In the Executive Summary of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ERM refers to the strategies an organization implements to handle risk and uncertainty in a way that creates new opportunities and enhances value.
The COSO framework outlines the roles that Management should play in an organization. According to the framework, Management should set objectives and initiate strategies that minimize threats while at the same time tolerating the risks that lead to growth of the business. To set goals, Management has to follow specific strategic, operational, reporting and compliance guidelines.
Goals of the COSO ERM Framework
Developing risk management strategies and evaluating alternative options is vital to managing risk appetite.
Organizations need flexible strategies that guide their risk tolerance while reducing unexpected losses and surprises. To determine which capital-intensive opportunities are worth pursuing, it is critical to identify and manage risks across the board. By creating strategic objectives that align with available resources, companies can effectively manage their risk and report to customers.
By determining the risk tolerance of your organization, it becomes easier to understand, reduce, avoid and accept the risks of your business model. However, accepting a risk also means accepting the loss it may bring, which you have to consider as part of your ERM strategy.
When evaluating your business risks, consider all areas that could be affected. You can better decide the opportunities to pursue and where to allocate capital when you know the extent of risk you can tolerate.
Components of Enterprise Risk Management
When establishing an ERM strategy, it is critical to consider all your business processes and approach risk in a holistic manner. There are eight facets of ERM that can guide you in the decision-making process.
- i) Objective Setting
Consider your business goals to determine the extent of risk you can accept or deny. The Management should work together with the Board of Directors to come up with the company’s objectives as well as success metrics for evaluating risk tolerance.
- ii) Risk Assessment
Any ERM strategy is built upon risk assessment. Evaluate your organization’s short- and long-term goals and processes to determine what kind of risk management program would be suitable for implementation.
- iii) Risk Response
After identifying the core and non-core risks that your business faces, as well as their impact, come up with appropriate response measures. The responses can involve sharing, reducing, avoiding or accepting the risk. It is critical to have clear-cut steps for managing risk.
- iv) Internal Environment
Evaluate the internal environment of your organization to gauge how it can contribute to risk. For example, come up with policies that guide the ethics and integrity of your employees. Strive to create a corporate culture that recognizes and encourages ethical operations.
- v) Event Identification
After determining the amount of risk the organization can tolerate and the success metrics to measure, review the events that are likely to affect meeting the goals. The events, which can be either internal or external, should be classified as either risks or opportunities and aligned with the overall strategy of the organization.
- vi) Control Activities
All organizations should implement specific policies that guide them in identifying risk events and responding to them. These policies should spell out the procedure to be followed when initiating responses.
- vii) Information and Communication
Employees should carry out their tasks based on their roles and job objectives. Collect and share information so that your employees know what is expected of them. Organizational performance information should be drilled down to departments and roles to ensure employees follow the appropriate business practices in their particular divisions.
- viii) Monitoring
Monitoring can be done in different ways, including both internal and external audits. Monitoring should be an ongoing process. Make sure you monitor the ERM program and adjust the objectives of your strategy as risks change.
Role of the Auditor in ERM
The board and audit committee should constantly be evaluated to ensure they are effectively addressing the threats that the organization faces.
Internal auditors should follow the benchmarks set in the COSO ERM Integrated Framework to assess the ERM processes. For example, the auditors can help with tasks such as evaluation, reporting and recommendations as outlined in the COSO ERM Framework.
The Importance of ERM
Organizations need robust, ongoing governance, risk and compliance management strategies. These requirements can be met in different ways through the establishment of an ERM program. For most organizations, implementing primary ERM strategies will help them comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX).
A general ERM program covers more than the financial activities in your organization. To ensure proper controls in your organization’s structure, you need to implement a strategy that includes management oversight and departmental communication.
About the Author
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Read more at ReciprocityLabs.com.