ERM Checklist

The document is an implementation checklist from RiskSoulutions LLP for assessing an organization's enterprise risk management strategy. It contains 33 questions across 7 categories: internal environment, objective setting, event identification, risk assessment, risk response, control activities, and information and communication. The questions address an organization's risk appetite, commitment to risk management, risk identification processes, risk perceptions and responses, control effectiveness, and risk communication.

Uploaded by: aqsa_munir
Copyright: © Attribution Non-Commercial (BY-NC)

RiskSoulutions LLP

Risk Assurance Matters

ERM Implementation Checklist

2010. All rights reserved.

Enterprise Risk Management - Implementation checklist

Enterprise Risk Management (ERM) aims to support informed business decisions by evaluating total returns relative to total risks. Questions that may be asked when assessing an organization's ERM strategy follow.

I. Internal Environment

1. What is the overall risk appetite of the organization?
2. How committed is the Board of Directors (BOD) to establishing a risk management philosophy?
3. Are there integrity and ethical values and a commitment to competence in the organization?
4. Is the assignment of authority and responsibility over risks well managed? Who manages this process?
5. What is the organizational structure of the company and departments?
6. What HR standards related to risk management are currently in place?

II. Objective Setting

7. How well are strategic and related objectives defined?
8. How is the achievement of these objectives monitored?
9. What activities are on your risk management goal sheet for this year?
10. What does the company need to do well over the next year in order to succeed and reach its goals? What factors do you consider to be critical to your company's success in the next year?
11. What areas would you like to see moved to the next level of performance?
12. What could prevent you from achieving your goals (e.g. people, processes, funding, etc.)?

Source: www.risksoulutions.com


III. Event Identification

13. How do internal and external forces impact the risk profile?
14. What other event identification techniques are in place (e.g. self-assessments, SOX, report reviews, trend reporting, fraud hotline, etc.)?
15. How are deficiencies captured and reported?
16. How does the organization distinguish between risks and opportunities?

IV. Risk Assessment

17. What does management perceive to be the largest risks to the company, in terms of significance and likelihood?
18. What does management perceive to be the biggest risks within their area of control? Please provide examples.
19. Thinking of other areas within the company, how well does management receive information from shared services groups (e.g. IT, Finance, HR)?
20. What additional information would management like to have accessible in order to better perform its responsibilities?
21. In management's opinion, what areas or processes are most susceptible to fraud?
22. Is management aware of any instances of fraud within the company? What/how/who?

V. Risk Response

23. How are risks monitored and reported within the organization?
24. How effectively are identified risks managed?
25. What is management doing specifically to manage identified risks (e.g. financial statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BOD involvement and reporting)?


VI. Control Activities

26. What is management's assessment of the effectiveness of overall controls in preventing risks and carrying out risk activities within your organization?
27. How are control activities tested?
28. What type of review process takes place for policies and procedures?
29. What type of review process takes place for IT application controls and the IT general control environment?
30. What does the company do to address entity-specific controls?

VII. Information and Communication

31. How does the organization/department capture information and communicate related risk?
32. What communications barriers are present within the organization?
33. What ongoing monitoring activities are in place (e.g. compliance monitoring, IA, risk management group, BOD monitoring, etc.)?
