Enterprise Risk Management (ERM) Framework
1. ERM Standards and regulations
A list of resources on the topic of Risk Management Frameworks. (The expression "Risk Management Architecture" is less commonly used; examples from the finance sector include Moody's Analytics and EY.)
1.1 ISO31000
ISO 31000 Risk management - Principles and guidelines was originally issued by the International Organization for Standardization (ISO) in 2009. ISO 31000:2009 was replaced by ISO 31000:2018 Risk management - Guidelines.
- International Organization for Standardization (ISO), ISO 31000:2018(en) Risk management - Guidelines
- International Organization for Standardization (ISO), ISO 31000:2009(en) Risk management - Principles and Guidelines. This standard has been replaced by ISO 31000:2018.
- Standards Australia, AS ISO 31000:2018 Available for purchase.
- IRM (Institute of Risk Management), Standard Deviations, A Risk Practitioners Guide to ISO 31000:2018
- Complispace, New Risk Management Standard ISO 31000 - The Changes You Need to Know About. Includes a comparison of the 2009 and 2018 standards.
- Praxicom, ISO 31000:2018 Plain English Definitions
1.2 ASX
Each ASX listed entity is required under listing rule 4.10.3 to include in its annual report either a corporate governance statement ... The disclosures required under listing rule 4.10.3 and referenced in Appendix 4G relate specifically to the recommendations in the Principles and Recommendations. (Corporate Governance Principles and Recommendations 4th Edition February 2019, page 3)
- Corporate Governance Principles and Recommendations
- Lay solid foundations for management and oversight
- Structure the board to be effective and add value
- Instil a culture of acting lawfully, ethically and responsibly
- Safeguard the integrity of corporate reports
- Make timely and balanced disclosure
- Respect the rights of security holders
- Recognise and manage risk
- Remunerate fairly and responsibly
- Principle 7: Recognise and Manage Risk - Guide for small to mid market-capitalised companies
1.3 COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations: 1. American Accounting Association (AAA), 2. American Institute of Certified Public Accountants (AICPA), 3. Financial Executives International (FEI), 4. Institute of Management Accountants (IMA, The Association of Accountants and Financial Professionals in Business), and 5. The Institute of Internal Auditors (IIA).
- COSO, Guidance on Enterprise Risk Management Available for purchase.
- COSO, Enterprise Risk Management - in Practice pdf 28 pages.
- Deloitte, Enterprise Risk Management - Integrated Framework by COSO. Includes a link to "Deloitte - Heads Up 2014, Challenges and Leading Practices Related to Implementing COSO's Internal Control - Integrated Framework, Vol 21, Issue 23".
- NC State Library, COSO's Enterprise Risk Management - Integrated Framework. Includes the eight key components of the COSO ERM Framework; the risk terms Risk Appetite, Risk Tolerance and Risk Culture; definitions of Likelihood / Impact, Inherent Risk / Residual Risk and Risk Map; and the four risk responses: Avoidance, Reduction, Sharing and Acceptance.
2. ERM Professional and government
2.1 APRA
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation, and is accountable to the Australian Parliament. ... Prudential regulation is concerned with maintaining the safety and soundness of financial institutions, so that the community can have confidence that they will meet their financial commitments under all reasonable circumstances. APRA: About APRA
APRA terminology: a CPS is a Prudential Standard, and a CPG is a Prudential Practice Guide. A CPG exists to assist APRA-regulated entities in complying with the associated Prudential Standard (CPS); the standard is binding, the guide is not.
- APRA, CPS 220 Risk Management
- APRA, CPG 220 Risk Management
- APRA, Risk Culture
- APRA, Self-assessments of governance, accountability and culture
2.2 APES, CPA and CA
The Accounting Professional & Ethical Standards Board (APESB) is an independent body, established as an initiative of CPA Australia and the Institute of Chartered Accountants Australia (now Chartered Accountants Australia & New Zealand). Its members are CPA Australia, Chartered Accountants Australia & New Zealand (CA ANZ) and the Institute of Public Accountants (IPA). APESB publications are Standards (APES) and Guidance Notes (APES GN).
APESB issues standards that outline the responsibilities of professional accountants to act professionally and ethically when performing their role.
