The ultimate goal of Enterprise Risk Management (ERM) is to evaluate total returns relative to total risks, leading to more informed business decisions. This questionnaire can be used when assessing an organization’s enterprise risk management strategy. It focuses on the internal environment, objective setting, event identification, risk assessment, risk response, control activities, and information and communication.
I. Internal Environment
1. What is the overall risk appetite of the organization?
2. How committed is the Board of Directors (BOD) to establishing a risk management philosophy?
3. Describe the organization's overall integrity and ethical values, and its commitment to competence.
4. Is the assignment of authority and responsibility over risks well managed? Who manages this process?
5. What is the organizational structure of the company and your department?
6. What HR standards related to risk management are currently in place?
II. Objective Setting
7. How well are strategic and related objectives defined?
8. How is the achievement of these objectives monitored?
9. What activities are on your risk management goal sheet for this year?
10. What does the company need to do well over the next year in order to succeed and reach its goals? What factors do you consider to be critical to your company’s success in the next year?
11. What areas would you like to see moved to the next level of performance?
12. What could prevent you from achieving your goals (e.g. people, processes, funding, etc.)?
III. Event Identification
13. How do internal and external forces impact the risk profile?
14. What other event identification techniques are in place (e.g. self-assessment, SOX, report review, trend reporting, fraud hotline, etc.)?
15. How are deficiencies captured and reported?
16. How does the organization distinguish between risks and opportunities?
IV. Risk Assessment
17. What do you perceive to be the largest risks to the company, in terms of significance and likelihood? See Protiviti Risk Model for examples.
18. What do you perceive to be the biggest risks within your area of control? Please provide examples.
19. Thinking of other areas within the company, how well do you receive information from the shared services groups (e.g. IT, Finance, HR)?
20. What additional information would you like to have accessible in order to help you better perform your management responsibilities?
21. In your opinion, what areas or processes are most susceptible to fraud?
22. Are you aware of any instances of fraud within your company? What/how/who?
V. Risk Response
23. How are risks monitored and reported within your organization?
24. How effectively are you managing identified risks?
25. What are you doing specifically to manage identified risks (e.g. financial statement variance reporting, trend reporting, credit reporting, insurance policies, legal, BOD involvement and reporting)?
VI. Control Activities
26. What is your assessment of the effectiveness of overall controls in preventing risks and carrying out risk activities within your organization?
27. How are control activities tested?
28. What type of review process takes place for policies and procedures?
29. What type of review process takes place for IT application controls and the IT general control environment?
30. What does the company do to address entity-specific controls?
VII. Information and Communication
31. How does the organization/your department capture information and communicate related risk?
32. What communications barriers are present within the organization?
33. What ongoing monitoring activities are in place (e.g. compliance monitoring, IA, risk management group, BOD monitoring, etc.)?
34. How are control-evaluation results communicated?