COSO’s Enterprise Risk Management – Integrated Framework
Why Has COSO Prepared this ERM Framework?
Several recent high-profile business scandals and failures have caused investors, politicians, and businesses to demand enhanced corporate governance and risk management techniques. This demand is seen most clearly in the Sarbanes-Oxley Act of 2002. Public companies are now required to test and certify their internal controls over financial reporting. ERM is a relatively new management technique and differs across companies and industries. The goal of the ERM framework is to provide companies with key principles and concepts, a common language, and clear direction and guidance regarding the management of enterprise risks. Additionally, companies may look to this ERM framework both to satisfy their internal control needs and move toward a fuller risk management process. This ERM framework incorporates adequate financial internal controls as a component of enterprise risk management.
Who Are the Likely Readers?
In the framework COSO defines the likely readers as follows:
Board of Directors- This framework conveys the importance and value of enterprise risk management. After reading this, boards will have a better understanding of enterprise risk management, aiding them in their company oversight.
Senior Management- This framework suggests that chief executives assess the organization’s enterprise risk management capabilities. This initial assessment will determine whether there is a need for, and how to proceed with, a more in-depth evaluation.
Other Entity Personnel- Managers and other personnel need to consider how they are conducting their responsibilities in light of this framework. Internal auditors should consider the breadth of their focus on enterprise risk management.
Regulators- This framework helps to consolidate the different views of enterprise risk. Regulators may refer to this framework in establishing expectations for the entities they oversee.
Professional Organizations- Rule-making and other professional organizations providing guidance on financial management, auditing and related topics should consider their standards and guidance in light of this framework.
Educators- This framework might be the subject of academic research and analysis, to see where future enhancements can be made. ERM concepts and terms should also be incorporated into university curricula.
What Is ERM?
“ERM is a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
ERM is based on the premise that every entity exists to provide value for its stakeholders. Basic business principles suggest that the greater the risk associated with a decision, the greater the potential return that decision will yield. Uncertainty presents both risk and opportunity. Risk can decrease value while an opportunity has the potential to enhance value. All entities face uncertainty and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. ERM enables management to identify, assess, and manage these risks in the face of uncertainty. Under ERM, management is able to assess risk on an enterprise-wide basis. Traditionally, entities have viewed and assessed risk under a silo method where many different managers would view and monitor their specific risks. However, these risks span different business functions and should not be monitored in isolation. Under ERM, management assesses and monitors risk from a high-level, or portfolio, view. This allows management to first identify risks and then analyze the enterprise-wide effects of these risks.
Under the COSO framework, ERM is geared to achieving an entity’s objectives, set forth in four categories:
- Strategic- These objectives are high level and are aligned with an entity’s mission.
- Operations- These objectives refer to the effective and efficient use of resources.
- Reporting- These objectives surround an entity’s need for reliable reporting.
- Compliance- These objectives refer to an entity’s need to comply with applicable laws and regulations.
Managing risks in these four categories within an entity’s risk appetite will aid in the creation of stakeholder value.
Why Should an Entity Consider ERM?
Entities operate in environments where factors such as globalization, technology, restructurings, changing markets, competition, and regulation create uncertainty. This uncertainty creates risks. ERM allows entities to manage risks to within their risk appetite (defined below). As a result, entities are able to provide maximum value to stakeholders with reasonable assurance that risks outside their risk appetite will be prevented. ERM will help prevent future business failures and scandals. Also, a company correctly utilizing ERM will satisfy the requirements set forth by the Sarbanes-Oxley Act regarding adequate financial statement internal controls.
Who Are the Leaders of an ERM Effort Within an Organization?
Members of top management play a critical role in ERM. Currently, some large companies are creating a Chief Risk Officer position to oversee ERM. Others are having their internal audit function coordinate ERM implementations. Regardless of who is exactly implementing ERM, top management must express a strong desire to implement ERM. This desire and the importance of ERM must then be spread throughout an organization. To some extent every member of an organization plays a role in ERM and can affect the organization’s risks.
Top management must be ethical. Management integrity is a prerequisite for ethical behavior. The effectiveness of ERM cannot rise above the integrity and ethical values of people who create, administer, and monitor entity activities. Management must appear ethical to company personnel and stress the importance of being ethical. If management appears unethical, company personnel may follow their example and begin to make unethical business decisions.
How Should ERM Relate to an Entity’s Strategy?
ERM should directly influence an entity’s strategy. An entity’s mission sets the overarching goals of an entity. From this, management sets its strategic objectives. Strategic objectives are high-level goals. It is important that strategic objectives are aligned with an entity’s mission. They reflect management’s choice as to how the entity will attempt to create value for its stakeholders. Management then considers alternate ways to achieve its strategic objectives through different strategy choices. Management uses ERM to evaluate risks associated with each strategy alternative. Prior to finalizing an entity’s strategy, management must determine that their strategy is within their overall risk appetite. Focusing on strategic objectives and strategy allows an entity to develop related objectives at the entity level. Entity-level objectives are linked to and integrated with more specific objectives (i.e. operations, reporting, and compliance). These specific objectives are broken down further into sub-objectives established for various activities, such as sales, production, and infrastructure functions.
