Implementing ERM in the Enterprise
Virtually all larger public companies today have some type of risk management department or function. All too often in past years, their formal enterprise risk management was structured as a lower-level department that was primarily responsible for purchasing insurance and implementing routine loss prevention programs for certain high-frequency exposures. That risk management function usually did not receive the respect it deserves in today's era of COSO ERM. Often called the insurance department, those risk management functions were not structured at a senior or C-level status on enterprise organization charts. A currently trendy term, C-level refers to an enterprise function headed by a very senior manager or officer-level person, such as a chief information officer (CIO) or chief audit executive (CAE). While perhaps not reporting directly to the CEO, C-level group heads often have a direct reporting relationship one level below the CEO, such as to the chief financial officer (CFO) or some other very senior manager. An effective risk management function here would be headed by a chief risk officer (CRO), an executive whose responsibility is to ascertain that enterprise risks are properly understood and translated into meaningful business requirements, objectives, and metrics.
Even if an enterprise has a traditional “insurance department,” the COSO ERM framework provides an enterprise with an excellent opportunity to reengineer ...