According to the COSO’s ERM Integrated Framework, ERM is "a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
• SOX Background
• Internal Controls
• SOX and derivatives reporting
There are five key aspects of addressing risk:
• Tolerate
• Treat
• Transfer
• Terminate
• Take the opportunity
The option of 'treat' in addressing risk can be broken down into five different types of controls:
• Preventive controls
• Detective controls
• Corrective controls
• Directive controls (to ensure that a particular outcome is achieved)
The IIA and the COSO define Internal Control as an integral component of an organization's management that provides reasonable assurance that the following objectives are being achieved:
• effectiveness and efficiency of operations,
• reliability of financial reporting, and
• compliance with applicable laws and regulations.
Internal control is a continuous, built-in component of operations. It is effected by people and provides reasonable assurance, not absolute assurance, at unit, division and group-wide levels. It is based on five standards:
• Monitoring
• Information and Communications
• Control Activities
• Risk Assessment
• Control Environment
As the COSO/IIA's graph (© COSO and IIA) shows, these initial standards have been reinforced by the ERM framework, which defines essential components, suggests a common language, and provides clearer direction and guidance.
Applying the ERM framework is a structured process. It begins with objective setting: management determines the purpose of risk taking, the risk appetite, and the risk tolerance (the acceptable level of variation around objectives), which must be aligned with the risk appetite. The next step is to differentiate risks from opportunities; in other words, to ask how internal and external events affect the organization and change the risk appetite. This is called risk identification.
The risk assessment process determines the actual impact and magnitude of risk events as well as their likelihood (frequency, time horizon). Where risk is quantifiable, metrics such as standard deviation, value at risk and earnings at risk can be applied. Qualitative assessment is just as important for inherent and residual risks that cannot be captured by such metrics. Once a risk has materialized or been detected, how should the company respond? Risk response calls for an evaluation of the options and their ramifications, and for examining whether the risk can simply be minimized (i.e. some losses accepted) or completely eliminated. However, prevention is better than cure. This is achieved with control activities, which ensure that management directives are executed. They include activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, the safeguarding of assets, and the segregation of duties, supported by general information technology controls.
A risk management framework cannot function without an effective information, communication and monitoring system. Communication occurs in a broad sense, flowing down, across, and up the organization. The flow must also provide the means to communicate information with customers, suppliers, regulators, and shareholders. Internal control can become obsolete as the business environment and financial conditions change. Monitoring allows the internal control process to react to the company's changing conditions. This is accomplished through management's ongoing assessment of the performance of internal control.