1.1 The purpose of this document is to provide guidelines and a common approach for enterprise risk management (ERM) throughout government, private, public, and non-profit organizations to ensure continuity and resilience. The application of these guidelines can be customized to any organization and its context.
1.2 Organizations of all types and sizes face external and internal factors of uncertainty that impact their ability to achieve their objectives.
1.3 The purpose of enterprise risk management is the creation and protection of value. When applied, enterprise risk management improves organizational continuity, improves operational performance, encourages innovation and supports the achievement of the organization’s mission and objectives.
1.4 Managing risk throughout the enterprise is iterative and assists organizations in setting strategy, prioritizing efforts, managing financial constraints, achieving objectives, and making informed decisions at all levels.
1.5 The enterprise risk management approach can be applied to any type of risk and is not industry or sector specific.
References: GAO, Standards for Internal Control in the Federal Government (Green Book); ISO 31000 (Risk Management); ISO 9000:2015 (Quality Management Systems (QMS)); ISO, The Integrated Use of Management System Standards; OMB Circular A-11 for Strategic Reviews; OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and Conformity Assessment Activities; and OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.
Enterprise Risk Management (ERM) is an organizational process that allows management to identify, prioritize, and mitigate risks across a broader spectrum of activities than traditional risk management, and to evaluate the impact of risks that can adversely affect the accomplishment of an organization's mission(s). ERM thereby provides the foundation for strategic-level decision-making across organizational departments and "silos" and removes the problems those silos create in this regard. In addition to internal risks, ERM considers external risks, combinations of the two, and external factors such as natural and economic failures, which can multiply the negative impacts associated with the risks.

Integrating ERM with resilience allows management to identify risks that can adversely affect the effective administration of agency, organizational, departmental, and workforce policies. With an ERM guide, agencies, organizations, departments, and workforce champions will be better positioned to promote and absorb ERM foresight, and will have a more effective decision-making framework and a sounder basis for implementation-related decisions. Many organizations maintain multiple or separate continuity-of-operations strategies, succession plans, and risk mitigation plans that may not reflect ERM and resilience. Developing effective, comprehensive ERM plans would therefore allow management to respond more quickly and effectively to risks facing the organization.

Several methodologies exist for addressing risk management, but a clear distinction among them, and guidance on their applicability to enterprise-wide governance documents that reference voluntary consensus standards, conformity assessment, federal guidance, and internal controls, would benefit all stakeholders.
It would be advantageous to have an ASTM standard guide that provides recommended practices for cooperation and coordination across organizations with respect to ERM and resilience integration, creating a more effective and consistent approach.
The title and scope are in draft form and are under development within this ASTM Committee.
Date Initiated: 06-08-2021
Technical Contact: Phillip Selleh
Item: 001
Ballot: E54.02 (24-01)
Status: In Balloting