Enterprise Risk Management
JC Jones offers Risk Management services to ensure an entity incorporates risk evaluation as part of developing and executing its strategy. Working with management, we design processes that help to identify potential events that may affect the entity and to manage risks within its risk appetite. This increases the likelihood that an entity is able to achieve its overall objectives.
Enterprise Risk Management Services
Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
Enterprise Risk Management (ERM) supports value creation by enabling management to deal effectively with potential future events that create uncertainty and to respond in a manner that reduces the likelihood of downside outcomes.
Enterprise Risk Management Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations (AICPA, AAA, FEI, IMA, IIA) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
The COSO ERM framework:
- Defines essential components of risk management,
- Suggests a common language, and
- Provides clear direction and guidance for enterprise risk management.
COSO defines Enterprise Risk Management as:
- A process,
- Effected by an entity’s board of directors, management and other personnel,
- Applied in strategy setting and across the enterprise,
- Designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite,
- To provide reasonable assurance regarding the achievement of entity objectives.
It is important that any ERM process is supported, and owned, by Senior Management. After all, identifying risks and establishing risk appetite are their responsibility. The tone for any ERM initiative must therefore be set at the top, and the initiative must take a holistic approach rather than be an event-based activity. Risk management should be incorporated into the strategic, tactical and operational initiatives of the organization.
Some Questions to Ask Yourself
- Does your organization have a common definition of risk?
- Is there strong risk governance, infrastructure and ownership?
- Does unmitigated residual risk appear to be within the appetite of the company, for that type of risk? Has it been effectively communicated?
- Does the risk analysis encompass likelihood and impact?
- How are risk assessment and planned mitigation steps communicated? To whom? How frequently?
- How are high risk decisions approved? Is there a policy and is it followed?
- Do results of risk assessment align with public risk disclosures?
- Are the board and executive management satisfied with the risk management activities?
If you are unsure of the answers, or if the answer to many of these questions is “No”, it may be time to evaluate an ERM approach in your organization.