Does your organization use Enterprise Risk Management tools and/or processes to identify risks and opportunities and assess potential impact?
Gerardus Blokdyk
34K+ | Bestselling Author | Innovator | Speaker | Mentor | Founder and CEO at The Art of Service | Bestselling Author - With 900+ Academic Citations my work is in the top 1% of most cited work worldwide
Enterprise Risk Management: Ask This;
TLDR: Ask This;
1. Does your organization have an Enterprise Risk Management Strategy and does it address cyber risk?
2. If your organization has an Enterprise Risk Management program, does your IT audit risk framework link to the ERM catalog?
3. Does your organization use Enterprise Risk Management tools and/or processes to identify risks and opportunities and assess potential impact?
4. Which barriers does your organization face in establishing a formal Enterprise Risk Management program and how significant are those barriers?
5. Which industry standard for Enterprise Risk Management does your organization predominantly follow?
6. How does your organization factor climate change into its Enterprise Risk Management systems, actuarial analysis, underwriting, or investment strategies?
7. Does your organization have a formal budget for Enterprise Risk Management activities/program?
8. Does the finance department play a pivotal role in Enterprise Risk Management by helping ensure that your organization has a risk management program across all programs and operations?
9. Does the Enterprise Risk Management process include assessment and mitigation plans for all material ESG related risks that have been identified?
10. Are risks associated with other legal entities considered/identified in the holding organization's Enterprise Risk Management program?
11. To what extent has your organization integrated Enterprise Risk Management into budgetary and execution processes?
12. To what extent has your organization integrated Enterprise Risk Management into strategic planning?
13. For which parts of your organization, which might otherwise not have taken an Enterprise Risk Management approach, has the pandemic represented a turning point?
14. Do the SASB disclosure topics align with the key risks identified in your organization's Enterprise Risk Management processes?
15. How is the work of the IT and Enterprise Risk Management departments utilized in the audit process?
16. To what extent does your Enterprise Risk Management program plan to focus on each over the next 12 months?
17. Does your organization approach climate change as an Enterprise Risk Management issue?
18. Are political risks and opportunities appropriately evaluated in your organization's strategic planning and Enterprise Risk Management processes?
19. In your Enterprise Risk Management risk profile, does your organization identify fraud as one of your enterprise risks?
20. Do your organization's management information systems capture and provide reliable, timely and relevant information sufficient to support effective Enterprise Risk Management?
21. How does your Enterprise Risk Management link to your Corporate Governance compliance requirements?
22. Does your organization's risk reporting provide management and the board with the information they need about the top risks and how they are managed?
23. How does your organization approach the data management challenges associated with Enterprise Risk Management?
24. Is your organization ready to demonstrate to regulators how the overall Enterprise Risk Management framework is maintained?
25. Does the evaluator understand each of your organization's activities and each of the components of Enterprise Risk Management being addressed?
26. How does your Enterprise Risk Management integrate with frameworks such as COSO, COBIT, ISO 17799, BITS, NIST Special Publication 800-53 and ITIL?
27. How does data protection fit into the Enterprise Risk Management framework and is it built into audit plans?
28. How do you engage employees, from the very top level all the way down through the other levels, in the Enterprise Risk Management process so that they see the value in it?
29. How does your compliance risk assessment feed into Enterprise Risk Management assessments?
30. Is there a plan in place to make Enterprise Risk Management assessment and response a sustainable process rather than a project conducted periodically?
31. Does the Enterprise Risk Management process align with the board's expectations and allow the board to appropriately manage risk?
32. Is internal audit's risk assessment process appropriately linked to your organization's Enterprise Risk Management activities?
33. Which type of risk appetite articulation best fits your organization, who will use it, when and how?
34. How capable does the enterprise want its risk management to be for each of its priority risks?
35. Does your organization have a robust traditional risk management program that encourages risk awareness with proactive event reporting?
36. How are enterprise risks currently identified, evaluated and prioritized?
37. In creating an agile and flexible governance model, does your organization link its risk management practices to value drivers?
38. Is your information technology risk management (ITRM) program integrated into your overall Enterprise Risk Management strategy?
