Embracing Enterprise Risk Management: Practical - Coso
Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started
Overview and the Question of “Where to Start?”
The increased interest in and importance of enterprise risk management is being driven by many powerful forces. Most importantly, it is driven by the need for companies to manage risks effectively in order to sustain operations and achieve their business objectives. Other forces also come into play, including rating agency reviews, government regulations, expanded proxy disclosures, and calls by shareholders and governance reform proponents for improving the way risks are managed by organizations.
Any entity that is currently operational has some form of risk management activities in place. However, these risk management activities are often ad hoc, informal and uncoordinated. They are also often focused on operational or compliance-related risks and fail to focus systematically on strategic and emerging risks, which are most likely to affect an organization’s success. As a result, they fall short of constituting a complete, robust risk management process as defined by COSO (see definition of ERM below).
In addition, existing risk management activities often lack transparency. Transparency about how enterprise-wide risks are managed is increasingly being sought by directors and senior management, as well as various external parties seeking to understand an organization’s risk management activities. What’s more, existing risk management processes often are not providing boards and senior management with an enterprise-wide view of risks, especially emerging risks.
Unfortunately, many organizational leaders are struggling with how to begin in their efforts to obtain strategic benefit from a more robust enterprise-wide approach to risk management.
Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO’s Enterprise Risk Management – Integrated Framework (2004)
This leads to the question of “Where do we start?” Answering this question can be a major challenge for organizations where the perceived complexity of ERM or a lack of understanding of its strategic benefits may be barriers. At the same time, organizational pressures to reduce costs may prompt some decision makers to look at risk management as something that can be deferred or viewed as a lower priority, thereby setting the stage for unmanaged risk exposures that could seriously threaten the viability of the organization.
This COSO thought paper describes how an organization can start to move from informal risk management to ERM. We discuss the increasing importance of and focus on ERM and the need for all types of organizations to understand and embrace ERM. We also examine perceived barriers to starting ERM and how to work through those barriers.
The approaches described in this document are based on successful practices that organizations have used to develop an incremental, step-by-step methodology to start ERM. While this is not the only way to start an ERM initiative, this incremental approach is designed to be very adaptable and flexible. We suggest specific, tangible actions that organizations can use to get started in this thought paper’s three sections:
i. Keys to Success - Overarching themes to provide management with a strong foundation for an effective ERM program as they develop and tailor their specific approach to implementing ERM.
ii. Initial Action Steps - Action-oriented, “how to” steps to implement an initial ERM effort. These steps support development and implementation of a tailored ERM initiative.
iii. Continuing ERM Implementation - Next steps to further develop and broaden the organization’s initial ERM effort.
www.coso.org