Changing times call for changing approaches to enterprise risk management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released updated guidance for ERM in September 2017. The new guidance enhances COSO's 2004 ERM publication, Enterprise Risk Management-Integrated Framework, by providing additional detail organizations can use to strengthen enterprise-wide risk management procedures. The updates address evolving risks and help clarify the role ERM plays in strategy and performance.
Enterprise risk management and internal controls go hand in hand. COSO's updated guidance in Enterprise Risk Management: Integrating with Strategy and Performance even adopts a structure of components and principles, similar to the one used in COSO's internal control recommendations. To clarify that internal controls and ERM encompass different types of activities, the guidance removes some of the redundancies between COSO's internal control guidance and its ERM framework. It also further develops the governance recommendations for risk management.
The new guidance stresses how ERM can be used to create, preserve and realize value, and it emphasizes the importance of including ERM in all aspects of operations. ERM can support decision-making by ensuring that decisions are made with an understanding of how the risk associated with a decision fits within the organization's risk culture. Analyzing an acquisition in light of ERM, for example, may reveal that the deal is too risky for an organization's risk appetite.
Closely tied to decision-making and value is ERM's role in performance. The new guidance focuses on the role risk plays in business objectives and performance targets. It encourages organizations to identify the top risks that impact performance and determine the amount of risk tolerance that is acceptable for a given level of performance. Risk tolerance enables organizations to better assess whether changes in levels of performance are acceptable or whether the changing levels of performance may necessitate changes to the organization's risk profile. Included in the guidance are graphical depictions of risk profiles to help illustrate how risk can be connected to performance.
Risk management fails when a strategy is used that doesn't fit the organization. ERM should reflect an organization's risk profile and its core values and mission. Updates to COSO guidance stress the importance of an ERM strategy, and the updated guidance encourages organizations to consider the possibility of a strategy and business objectives not aligning, the implications from the strategy chosen, and the risks to executing strategy before deciding on a set approach to risk management.
How to Implement the New Guidance
COSO's ERM framework is not mandatory. It's designed to be a guide that organizations of all types and across all industries can use to help enhance their current ERM practices. It can hold significant benefits for organizations that implement it. Organizations can use it to connect enterprise risk management with stakeholder expectations. It also helps them position risk in the context of performance, rather than treating it as an isolated exercise.
By making risk management an integral part of your operating strategy, your company can get ahead of the issues that may impact operations. ERM can also identify changes that need to be made, which may present new opportunities to create value for your organization. For more information about ERM, please contact us.
Published on November 14, 2017