Making Sense of COSO, ERM and Business Risk Assessment

Every company is exposed to a wide range of risks, and it is crucial for an organization to understand and manage the risks it faces. But what is the right approach to identifying and managing your company's risks? Let's take a look at some of the basic principles and objectives of risk management, namely COSO, ERM, and business risk assessment, to see if we can provide some guidance.

What is COSO?

COSO is an acronym for the "Committee of Sponsoring Organizations" of the Treadway Commission. It is a joint initiative of five private-sector organizations that have come together to form a committee. Their purpose is to provide frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

In the Enterprise Risk Management (ERM) area, COSO issued its initial ERM framework, Enterprise Risk Management – Integrated Framework, in 2004. Since then the complexity of risk has changed and new risks have emerged. Therefore, on September 6, 2017, COSO released a new document, Enterprise Risk Management – Integrating with Strategy and Performance. The new document builds on its predecessor and is designed to help organizations create, preserve, and realize value while improving their approach to managing risk. It is forward-looking and integrates risk with business strategy, and it requires the involvement of senior management and the board in evaluating and considering risk.

Getting Everyone on the Same Page

The COSO framework is important because, in light of many corporate scandals and failures, there was a need for a risk management framework that provided clear direction and guidance as well as a common risk language. The framework was developed and written by PwC, a globally recognized professional services firm, with input from experts across business sectors, and it was subject to public comment. The purpose of the final document is to provide an accepted, common reference point for the practice of ERM.

What Is Enterprise Risk Management?

Taking risk can be viewed as the intentional interaction with uncertainty. Every organization is subject to a variety of risks. The important risks are those that would prevent a company from achieving its goals and objectives. A company should discuss and document its philosophy and appetite for taking risk in pursuit of those goals and objectives. An example would be a company deciding to grow by aggressively pursuing cutting-edge technologies in the alternative energy industry and stating that over the next five years it plans to invest in solar technology through internal research while pursuing wind power through an acquisition strategy. Once it has a statement like this, the company can better define the risk appetite and tolerance needed to accomplish that objective.

Speaking of appetite and tolerance, the two words have slightly different meanings in ERM. Appetite sets broad, non-numeric boundaries, such as investing in wind and solar power, investing in domestic projects, and using internally generated funds. Tolerance is more numeric and specific, such as not exceeding an investment of $5 million in any given solar project or not exceeding an annual budget of $100 million in the aggregate for wind power acquisitions.

COSO's definition of ERM looks to the strategy of the company and involves the board of directors, senior management and, as appropriate, the entire enterprise in managing risks that could prevent the company from accomplishing its goals and objectives. COSO ERM calls for developing a risk philosophy for the enterprise and expressing its appetite for taking risk within defined tolerances. These parameters give management guidelines for making decisions that keep the company on track as it pursues its overall strategy. ERM is an ongoing discipline in which businesses make decisions with the risks involved in those decisions in mind.

The objective of an ERM program is to provide management and the board of directors with reasonable assurance that the company’s goals and objectives will be achieved by identifying, evaluating, managing, reporting and monitoring risks in a timely manner for consideration and decision making.

What Is a Business Risk Assessment?

As a practical matter, a business risk assessment is the technique companies use most often. Non-financial companies are usually hesitant to invest the time and money to develop and maintain a full and formally documented ERM program. As discussed above, a full ERM program is an ongoing, comprehensive, boardroom-to-employee, culture-based, multi-year journey whose objective is to provide reasonable assurance to stakeholders that the company will achieve its goals and objectives.

A business risk assessment, on the other hand, is normally a point-in-time study of the company's risks and does not attempt to provide any specified level of assurance that the company's objectives will be achieved. It starts with an initial study (gathering and assessing risks), which is refreshed periodically, typically annually. The study also identifies the actions and controls necessary to mitigate the identified risks. These studies are very beneficial to management and the board. Some business risk assessments are more robust than others, and the COSO framework can help you decide how robust to make yours.

How Business Risk Assessments and ERM Complement Each Other

Looking at the ERM model below, a full ERM program would involve implementing each component in the image throughout your organization. It is a massive, ongoing effort. A business risk assessment is essentially a subset of an ERM program. It provides many tangible near-term benefits and can always be expanded into a more robust program when the company is ready.

There are eight components to the COSO ERM framework as outlined below, starting with "Internal Environment" and ending with "Monitoring": Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. ERM involves a full understanding and implementation of all eight components, while a business risk assessment usually involves the risk portion of the "Event Identification" component along with the "Risk Assessment" and "Control Activities" components. The other components are less formally involved in a business risk assessment.

COSO Risk Management Framework

In a business risk assessment, you can identify risks without formal objective setting. There are several published risk universes you can use to identify general risk categories. From there, you can work to assess and control the risks you have identified. A business risk assessment is intuitive: it requires you to (a) identify your risks and (b) assess those risks and review your controls for mitigating them. It is relatively straightforward.

The risks go into a report to senior management and the board. When it comes to the top 10 risks, management and the organization are generally well aware of them, and they control and monitor them to the extent they can, with some implicit appetite and tolerance even if those are not formally defined.

Choosing Your Path

Whichever path your company chooses, a full ERM program or a business risk assessment, it is important that you identify and continually monitor the company's risks. Don't assume that everyone already knows what they are and what is being done about them. Get a good handle on them by documenting and reporting them regularly so that you and your board understand what they are and how they are being managed.


Bill Dawson, CPA is a Principal and the service line leader for AC Lordi’s Risk & Compliance practice. He has a diverse background in accounting and reporting, tax, audit and business consulting with public and privately held domestic and multinational corporations. He served as VP of Internal Audit, and later as the VP of Corporate Income Tax for a $2+ billion specialty apparel retailer.  He also has 18+ years of Big 4 experience with PricewaterhouseCoopers, including as an Audit Partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients. Bill can be reached at or 610-738-0100.
