Changing times call for changing approaches to enterprise risk management. The Committee of the Sponsoring Organizations of the Treadway Commission (COSO) released updated guidance for ERM in September 2017. The new guidance enhances COSO's 2004 ERM publication, Enterprise Risk Management-Integrated Framework by providing additional detail organizations can use to enhance enterprise-wide risk management procedures. Updates address evolving risks and help clarify the role ERM plays in strategy and performance.
Enterprise risk management and internal controls go hand-in-hand. COSO's updated guidance in Enterprise Risk Management: Integrating with Strategy and Performance even adopts components and principles, a structure that is similar to COSO's internal control recommendations. To clarify that internal controls and ERM encompass different types of activities, the guidance removes some of the redundancies between COSO's internal control guidance and its ERM framework. It also further develops the governance recommendations for risk management.
New guidance stresses how ERM can be used to create, preserve and realize value, and it emphasizes the importance of including ERM in all aspects of operations. Decision-making can be helped by ERM so that decisions are made with an understanding of how the risk associated with a decision fits in with the organization's risk culture. Analyzing an acquisition in light of ERM, for example, may reveal that the deal is too risky for an organization's risk appetite.
Closely tied to decision-making and value is ERM's role in performance. The new guidance focuses on the role risk plays in business objectives and performance targets. It encourages organizations to identify the top risks that impact performance and determine the amount of risk tolerance that is acceptable for a given level of performance. Risk tolerance enables organizations to better assess whether changes in levels of performance are acceptable or whether the changing levels of performance may necessitate changes to the organization's risk profile. Included in the guidance are graphical depictions of risk profiles to help illustrate how risk can be connected to performance.
Risk management fails when a strategy is used that doesn't fit the organization. ERM should reflect an organization's risk profile and its core values and mission. Updates to COSO guidance stress the importance of an ERM strategy, and the updated guidance encourages organizations to consider the possibility of a strategy and business objectives not aligning, the implications from the strategy chosen, and the risks to executing strategy before deciding on a set approach to risk management.
How to Implement the New Guidance
COSO's ERM framework is not mandatory. It's designed to be a guide that organizations of all types and across all industries can use to help enhance their current ERM practices. It can hold significant benefits for organizations that implement it. Organizations can use it to connect enterprise risk management with stakeholder expectations. It also helps them position risk in the context of performance, and not just an isolated exercise.
By making risk management an integral part of your operating strategy, your company can get ahead of the issues that may impact operations. ERM can also identify changes that need to be made, which may present new opportunities to create value for your organization. For more information about ERM, please contact us.
Published on November 14, 2017
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.