Enterprise Risk Management


Overview

Enterprise Risk Management (ERM) simply means that risk management is applied to the entire organization.

Frameworks published by COSO and ISO are the two dominant and most widely used risk management frameworks. These two frameworks talk about the same thing: value creation. But each has a distinct approach and structure. COSO answers "how can an organization achieve its objectives?" while ISO answers "how should an organization manage its risk?"

The difference in approach is understandable based on how these frameworks define risk. COSO defines risk as the possibility that events will occur and affect the achievement of objectives. The process of achieving the objectives is basically driven by culture. And the interaction of the people within the culture naturally brings about a risk management process to ensure that the organizational objectives are achieved. Hence, it treats the risk management process as a mere component of the ERM framework designed to achieve organizational objectives.

On the other hand, ISO defines risk as the effect of uncertainty on objectives. The effect can be positive or negative. And objectives can be applied at different levels.

Hence, ISO treats the risk management process as an integral part of all organizational activities. It provides a separate framework, whose purpose is not to assist the organization in achieving its objectives but to integrate risk management into significant activities and functions. ISO also provides an option to increase risk.

Nevertheless, the COSO and ISO frameworks are mere guidance. Each company can establish its own enterprise risk management framework tailored to its own needs.

Course Objectives

After studying this module, you should be able to
  • Examine the objectives, components, roles, and responsibilities of the 2017 COSO Enterprise Risk Management Framework;
  • Describe the benefits of the Enterprise Risk Management–Integrated Framework;
  • Compare the COSO risk management approach with ISO 31000 and the Turnbull guidance;
  • Explore the elements and the processes of the risk management processes that companies can adopt in establishing an effective risk management framework.

Course Materials

Governance & Culture

Governance guides the course of the organization, its external and internal relationships, and the rules, processes and practices needed to achieve its purpose.

Exercises Board Risk Oversight (Leadership and commitment)

Risk management begins at the highest level of the organization. The Board has the ultimate responsibility for all risks taken by the organization. The general responsibilities of the Board are to:
  • oversee that a sound ERM framework is in place;
  • formulate the Company's vision, mission, strategic objectives, policies and procedures that shall guide its activities, including the means to effectively monitor Management's performance;
  • provide oversight of the strategy and carry out governance responsibilities to support management in achieving strategy and business objectives;
  • define the company's level of risk tolerance;
  • be accountable for overseeing risk management;
  • ensure that risks are adequately considered when setting the organization's objectives;
  • understand the risks facing the organization in pursuit of its objectives;
  • ensure that systems to manage such risks are implemented and operating effectively;
  • ensure that such risks are appropriate in the context of the organization's objectives;
  • ensure that information about such risks and their management is properly communicated.
See SEC Code of Corporate Governance for the complete powers, duties, and responsibilities of the Board of Directors.

The Board should establish a separate Board Risk Oversight Committee that should be responsible for the oversight of a company’s Enterprise Risk Management system to ensure its functionality and effectiveness.

Establishes Operating Structures

Some key roles and responsibilities that are necessary to ensure effective ERM are summarized below.
  • Board of Directors. Provides an oversight role to risk management activities including the periodic review and approval of the ERM Policy, ERM Framework and ERM Process through the Board Risk Oversight Committee.
  • Board Risk Oversight Committee (BROC). Assists the Board in fulfilling its responsibility for oversight of the Group’s risk management activities.
  • President & Chief Executive Officer. Is the overall/comprehensive ERM executive; final enforcer of ERM strategies; heads the Risk Management Executive Committee.
  • Risk Management Executive Committee (RMEC). ERM think tank; defines risk priorities, aligning risk policies and strategies with overall company plan.
  • Chief Risk Officer. The ultimate champion of ERM at the company; develop, implement risk management process, tools and methodologies; analyze, develop and execute policies and report risks; submit risk report to the Board; assess company risk profiles.
  • Heads of subsidiaries, business units, projects. Business risk champions; support the RMEC in cascading the program to the various functional groups/business units and in assessing and reporting risks.
  • Risk Owners. Have the overall accountability for and ownership of the assigned risks and other risks in their functional areas of responsibility; manage risks at source.
  • Risk Agents (All Employees). Must regard risk management as part of their everyday activities; report emerging risks/opportunities to business risk champion. Everyone in an organization has responsibility for managing risk.
  • Internal Audit. Provides independent assessment of the ERM framework on a corporate-wide basis; review compliance and assurance.
Management structures translate governance direction into the strategy and associated objectives. Determining risk management accountability and oversight roles within an organization is an integral part of the organization's governance.

