Effective enterprise risk management and governance, risk, and compliance processes begins with establishing the context of the risk assessment. In the risk management literature, the “context” is commonly thought of as the opportunity, strategy, outcome or process on which stake-holders want formal analysis and assurance. AS/NZS 4360: 2004, a widely accepted risk management standard published by Standards Australia, suggests that the strategic context, the organizational context, and the risk management context must all be considered. The assessment of the strategic context links the organization’s mission and strategic objectives to the management of risks to which it is exposed. Defining the risk management context involves setting the scope and boundaries of the risk assessment process, including the time frame and specific project or activity. A context could include the entity as a whole, a business unit, a line of business, a geographic area or all of the above. The context is the level at which management feels the need to set strategy and assess risk. Whatever the context, it will usually be the basis for formal board reporting and will usually include a variety of existing business activities and functions. Whatever the context identified for an enterprise risk management assessment, it must be sufficiently important to be visible to the senior officers and the board. Its importance may be due to its current significance or its potential significance. The entity’s entire portfolio of economic assets should be considered. A simple but effective way to get started is to establish the initial context as the company’s major geographic areas, business units or product lines. These are the focus of management’s strategic initiatives. The emphasis is on steering the organization toward value adding opportunities.
Read more about how to achieve effective and strategic risk management in the following whitepaper: Seven Steps for Effective Enterprise Risk Management.
