
Building your Enterprise Risk Management System

Check your library for the April issue of Internal Auditor, titled “ERM Under Construction”. It contains three articles on Enterprise Risk Management (ERM) that are newsworthy for quality professionals working at companies that must comply with Sarbanes-Oxley (SOX). The first article, "Building on [SOX] 404 [for ERM]" by Paul Sobel, presents the internal financial auditor's viewpoint on moving from SOX COSO Internal Controls to operation-wide COSO ERM.

While every part of SOX COSO Internal Control is a useful stepping stone to ERM, there remain many large steps to move to ERM.  This is a result of three facts:

  • COSO Internal Control's five components include one on Risk Assessment, while COSO ERM devotes three of its eight components to Event Identification, Risk Assessment, and Risk Response;
  • SOX is focused on quarterly and annual financial reports, whereas COSO ERM is continuous;
  • SOX is focused on the financial / accounting department, whereas ERM is heavily structured around operations.

This important article gave me hope that Quality Managers and Engineers can move their QMS to a QMS/SOX system and then to a QMS/ERM system.  I am looking for case studies to help the quality community on this important journey.

Background: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published the Enterprise Risk Management Integrated Framework. The full framework can be ordered from COSO.
