According to Lexicon Systems, LLC, this new strategic imperative has gained momentum. In a
single paragraph, Lexicon summarizes the activities of ERM, which will take organisations years and
years to accomplish, stating that organisations can support ERM solutions when they reach a certain
level of business and information maturity. When this occurs, they establish a “risk culture” and then
gather risk intelligence. The adoption of a process focused on GRC, as opposed to the “siloed”
issue-by-issue style, follows. In addition, they suggest that organisations establish a risk and
compliance architecture that considers the business processes, the people and the information
technology. Finally, the organisation commits and consistently trains its members on corporate
policies and procedures.
25
The CAS committee states that this involves continual scanning of the risk environment and
evaluating the performance of the risk management strategies. The results feed back into the context-setting step of the process, and the cycle repeats continuously.
26
In a generic sense, the ERM process is a reiterative process in which certain sequential activities are
carried out: establishing a context, then identifying events, analyzing and quantifying
risks, integrating risks, assessing and prioritizing risks, and finally treating risks and exploiting
opportunities. The monitoring and reviewing activities are continuous and run concurrently with these
other activities.