EY's ERM Roadmap

Many consulting and risk management firms have their own methodologies for implementing an Enterprise Risk Management (ERM) framework for their clients. Some use COSO's ERM framework, others have developed their own models and methodologies, and still others, although they have their own methodologies, prefer to customize the model specifically for the client.

The methodology below is used by EY India for its ERM roadmap. The information below has been summarised from a presentation delivered by EY India in 2008 at Bangalore. For further information, readers may contact EY India.

STEP 1: Identify Risk Universe

STEP 2: Develop Risk Library - The goal is to reduce roughly 1000 candidate risks to about 40 key risks and arrange them in a logical grouping.

STEP 3: Formulate Risk Assessment - This involves prioritizing the risks and assessing each on probability and impact scales.

STEP 4: Identify the risks that matter. This requires building a risk profile and, from it, identifying the 5-10 risks that are mission critical for the organisation.

STEP 5: Group these 5 or 10 risks into two buckets, labeled "critical - well managed" and "critical - ill managed".

STEP 6: Develop a risk mitigation plan for the risks in the "critical - ill managed" bucket.

STEP 7: Institutionalize the risk management framework for long-term effectiveness.

STEP 8: Continuous reporting of ERM performance, covering success stories, to sustain motivation and the desire to continue the ERM programme long after it was initially implemented.

One key aspect of the above methodology is the grouping of risks into two buckets. As noted above, risks that are critical but well managed are kept out of the limelight, and this is the correct way to go. An organisation may have many top risks that are already well managed, yet it continues to define extensive process notes, policies, monitoring mechanisms and so on to manage them further. This results in a loss of focus. Management time is precious, so it is important that such resources be channeled towards the risks that have gaps and require immediate attention.

So the EY methodology goes a step further. Not only does it focus on the top 5 or 10 risks, but even among those, the real focus is only on the ill-managed risks.
