What Employees Need to Know about Risk Management

To round out the discussion in my last two posts of the Protiviti FAQ for enterprise risk management (ERM), I want to cite Protiviti's take on what employees should learn about their company's risk management policies and procedures. Protiviti recommends that employee ERM learning emphasize:
- The company's risk management vision, goals, objectives and policies.
- The company's common language and other enabling frameworks.
- The company's processes for identifying and sourcing risk and the methods and tools supporting those processes, including how those processes compare to the COSO Enterprise Risk Management - Integrated Framework. (COSO is the Committee of Sponsoring Organizations of the Treadway Commission. "Sourcing Risk" means figuring out what, at a fundamental level, gives rise to a particular risk.)
- The self-assessment processes in place and how they are integrated with day-to-day business activities.
- The risk measurement methodologies selected by the company and how they are used.
- The company's priority risks and the enterprise-wide risk assessment process for keeping the risk profile up-to-date.
- The elements of ERM infrastructure and their importance and contribution in building and improving risk management capabilities.
- The process by which gaps in risk management capabilities are determined.
- How to participate in established communications channels to enable the flow of risk management information within the company.
- The company's commitment to continuous improvement and what it means to risk management, to the company's operating units, and to the individual employee.