39. How does your organization integrate resilience into its Enterprise Risk Management structures?
40. How is the impact of Enterprise Risk Management on value creation defined and measured?
41. How does your organization reap early wins for risk management that can then help it achieve more wins down the road?
42. Which international frameworks and standards play a role in your organization's Enterprise Risk Management, internal control and fraud deterrence, and in the prevention, mitigation and management of risk, and what role do they play?
43. Is management periodically considering advice from external parties (e.g., customers, vendors and others doing business with the entity, external auditors, and regulators) on the functioning of Enterprise Risk Management?
44. Is Enterprise Risk Management included in employees' Key Performance Indicators (KPIs)?
45. Is there a formalized risk governance plan that defines the Enterprise Risk Management program requirements?
46. Do you use Enterprise Risk Management processes to consider threats from insiders and near insiders?
47. How are you adjusting your Enterprise Risk Management structure and oversight based on market data and your experience and learning?
48. How can the board's role in Enterprise Risk Management improve identification and oversight of ESG risk and opportunity?
Organized by Key Themes: RISK, MANAGEMENT, SECURITY, MANAGER, DEVELOPMENT, DATA, COMPLIANCE, AUDIT, ENTERPRISE, PROCESS:
RISK:
How do you perform an evaluation when the risk areas often overlap one another?
Make sure the team also provides information, analysis and support to those responsible for risk management strategy and execution, ranging across line managers, state managers, business unit leaders and enterprise risk managers.
Are the current enterprise risk management frameworks effective at capturing emerging or current sustainability risks?
Work with process owners and executive management to formulate and implement a plan to monitor current and emerging risks to ensure appropriate risk management principles are integrated throughout the overall business strategy of the Association.
What level of risk management competency does the board want to achieve across your organization?
Integrate risk management activities of individual business units into an integrated view across the entire organization, including establishing open channels of communication and bringing together functional leaders across the organization to balance risks and new business opportunities to achieve optimal overall association performance.
How do you use the data that already exists internally and externally to your organization to better identify and predict emerging changes in the risk environment?
Make sure your design develops and maintains model risk management policy, standards, and procedures that outline the guiding principles for how the organization develops, documents, controls, validates, and maintains statistical, econometric, financial, or mathematical models for business use.
How do you collaborate on risk assessments and/or risk information gathering?
Collaborate with business units and risk management functions to ensure appropriate model control standards for all businesses are consistent with organization-wide policies.
How do you best invest your assets, given the structure of your exposures?
Interface so that your group is implementing and overseeing enterprise-wide compliance, business continuity, vendor due diligence and enterprise risk management programs that effectively measure, monitor, and mitigate risk consistent with the Credit Union's risk appetite.
How do you manage future upcoming regulations and guidelines for financial organizations and banks?
Verify that your strategy creates and leads any business unit specific Risk Committees required and participates in the enterprise-wide Management Risk Committee.
Does the evaluator understand each of your organization's activities and each of the components of Enterprise Risk Management being addressed?
Assure your process develops Enterprise Risk Management tools, practices, and policies to analyze and report enterprise risks, and manages risks according to an Enterprise Risk Management (ERM) framework.
Is there an effective process for reliable reporting on risks and risk management performance?
Partner with business units to drive operational and strategic direction to improve overall enterprise risk management, risk governance, and reporting in accordance with risk management standards.
What are the greatest risks, inherent and emerging, that could keep your organization from achieving its strategic objectives?
Guarantee your staff works with the Chief Strategy Officer to integrate risk management into strategic planning and identifies enterprise-wide risks to achieving strategic priorities, goals and objectives.
MANAGEMENT:
Do you provide some assurance that there is in fact an action plan with people responsible for addressing issues now?
Warrant that your group serves as Risk Committee Chair responsible for the ongoing development, management, and execution of a comprehensive Enterprise Risk Management Program, providing strategic guidance and direction to the organization and leadership on risks and risk mitigation.
What risk management strategies do you use to maintain and improve organizational sustainability?
Make sure the department's analysis reporting and data output, as well as system administration and project management, maintain strict compliance with entity-level and business-line process key and secondary SOX controls, regulatory requirements and corporate policies.
Do you have a contract or MOU with your partner that includes protections and contingency plans?
