ERM Assessment Tool
This interactive tool identifies a ranking for you, your department and/or your organisation in an Enterprise Risk Management (ERM) programme. You can use it to determine the robustness of an existing programme and decide where to go next.
Resources
- Tool: Mitigate Organisational risks with a risk heat map
- Tool: CGMA Cybersecurity Tool
- CPE: Tools to help CPAs manage risk
- CPE: Risk Management Techniques and Tools
- Blog: 4 essential skills for risk managers
- Article: Risk culture is key component to ERM
- Article: Enterprise Risk Management: An expert breakdown
- Blog: Reimagining Risk Assessment
Complete one, several or all of these tables to better understand your and your organisation’s role, responsibilities, obligations and opportunities.
Risk culture
Risk identification
Risk assessment
Articulation of risk appetite
Risk response
Risk reporting
Integration with strategic planning
Assessment of ERM effectiveness
About the Association and AICPA & CIMA
The Association of International Certified Professional Accountants (the Association), representing AICPA & CIMA, advances the global accounting and finance profession through its work on behalf of 689,000 AICPA and CIMA members, students and engaged professionals in 196 countries and territories. The American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession, sets ethical standards for its members and U.S. auditing standards for private companies, not-for-profit organisations, and federal, state and local governments. The Chartered Institute of Management Accountants (CIMA) is the world’s leading and largest professional body of management accountants.
Cultivation of an appropriately risk-aware culture is paramount to effective ERM practices. This requires strong leadership endorsement to invest time and infrastructure to better understand the organisation’s most significant risk exposures. This section helps determine if the board of directors, executive governance group and those charged with governance understand the importance of ERM and fully support its use throughout the organisation.
The board of directors, executive governance group and those charged with governance set aside agenda time at each of their meetings to discuss the organisation's most significant risks.
Senior management has formally presented an overview to the board of directors about the organisation’s processes that represent its approach to ERM.
Senior management’s compensation is linked to and dependent upon key risk management metrics.
Senior management has effective risk management capabilities and competencies.
Executive management has identified and defined enterprise-wide risk management principles and guidelines and formally communicated them to all business units.
The organisation has explicitly assigned enterprise-wide risk management authority and responsibility to a senior executive or senior management committee (e.g., identified an internal ‘risk champion’ or ‘risk management leader’).
Senior management reviews the organisation’s efforts to obtain an enterprise perspective on the collection of risks as an important strategic tool for the organisation.
The board of directors, executive governance group and those charged with governance clearly understand the objectives of ERM relative to traditional approaches to risk management (e.g., insurance, credit risk management, etc.).
Click ‘yes’ if this key element is present in your organisation. The ideal state is ‘yes’ for each element. Score out of 8: 8 = Low Risk, 0 = High Risk.
Focus on the total score for your organisation that you calculated in the table to determine which category your score falls into using the chart below. Consult resources for more information.
Many organisations believe it sufficient to take an ad hoc or informal approach to identifying and assessing risks. Therefore, they find little benefit in implementing definable, robust and repeatable processes that encourage leadership to regularly think about emergent risks and opportunities that may affect organisation objectives. This section helps determine the robustness of processes the organisation has in place to identify risks, particularly those risks that may be currently unknown but emerging.
Each member of the board of directors or executive governance group has provided input into the risk identification process.
Senior management links risks the ERM process identified to strategic goals in the organisation’s strategic plan to evaluate the impact of those risks on the strategic success of the organisation.
Senior management has a documented process to accumulate information about risks identified across the organisation to create an aggregate inventory of enterprise-wide risks.
The organisation engages in identifiable processes to scan the environment regularly to identify unknown, but potentially emerging risks, such as competitor moves, new regulations, changing consumer preferences, etc.
The organisation has identified a broad range of risks that may arise both internally and externally, including risks that can be controlled or prevented, as well as those over which the organisation has no control (i.e., focus on more than just known risks, such as IT risk, legal risk and credit risk).
The organisation engages in explicit (e.g., identifiable, defined, formal, etc.) efforts to identify the organisation’s important risks at least annually.
Risks have been described in terms of ‘events’ that would affect the achievement of goals, rather than simply a failure to meet goals (i.e., risks can have both positive and negative aspects to the organisation).
The organisation has defined and widely communicated to members of the board of directors, executive governance group and/or senior management what the term ‘risk’ means.
Many organisations find that when they work to identify risks, they discover hundreds or even thousands of potential risk events. While all risks may be relevant, some are more important than others. Organisations need to prioritise risks in a way that offers consistent consideration of the likelihood of the risk occurring and the potential impact on the organisation. This section helps determine if the organisation has developed an effective enterprise-wide set of metrics to assess risks consistently.
The ERM process encourages regular monitoring (more than once a year) of any events that substantially affect the assessments of likelihood and impact.
The board of directors and/or those charged with governance have concurred with the assessment of the risks completed by management.
The senior management team (or other similar group that would have an enterprise view of the organisation) has reached a consensus on the most significant risks facing the organisation (somewhere between eight and 12 key risks).
The senior management team (or other similar group with an enterprise view of the organisation) has met formally to review the results of the independent assessments and to discuss significant differences in individual risk assessments.
The organisation’s ERM processes encourage management and the board of directors to consider any low probability, but catastrophic events (e.g., ‘black swan’ or ‘tail’ events*).
Guidelines or metric scales have been defined and provided to help individuals assess both likelihood and impact so that assessments are consistently applied across the organisation.
The organisation assesses not only the likelihood of a risk event occurring but also the impact of the risk on the organisation.
The organisation defines the time period over which risks should be assessed (e.g., the next three years) to ensure consistency in management’s evaluations.
