Understanding and implementing enterprise risk management.
Over the past few decades, enterprise risk management (“ERM”) has been receiving increased attention by boards and executives and has undergone a continuing evolution in its development and uses. Along the way, lessons have been learned and ERM has been better understood regarding its benefits, objectives, and role in the organization.
This COSO thought paper takes advantage of lessons learned and new guidance on enterprise risk management published by COSO to provide directors and executives with a better understanding of the role of enterprise risk management in creating and preserving value and its relationship to the key strategies of the organization. While not a detailed implementation guide, this paper includes overall guidance and an outline of succinct tangible steps that can used to implement an effective ERM program.
This thought paper outlines and provides clarity on the role and value of enterprise risk management to help directors and executives answer several key questions including:
- “What is the real value of enterprise risk management?”
- “What is its role and objectives?
- “What are practical steps that can be taken to implement enterprise risk management?
The business environment today is one in which boards of directors and senior management will continue to face rapid changes, complexities, and volatile risks. Such an environment, however, also presents them with significant new opportunities. Organizations can enhance their abilities to be successful in both addressing risks and taking advantage of opportunities by enhancing their enterprise risk management processes and integrating ERM fully into their strategy setting and performance processes. Enhancing their ERM processes starts witha clear understanding of the role of ERM in assisting the directors and management to make better decisions and achieve their strategy and business objectives. The updated COSO ERM Framework clarifies both the relationship between strategy and risk and that the objective of ERM is to assist the organization to achieve its strategy and business objectives. Understanding these two key points is not only critical for success but important in setting and communicating the risk culture of the organization.
The concepts, approach, and guidance outlined in this paper provides useful insights in how management and directors can take initial steps in implementing or enhancing their ERM processes in alignment with the new guidance. Together with COSO’s Enterprise Risk Management – Integrating with Strategy and Performanceand other COSO thought papers, this paper is a starting point and foundation for an effective ERM initiative. Any ERM initiative needs to be tailored carefully to the needs of a specific organization. The ideas and recommendations presented in this paper are neither intended to be, nor are they, the only way to implement an ERM initiative. The approach of this paper and the updated ERM Framework and related guidance provide the flexibility to tailor an ERM initiative and realize fully its benefits. Keep in mind the benefits of taking small, incremental steps and building a culture of continuous improvement.
Above all, keep the momentum going and help ensure that the organization will increase its chances of successfully achieving its strategy and business objectives though a robust management of the risks that could impair that achievement. The goal is to develop the momentum for ERM which will continue to expand and deepen the organization’s strategy setting, performance, and risk management processes in its pursuit of creating and protecting value.