Introduction

Following the financial crisis of 2008–2009, much criticism was directed toward boards for failing to properly oversee risk. Not only did the lack of risk management and oversight contribute to a massive erosion of corporate value, but boards, including independent directors, were exposed to much anxiety and personal liability. Since then, boards have devoted more attention to risk management and to their board charters, which in many cases hold them responsible to oversee the management of the principal business risks of their organizations. Not surprisingly, ERM has since become a popular discipline practiced around the globe and recommended by the governing bodies for numerous industries, including notably in the financial services, healthcare, and government sectors. National accounting institutes now guide constituents on managing and overseeing risk, such as with the Chartered Professional Accountants (CPA) of Canada's “A Framework for Board Oversight of Enterprise Risk” first introduced in 2012 and since updated.¹

Director institutes are now routinely training new board members on overseeing risks, and university-level risk-related undergraduate and masters business programs are now offered around the world to students of all ages. In the last decade, risk-related offerings by professional services firms have become widely available. Online material is available to assist interested leaders in overseeing and managing risks, such as at North Carolina State University (NC State), which publishes volumes of risk research, openly accessible at no charge for any interested parties.² Further, various simplified frameworks are available to guide organizations on setting up formalized risk management, such as the recently rereleased ISO 31000:2018³ and COSO's Enterprise Risk Management Integrated Framework, updated in 2017.⁴

With so much awareness, education, and information available, formalized risk management should now be readily adopted by most organizations worldwide, and the business world should be well prepared for the next financial crisis. Yet the statistics indicate otherwise. The 2018 survey of 484 corporations across the United States, prepared by the American Institute of Certified Public Accountants' (AICPA) and NC State's ERM Initiative, reveals that while “most boards of directors (68%) are putting pressure on senior executives to increase management involvement in risk oversight … [yet only] … thirty-one percent of organizations (48% of the largest organizations) have complete ERM processes in place.”⁵ Moreover, “Only 29% of the organizations' board of directors substantively discuss top risk exposures in a formal manner when they discuss the organization's strategic plan.…” The statistics are similar in Canada and in other industrialized countries. The good news is that increased adoption has occurred from a decade ago when the practice of ERM was in its infancy. Those astute leaders who are implementing ERM are not only taking positive action to mitigate potential erosion of entity value, but they are reducing the potential liabilities of directors and executives alike. But further progress is required.

So why is the implementation of ERM so slow in coming? In my experience from having served on boards, including as risk committee chair, and from having instructed ERM to hundreds of board members and senior executives, the answer is simple: Leadership from the top results in effective risk management, yet many directors and executives don't understand ERM, nor can they determine if it is fully in place in their organization, nor do they know how to implement it. Hence, if ERM isn't understood, it can't be led. Consider the workings of a properly functioning audit committee at the board level, with most members well-schooled in finance, likely having led and managed senior finance executives. These audit committee directors have held finance jobs and are well equipped to oversee financial executives at the management level. In the risk world however, fewer leaders have had risk-related jobs and are less qualified to implement and oversee a practice they've never learned.

While much excellent material has been written in academia about ERM in philosophical and conceptual terms, little has been written on the practical steps necessary for simple implementation and oversight of ERM at the board and executive levels. Take, for example, the widely heralded article by Robert Kaplan, cocreator of the famous Balanced Scorecard management system, entitled “Managing Risks: A New Framework,”⁶ published by the Harvard Business Review. Kaplan categorizes three levels of risk, giving readers a high-level conceptual approach to risk management. Readers of the Kaplan article will conclude that his approach is innovative but also needed is a more practical guide on how to easily actualize these excellent concepts. Short of taking crash courses, directors and executives simply do not have time to read through hundreds of academic pages on technical risk management details, nor do they typically have the experience in ERM to translate conceptual models into actionable steps. Needed is a summary of best practices, a step-by-step outline of the core fundamentals so that board members know how to fulfill their role in risk oversight, and executives know what to manage.

In short, ERM is a complex subject, but this chapter provides a concise summary for board members of what they need to understand, steps to oversee risk management, and the role management must play for ERM to work.