What Are the Eight Key Components of the COSO ERM Framework?
COSO’s ERM-Integrated Framework consists of the following eight components:
1. Internal Environment- Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. It is critical that upper management express the importance of ERM throughout all levels of an entity.
2. Objective Setting- Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification- Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.
4. Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.
5. Risk Response- Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities- Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and Communication- Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
8. Monitoring- The entirety of ERM is monitored, and modifications are made as necessary. In this way, it can react dynamically, changing as conditions warrant.
Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
Risk Appetite is the amount of risk, on a broad level, an entity is willing to accept as it tries to achieve its goal and provide value to stakeholders. It reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many entities define their risk appetite qualitatively, while others take a more quantitative approach.
Risk Tolerance is the acceptable level of variation relative to achievement of a specific objective. This variation is often measured using the same units as its related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Therefore, an entity operating within its risk tolerances is operating within its risk appetite.
Risk Culture is the appearance and attitude of management regarding ERM that is conveyed to entity personnel. Are management’s actions aligned with the implemented ERM strategies?
What Is Meant by Assessing Risk “Likelihood” and “Impact”?
Likelihood is the possibility that an event may occur. Likelihood can be described using qualitative terms such as high, medium, and low. Alternately, likelihood can be described using quantitative measures such as a percentage and frequency.
Impact represents the effect that a given event will have on an entity. Impact can be described both qualitatively and quantitatively. Entities often describe events based on severity, consequences, or dollar amounts.
Management is most concerned with events that have a high likelihood and high potential impact.
What Is Meant by “Inherent Risk” and “Residual Risk”?
Inherent risk is the risk to an entity in the absence of any actions management might take to alter the risk’s likelihood or impact. These risks may result from an entity’s industry, strategy, and environmental factors.
Residual risk is the risk that remains after management’s response to the risk. Management must decide whether this residual risk is within the entity’s risk appetite.
What Is a “Risk Map”?
A risk map is a graphic representation of likelihood and impact of one or more risks. Risk maps may plot quantitative or qualitative estimates of risk likelihood and impact. Often, risk maps are referred to as “heat maps” since they present risk levels by color, where red represents high risk, yellow moderate risk, and green low risk.
What Are “Event Inventories” and “Leading Event Indicators”?
During the event identification process management identifies events that, if they occur, will affect the entity. Events that have positive effects represent opportunities and those with negative effects represent risks.
Event inventories are detailed listings of potential events common to a company in a particular industry. Software products can generate a generic list of potential events. Often, entities will use this software as a starting point in the event identification process.
Leading event indicators are found by monitoring data correlated to events. Entities can create a list of conditions that could give rise to an event. Entities can monitor indicators to help mitigate risks.
What Are the Four Risk Responses?
Avoidance is a response where you exit the activities that cause the risk. Some examples of avoidance are exiting a product line, selling a division, or deciding against expansion.
Reduction is a response where action is taken to mitigate the risk likelihood and impact.
Sharing is a response that reduces the risk likelihood and impact by sharing a portion of the risk. An extremely common sharing response is insurance.
Acceptance is a response where no action is taken to affect the risk likelihood or impact.
How Does the ERM Framework Reconcile to the COSO Internal Control- Integrated Framework?
In 1992, COSO issued the Internal Control – Integrated Framework. This framework provides tools to evaluate internal control systems. It is based on five interrelated components. ERM expands on internal controls by focusing on risk from a portfolio perspective. For example, the Internal Control- Integrated Framework specifies three categories of objectives – operations, financial reporting, and compliance. ERM includes these three categories and expands the reporting objective. While the Internal Control- Integrated Framework is concerned with published financial statements, ERM is concerned with reports, both internal and external, generated across the entire entity. Also, ERM adds an additional category of objectives, namely, strategic objectives, which are based on an entity’s mission. ERM requires that strategic objectives align with operations, reporting, and compliance objectives.
ERM also expands on the Internal Control- Integrated Framework’s risk assessment component by dividing it into four components: objective setting, event identification, risk assessment and risk response. Both frameworks acknowledge that risks are found at all levels of an entity and result from internal and external factors. However, ERM discusses the concept of potential events. It recognizes that events can have positive and negative effects. ERM also further explores what triggers events to help minimize risk and maximize potential benefits. Risk assessment is a more detailed process under ERM. It looks at risk on a residual and inherent basis, and describes how a risk can create multiple risks across an entity. Lastly, risk response options are more detailed under ERM.
ERM also expands on other components of the Internal Control- Integrated Framework. ERM stresses that in some cases control activities themselves serve as a risk response. ERM also expands on the information and communication component by focusing on data derived from past, present and future events. Combined, these three types of data allow an entity to identify events and respond as necessary to remain within its risk appetite. Overall, COSO has used the Internal Control- Integrated Framework as a foundation in the creation of their Enterprise Risk Management- Integrated Framework.
Source: COSO’s Enterprise Risk Management – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), New York, NY, September 2004 (see www.coso.org)