My 2 cents is an organization’s options are below, from cheap to complicated and more dollars.
- Use maturity model. A little input. A little output.
- Attend ERM events.
- Peer to peer review (I know several co’s that do this)
- Join an ERM group.
- Get ERM training (COSO Certificate, CRMP, CRMA, MS or MBA in ERM at St. John’s, or the new St. John’s ERM Certificate). Get customized ERM training.
- Self-assessment of ERM vs. COSO framework components and principles, or vs. ISO.
- Ask leaders and board what they want out of the process via survey; workshops.
- Deep dives on risk booms.
- Review or Audit of ERM by internal audit
- Review or Audit of ERM by external party
Finally, compare your process to what other companies disclose. In the US, read the proxy. But also read the European and Australian disclosures in the annual report. Their ERM disclosures are much better than those of US companies. Many disclose not only the board’s role but also how they are improving risk management and how they are managing the top risks.