ERM is an acronym for “enterprise risk management” and refers to the processes put in place to minimize internal and external threats that a business may face.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ERM includes all the steps and procedures that a business needs to establish to handle unexpected risks and, at the same time, provide opportunities for value enhancement.
The Importance of ERM
There are various ways in which organizations can benefit from a robust ERM program. The program covers the governance, compliance, and risk cycle, ensuring the organization is well prepared for the threats and opportunities that can show up along the way.
Another benefit of ERM is related to compliance. For many companies, having an ERM strategy helps them to be compliant with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). Generally, your ERM program will be broader than the financial control requirements of the SOX 404.
Having a strategy, multidepartment communication, and management oversight helps to strengthen the SOX program. However, after coming up with your ERM strategy, there should still be appropriate follow-ups in the organization’s reporting structure.
Importance of the COSO ERM Framework
The COSO Enterprise Risk Management framework delegates the task of setting strategies for minimizing organizational risks and threats to the Management. Moreover, the team is required to come up with risk tolerance strategies that promote business growth.
As corporations strive to reach their business objectives and keep their promises to shareholders, they often have to manage various risks. The COSO ERM framework aims to help businesses to respond to risk in a manner that allows them to take advantage of unexpected opportunities while mitigating operational losses and surprises.
The COSO Framework guides Management in the creation of strategies that can be implemented based on the available resources and while staying within compliance requirements. The framework helps organizations to recognize their risk appetite and uncover alternative ways of managing it.
Accepting a risk means exposing the company to a potentially significant loss. Therefore, when you accept a risk, you need a well-laid out ERM plan. Entities with a clear view of their risk appetite will know how to handle it based on their business models.
Risk should be evaluated cumulatively to give Management an accurate picture of the losses the company can absorb. Understanding your risk capacity also makes it easier to plan for new opportunities, which in turn determine your capital requirements.
Components of Enterprise Risk Management
ERM can be divided into eight parts, all of which can be affected by the Management’s decision-making process. When coming up with an ERM program, it is essential to take a holistic approach to ensure you mitigate risks across the entire organization.
The components of ERM are:
i) Setting Objectives
Before developing your ERM, establish your business’ goals. Management should work together with the Board to establish the entity’s goals, missions, and metrics for success. These three can then be refined and aligned to the company’s risk appetite.
ii) Assessing Risk
The foundation of your ERM strategies will depend on risk assessment. To conduct a risk assessment, you must determine the likelihood and impact of each risk your company faces; these findings feed into the management program.
iii) Responding to Risk
After identifying the risks, come up with a response that will work to ensure the business achieves its objectives. Some of the appropriate responses you can have for different risks include reducing, accepting, avoiding or sharing.
For all responses, there should be pre-approved actions for managing the risk.
iv) Internal Environment
Create internal policies that will help to eliminate risk. The policies should promote integrity and efficiency in your work culture. Involve all the relevant stakeholders in the creation and implementation of the internal policies.
v) Identifying Events
After determining the risk appetite and the metrics for measuring success, review the events that could make the business fail to achieve its goals. The events, whether internal or external, should be classified as either risks or opportunities and then aligned to the overall strategy of the business.
vi) Control Activities
To identify events and respond to risks, there must be policies and procedures to guide you. The policies and procedures form the control activities to be initiated based on the type of event or risk identified.
vii) Information and Communication
There should be information flow across departments to ensure employees are carrying out their jobs properly to meet the overall business objectives. Information should also be communicated to employees in particular roles to ensure they are adhering to the best practices already established in the company.
viii) Monitoring Activities
Monitoring should be carried out continuously to keep abreast with the changing risks that the business faces. Monitoring should be done regularly by either internal or external auditors.
Role of the Auditor in ERM
The COSO ERM Framework requires companies to be audited by board or audit committee members. The auditors should check whether the implemented strategies are designed to address the threats faced by the organization effectively. Internal auditors can help to navigate, report, and recommend processes; for example, they could create benchmarks to be used in future ERM process audits.
You can also use various software programs to ease ERM. The software can provide employees with the information they need to maintain your corporate culture and ensure they are doing tasks that contribute to the overall goals of the business.
About the Author
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.