The Mechanics of ERM

In overseeing risk management at the board level, directors need to ensure that processes are in place to identify, measure, and manage key risks. Hence, to effectively undertake this responsibility, the board must understand, at least at a high level, the mechanics of ERM. This section explains how ERM works and read in conjunction with the Appendix to this chapter, the Gap Study, capsulizes ERM into five ERM Elements and four ERM Fundamentals. To assist the board in determining what practices are in place, it is suggested that management complete and present to the board the Gap Study for a snapshot of current risk management practices, or lack thereof.

As with other corporate systems, organizations often deploy a “framework” to guide the implementation and maintenance of ERM. The world's two leading risk frameworks differ in approach, but both prompt focused priority on those risks which are most impacting on organizational objectives/goals. Risks which don't significantly impact organizational objectives are less important. The definition of “risk” from the International Standards Organization (ISO) was derived after consultation and input from many countries globally and is stated as “the effect of uncertainty on objectives”³ This definition is contained in the ISO standard referred to as ISO:31000:2018, and is one of ISO's most purchased documents/standards globally. Similarly, “COSO” (Committee of Sponsoring Organization), a popular standard in the United States used frequently by large financial institutions, defines ERM as “a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.…”⁴ Notice the focus (emphasized by the writer) within both standards on those key risks which impact objectives. Impact on objectives is a key determinant of the importance of a risk.

The Risk Polygon model in Figure 31.1 shows the top risks of ABC Corporation (a fictitious company) each aligned with the corporate objective these risks could most impact. A polygon is a multisided object; hence if the organization has three corporate objectives, the Risk Polygon becomes a triangle, and if the entity has eight corporate objectives, the Risk Polygon becomes an octagon, and so forth. In Figure 31.1, ABC Corporation has five corporate objectives; hence its Polygon becomes a pentagon, with each corporate objective shown inside the center. Outside the Polygon are the key risks most impacting that objective.

From Figure 31.1, each corporate objective should be measurable via specific metrics and/or KPIs, such as “Net Annual Operating Income > X%,” or “> 90% Employee Engagement.” Key definitions are highlighted in bold in the following two paragraphs.

Following a Risk Identification exercise, the executives of ABC Corporation align each risk next to the ABC objective which such risk is most likely to impact. Next, through engaging in a Risk Assessment exercise whereby the entity rates the numeric Impact of each risk on the corresponding objective and considers the Likelihood of the event, risks are ordered in priority from 1 to 20. Risks are also rated based on the Perceived Effectiveness of Control Plans. A Risk Register is created with risks prioritized by Severity, usually with a focus on the Top 10. This exercise is repeated on a scheduled basis. A Risk Polygon is created and becomes a simple, easy to understand snapshot of the Risk Register for use by the board executives, the executives, and the risk practitioners (CRO, risk manager, or dedicated executive risk champion). A Corporate Risk Profile report is created periodically (such as annually) to summarize the state of risk at the entity. Now with everyone on the same page, the organization can analyze the Polygon, determining things such as: Interconnectivity of Risks and which risks may cascade and impact more than one objective; Risk Clock Speed, the time available to anticipate and react to an occurrence)¹; the Risk Controls needed to mitigate the key risks; who are the Risk Owners for each key risk, ideally the executives of the organization; and the numerous other “Actions” (shown in the Appendix, Gap Study) necessary to oversee and govern the risks of the organization. Depending on the complexity, risk software is utilized to roll up, monitor, comply with requirements and timelines, and report on risk.

Roles of board and management are often documented in a Framework or ERM Policy (a document approved by board defining roles, purpose, mandate, timing and format of board reporting, and Risk Appetite). The board then designates a board committee which has the appropriate expertise, and such committee(s) oversees the activities and actions it considers to be material. Risk committees at the board and management levels can plan the quarterly activities they wish to focus on via annual calendars. A Qualified Risk Director often leads board risk oversight.

The Five ERM Elements

Board risk oversight is one of five ERM Elements, essentially five components of successful ERM programs. Proper board risk oversight requires ensuring that the other four elements are in place. The five elements are described in brief below and are also listed in checklist form in the Appendix, the Gap Study, which lists “Actions” for each and shows who is responsible (i.e., board or management). Please see Figure 31.2.

