Key to ISO 31000 Success – Theme 6: Embed Enterprise Risk Management into the Business Fabric of the Organization
Enterprise Risk Management is a management process that is ultimately owned by the board of directors and involves people at every level of the organization. The comprehensive nature of the Enterprise Risk Management process and its pervasiveness across the organization and its people provide the basis for its effectiveness.
Enterprise Risk Management cannot be viewed or implemented as a stand-alone staff function or unit outside of the organization’s core business processes. In some companies and industries, such as large banks, it is common to see a dedicated enterprise risk management unit to support the overall Enterprise Risk Management effort including establishing Enterprise Risk Management policies and practices for their business units.
However, because Enterprise Risk Management is a process, organizations may or may not decide that they need dedicated, stand-alone support for their Enterprise Risk Management activities.
Whether a risk management unit exists or not, a key to success is linking or embedding the Enterprise Risk Management process into the core business processes and structures of the organization. Some organizations, for example, have expanded their strategic planning and budgeting processes to include the identification and discussion of the risks related to their plans and budgets.