Organizations looking to step up and improve ERM might want to consider "culture." The new COSO ERM Framework highlights and emphasizes the link between culture and ERM in the following ways:
• There are 124 mentions of the word "culture" in the ERM framework.
• The first Component is called "Governance and Culture."
• Principle 3 is called "Defines Desired Culture."
• Principle 20 is called "Reports on Risk, Culture, and Performance."
Quick Ideas for Getting Ready to Answer Board and Management Questions about the ERM-Culture Connection:
— Find your resources to dig deeper on culture. For example, read the NACD Blue Ribbon Commission on Culture as a Corporate Asset. I'm still a fan of our Risk Challenge Culture study we did for the IMA and ACCA. The IIA has a lot of good material too.
— Read Principles 3 and 20 and determine how your organization compares to each Principle. Do your board and management define the desired culture? Is culture embraced by all personnel? Do you know the factors that drive culture in your organization? Do you know how culture is influencing your ability to identify risks or properly assess risks? Is risk an afterthought to strategy and other big decisions? Do you have escalation policies? Do you have a risk-aware culture (this will most likely require training employees and management on ERM)?