• Element #1: Education. Continual education of the risk practitioners (i.e., CRO, risk manager, or designated senior officer) is obviously imperative, as is the need for risk-related education for line managers. But also essential is that senior leadership (i.e., directors and executives) be well versed in ERM through education and continual learning.
• Element #2: Process. Risk registers change regularly, hence formalized risk management must be continually active and evolving to respond. This requires structured processes under the direction of management (but overseen by board). Risk processes generally revolve around a core set of activities which can be summarized as the “Five Steps in the ERM Process”: Identification; Assessment; Controls/Risk Response Plans; Monitoring; Reporting. Important to directors in understanding the “Five Steps” process is having a full grasp of the entity's strategic objectives and especially the KPIs which measure their success. Directors must also understand the “Risk Context,” that is, the environment in which the organization operates, and should be aware of the “Stakeholders” who can be impacted by the entity's activities.
• Element #3: Governance. ERM needs parameters, that is, policies, a framework, practices, and procedures endorsed by management and board, to be adopted by the entity. The entity needs to define the purpose of the ERM program and needs ample funding and resource deployment. In order that ERM is led from the top down, accountability must be created via the assignment of roles for the board, executives, and CEO, chief risk officer, and other top leaders of the organization.
• Element #4: Board Risk Oversight. This is addressed in “Board Risk Oversight” section ahead.
• Element #5: Strategy. Bad strategy can ruin an organization. Numerous risks can arise from poor strategic decisions, including the failure of strategy; failure to execute the strategy, including lack of timeliness; and choosing the wrong strategy. Proper strategic risk management, with the goal of creating and protecting shareholder and stakeholder value, can benefit from applying risk assessments in strategy setting, in key decisions, and in performance management processes. Per “A Framework for Board Oversight of Enterprise Risk” issued by CPA Canada,¹ “The contrast between the oversight of financial reporting versus strategy is staggering. Financial reporting has well-defined rules and parameters, often known as generally accepted accounting principles … in contrast, there are no rules or regulations governing how strategy should be developed and presented. There are no professional standards or qualifications for those developing strategy … this can lead to developing strategic plans that assume sustained growth but ignore the risk of contraction, overestimate the company's own competencies, and underestimate competitors' capabilities and actions.” Hence, key is ensuring that risks in strategy-setting process and risks in the strategy itself be understood and managed.

The Four ERM Fundamentals

The following four ERM Fundamentals, essentially basic requirements for risk program survivability, need to be in place to ensure that risk management is sustained⁷ over the long term:

1. Leadership: The directors and senior leaders in the organization need to walk the talk and support the risk practitioners and their processes. Board risk oversight is ideally coordinated via having one or several directors who are thoroughly experienced in risk management (see “Board Risk Oversight” section on qualified risk director). Organizations such as the Directors and Chief Risk Officers Group (“the DCRO”)⁸ provide much guidance to those in leadership roles on the board. Skills matrices used in board searches now typically require that at least one member of the board or risk committee have significant experience in ERM as a skillset. At the executive C-suite level, there needs to be a full-time or part-time CRO who acts as a “champion” of the ERM process. It is critical that the board chair and CEO fully support the ERM program.
2. Defined Roles: Effective ERM is led from the top down via clearly understood roles for directors and the executives, and such roles are often documented in a framework or ERM Policy. Some risk-related roles are for management, some are for boards, but some are also shared, hence each element described in the Appendix suggests a primary responsibility. Contrary to popular opinion, directors are not solely relegated to overseeing risk, nor are managers solely responsible for managing risk. For example, it will be occasionally necessary for board members to take a deep dive in order to understand the key risks of the company¹⁴; a second example is that with the direction of management, boards will need to approve, understand, review, and in some cases define the “Risk Appetite” parameters for the organization.
3. Management Resources: Successful ERM requires competent people at the management level and adequate funding. Staffing should include a chief risk officer, a risk manager, a corporate secretary or another dedicated senior executive who can devote a significant share of time to facilitating and coordinating risk management on behalf of the organization. Such risk experts will coach, guide, and liaise with the board, and dialogue with “risk owners” (usually members of the executive team) and with the executives. Staff this function with the same care and attention taken to staffing senior finance or legal functions. Hiring in-house is good but requires training from a qualified inside or outside source. This function also needs qualified support staff. Plan to dedicate adequate funding for conferences and education, risk software, and benchmark other similar organizations regarding funding levels.
4. Customization: No two organizations are the same and ERM is ideally customized for each entity. Hence, ensure that the Elements and Fundamentals are in place (as shown in this chapter) and leave the customization to the risk experts.

