The Corporate Risk Management Library

Here are my notes from this webinar from Compliance Week, sponsored by CA, Inc.: Enhancing the Risk Profile of Your Organization: The Corporate Risk Management Library

Tom McHale, Vice President of Product Management, CA
Christopher Fox, Principal Consultant, Governance Compliance and Risk Group, CA

We are seeing a movement from executive autonomy to executive accountability and corporate secrecy to corporate transparency.

We are seeing an evolution in risk management. We need to identify the strategic risks. We also need to figure out how to get ourselves assured that we are addressing all risks. We are in a changing and diverse environment with government investments, stimulus packages, new regulations and new issues.

A “risk library” is comprehensive set of risks for specific categories, with a representation of the scope of risks for an organization, used by enterprise risk management processes. One key is to have an agreed upon classification (or taxonomy) across the organization.

In searching for a risk library where can you start? These are some references:

  • Federal Sentencing Guidelines
  • OCEG Redbook
  • COSO
  • Federal Reserve Guidance
  • CobIT 4.1
  • Federal Reserve URSIT
  • ISO 27002
  • EPA Legislations
  • Basel II
  • SEC  listing requirements
  • Australian Standard 4360

The requirements of a risk library should have a holistic view. Financial risk is only one dimension. You want to also include strategic and tactical risk.

They moved onto examples of a risk library structure.

They set level 1 as internal risk and external risk. Level 2 was broken down into governance, operations, technology, compliance, financial, reporting, environment, international, market and social trends. Then they showed a third level of risk below the level 2 risk of governance. then they show a level 4 of various market conditions  such as demographics, employment, labor relations and exchange rates.

Once you have the corporate risk management library, you decide which risks you can manage. After selecting those to manage you need to report on the risks, set up a compliance program, create policies and procedures, assess the risks and create an action program.