Enterprise Risk Management (ERM) Framework

1. ERM Standards and regulations

A list of resources on the topic of Risk Management Frameworks. (The expression "Risk Management Architecture" is less commonly used; examples from the finance sector include Moody's Analytics and EY.)

1.1 ISO 31000

ISO 31000:2009 Risk management - Principles and guidelines was originally issued by the International Standards Organization in 2009. ISO 31000:2009 was replaced by ISO 31000:2018 Risk management - Guidelines.

1.2 ASX

Each ASX listed entity is required under listing rule 4.10.3 to include in its annual report either a corporate governance statement ... The disclosures required under listing rule 4.10.3 and referenced in Appendix 4G relate specifically to the recommendations in the Principles and Recommendations. (Corporate Governance Principles and Recommendations 4th Edition February 2019, page 3)

1.3 COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations:
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)
  • The Association of Accountants and Financial Professionals in Business (IMA)
  • The Institute of Internal Auditors (IIA)

2. ERM Professional and government

2.1 APRA

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation, and is accountable to the Australian Parliament. ... Prudential regulation is concerned with maintaining the safety and soundness of financial institutions, so that the community can have confidence that they will meet their financial commitments under all reasonable circumstances. APRA: About APRA

APRA terminology: a CPS is a Prudential Standard and a CPG is a Prudential Guide. The CPG Prudential Guides assist APRA-regulated entities in complying with the associated CPS Prudential Standard.

2.2 APES, CPA and CA

The Accounting Professional & Ethical Standards Board (APESB) is an independent body, established as an initiative of CPA Australia and the Institute of Chartered Accountants Australia (now Chartered Accountants Australia & New Zealand). Its members are CPA Australia, Chartered Accountants Australia & New Zealand (CA ANZ) and the Institute of Public Accountants (IPA). APESB publications are Standards (APES) and Guidance Notes (APES GN).

APESB issues standards that outline the responsibilities of professional accountants to act professionally and ethically when performing their role.

APES 325 Risk Management for Firms sets out mandatory requirements and guidance for members in public practice to establish and maintain a risk management framework in their firms in respect of the provision of quality and ethical professional services. APES 325: Risk Management for Firms

2.2.1 APESB

  • APESB, Risk Management for Firms

APES 325 applies to members (CPA or IC) in public practice.

2.2.2 CPA - APES 325

  • CPA Australia, APES 325: Risk Management for Firms
  • CPA Australia, An Explanation and Introduction to APES 325 Risk Management for Firms
  • CPA Australia, Risk Management Framework Tool (CPA member access only)

2.2.3 CA - APES 325

  • CA, APES 325 - Risk Management for Firms
    • Sole Practitioners and Small Firms
      • Risk Management Framework
        • Establish the Context
        • Identify Risks
        • Analyse and Evaluate Risks
        • Treat Risks
        • Monitor and Review Risks
      • Tools and Templates

    • Midsize Firms
      • Risk Management Framework
        • Establish the Context
        • Identify Risks
        • Analyse and Evaluate Risks
        • Treat Risks
        • Monitor and Review Risks
      • Risk Appetite
      • Tools and Templates

2.3 Government

Australian Government: Comcover provides insurance and risk management services to Australian Government entities.

NSW Government Treasury

Queensland Treasury is responsible for managing the state of Queensland's revenue and expenditure consistent with economic growth, creation of jobs, and improved prosperity.

VMIA is the Victorian Government's insurer and risk adviser, established under the Victorian Managed Insurance Authority Act 1996.

3. ERM for Corporates
Woolworths Group has an enterprise risk management framework which, together with the governance structure, is designed to provide a sound framework for managing the material risks of conducting business.

The risk management framework has regard to relevant regulations, standards and guidelines including the ASX Corporate Governance Principles and Recommendations and the Australian/New Zealand standard AS/NZS ISO 31000:2009 Risk management - principles and guidelines.

Woolworths Group's risk management framework includes the Group Risk Management Policy and the Enterprise Risk Management Framework. The Group Risk Management Policy reflects the overall principles … (Woolworths Group, 2019 Corporate Governance Statement, p. 10)
This Policy applies to all relevant Business Units, Business Areas, Contractors and Significant Third Parties who work for, or with the Woolworths Group, in all countries of operation. It should be read in conjunction with the Enterprise Risk Management (ERM) Framework.

This Policy seeks to align Woolworths' Risk Management approach with applicable frameworks including but not limited to:
  • Australian/New Zealand Standard (AUS/NZS ISO 31000:2009 Risk management - Principles and guidelines);
  • ASX Corporate Governance Council's Corporate Governance Principles and Recommendation - Third Edition (2013); and
  • Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management Framework: Enterprise Risk Management - Integration with Strategy and Performance (2017).
(Woolworths Group, 2019 Group Risk Management Policy, p. 1)
Macquarie's risk management framework is the totality of systems, structures, policies, processes and people within Macquarie that identify, measure, monitor, report and control or mitigate internal and external sources of material risk. Material risks are those that could have a material impact, financial or non-financial, on Macquarie. Macquarie's material risks include:
  • Aggregate risk
  • Asset risk
  • Conduct risk
  • Credit risk
  • Environmental and social risk
  • Equity risk
  • Financial crime risk
  • Legal
  • Liquidity risk
  • Market risk
  • Operational risk
  • Regulatory and compliance risk
  • Reputation risk
  • Strategic / business risk
  • Tax risk
  • Work health and safety risk

(Macquarie, Risk Management)

Other resources