Defines Desired Culture

Defining the desired culture of the entity as a whole and of the individuals within is the responsibility of the board of directors and management.

An entity's culture influences how the organization applies the COSO ERM Framework: how it identifies risk, what types of risk it accepts and how it manages risk. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity. It reflects the mission, vision and core values of the organization: why an entity exists, who it is, what it intends to do and how it intends to do it.

The COSO ERM Framework focuses on culture as the main driver of risk management. It defines ERM as "culture" integrated with strategy-setting that organizations rely on to manage risk. The integration of enterprise risk management activities also helps organizations avoid a "siloed" risk management environment where separate parts of the organization undertake independent risk-related activities.

KPMG emphasizes the importance of establishing risk culture simply because culture drives how people think and what they do. Culture operates in the absence of formal direction, such as written policies and procedures, and influences what actually happens even when there is formal direction.

ISO does not provide a provision about defining the culture but requires that risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.

Demonstrates Commitment to Core Values

Core values are the entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.  Employees and leaders must constantly consider whether their actions support the organization’s core values.

The board must demonstrate clear support for ERM as an important strategy and governance process and provide clear direction and oversight to management’s ERM undertakings. It is the board’s responsibility to see that management is devoting the right level of attention, resources and priority to ERM and that actions are being taken to integrate ERM with the appropriate functions and processes across the organization.

Attracts, Develops, and Retains Capable Individuals

The board should see that an effective ERM leader is in place who is widely respected across the organization, knowledgeable about its businesses and strategies, and given the resources and support to accomplish the ERM effort.

Top management and oversight bodies, where applicable, should ensure allocation of appropriate resources for risk management, which can include, but are not limited to: people, skills, experience and competence; the organization’s processes, methods and tools to be used for managing risk; documented processes and procedures; information and knowledge management systems; professional development and training needs.

The organization should consider the capabilities of, and constraints on, existing resources.

Strategy & Objective Setting

Analyzes Business Context

The COSO ERM Framework defines business context as trends, events, relationships and other factors that may influence, clarify or change an entity's current and future strategy and business objectives. Business context can be external, such as political, economic, social, technological, legal and environmental forces, and internal, such as resources like capital, people, processes and technology.

ISO uses the term "external and internal context," which is defined as the environment in which the organization seeks to define and achieve its objectives. Establishing the context involves defining and understanding the internal and external parameters to be considered when managing risk.

Defines Risk Appetite (Risk Criteria)

The COSO ERM Framework defines risk appetite as the types and amount of risk, on a broad level, that an entity is willing to accept or reject in pursuit of value. It speaks of two concepts: first, the level of cost of treating the risk versus the cost of the risk happening; second, the potential losses versus the potential benefit.

Tolerance refers to the boundaries of acceptable variation in performance related to achieving business objectives.

Under ISO, risk criteria should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

Evaluates Alternative Strategies and
Formulates Business Objectives

The COSO ERM Framework defines strategy as the organization’s plan to achieve its mission and vision and to apply its core values while business objectives are those measurable steps the organization takes to achieve its strategy.

The organization assesses the risks and opportunities of different strategic alternatives. Included in the assessment are the following:
  • possibility that the strategy does not align with the mission, vision and core values of the entity
  • implications from the chosen strategy
  • risk to the chosen strategy
Performance

The risk management process may be applied at different levels so long as the risk affects the company's objectives. For example: at the organizational level, for key risks affecting strategy (e.g., risks relating to competition); at a divisional level (e.g., risk brought by supply shortages); and at a day-to-day operational level (e.g., the risk of a machine breakdown delaying production).

Risk Identification

In COSO, risk identification is a separate step from risk assessment, while ISO treats risk identification as part of risk assessment.

The purpose of risk identification is to find, recognize and describe risks (or opportunities) that might help or prevent an organization from achieving its objectives.

In identifying risk, it is also necessary to determine the sources, causes and drivers of risks, as well as the nature and root cause of the risk. Sources of risk can include events, decisions, actions and processes, both favorable and unfavorable, as well as situations that are known to exist but where outcomes are uncertain. ISO recognizes that events and consequences can have multiple causes or causal chains, and that risk can often only be controlled by modifying risk drivers.

