In response to a number of requests, I have attached a sanitized business process document for ERM*. I don't know about the rest of you, but I found reviewing multiple standards documents from different parts of the world confusing.
The attached represents an effort to combine the "better" parts of COSO, UK, AS/NZ and other documents into a relatively succinct, meaningful business process that provides a basis of authority for implementing a full blown ERM function. The document is a draft, although in our organization it has since been adopted with proprietary revisions.
The subject company is a publicly traded, diversified, U.S.-based conglomerate with multiple business units. Section 1 of the document addresses Structure, Alignment and Fundamentals. Section 2 covers Risk Categories and Components (basically a Risk Glossary). Section 3 provides implementation guidelines for ERM. *Important note - Using a document like this in practice assumes ERM has been sold to executive management and business units are coming on board as well. In short, the document assumes there is a cultural willingness to embrace ERM as an intrinsic business practice. Absent such support, any attempt to use something like the attached would likely be perceived as a bolt-on.
As a side note, there are two computer models supporting the document for use in risk assessment activities at both an enterprise-wide and enterprise-local level. The enterprise-wide model captures the Risk Glossary and concepts addressed in Section 2 and enables a list of Top Five risks to be identified, discussed and rated for each major risk category (a "category," for exmaple, may be Mergers and Acquisitions Risk). The enterprise-local model provides a practical application of ERM techniques to projects involving Contract Risk. In this case, construction bid specifications are analyzed using the Risk Algorithm disscussed in Section 1 and also recommendations offered that are predicated on a knowledge base of information. The knowledge base is adjusted using fuzzy logic techniques by analyzing the results of multiple bids compared to actual performance and providing recommendations to decision makers of weaknesses and opportunities in the business development process.
Unfortunately, both models are proprietary but if anyone wants to discuss, let me know.
-------------------------------------------
Ken Dolan
-------------------------------------------