
From Internal Control to ERM (Series)

Part Three: Towards the Introduction of ERM—Common Language and GRC Data

Takeru Fujimoto
Senior Consultant

June 30, 2009 (Tuesday)

The final part of the series on the introduction of ERM(*1) as a business management foundation highlights the most important of the three ERM management foundations—sharing risk definitions and assessment measures—as well as trends in the “standardization of risk information,” a current focus of FRI.

Sharing risk definitions and assessment measures: Creating a common language

As noted in the first part of the series, the essence of J-SOX is to turn risk definitions as well as measures to assess what constitutes an important risk into explicit knowledge, and instill this knowledge throughout the company as a whole.

Regarding ERM, the risks that are subject to management are wide-ranging, and the impact when risks occur is quantitative as well as qualitative. It is therefore important to share definitions and guidelines throughout the company.

In terms of actual management, a risk universe and risk assessment tools are created and put to use in the workplace. A risk universe is a tool for systematically uncovering risks connected to company activity from an overall perspective. It classifies and organizes risk factors with the potential to affect business goals into, for example, external environments such as the macro environment and stakeholders, and internal environments such as individuals and organization, as well as processes and IT. After risks have been clarified in the risk universe, each division identifies its own potential risks. The likelihood of occurrence and level of impact are then assessed using risk assessment tools, and the importance of each risk is decided. In risk assessment tools, the measures for assessment are typically defined in three to five levels. For example, the level of monetary impact might be divided into “over JPY 1 billion,” “over JPY 100 million,” “negligible impact,” and so on. In some cases, qualitative measures such as “impact on customers” or “harmful rumor” are used in conjunction.

In this way, the important risks can be appropriately distinguished by unifying understanding within the company of “what is a risk?” and “from what perspective, and on what scale, should it be assessed?”

Standardization of risk information: Common language and data standard

GRC(*2) is receiving attention as a foundation supporting ERM. For effective ERM, it is important to share the common language, as well as risk information collected using the common language, beyond the business activity of each division and the information systems that support such activity. The OCEG(*3) is currently drawing up a guideline for the GRC process and integration of information, and the OCEG Technology Council is developing international standards for risk information using XML technology. This standardization will allow information to be shared between different business activities and information systems within the same company. FRI is proactively contributing to the development of XML standards as a member of OCEG’s Technology Council.

The development of XML standards will not only improve efficiency by promoting collaboration between information systems, but will also allow risk definitions and assessment measures expressed in XML, as well as the risk information itself, to be shared between people, and between people and information systems.

FRI strives to support customization and workplace training for its clients based on templates of its own risk universes and assessment tools, and to help its clients realize sophisticated risk management through OCEG activity.

Notes:

(*1) ERM: Enterprise Risk Management. A process implemented by all members of a company to manage various risks related to overall company activity.

(*2) GRC: Governance, Risk, and Compliance. “G” is the regulation of the goals and scope of business activity; “R” is the identification of and response to risks related to business activity; “C” is management to ensure that the goals and scope of business activity comply with the law.

(*3) OCEG: Open Compliance & Ethics Group. A non-profit organization developing GRC standards. Activity is centered on audit firms such as Deloitte and PwC, and on vendors and user companies such as SAP, Oracle, and Microsoft. (Toyota Motors USA participates as a Japanese-affiliated company, but Fujitsu Research Institute is the only Japanese member company.)