Embracing Enterprise Risk Management: Practical - Coso

Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | iii
Overview and the Question of “Where to Start?”
The increased interest in and importance of enterprise risk
management is being driven by many powerful forces. Most
importantly, it is driven by the need for companies to manage
risks effectively in order to sustain operations and achieve
their business objectives. Other forces also come into play,
including rating agency reviews, government regulations,
expanded proxy disclosures, and calls by shareholders and
governance reform proponents for improving the way risks
are managed by organizations.
Any entity that is currently operational has some form of
risk management activities in place. However, these risk
management activities are often ad hoc, informal and
uncoordinated. And, they are often focused on operational
or compliance-related risks and fail to focus systematically
on strategic and emerging risks, which are most likely to
affect an organization’s success. As a result, they fall short
of constituting a complete, robust risk management process
as defined by COSO (See definition of ERM below).
In addition, existing risk management activities often lack
transparency. Transparency about how enterprise-wide
risks are managed is increasingly being sought by directors
and senior management, as well as various external parties
seeking to understand an organization’s risk management
activities. What’s more, existing risk management processes
often are not providing boards and senior management with
an enterprise-wide view of risks, especially, emerging risks.
Unfortunately, many organizational leaders are struggling
with how to begin in their efforts to obtain strategic benefit
from a more robust enterprise-wide approach to risk
management.
Enterprise risk management is a
process, effected by an entity’s
board of directors, management,
and other personnel, applied in
strategy setting and across the
enterprise, designed to identify
potential events that may affect
the entity, and manage risk to be
within the risk appetite, to provide
reasonable assurance regarding the
achievement of entity objectives
COSO’s Enterprise Risk
Management – Integrated
Framework (2004)
This leads to the question of “Where do we start?”
Answering this question can be a major challenge for
organizations where the perceived complexity of ERM or
a lack of understanding of its strategic benefits may be
barriers. At the same time, organizational pressures to
reduce costs may prompt some decision makers to look
at risk management as something that can be deferred or
viewed as a lower priority, thereby setting the stage for
unmanaged risk exposures that could seriously threaten the
viability of the organization.
This COSO thought paper describes how an organization
can start to move from informal risk management to ERM.
We discuss the increasing importance of and focus on ERM
and the need for all types of organizations to understand
and embrace ERM. And, we examine perceived barriers to
starting ERM and working through those barriers.
The approaches described in this document are based
on successful practices that organizations have used to
develop an incremental, step-by-step methodology to start
ERM. While this is not the only way to start an ERM initiative,
this incremental approach is designed to be very adaptable
and flexible. We suggest specific, tangible actions that
organizations can use to get started in this thought paper’s
three sections:
i. keys to Success - Overarching themes to provide
management with a strong foundation for an effective ERM
program as they develop and tailor their specific approach
to implementing ERM.
ii. initial Action Steps - Action oriented, “how to” steps
to implement an initial ERM effort. These steps support
development and implementation of a tailored ERM initiative.
iii. Continuing ERM implementation - Next steps
to further develop and broaden the organization’s initial
ERM effort.
w w w . c o s o . o r g