Board Risk Oversight

Board risk oversight is typically mandated in an entity's board charter, or within a board committee charter (i.e., often Audit or Governance). Board charters often use language such as “The Board shall oversee the management of the organizations principal business risks….” Hence, the board's role in ERM is generally to oversee and understand the executive team's processes, and this requires that the board perform its duties via a structured approach, enlisting directors with the required skillsets.

This section defines for boards seven key “Actions” (what to do) with a corresponding “Approach” (how to do it) in setting up risk oversight at the board level. Also listed is “Responsibility” (i.e., whether board or management is responsible for each Action). Effective board risk oversight is one of the five elements of ERM and must occur simultaneously while the other four elements are being coordinated.

• Action 1: Qualified Risk Director. Ensure the board has at least one director who is experienced in ERM and who can lead board risk oversight.
  • Responsibility: Board
  • Approach: Modern boards utilize skills matrices detailing the various competencies required to round out the board membership, and risk management skills are now routinely mandated. Depending on the complexity and size of the organization, extensive experience may be required to fill the role of director who leads the process of coordinating risk on behalf of the board. Ideally the candidate director(s) will have led risk exercises at the management and/or board levels and will be educated with a risk-related degree or diploma and a director's education course which includes an ERM component. Various sources define the qualifications for those who lead board risk oversight, such as the “Qualified Risk Director Guidelines” ⁹ prepared by the Directors and Chief Risk Officers Group—a document scoping the skills of risk-qualified directors who oversee risk at major organizations. Many courses are available to provide education for directors in ERM. The qualified director should be prepared to lead risk oversight at the committee or board level, including as chair of the Risk Committee or at a subcommittee. The qualified director should be the main liaison with management and the board. Does a qualified risk director or a person designated to lead board risk oversight have increased liability? According to law firm McMillan LLP, “As a general rule, the same duty of care applies to all directors, without regard to the special skills or experience that a particular director may possess. However, directors with special skills are expected to apply those skills when they make decisions affecting the corporation…”¹⁰ Hence, selection of a member to lead oversight of board risk must not be taken lightly and must entail a thorough examination of that director's experience, ability, and willingness to apply their skills. More details on protecting directors via proper conduct, corporate, and personal indemnification agreements and insurance is beyond the scope of this chapter.
• Action 2: Protecting Independent Directors. Create opportunities for IDs to question the risks and processes of the company.
  • Responsibility: Board
  • Approach: Independent directors often feel vulnerable to not having enough inside knowledge about the key risks and what is being done about them. IDs can benefit from opportunities to question management on such matters such as: risk processes; the top risks as prioritized by the organization, and whether proper controls are in place. Proper actualization of the board's role in risk (as defined herein) will comfort IDs in terms of reducing potential anxiety and personal liabilities. Additional comfort can come from in-camera interviews with the chief risk officer and through interviews with executive risk owners as necessary.
• Action 3: Board's Role in Risk. Formalize and actualize the board's role in risk oversight, including approving Appetite and the ERM Policy.
  • Responsibility: Board and management
  • Approach: The board's role in oversight of ERM can be outlined in the board and/or committee charters. The board's role can be more fully described in an “ERM policy” or “Framework.” Boards should create a formalized structure in order to better actualize risk oversight by addressing steps such as:
    1. Board structure: Ensure risk is assigned to the appropriate board committee.
    2. Risk governance: Approve the ERM policy, including defined roles for board, board chair, management, CEO, and chief risk officer.
    3. Understanding key risks: Understand the nature and magnitude of key risks, ensuring that the risk profile and emerging risks are current and updated according to a schedule (such as quarterly).
    4. Oversight of ERM activities: Ensure processes exist to identify, measure, manage, and control key risks, including appropriate policies, procedures, and controls, with proper monitoring and reporting.
    5. Alignment with strategic objectives: Ensure that the key risks are aligned with the strategic objectives.
    6. Risk appetites and tolerances: With the assistance of senior management, understanding, reviewing, and approving risk appetites and tolerances according to a schedule (such as annually).
    7. Risk culture: Review management's progress in establishing, setting, and enabling risk culture.
    8. Chief risk officer (CRO): Oversight of the CRO's performance, meeting in camera with CRO.
    The role of the board in ERM should be customized to suit an organization's requirements. Spelling out the annual activities in the board calendar helps check off the items to be accomplished over the year. Industry regulatory bodies may guide boards' role, such as with Canada's Office of the Superintendent of Financial Institutions (OSFI), which offers principle-based advice.¹¹ Other industry bodies offer more mandated roles such as with Ontario's Deposit Insurance Corporation (DICO) as shown in Table 31.1.

