I’ve started the second module, which is Risk Strategy

In January and February my attention turned to polishing off the first module of the IRM’s Certificate in International Risk Management and beginning the second, Risk Strategy.

The last part of reading for my first module, the Introduction to Risk Management, required a tackling of the COSO ERM Framework.

COSO is short for the Committee of Sponsoring Organizations of the Treadway Commission, a rather long-winded name for a US group set up to help organisations improve their internal control and risk management frameworks.

The ERM Framework goes further than COSO’s earlier publication, the Internal Control Framework, which dates from 1992 and later became the standard most US companies used to satisfy the internal control requirements of the Sarbanes-Oxley Act, a big piece of regulation written in the wake of the Enron and WorldCom corporate disasters.

To my surprise, I found COSO’s framework to be a digestible and easy to grasp summary of what Enterprise Risk Management (ERM) is all about.

Fundamentally ERM is about linking risk management with the company’s strategic business objectives. The risk manager who applies ERM across their enterprise can, with reasonable assurance rather than certainty, identify problems before they arise and, crucially, channel any opportunities back to senior management. Or so the theory goes.

As COSO says, ERM is limited by human judgement and by the fact that controls can be circumvented by anyone who knows how, for instance through collusion between two or more people. Management, being the ultimate decision makers, can also override ERM decisions.

Risk Strategy is the next module on my reading list. It is designed to give me an overview of the risk management policy, documentation, responsibilities, architecture, culture, training and communication. That’s a lot of information.

So far I’ve covered what the risk management policy should include, what is meant by risk architecture, the importance of a risk strategy that defines the risk appetite of an organisation, and the procedures or protocols to assess an organisation’s risk.

The next section is all about defining and using risk registers. I’ve already scanned previous IRM exam questions and seen that this pops up from time to time—so I’ll be paying particular attention to this part of the book.