*A ‘black swan’ event is an extremely negative event or occurrence that is exceedingly difficult to predict. A ‘tail’ event refers to a substantial, unexpected decline in the stock market.
An organisation can only realise the full benefits of identifying and assessing risks if it articulates risk appetite. Without some description of the organisation’s willingness to take on risks as it seeks to achieve its objectives, leadership won’t know when to take risks or manage them. This section helps determine the organisation’s effectiveness in defining its risk appetite.
The organisation has used at least some quantitative measures in defining its risk appetite.
The organisation has expressed in writing its overall appetite for risk-taking.
The organisation has defined its risk appetite separately for different types of risks (e.g., the organisation may have different appetites for engaging in M&A, investing in new ventures, gaps in succession in executive positions, and risks related to employee health and safety).
The board of directors or those charged with governance has concurred with the organisation’s risk appetite.
The board of directors, executive governance group and those charged with governance have engaged in discussions to articulate the organisation’s overall appetite for risk-taking.
Score out of 5.
Organisations may choose to accept certain risks, avoid others, adopt processes to reduce the exposures to risks or share risks with external parties. Of utmost importance is to ensure that an appropriate risk response (like those mentioned above) is implemented, and then to ensure that the response is working as intended. Periodic evaluation of how effective these risk responses are is crucial. This section helps determine the extent to which the organisation has taken appropriate steps to manage its risks to be within its risk appetite.
The organisation’s ERM process helps identify potential overlaps or duplications in risk responses across the enterprise.
The organisation re-evaluates its risk responses at least annually.
The organisation has separately evaluated the potential cost of the risk response relative to the benefit provided by the response towards either reducing the impact or reducing the probability of occurrence of the risk event.
The organisation has evaluated whether the existing response is sufficient to manage the risks within the organisation’s risk appetite.
The organisation has documented the risk responses for each of the other risks identified outside those deemed as the top eight to 12 most significant enterprise-wide risks.
The organisation has documented the existing response(s) to its most significant risks (i.e., its top eight to 12 risks).
The organisation has identified risk owners responsible for each of its most significant risks (i.e., its top eight to 12 risks).
The organisation has objectively assessed the effectiveness of risk response plans for its most significant risks (i.e., its top eight to 12 risks).
ERM processes should provide information to leadership regarding the organisation’s portfolio of risks and related responses to those risks. As risks are identified and assessed across the organisation, processes are needed to facilitate the communication of risk-related information, so that an aggregate view of important risks and their related risk responses are provided to decision-makers and stakeholders. This section helps determine the effectiveness of the organisation’s communication regarding its most significant risks.
Output from the organisation’s ERM processes about significant risk exposures is an important input to the organisation’s risk disclosures to key stakeholders (e.g., item disclosures in a public company’s filing).
Senior management has identified thresholds or trigger points whereby risk metrics indicate that an emerging risk warrants greater management and/or board attention.
The board of directors, executive governance group and those charged with governance regularly receive and review a ‘dashboard’ or other report that provides the status of key risks and/or risk response plans.
Senior management regularly reviews a ‘dashboard’ or other report that provides the status of key risks and/or risk response plans.
The organisation has developed and monitors key risk indicators that are leading in nature in that they provide some indication that a risk event is more likely to occur in the future.
The organisation has developed and monitors key risk indicators that are lagging in nature (i.e., metrics that show when risk events have occurred or are escalating).
Score out of 6.
Resources
- ERM resource and tool for the risk leader
- Risk heat map
- COSO Enterprise Risk Management Certificate Program
Successful leaders know they must take risks to generate returns. Unfortunately, some organisations’ risk management efforts and strategic planning efforts are distinct and separate activities. Effective ERM provides critical insights into the portfolio of existing and emerging risk exposures that can contribute to the organisation’s strategic success. This section helps determine the extent to which enterprise-wide risk considerations are incorporated into the firm’s strategic planning process.
The organisation’s strategic plan has been communicated to employees so that they can understand how their actions can create or prevent risks to achieving strategic objectives.
The entity’s risk appetite statement guides the goal-setting process (e.g., if the business has a low appetite for M&A, it will set lower, achievable growth goals that do not depend on M&A; if the government is preparing for a bond issuance, etc.).
The organisation’s ERM processes encourage the consideration of opportunities where the organisation can take informed risks to generate incremental returns.
The senior executive with explicit responsibility for enterprise-wide risk management leadership (or the chair of the committee with that responsibility) is actively engaged in the strategic planning process.
When evaluating a range of strategic options, consideration is given to the potential impact of each option on the organisation’s existing enterprise-wide risk profile.
Senior management links the top risk exposures to strategic objectives to determine which objectives face the greatest number of risks and to determine which risks impact the greatest number of objectives.
The organisation’s existing risk profile (i.e., output from the ERM processes) is an important input for the strategic planning process.
The organisation has a formal strategic planning process.
As the complexity of the global business environment increases, new methodologies and procedures will be needed to manage the portfolio of risks organisations face effectively. As a result, leadership needs to view ERM as an evolution rather than a point-in-time project to be implemented. This section helps determine the extent to which the organisation regularly reviews the effectiveness of its ERM processes and monitors emerging ERM best practices.
The organisation identifies and subsequently implements changes to improve its ERM processes.
The organisation evaluates risk events to better understand why the risk occurred and whether there were failures in the organisation’s ERM processes.
The organisation obtains an objective assessment of its ERM processes periodically (e.g., through internal audit or third-party ERM expert evaluations).
Adequate resources have been dedicated to support the ERM function.
Senior management and the board of directors have engaged in ERM-related training or other knowledge-enhancing activities.
Senior management seeks to understand and monitor emerging ERM best practices.
Senior management regards ERM as an ongoing process rather than just a project.
Score out of 7.