energy efficient projects.
Learn more about the ISO 50001 EnMS Toolkit here >>