Partner with the Enterprise Risk Management organization to ensure compliance with the program.
Who needs to be involved in considerations about your risk landscape and risk management activities?
Confirm that your process is involved in enterprise risk management and mitigation planning.
Have any of the risks recorded changed significantly in terms of impact or likelihood?
Work closely with business analysts, system administrators, department managers and/or supervisors in obtaining the skills, techniques and knowledge to ensure all reporting projects and development are properly tested, validated and documented as they progress and follow the department's project methodology, documentation standards, and change management requirements.
How do you plan for partner collaboration or implementation outsourcing?
Serve as trusted partner to key business executives focused on the customer, enterprise risk management, regulatory compliance and finance.
How do you effectively link strategy and risk management?
Be confident that your process has involvement in developing communications and delivering key information effectively to stakeholders and all levels of management to influence decisions centered around business optimization.
How might risks emerge that impact a crown jewel, or how might risks emerge that impede the successful launch of a new strategic initiative?
Be confident that your company leads teams and owns project management action plans, business rules analysis and development, product development and service delivery.
Has the policy been distributed to all employees and contractors for whom it is applicable?
Oversee that your strategy is responsible for managing relationship(s) between a Business Unit's Portfolio Manager(s) and the Enterprise Portfolio Management Office (EPMO) to ensure pertinent information is gathered, maintained, addressed and distributed.
How does your organization factor climate change into its Enterprise Risk Management systems, actuarial analysis, underwriting, or investment strategies?
Assure your team is leading and directing staff in evaluating the impact of new laws and regulations and coordinating the change management process with business units.
SECURITY:
How would a loss from a key risk affect incentive compensation of top management and planning/budgeting?
Interface so that your operation participates as a member of the Enterprise Risk Management Committee and helps define the risk management strategy of your organization as it pertains to information security.
How do you use information on risk intelligence to support risk and resilience management?
Invest in planning, organizing and leading IT security projects related to network, system and data security, including insider threat detection, enterprise information security reporting and auditing, as well as system risk management and mitigation.
Do you have the appropriate level of expertise and support to effectively monitor information assets around the clock?
Serve as the Information System Security Manager (ISSM) to provide cybersecurity and Risk Management Framework (RMF) support.
How do you align identified risks with the strategic objectives and goals within your organization?
Safeguard that your staff develops and/or invests in providing training pertaining to changes to contractual clauses related to ethics and compliance, including information technology, data security and privacy, human rights, personnel vetting, business ethics, etc.
Does your organization need to appoint a Chief Risk Officer or have dedicated ERM staffing?
Check that your personnel implement incident response plans and procedures to ensure business-critical services are recovered in a security event.
Does the responsible manager understand the purpose of the duty and what the obligations are?
Partner with the Security Governance team to supervise and carry out compliance with the organization's security policies and standards among employees, contractors and third parties responsible for Security Delivery.
What are the liability ramifications and enterprise risk management options involved if a shooting is determined to be unjustified, unwarranted or even negligent?
Be certain that your personnel are involved in the implementation and management of your organization's cybersecurity program.
Should enterprise risk management move from a support function to a strategic imperative?
Certify your group supports and coordinates efforts with Security Operations, Security Systems and Technology, and Regional Security Leads to ensure resources are properly aligned to support Security COE initiatives.
Does your organization anticipate rapid growth that might require using cloud solutions?
Make sure your team manages and contains information security incidents and events to protect corporate IT assets, intellectual property, regulated data and your organization's reputation.
How aligned is your organization's risk management program today with business functions?
Interface so that your process assesses and aligns core and extended team member skills with the strategic Security and Technology direction.
MANAGER:
Who is responsible for cloud strategy, and is that aligned with the business strategy?
Make sure the ERM Manager is responsible for providing guidance to business decision makers on issues and the development of risk mitigation strategies.
Have administrators observed any quantifiable benefits from the implementation of ERM?
Make sure the delivery manager is also a team process coach (Scrum Master, Agile Coach) responsible for process health results (the quality of collaboration across the whole team, the removal of impediments that slow down the team, and the coaching and improvement of everyone on the team).
Are risk tolerance thresholds, which trigger action, defined for each category of risk?
