Enterprise Risk Management™

Enterprise Risk Management Workshop is a comprehensive and practical two-day workshop that introduces participants to the concepts, principles, processes and applications of enterprise risk management.

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: Excerpted from Committee of Sponsoring Organizations of the Treadway Commission Report, September 2004.

The workshop follows the Enterprise Risk Management principles and practices outlined in the COSO, ISO 31000, and NIST 800-37 standards. The reference manual (340 pages) for ERM is ISO: Risk Based Thinking.

Operational ERM is now being deployed in commercial and government operations. Risk management is now considered a core skill for all professionals as CEOs spend more time focusing on risk management. Electric power and 17 other sectors are moving to an operational ERM model. Quality and many other professions are moving to ERM. Associations are moving to ERM. ERM concepts are also being integrated into new ISO, NIST, and ANSI standards, such as ISO 27K, ISO 28K, and the NIST 800 series.

Quality + Engineering risk management experts will introduce participants to critical risk management regulations (ISO, NIST, DOE, FDA, FAA, etc.) and employment opportunities that are arising in many professions.

Workshop Format and Methodology
Workshop focus is on enterprise risk management.  The workshop is delivered through lectures, class discussions, articles, case studies, and exercises.  The topics to be covered include: identifying, classifying, assessing, and controlling operational risks and planning/deploying risk mitigation strategies for the identified risks.

The workshop will help participants to understand and to develop risk management skills, and to apply what they have learned to real-life ERM projects. Participants will learn how to implement enterprise and programmatic risk management in their organizations. Participants will learn why management is adopting a portfolio view that combines multiple views of risk controls within their organizations and across the supply stream. The workshop format is approximately 1/3 lecture, 1/3 exercise, and 1/3 ‘lessons learned’ discussion.

Workshop Time Frame
The workshop is designed to be delivered in two days. The first day covers general enterprise risk frameworks, principles, and practices.  The second day covers implementing enterprise risk management and mitigation to real life organizations and programs.

Who Should Attend
This workshop is an excellent opportunity for anyone interested in obtaining and implementing enterprise risk management skills. The workshop is intended to introduce operational and technical professionals to new perspectives on risk-based decision-making and operations management. Participants will learn and experience first hand the forensic, assurance, and analytical risk tools that Q+E has been implementing.

Enterprise Risk Management Tools
Participants will take home an enterprise risk management toolbox. The toolbox is a collection of several articles (written by Q+E), ERM checklists and forms that can be used with any of the major risk management standards or frameworks. Project tools include: risk maps, risk templates, risk checklists, risk plans, and other tools. This toolbox will be used extensively during the workshop so that participants get sufficient hands-on practice.

Learning Objectives
  • Learn what enterprise risk management is and when to use it.
  • Learn how to implement ERM successfully.
  • Learn ISO 31000, COSO ERM, NIST 800-37, the OMB ERM directive, and additional ERM frameworks and standards.
  • Learn how to identify risk tolerance and appetite for operational decision making.
  • Learn and apply the operational risk management process.
  • Learn and apply ERM identification, analysis, mitigation, tracking, and monitoring practices.
  • Learn how to apply ERM controls to mitigate types of operational risks.
  • Learn how ERM has been applied in federal/commercial organizations.
  • Develop a ‘Next Steps Strategy’ to implement enterprise risk management.

Workshop Outline

  • Key Terms and Definitions
  • What is ERM?
  • ERM Drivers
  • Operational risk in ERM context
  • ERM standards: COSO, NIST, FAA, ISO, etc.
  • Types of risk
  • Financial and operational risks
  • Levels of risk
  • Adaptive management benefits
  • Enterprise (entity level) risk, Programmatic/Project risk, Transactional/Product risk
  • Exercise: Growth of ERM discussion in security (cyber & physical), Gulf oil spill, etc.
  • Case study: RIMS, PRMIA, SAO, and other ERM frameworks and approaches

Introduction to ERM Frameworks

  • COSO ERM explained
  • ISO 31000 explained
  • NIST 800-37 explained
  • Common features of ERM frameworks
  • Exercise: Enterprise Risk Management in companies and Federal/State agencies
  • Case study: IBM ERM approach
  • Case study: Basel II, ASIS, ISO, and other ERM frameworks and approaches

COSO ERM Framework

  • Discussion of the COSO ERM cube
  • Eight risk management steps of framework
  • Benefits/challenges of framework
  • Exercise: COSO framework application
  • Case study: Similarities and differences between project risk management standards

NIST 800-37: Guide for Applying the Risk Management Framework for Federal Information Systems

  • Security Lifecycle Approach
  • Integrated organization-wide risk management
  • Information control allocation
  • System development life cycle
  • Review of the life cycle process
  • Exercise: NIST Integrated risk management application
  • Case study: NIST 800-37 integrated risk management approach
  • Case study: Hydro 1 ERM program

Common Elements of ERM Frameworks (COSO)

  • Internal environment
  • Objective setting
  • Event identification
  • Risk assessment
  • Risk response
  • Control activities
  • Information & communication
  • Exercise: Develop event heat maps and roll up to enterprise level
  • Case study: Standard & Poor’s approach to ERM evaluations

Risk Management: Risk Assessment Techniques

  • Review Enterprise, Programmatic, Process, Event, Functional, Transactional maps
  • Exercise: Assess risks in various heat maps
  • Case study: NASA approach to risk management

Enterprise Risk Management: Risk Control Techniques

  • Organizational risk culture, risk appetite, and risk capability and maturity
  • Types of controls
  • Levels of controls
  • Exercise: Develop controls for various risks and heat maps
  • Case study: Various forms of enterprise (entity), programmatic/project, and event-based controls

Your Next Steps

  • Identify critical next steps for implementing an ERM program
  • Exercise: Discuss and evaluate ERM plans