• Action 4: Board Risk Committee Structure. Set Up a Board Risk Committee and/or subcommittee
  • Responsibility: Board
  • Approach: In setting up a proper structure for overseeing risk at the board level, the board will typically utilize one of the following four approaches, with responsibility for board risk oversight assigned to either: (1) subcommittee of the Audit Committee or another committee such as Governance; (2) whole board responsibility, not relegated to a specific committee; (3) a specific board Risk Committee; (4) risk responsibility residing with each of the board committees with each overseeing risk in their functional areas (i.e., audit overseeing financial risk, etc.). This is a topic requiring much consideration based on the specific requirements of the board and the entity. A key element of board risk oversight is that the management-level risk practitioner (chief risk officer, risk manager, or other manager) should have a reporting line to the board or the committee and should be available regularly for reporting and in-camera sessions when necessary, and should be performance reviewed by the board.

  The Board of Directors Governs the Risk Profile of the Credit Union	Management Takes Action to Manage the Risks to an Acceptable Level
  Oversees of ERM framework, gains assurance on its effectiveness	Develops processes to implement Enterprise Risk Management in the credit union
  Establishes, approves, annually updates governing policy on Enterprise Risk	Assigns responsibilities for risk ownership, monitoring of risk, risk reporting
  Articulates risk appetite/risk tolerance in policy	Identifies process to develop risk profile
  Gains understanding of overall risk profile of credit union at inherent and residual levels	Implements processes to develop risk profile and to assess the severity of each risk
  Gains understanding of significant risks at inherent and residual levels	Implements processes to determine risk responses are in place and identify if further action required
  Understands level of risk absorber (capital) in relation to aggregate residual risk of credit union	Determines level of risk absorber (capital) in place, make recommendations where it is not sufficient
  Approves acceptance of residual risks or direct additional risk response action where residual level is in excess of established risk appetite/tolerance	Reports to board on the risk profile of the credit union including significant risks at the inherent and residual level
  Gains assurance that management has undertaken the risk responses as outlined	Takes action, monitors to ensure risk responses operate effectively and continuously
  Monitors risk indicators for known significant risks on quarterly basis and more frequently on specific risks when issues arise	Presents periodic reports to board which present risk indicators and level of risk by categories
  Monitors emerging risks and discuss implications with management	Presents information to board on emerging risks

• Action 5: ERM Maturity, Board Oversight. Using the GAP Study and roadmapping to determine progress in developing ERM.
  • Responsibility: Board and management
  • Approach: The current state of the entity's ERM program should be benchmarked with other mature ERM programs, ideally every three to five years, with the objective to determine if progress is being made in gradually enhancing the ERM program. This benchmarking is ideally done independently by internal audit and/or by external experts. A simple approach is to utilize the Gap Study in the Appendix, to be completed by an internal or outside expert to compare existing versus ideal/best practices, reporting back to the executives and board. It is a simple tool to test ERM maturity and is a checklist of adherence to the concepts addressed in this chapter. It is intended to help show management and the board and other interested parties the stage of development of risk within the entity.

    Another simple test is the “RIMS Risk Maturity Model”¹³ available from the Risk and Insurance Management Society (RIMS). Organizations can take this quick survey to determine how deeply entrenched ERM is in their organization. Per Adrian Castillo Cisneros, enterprise risk manager for CEMEX, a global building materials company, “Our organization has benefited from RIMS by using the RIMS Risk Maturity Model. With that tool, we found out the areas of opportunity we still have, along with our current status (half-way to full maturity).”

    A more formal approach is to have internal or outside experts create a roadmap outlining which of the steps (such as those in this chapter) have been completed and which new steps are to be scheduled in the future.