Make sure your group supports the business unit managers via the Resiliency Coordinator network to meet both (internal) client and regulatory requirements related to Resiliency.
How supportive and cooperative was your organization to the introduction and implementation of risk management?
Make sure the C and OR Manager plans, drives and reviews team deliverables to support consistent quality of activities, processes and outputs.
Will the required resources in the user environment be available to implement the system?
Partner with business managers and HR Business Partners to create and implement strategic talent plans.
Do business continuity and Disaster Recovery readiness have the support of top management in your organization?
Make sure your operation works closely with the ERM Leader and the ERM deployment team; the ERM program manager is responsible for planning and supporting a smooth deployment of the ERM framework to all relevant SE entities.
Does your organization have a robust traditional risk management program that encourages risk awareness with proactive event reporting?
Provide and manage the planning framework, systems and resources to deliver an effective planning and reporting service to Project Managers and Sponsors.
Are there cultural issues within your organization that could compromise the effectiveness of risk management?
Have you mastered establishing and advancing relationships from the C-suite to business line and IT leaders, middle managers and front-line users?
What do you see as the greatest barriers to the effective management of risk in your organization?
Confirm that your team reviews the health and performance of the portfolio regularly and identifies performance improvement opportunities in alignment with the Portfolio Manager.
What is the relationship between effective enterprise risk management and improved financial reporting and transparency?
Oversee that your design administers the performance appraisal process for direct report managers.
DEVELOPMENT:
How likely is it that your organization's external financial and operating reporting information is incomplete?
Make sure your company is responsible for the development, oversight and implementation of core ERM tools, including risk identification, assessment of risk to operations and mission, prioritization, development and implementation of responses and mitigation plans, monitoring, reporting templates and communications tools.
Do investment cash flow sensitivities provide useful measures of financing constraints?
Ensure your design team is experienced with the development of service levels, performance measures, and business process improvement initiatives.
Which incident handling activities are coordinated with contingency planning activities?
Invest in the development and integration of programs, plans, strategies and processes to meet business goals for authorization, such as sourcing strategy for commitment of work, cost imperatives, deployment analysis and impact mitigation.
Are you developing a new line of business, experiencing growth or in a post-merger environment?
Develop and lead strategic plans and analyze business information to create complex Success Plans for strategic accounts, develop and streamline operational Playbooks and processes, and invest in developing best-practice training for the (internal) Customer Success team.
Where is the highest level of direct responsibility for climate change within your organization?
Guarantee your staff documents business requirements and communicates such requirements to the operational and development teams for the design and implementation of business solutions.
Do you minimise potential blind spots in your risk identification and assessment efforts?
Be confident that your team is engaging in business plan development and proactively anticipating needs that can be addressed with an innovation strategy or solution.
How do you continue to deliver value and service to the public despite uncertainty and turbulence?
Partner with the Corporate Development team to monitor and track acquisition performance; deliver key business insights to executive leadership.
How do you plan to invest in asset risk management?
Verify that your process has leadership and successes with business process development and/or improvement associated with health plan operations.
How effectively can information technology be leveraged to support your organization's risk and control framework?
Verify that your operation conducts benchmarking, market landscape assessments, scenario planning analyses and business case development in support of strategic recommendations and decisions.
Is there adequate time set aside in the process for the directors to proactively participate and so fully understand the process?
Participate in the development of the organization's disaster recovery and business continuity plans for information systems.
DATA:
Which opportunities to enhance alignment of risk and operational management seem obvious?
Safeguard that your workforce supports cross-functional decision-making, including corporate and business unit strategy, enterprise model design, data strategies and insights, and optimization of data and decision support systems to enhance the (internal) customer success program.
What do you consider to be the main barriers/challenges to effective risk management in your bank?
Collaborate with the Enterprise Fraud Governance team to identify business changes requiring independent monitoring and develop a process to support data-driven challenge of fraud RCSAs.
How much is the average cost to create a risk register and complete a risk assessment?
Establish that your group provides leadership and expertise in working with I/T and other business partners to ensure data captured by systems is verifiable, validated using appropriate sources, and complete.
Is the board satisfied there is a risk management process that provides a common framework for managing risk across your organization?
