4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 30

on various quantification techniques. When statistical tools and/or data are not available to quantify risks, subjective techniques are employed. The risk identification and quantification step is generally a bottom-up process, with information provided by each business unit. However, firms usually employ a risk management department or committee to inventory, collect, and measure or validate the quantification of risks. After risks are identified and their potential impacts quantified, the risks are assigned to the appropriate persons or departments in the organization to be dealt with in the following steps.

3.1.2. Establish Risk Tolerance and Policies

The second step in implementing an ERM framework is to define risk appetite and tolerance and then draft appropriate Risk Policies. Top-priority risks that emerge from Step One of the process should be addressed by the firm’s strategic plans. Furthermore, the strategic plan should identify the firm’s risk management objectives and risk tolerance. These plans, objectives, and the risk tolerance should then shape the way that key risks are managed throughout the firm. Risk Policies are developed to formalize and articulate the risk tolerance of the organization and to clearly identify the decision-making process and authority for individuals or committees within the firm to carry out transactions or business activities.
The elements of the organizational design may include the following:

• A senior risk officer (often the Chief Risk Officer, “CRO”) who has responsibility for a broad spectrum of risks throughout the organization and who often leads the Corporate or Enterprise Risk Management function (“CRM”, “ERM”)
• A Risk Management Committee (“RMC”) structure comprised of senior-level decision makers representing various responsibilities within the company, which may include Board- and Management-level committee members
• Positions within the business units that have responsibility for risk management
• Defined lines of reporting or communication to ensure an effective and comprehensive internal flow of risk information

The scope of risk issues that are the responsibility of the CRO may vary from company to company, but most encompass a broad enough scope to allow for the identification and assessment of the key drivers of firm performance. From an ERM perspective, the primary function of the CRO is to ensure that the elements necessary for an effective and efficient program are implemented and to oversee the ongoing process. Organizationally, the CRO may report to one of various senior management positions, but must report at a level in the organization high enough to give the position meaningful governance authority and to ensure appropriate separation of duties. The CRO should also have a reporting relationship to the Board of Directors, much as the firm’s internal auditor generally reports to the Audit Committee of the Board. Ultimately, the responsibility to inform the Board of significant risks rests with the CRO.

The Risk Management Committee provides oversight and governance of the company’s risk management functions. Composed of senior management, the committee reviews and approves corporate and business unit risk management policies, risk roles and responsibilities, risk limits