Recall that there are five components of the internal control framework. Likewise, there are five components of the ERM framework:

• Governance and Culture

• Review and Revision

• Information, Communication, and Reporting

• Performing

• Strategy and Objective-Setting

Fortunately, three of these are essentially the same as the internal control framework, meaning you don’t need to memorize five additional components. Discussing the three components which essentially mirror those in the internal control framework: The first one is named ‘Governance and Culture.’ This is nearly identical to the ‘Control Environment’ component of the internal control framework.

The second analogous component in the ERM framework is termed ‘Review and Revision.’

This aligns closely with the ‘Monitoring’ component of the internal control framework.

The third, ‘Information Communication and Reporting,’ parallels the ‘Information and Communication’ component of the internal control framework.

The fourth component, named ‘Performing,’ is a combination of the ‘Risk Assessment’ and ‘Control Activities’ components of the internal control framework. However, there is a significant difference. While the internal control framework employs internal controls to assist with its risks, the ERM framework adopts a much higher-level approach, examining a broad range of solutions to its risks, not only internal controls. Additionally, during the ‘Performing’ stage, the organization decides whether to avoid, accept, reduce, or share its risk.

The final ERM component is ‘Strategy and Objective Setting.’ Given that the ERM framework operates on a higher level than the internal control framework, it scrutinizes strategies and objective setting. During this stage, the organization determines its risk appetite, deciding how much risk it is willing to accept. Subsequently, the organization ensures that its strategies align The final ERM component is ‘Strategy and Objective Setting.’ Given that the ERM framework operates on a higher level than the internal control framework, it scrutinizes strategies and objective setting. During this stage, the organization determines its risk appetite, deciding how much risk it is willing to accept. Subsequently, the organization ensures that its strategies align well with its mission, vision, and core values. When evaluating the suitability of its strategies, it considers alternative strategies potentially better aligned with the company’s mission, vision,and core values.

These constitute the five components of the ERM framework. The ERM framework delves more deeply into risks and methods for mitigating them, focusing on aligning a company’s strategies with its risk appetite. Like the internal control framework, which contains 17 different principles to clarify its five components, the ERM framework also possesses 20 principles to provide more detail on its five components.