Risk Identification Techniques

There is a variety of techniques that companies may use in identifying risks. These are also the techniques you encountered in your TQM/Project Management subject.

Workshops and interviews. Facilitator-led structured discussions to draw on the collective knowledge and experience of management, staff, and other stakeholders about events that may impact the achievement of entity or unit objectives.

Event inventories/checklists. Detailed list of potential events common to companies within a particular industry or to a particular process or activity.

Process flow analysis. Examines the combination of inputs, tasks, and responsibilities in a process; considers internal and external factors that affect inputs or activities within a process; identifies events that could impact the achievement of process objectives.

Risk Analysis (Assessing the Severity of Risk)

Severity means a measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.

At this stage, identified risks are translated into impacts at all levels of an organization (e.g., entity, business unit, division or other functional level) in order to determine whether the identified risks are relevant. A risk is relevant if it could impact the achievement of an entity's strategy or business objectives. Impact is the result or effect of a risk.

Qualitative Techniques

Risk analysis considers both the quantitative and qualitative impact and likelihood of a risk. Some quantitative and qualitative techniques are discussed in the succeeding paragraphs.

Qualitative techniques are often used to assess risks which do not lend themselves to quantification, when sufficient reliable data is not readily available to use a quantitative model, or when it is not cost-effective to obtain or analyze quantitative data. The most commonly used qualitative assessment techniques are interviews, cross-functional workshops, surveys, benchmarking, and event tree analysis.

Quantitative Techniques

Probabilistic or non-probabilistic models may be used to quantify risk. Probabilistic models associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Examples of probabilistic models include value at risk, cash flow at risk, earnings at risk, credit or loss distributions, or back-testing.

Risk Evaluation (Risk Prioritization)

Risk evaluation involves comparing the results of the risk analysis (level of risk) with the established risk criteria (against predetermined target risk levels and tolerance thresholds).

Some techniques for evaluating the significance of risk are: As Low As Reasonably Practicable (ALARP), Pareto charts, consequence/likelihood matrix (risk matrix or heat map), game theory, and cost/benefit analysis (CBA).

Risk Treatment (Risk Response)

For all risks identified, management selects and implements a risk response. The response options under the two frameworks are as follows:

COSO risk responses
  • Accept
  • Share
  • Avoid
  • Reduce
  • Pursue

ISO risk treatment options
  • Changing the likelihood; changing the consequences
  • Sharing the risk (e.g. through contracts, buying insurance)
  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Removing the risk source
  • Retaining the risk by informed decision
  • Taking or increasing the risk in order to pursue an opportunity

Review & Revision

Organizations should continually monitor for substantial changes in the internal or external environment to determine if any of these shifts trigger a change in an entity’s risk profile and require a response or decision from management.

The purpose of the review is to determine how well the enterprise risk management components are functioning over time and what revisions are needed. 

There is no particular requirement in ISO to assess substantial changes. ISO recognizes that risks are dynamic, but holds that a properly designed and implemented risk management framework will adequately capture changes in the external and internal contexts. The risk management framework should be improved to address external and internal changes.

In addition, ISO requires that monitoring and review take place in all stages of the process. This involves ongoing monitoring and periodic review of the risk management process. The outcome of the monitoring and review should be a planned part of the risk management process. The results of monitoring and review should be incorporated throughout the organization’s performance management, measurement and reporting activities.

Information Communication & Reporting

The risk owner is the central owner of risk information and communication. Top management and oversight bodies should ensure allocation of appropriate resources for risk management including information and knowledge management systems. The organization should establish an approved approach to communication and consultation in order to support the framework and facilitate the effective application of risk management. The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.

Communication on risk varies depending on the audience and the information needs of each stakeholder, whether internal or external.

Internal communication of risk information is critical to improving decisions relating to strategy-setting and day-to-day operations. Internal communication can help:
  • inform the board of directors and management how risks will impact the business strategy and objectives;
  • promote awareness of critical ESG-related risks to the entity;
  • encourage a culture of risk awareness and employee engagement throughout the organization.

External communications and disclosure on risks should align with an entity's mandatory and voluntary reporting obligations. External stakeholders are interested in understanding how an organization is managing its risks to create and maintain shareholder value.

References

Reading materials you may use in this course are the following: