The COSO Enterprise Risk Management (ERM) Framework was released last week. It provides an excellent structure for compliance practitioners and businesses to think through the entire lifecycle of risk management. An Executive Summary is available at no cost by clicking here. The full ERM Framework can be purchased by clicking here. This blog post reviews the Executive Summary. I will review the full ERM Framework after I receive and digest it. Matt Kelly and I considered the Executive Summary of the ERM Framework in Episode 52 of Compliance into the Weeds.

As its name implies, it is a framework to consider risk, its assessment and monitoring and mitigation for businesses. As was noted by COSO in the introduction to the Executive Summary, the ERM Framework “is designed for boards and management in entities of all sizes. It builds on the current level of risk management that exists in the normal course of business. Further, it demonstrates how integrating enterprise risk management practices throughout an entity helps to accelerate growth and enhance performance. It also contains principles that can be applied—from strategic decision-making through to performance.”

The ERM Framework is visually represented by a double helix, which lays out the five Components.

The five Components are:

  1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
  2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
  5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

Laid out below each of the Components are 20 separate Principles which flesh out each Component. 

The Principles under Component I include the setting of corporate governance and company culture through the Board's exercise of risk oversight, the establishment of operating structures to manage risk, defining a company's culture around risk and risk appetite, demonstrating a company's core values around risk management, and attracting, developing and retaining individuals capable of fulfilling this mission.

The Principles under Component II include the company's strategy and objective-setting around risk. This is accomplished through analyzing the business context around risk and risk management, defining the company's risk appetite, evaluating different risk strategies and formulating the company's business objectives around risk and risk management.

The Principles under Component III include performance around risk: sufficient identification of risk to the entity, an accurate assessment of the severity of risk to the organization, prioritizing risk within your company for mitigation, implementing appropriate risk-based monitoring and risk mitigation strategies, and developing a view of the entire risk portfolio.

The Principles under Component IV include the review of risk to your organization, coupled with updating and revision: ongoing assessments of substantial change in an organization's risk profile, a periodic risk review and performance review of how an organization is handling risk, and finally an ongoing pursuit of improvement in the overall risk management health of the organization.

The Principles under Component V include the information, communication and reporting of risk to your organization: leveraging information and technology to more fully execute your risk management process, communicating the risk management process and information throughout the organization, and reporting on the company's risk, culture, and performance.

One of the key concepts put forward is that risk is something which should be managed throughout the organization. Everyone has a role to play, which sounds very similar to operationalizing risk management within an organization. The Executive Summary notes the role of the Board in risk management oversight. COSO believes a Board's risk oversight includes reviewing, challenging, and concurring with management on some or all of the following: the company's proposed strategy and risk appetite; the alignment of strategy and business objectives with the entity's stated mission, vision, and core values; the risk involved in significant business decisions, including mergers, acquisitions, capital allocations, funding, and dividend-related decisions; the response to significant fluctuations in entity performance or the portfolio view of risk; the response of the organization to instances of deviation from core values; approving management incentives and remuneration; and participating in investor and stakeholder relations.

The role of senior management is to "articulate how risk is considered in the selection of strategy or business decisions." This runs through the entire risk management process but is overlaid with issues around culture and governance. It requires feedback on the risks forecasted and assessed through a robust risk-based monitoring program, with that feedback incorporated back into the process going forward in a feedback loop.

As a company moves risk management through its organization, the process “can also enhance enterprise resilience—the ability to anticipate and respond to change. It helps organizations identify factors that represent not just risk, but change, and how that change could impact performance and necessitate a shift in strategy. By seeing change more clearly, an organization can fashion its own plan; for example, should it defensively pull back or invest in a new business? Enterprise risk management provides the right framework for boards to assess risk and embrace a mindset of resilience.” This will allow a much more nuanced and agile response to changing market conditions, changing regulatory conditions and other forms of risk which businesses face on a daily basis.

The COSO ERM Framework is a welcome addition to the library of every Chief Compliance Officer (CCO) and compliance practitioner and professional. As the compliance profession matures and deals with more and greater risks, this type of structured approach can help to drive forward the risk management process. A robust risk management process allows a company to take advantage of strategic risks for greater business efficiencies and profitability.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017