The concept of Enterprise Risk Management (ERM) has received increased attention in recent years as a fundamental shift in the way companies approach risk. ERM is an all-encompassing approach to risk management and this can often make implementing ERM seem overwhelming. To make the process more palatable, the Commission of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private-sector financial reporting organization, has released the first ERM framework.
When compared to the traditional approach of addressing risks associated with accidental losses, ERM has a holistic approach that covers both insurable and traditionally non-insurable risks including financial, operations, strategic and other risks. The process applies to managing risk and also capitalizing on it for growth. Proponents say that ERM may improve capital efficiencies in that it provides an objective measure for allocating resources.
Sometimes called business risk management or strategic risk management, this systematic approach is attractive in that it ensures uniform risk identification and treatment throughout an organization. ERM is inherently collaborative and requires a risk team including accounting, marketing, research and development, treasury and operations management.
Released in September 2004, COSO's Enterprise Risk Management - Integrated Framework describes the essential components, principals and concepts of ERM for organizations of all sizes. It establishes a uniform language for identifying risks, avoiding pitfalls and seizing opportunities for growing shareholder value.
Eight interrelated components outlined in the Framework are:
- Internal Environment - Establishes the entity's risk culture by establishing a philosophy regarding risk management.
- Objective Setting - Involves setting objectives and forming a risk strategy. This step forms the risk appetite of an organization, how much risk management and the board members are willing to accept. Aligned with risk appetite is risk tolerance, the acceptable level of variation around objectives.
- Event Identification - Differentiates risks and opportunities by identifying events, occurring internally and externally, that may have a negative impact and those that may have a positive impact.
- Risk Assessment - Assesses the likelihood and impact that potential events could have on objectives. Involves qualitative and quantitative risk assessment methodologies.
- Risk Response - Identifies and evaluates possible responses to risk.
- Control Activities - Lays out policies and procedures at all organizational levels and in all functions, which help ensure that risk responses are carried out.
- Information and Communication - A form and timeframe to broadly communicate pertinent information enabling the risk management team to fulfill their responsibilities.
- Monitoring - Ongoing monitoring activities as well as specific planned evaluations determine the effectiveness of an organization's ERM.
The Framework also defines the roles and responsibilities of key ERM team members including management, board of directors, risk offices and internal auditors. For more information about the Framework and to order print or electronic copies, visit www.coso.org.