• Action 6: Executive Compensation. Align executive compensation with performance on risk management milestones.
  • Responsibility: Board and management
  • Approach: Build “measurables” into executive compensation to reward the CEO and the executive team for effective management of risk and for accomplishing milestones, such as those Actions defined in the Appendix, Gap Study.
• Action 7: Board Risk Workshops. Board risk workshop, giving directors an opportunity to review, comment, and input on the Corporate Risk Profile and other elements of ERM.
  • Responsibility: Board and management
  • Approach: Board participates in various risk-related activities, including:
    1. Are risks aligned with objectives?: Review the alignment of key risks with the key organizational objectives, ensuring the risks arising from the Strategic Plan have been discussed and utilize a Risk Register and/or Risk Polygon for discussion purposes.
    2. Priorities: Review management's ranking in the Risk Register and if necessary, adjust management's priorities.
    3. Risk appetite and tolerances: Review, discuss, and approve.
    4. Key risks and controls: Discuss the top risks and whether they are being managed.
    5. ERM process: Discuss the effectiveness of management's processes, discussing areas for improvement, including the effectiveness of CRO (chief risk officer).
    6. ERM maturity: Review progress made in developing ERM Risk Maturity.
    7. Executive compensation: Address compensating executives for completing ERM milestones.

Conclusion

ERM requires a top-down effort, with management leading the process and the board supporting and overseeing the important steps. This requires proactivity and a good understanding of the key Elements and Fundamentals. An example of the need for board proactivity is with cybercrime—this risk currently tops the risk registers of many organizations. Despite regular news stories such as ransomware attacks that are freezing sophisticated computer systems of major organizations, and reports of the increased presence of state-sponsored cyberterrorism, 44 percent of the 9,500 executives surveyed in PwC's 2018 Global State of information Security Survey say they don't have an overall information security strategy.¹⁴ The solution for boards of directors as proposed by PwC is to “focus on getting the right information and building relationships with the company's tech and security leaders so you get a better sense of whether management is doing enough.” Reducing the exposure to cyber risks requires active management by the organization and is enhanced by a deep dive by the board.

Like with effective cybercrime mitigation, effective control of other top risks is best driven by a deep understanding by the board and a regular liaison with management. For executives, ERM is a structured and systematic discipline which can align the entire organization to manage its risks. Leadership from the top results in empowerment to the risk practitioners. Strong support from the chair and CEO is a critical starting point needed for building a successful and lasting ERM program.

This chapter and the Risk Polygon methodology outline best practices, key “Elements,” and important “Fundamentals,” which if adopted will lead to better preservation of organization value, more predictability, and enhanced likelihood of attaining organizational objectives.

A starting point is to use the Gap Study in the Appendix at the end of this chapter to benchmark the state of ERM at your organization versus the best practices addressed in this chapter.

About the Author

Stephen (Steve) Mallory ICD.D, CRM, FCIP, brings close to 10 years of experience on Canadian Federal Government (Crown) Corporation boards. He served from 2012 to 2017 on the board of VIA Rail Canada including as chair of the Governance, Risk and Strategy Committee, and was on the Pension Investment Committee. Previously he served from 2008 to 2012 as a director with the Standards Council of Canada and sat on the Audit Committee. He led board risk oversight on both boards and has served since 2011 on Canada's CSA/ISO/TC262 Project committee: Risk Management.

He teaches Enterprise Risk Management at the Institute of Corporate Directors across Canada; at York University in Toronto in the Master's Financial Accountability program; and with the Governance Professionals of Canada.

Steve is principal of Directors Global Risk Consulting Inc., a Toronto-based firm which provides enterprise-risk-management advice for organizations located across Canada. He also advises clients at Benson Kearley IFG, a top Canadian insurance brokerage. Prior to founding his own firm in 2007, he served as CEO and region head within two of Canada's largest insurance brokerages.

Steve is regularly quoted in business publications and has led various charitable initiatives, including funding for water wells supplying nourishment to 15,000 people in Africa.

Acknowledgments

Special thanks to the following people who have provided extra support, advice, and guidance in the writing and review of this chapter, and/or who have provided inspiration on the subject of ERM: Andrew Poprawa, Regulator and Independent Director and Board Chair; Michael Murphy, Risk and Internal Audit Professional; William Thomson, Independent Director and Board Chair; John Fraser, Risk and Internal Audit Professional and worldwide leader in ERM.

Appendix: Gap Study—Risk Oversight for Directors: A Practical Guide

This Gap Study is a tool for boards and executive teams to gauge if the key steps and best practices in ERM exist at their organization and/or on their boards. The Gap Study checklist should be completed by an internal or outside expert to compare existing behaviors versus ideal/best practices, reporting back to the board and executives. This Appendix also serves as a summary of the Five Elements.