Around the year 2000, we were asked by COSO to determine if they should write an ERM framework. Students, educators, and others with ERM curiosity might find our original report of some interest. Our answer was, "Yes. Write an ERM framework."
Back then we thought an ERM framework should address:
- Risk identification and establishing a risk language
- Measurement and prioritization of risks
- Business risk solutions, and
- Risk infrastructure.
Despite the fact that a lot has changed in the world, this framework is still a good starting point.