Enterprise Risk Management is a fundamental responsibility of governance. Creation of a set of methods and processes used by an organisation to manage risk and to take advantage of opportunities related to business goals is part of the supporting framework.
There are many different frameworks available, including Sarbanes-Oxley, Basel II and COSO. These are heavyweight frameworks employed by large organisations in highly regulated industries such as finance, pharmaceuticals and manufacturing, which makes them difficult for SMEs to adopt.
However, it is still the board's responsibility and duty to identify and manage enterprise risk, whatever the size of the organisation. The UK's revised Combined Code makes this explicit: all directors are required to 'provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enable risk to be assessed and managed', meaning the leadership needs to balance risk with opportunity.
Over time, as organisations have become increasingly dependent on information technology and intellectual capital assets, IT risk management has become a significant topic of discussion. In particular, the focus has been on infrastructure security, data protection, business continuity and IT management. With the advent of the revised standards ISO 27001, ISO 22301 and ISO 9001, which are built around a risk-based approach, organisations can implement controls prioritised by, and proportionate to, the business and information risks they identify.
Adoption of a suitable methodology or framework is a business decision based on a number of questions that need to be answered before committing the organisation to a programme of work that could be costly in terms of effort and expenditure.