New information and IT risks seem to be everywhere, and so it is essential that organisations address these risks in the context of enterprise risk management (ERM).
What is enterprise risk management?
ERM is a practice that has become increasingly popular. It’s important that an organisation’s information risk management specialist or auditor understands this practice because much of their work will need to be in the context of ERM.
ERM can be described as “a strategic enterprise-wide management process, to identify potential risks that could significantly impact the entity, and manage them within the entity’s risk appetite. The aim is to provide reasonable assurance management can still achieve the entity’s strategic objectives.” (Christopher Wright, Fundamentals of Information Risk Management Auditing)
Benefits of enterprise risk management frameworks
The most commonly used and internationally recognised ERM framework is the COSO framework. It provides a broader and more robust focus on ERM, and comprises five components: control environment, risk assessment, control activities, information and communication, and monitoring activities.
The main benefit for organisations that adopt an ERM framework is a comprehensive understanding of their risks, which makes them more likely to be stable and successful in the long run.
Other benefits of adopting an ERM framework include an improved focus and outlook on risk, standardised risk reporting, and better organisation of regulatory and compliance matters.
Save 10% on our book of the month
Fundamentals of Information Risk Management Auditing provides further insight and guidance on ERM for those considering a career in information risk management, and is an introduction for non-specialist auditors and managers.
This book will give you an introduction to:
- Risk and risk management
- Information security and management risks
- Concepts of application controls