Certify your staff gathers information, analyzes data trends, identifies root cause(s), and provides information to the business or project teams.
How do you bring your risk strategy more in line with your business strategy so they support one another?
Be certain that your company has involvement in creating meaningful data analysis and metrics to support business needs.
Are risk aggregation principles in place to support standardization across your organization?
Be sure your staff utilizes relevant data to solve problems, make recommendations, and support business decisions.
Has management taken an occasional fresh look at focusing directly on enterprise risk management effectiveness?
Support Business and Functions in profiling the processes and data lineage and identifying control enhancements using data quality tools and techniques.
How are employees or representatives consulted and involved in health and safety matters?
Establish that your company is involved in Business Objects, including building data queries and providing meaningful analysis.
Can the patient give quick or one-word responses to update information or monitor symptoms and test results?
Capture Business Impact Analysis data and update relevant business continuity plans.
How is your organization monitoring for new and potential Cybersecurity regulatory changes and complying with new legal requirements?
Work with Group IT using agile methodology to drive Data Architecture related Enterprise Data Toolset improvements and facilitate the change required across CDO teams.
COMPLIANCE:
How do you know whether AI risks are increasing, decreasing or staying at the same level?
Make sure your operation advises stakeholders by providing business planning guidance, including research, development, planning and implementation of procedures and processes to increase business viability and ensure compliance and/or product competitiveness and profitable growth.
Are the network designs suitably secure for your organization's cloud adoption strategy?
Be sure your operation is responsible for scoping and managing business systems projects that deliver products to support work processes as well as compliance with insurance and other regulatory requirements.
How prepared is your organization for a major risk event that has never happened before?
Ensure your strategy ensures compliance of the Business Unit portfolio with company and regulatory policies and procedures, including adherence to EPMO processes, procedures, controls, standards, tools and templates (with priority).
How is the current amount factor used in the calculation of the indicated rate level change?
Interface so that your organization assures consistency in Business Continuity policies and procedures, as well as alignment to the overall business strategy, and assures compliance with organization standards and systems in the area of Business Continuity.
Does the charter clarify that the board risk committee oversees senior management's implementation of risk management strategy?
Be sure your group identifies outstanding compliance issues and oversees proper implementation of business requirements.
Should the pathways/entry advice be strengthened to provide better advice on what competencies, knowledge and experience should be necessary?
Warrant that your group anticipates business needs and proactively identifies and executes on opportunities to improve and strengthen the Compliance environment.
Does management involve the board when making decisions to accept or reject significant risks?
Warrant that your team designs and executes education and training programs for employees whose functions or responsibilities involve compliance with applicable organization policy and regulatory and industry laws.
AUDIT:
Where should the valuable time of directors and senior management be directed to generate the maximum benefit for your organization?
Be certain that your organization is leading projects in the areas of Enterprise Risk Management, Sarbanes-Oxley Compliance, Internal Audit, and Quality Assessment Reviews.
Does the use or disclosure of protected health information to the person or entity concern only the treatment of an individual?
Confirm that your design is involved in operational and financial auditing, enterprise risk management, and regulatory compliance.
Do business continuity and Disaster Recovery readiness have the support of top management in your organization?
Provide consulting support to IT leaders, Cloud Operations leaders, line of business leaders, internal audit, and external auditors relative to the full range of disaster recovery and business continuity issues and resolution planning.
Have stakeholders been consulted and involved in developing and evaluating treatment plans?
Liaise so that your team interprets audit findings and analyzes the corresponding regulations and the impacts to auditable processes.
How many different computing platforms or environments exist within your organization?
Make sure your staff handles investigations, training, audit findings, etc.
Is there an honest evaluation on an ongoing basis to anticipate new issues and improve the program?
Warrant that your strategy works closely with the Internal Auditor.
Are the development and risk management processes effective in achieving the required result?
Manage the overall underwriting audit framework.
Does management carry out your organization's mission, vision, core values and strategy?
Interact with Audit on complex sanctions requirements.
Which accounting standards do you use/have to use to comply with local reporting requirements?
Develop experience creating Board, Audit Committee and Executive reporting on the ERM function.
How do you make sure risk adds value to your business?
Have the following certified staff in place: internal auditor (CIA).