APES 325 Risk Management for Firms sets out mandatory requirements and guidance for members in public practice to establish and maintain a risk management framework in their firms in respect of the provision of quality and ethical professional services. APES 325: Risk Management for Firms
2.2.1 APESB
APES 325 applies to members of the professional bodies (CPA Australia, CA ANZ) who are in public practice.
2.2.2 CPA - APES 325
- CPA Australia, APES 325: Risk Management for Firms
- CPA Australia, APES 325 RISK MANAGEMENT FOR FIRMS A GUIDE FOR MEMBERS pdf
- CPA Australia, An Explanation and Introduction to APES 325 Risk Management for Firms
- CPA Australia, Risk Management Framework Tool. CPA member access only.
2.2.3 CA - APES 325
- CA, APES 325 - Risk Management for Firms
  - Sole Practitioners and Small Firms
    - Risk Management Framework
      - Establish the Context
      - Identify Risks
      - Analyse and Evaluate Risks
      - Treat Risks
      - Monitor and Review Risks
    - Tools and Templates
      - Risk Management Framework
  - Midsize Firms
    - Risk Management Framework
      - Establish the Context
      - Identify Risks
      - Analyse and Evaluate Risks
      - Treat Risks
      - Monitor and Review Risks
      - Risk Appetite
    - Tools and Templates
      - Risk Management Framework
2.3 Government
Australian Government: Comcover provides insurance and risk management services to Australian Government entities.
NSW Government: NSW Treasury.
Queensland Treasury is responsible for managing the state of Queensland's revenue and expenditure consistent with economic growth, creation of jobs, and improved prosperity.
VMIA is the Victorian Government's insurer and risk adviser, established under the Victorian Managed Insurance Authority Act 1996.
- Vic.Gov, Victorian Government Risk Management Framework
- VMIA, Risk management tools
- Business Victoria, Managing risk in your business
3. ERM for Corporates
Woolworths
RISK MANAGEMENT FRAMEWORK AND POLICY
Woolworths Group has an enterprise risk management framework which, together with the governance structure, is designed to provide a sound framework for managing the material risks of conducting business.
The risk management framework has regard to relevant regulations, standards and guidelines including the ASX Corporate Governance Principles and Recommendations and the Australian/New Zealand standard AS/NZS ISO 31000:2009 Risk management - principles and guidelines.
Woolworths Group's risk management framework includes the Group Risk Management Policy and the Enterprise Risk Management Framework. The Group Risk Management Policy reflects the overall principles … Woolworths Group, 2019 Corporate Governance Statement p 10.
GROUP RISK MANAGEMENT POLICY
Scope
This Policy applies to all relevant Business Units, Business Areas, Contractors and Significant Third Parties who work for, or with the Woolworths Group, in all countries of operation. It should be read in conjunction with the Enterprise Risk Management (ERM) Framework.
This Policy seeks to align Woolworths' Risk Management approach with applicable frameworks including but not limited to: (Woolworths Group, 2019 Group Risk Management Policy p 1.)
- Australian/New Zealand Standard (AUS/NZS ISO 31000:2009 Risk management - Principles and guidelines);
- ASX Corporate Governance Council's Corporate Governance Principles and Recommendation - Third Edition (2013); and
- Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management Framework: Enterprise Risk Management - Integrating with Strategy and Performance (2017).
Macquarie
Macquarie's risk management framework is the totality of systems, structures, policies, processes and people within Macquarie that identify, measure, monitor, report and control or mitigate internal and external sources of material risk. Material risks are those that could have a material impact, financial or non-financial on Macquarie. Macquarie's material risks include:
- Aggregate risk
- Asset risk
- Conduct risk
- Credit risk
- Environmental and social risk
- Equity risk
- Financial crime risk
- Legal
- Liquidity risk
- Market risk
- Operational risk
- Regulatory and compliance risk
- Reputation risk
- Strategic / business risk
- Tax risk
- Work health and safety risk
Other resources
- CPA Australia, Risk management guide for small to medium businesses
- Queensland Treasury, A Guide to Risk Management Queensland Government
- Small Business Development Corporation, Risk management Government of Victoria
- Published: 10 August 2020
- Revised: Saturday 25 February 2023, 10:12 AM (Australian Eastern Standard Time, AEST)