Key to ISO 31000 Success – Theme 6: Embed ERM into the Business Fabric of the Organization
ERM is a management process that is ultimately owned by the board of directors and involves people at every level of the organization. The comprehensive nature of the ERM process and its pervasiveness across the organization and its people provide the basis for its effectiveness.
ERM cannot be viewed or implemented as a stand-alone staff function or unit outside of the organization’s core business processes. In some companies and industries, such as large banks, it is common to see a dedicated enterprise risk management unit that supports the overall ERM effort, including establishing ERM policies and practices for the organization’s business units.
However, because ERM is a process, organizations may or may not decide that they need dedicated, stand-alone support for their ERM activities.
Whether or not a risk management unit exists, a key to success is linking or embedding the ERM process into the organization’s core business processes and structures. Some organizations, for example, have expanded their strategic planning and budgeting processes to include the identification and discussion of the risks related to their plans and budgets.