COSO and ERM
Committee of Sponsoring Organizations (COSO) is an organization dedicated to providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence. COSO defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Enterprise Risk Management Framework
The Enterprise Risk Management Framework reflects input from hundreds of business and risk professionals, senior executives and board members, academics and government representatives from across the globe.
Example Enterprise Risk Management Framework
The purpose of the J&J Enterprise Risk Management Framework is to describe:
- Categorization of risk
- The common framework used to identify and manage potential events that may affect the enterprise
- Accountability for risk management
- Governance and oversight of risk management activities
Example Enterprise Risk Management Framework
Generally, risks to J&J Company's success can be grouped into four categories: (1) Strategic, (2) Operational, (3) Compliance and (4) Financial & Reporting.
Example Enterprise Risk Management Framework
- Strategic: Loss of intellectual property & trade secrets
- Operational: Physical property damage/disruption
- Compliance: Employee health & safety
- Financial & Reporting: Currency exchange, funding & cash flow, credit risk
ISO 31000
ISO 31000:2009, Risk management – Principles and guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. The design and implementation of risk management plans and frameworks need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and the specific practices employed.
ISO 31000
ISO 31000:2009 is a brief and high-level set of principles and guidelines on how to implement risk management. The related documents are:
- ISO 31000:2009, Risk management — Principles and guidelines
- IEC 31010:2009, Risk management — Risk assessment techniques
- ISO Guide 73:2009, Risk management — Vocabulary
Note that ISO 31000:2009 has since been replaced by ISO 31000:2018 and IEC 31010:2009 by IEC 31010:2019; the process described below is unchanged in substance.
ISO 31000 Process
The process has five elements: establishing the context; risk assessment (risk identification, risk analysis and risk evaluation); risk treatment; and, running alongside every step, communication and consultation together with monitoring and review.
Risk Treatments
- Avoid: Avoiding risk is completely disengaging from the activity. While avoidance precludes suffering losses, it also forgoes any potential gains from the activity.
- Modify the frequency or severity: For hazard risks, modifying the frequency of loss is termed loss prevention; modifying the severity of the loss is termed loss reduction.
- Transfer: A method of risk financing executed by insurance, contractual agreements, or hedging to reduce the variability in cash flows due to uncertainty in a particular risk.
- Retain: A method of risk financing where a risk is funded internally. This can be done purposefully (low financial impact) or because there is no other option (no insurance or contract available). It should be done consciously, after the risk is analyzed: retaining unidentified risk can be catastrophic to an organization. Retention can also be complete or partial.
- Exploit: Risk exploitation is a treatment for speculative risks, used to seize an opportunity for the organization.
Risk Classification Systems
An important part of analyzing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. The fields typically recorded for each risk are:
- Name or title of risk: Unique identifier or risk index
- Scope of risk: Scope of risk and details of possible events, including description of the events, their size, type and number
- Nature of risk: Classification of risk, timescale of potential impact and description as hazard, opportunity or uncertainty
- Stakeholders: Stakeholders, both internal and external, and their expectations
- Risk evaluation: Likelihood and magnitude of event and possible impact or consequences should the risk materialize at current level
- Loss experience: Previous incidents and prior loss experience of events related to the risk
- Risk tolerance, appetite or attitude: Loss potential and anticipated financial impact of the risk; target for control of risk and desired level of performance; risk attitude, appetite, tolerance or limits for the risk
- Risk response, treatment and controls: Existing control mechanisms and activities; level of confidence in existing controls; procedures for monitoring and review of risk performance
- Potential for risk improvement: Potential for cost-effective risk improvement or modification; recommendations and deadlines for implementation; responsibility for implementing any improvements
- Strategy and policy developments: Responsibility for developing strategy related to the risk; responsibility for auditing compliance with controls
Qualitative Risk Analysis
A qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale. Risks are scored on their probability or likelihood of occurring and on the impact on project objectives should they occur; the product of the two places each risk in a band (e.g. low, medium, high) that decides which risks get further attention.
Quantitative Risk Assessment
A quantitative risk analysis is a further analysis of the highest-priority risks, during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project.
Loss Probability Distribution
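The two analysis steps above, carried through on a small register, as an added example that is not part of the original slides. The qualitative pass scores each risk as likelihood times impact on a five-point scale and ranks the register; the quantitative pass then builds a loss probability distribution for each risk by Monte Carlo, drawing a Poisson number of loss events per year and a lognormal loss per event, and reads off the expected annual loss, the 90th and 99th percentiles, and the probability of exceeding a chosen threshold. The register entries, the scales, the bands, and every rate and loss parameter are constructed for the illustration and come from no organization or standard; the closed-form `analytic_ale` is there as a check that the simulation converges to the right mean.

```python
# Added example (not from the slides): qualitative probability x impact scoring,
# then a quantitative Monte Carlo loss distribution for the top-ranked risks.
# All register entries, scales, rates and loss parameters are constructed.
import math
import random
from dataclasses import dataclass

# Five-point qualitative scales (assumed; organizations define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    likelihood: str      # key into LIKELIHOOD
    impact: str          # key into IMPACT
    annual_rate: float   # assumed mean number of loss events per year (Poisson)
    loss_median: float   # assumed median loss per event (lognormal)
    loss_sigma: float    # assumed log-scale spread of the loss per event


# Constructed register for the example (titles echo the J&J categories above).
REGISTER = [
    Risk("R-01", "Loss of intellectual property & trade secrets", "possible", "severe", 0.2, 500_000, 1.2),
    Risk("R-02", "Physical property damage / disruption", "likely", "major", 0.5, 100_000, 1.0),
    Risk("R-03", "Currency exchange exposure", "almost certain", "minor", 4.0, 10_000, 0.5),
]


def qualitative_score(risk: Risk) -> int:
    """Probability x impact on the pre-defined rating scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def qualitative_band(score: int) -> str:
    """Assumed bands: 15 and above high, 8 to 14 medium, below 8 low."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"


def rank_qualitatively(register):
    """Highest-scored risks first; these are the candidates for quantitative analysis."""
    return sorted(register, key=qualitative_score, reverse=True)


def poisson_sample(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year (Knuth's multiplication method; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_loss(risk: Risk, trials: int = 20_000, seed: int = 1):
    """Monte Carlo draw of total annual loss: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)  # lognormal median == exp(mu)
    losses = []
    for _ in range(trials):
        events = poisson_sample(risk.annual_rate, rng)
        losses.append(sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(events)))
    return losses


def analytic_ale(risk: Risk) -> float:
    """Closed-form annualized loss expectancy: event rate x mean loss per event."""
    return risk.annual_rate * risk.loss_median * math.exp(risk.loss_sigma ** 2 / 2)


def exceedance_probability(losses, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """Expected value and tail percentiles of the simulated loss distribution."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q):
        return ordered[min(n - 1, int(q * n))]

    return {"expected": sum(ordered) / n, "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


if __name__ == "__main__":
    print("Qualitative ranking:")
    for r in rank_qualitatively(REGISTER):
        s = qualitative_score(r)
        print(f"  {r.risk_id} score={s:2d} band={qualitative_band(s):6s} {r.title}")
    print("Quantitative loss distribution (simulated annual loss):")
    for r in REGISTER:
        losses = simulate_annual_loss(r)
        stats = summarize(losses)
        print(f"  {r.risk_id} ALE~{stats['expected']:>12,.0f} (analytic {analytic_ale(r):>12,.0f}) "
              f"p90={stats['p90']:>12,.0f} p99={stats['p99']:>14,.0f} "
              f"P(loss>1M)={exceedance_probability(losses, 1_000_000):.3f}")
```

The qualitative score alone would put R-01 and R-02 in the same band; the simulated distribution separates them, because R-01's rarer but far heavier-tailed losses dominate the 99th percentile while R-02 dominates the expected value. That tail, not the mean, is what a risk appetite statement should be compared against.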
Additional Examples of Risk Identification
- Root Cause Analysis
- FMEA (Failure Mode and Effects Analysis)
- 5 Whys