ENTERPRISE:
Do you know the location from which the provider will deliver support and management services?
Safeguard that your group serves on IT planning and policymaking committees and drives the development of enterprise security technology standards, governance processes and performance metrics to ensure the services consistently deliver value to the enterprise.
Who is responsible for authorizing, taking, controlling, and evaluating each type of risk?
Confirm that your workforce collaborates with enterprise partners to facilitate the development of business rules, requirements and artifacts for business projects and initiatives, and is responsible for required documentation of business decisions.
Should code of conduct and whistleblowing processes be revised to avoid potential conflicts of interest?
Make sure your team works collaboratively and advises diverse business areas across the enterprise on the development of legally compliant solutions for newly enacted or revised mandates.
Is attention paid to risk management in setting your organization's strategic objectives?
Utilize an enterprise perspective while serving as a critical connection point to the rest of the organization on all components of your business to aid in the development of new initiatives and execution of your new solutions.
How is the work of the IT and Enterprise Risk Management departments utilized in the audit process?
Safeguard that your personnel work collaboratively with Culture Transformation, Communications and Human Resources teams and Enterprise Transformation leaders at all levels to ensure integration and alignment of business plans.
What influences program manager behavior and encourages compliance with internal controls?
Safeguard that your organization develops and implements business continuity plans enterprise-wide, where applicable.
Is your organization's risk management strategy mature enough to meet your business needs?
Ensure your group works closely with business units and subsidiaries to implement enterprise requirements, developing tools and technology to meet enterprise standards.
Is attention paid to risk management in setting your organization's strategic objectives?
Utilize an enterprise perspective while serving as a critical connection point to the rest of the organization on all components of your business to aid execution of your strategic account plans and processes.
How skilled are risk professionals in your organization in preventing and detecting fraud risk?
Oversee the enterprise-wide Business Continuity program and staff to ensure appropriate oversight of the design, development, maintenance, and testing of disaster recovery and business resumption plans for each critical functional area.
How do you ensure you're allocating administrative resources to your areas of greatest need?
Invest in the formulation of stress test plans for a line of business or the enterprise, including the evaluation of results and framing of contingency plans in partnership with key business stakeholders.
PROCESS:
How do you align operational risk management with enterprise risk management?
Establish that your organization provides a high level of business expertise while conducting complex business process analyses, needs assessments, and preliminary cost/benefit analyses in an effort to align business solutions with your organization's strategy and initiatives.
Are operating systems, policies and procedures effective in addressing identified risks?
Safeguard that your workforce analyzes and identifies opportunities for business or system process improvements and develops initiatives to address identified opportunities.
Does your organization rely on proprietary rates or base rates on loss costs filed by rating bureaus?
Be sure your group leads or participates in large-scale business process improvement initiatives resulting in significant improvements in (internal) customer satisfaction, increased revenue and decreased operations costs.
Does your organization's risk reporting provide management and the board with the information they need about the top risks and how they are managed?
Evaluate current and new Finance and Reporting business processes and system functions, gather business requirements and perform requirements analysis to support enhancements and propose opportunities for process, system and reporting improvement.
How do external changes or new approaches affect your existing assets and investments?
Be sure your strategy notifies business users and other impacted business partners of system changes or process changes due to system changes.
Is well-managed risk taking encouraged to help seize opportunities and support effective innovation?
Safeguard that your design collaborates with others to analyze utilities' operational business processes and decision support system solutions.
Have there been changes in the appointed actuary in recent years, and, if so, how often have corresponding changes occurred and why?
Be confident that your staff works with business users to translate business rules and processes into business requirements for new vendor systems and changes to existing vendor systems.
Is your organization's culture promoting employee behaviors that are consistent with priorities?
Ensure your workforce contributes high-level expertise in business processes and systems analysis while considering the business implications for the current and future business environment.
How do you know if the CISO's security program has accounted for all the components needed to be effective?
Confirm that your workforce performs consulting tasks associated with business process analysis, asset registers/inventories, criticality, condition assessment, and repair and renewal needs.
How do you monitor process safety performance to ensure business risks are effectively managed?
Make headway so that your team is learning business processes being performed by users and how the application enables those processes.