All companies face and manage a variety of risks every day. Some risks are extremely important and others not so much. So how do you know which ones are which? Having a good enterprise or business risk management program helps to identify, measure and prioritize the organization’s risks. This is best done using a defined methodology and with the oversight of senior management and the Board of Directors. Additionally, a good ERM program promotes a common understanding within the organization of the company’s risks and their potential consequences.
The Difference between Risk Management and Enterprise Risk
It is important to distinguish between risk management or loss prevention and enterprise risk management (ERM). Risk management tends to be focused on known loss exposure areas (e.g., currency, commodity, fire, explosion, business interruption). Whereas, enterprise risk expands the province of risk management to define risk as “the possibility that events will occur and affect the achievement of the company’s strategy and business objectives”.
The Enterprise Risk Management Framework
The primary drivers for much of the public discussion around enterprise risk management over the years, are the many corporate scandals and failures that have caused losses to unsuspecting stakeholders (e.g., employees, management, lenders, shareholders, suppliers, customers). Many questions have arisen as to why boards of directors are not properly informed about the company’s risks and how they are being managed and reported. Proper identification and reporting can assist in making informed decisions about exposures. Some boards have heard or read about their company’s failure from the news, while not appreciating the severity or timing of the risks that caused the failure. Neither the SEC nor the stock exchanges currently require a company to have a formal ERM program.
In response to the many corporate scandals and failures, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission entered the picture realizing that there wasn’t a common reference point for companies to refer to in establishing and maintaining a good ERM program. In 2004, COSO issued their initial ERM Framework, Enterprise Risk Management – Integrated Framework to the public. Since then, the complexity of risk has changed and new risks have emerged; therefore on September 6, 2017 COSO released a new document, Enterprise Risk Management – Integrating with Strategy and Performance. The new document builds on its predecessor and is designed to help organizations create, preserve and realize value while improving their approach to managing risk. The new document is forward looking and integrates risk with business strategy. It requires the involvement of senior management and the board in the risk evaluation and consideration process.
Why Every Company Needs an ERM Program
Without a formal and ongoing ERM program, management cannot be sure that all the important risks and opportunities of the company have been identified, inventoried, assessed, reported and managed to the company’s desired risk appetite or tolerance. The company may want to accept certain risk and limit exposure to others. It is best when risk is understood and aligned with strategy and performance.
A few questions your ERM program should be able to answer are:
- What are your company’s risks?
- Which ones are important?
- How are the risks being managed and by whom?
- Have the risks been evaluated for severity and are resources allocated to properly protect the company and its ongoing operation?
- Are risks sufficiently mitigated?
- Are senior management and the Board of Directors properly informed and involved in monitoring the company’s risks and risk program?
It is expected that a good ERM program will increase stakeholder confidence as well as the possibility of increasing the company’s overall value and longevity through improved decision making. A good ERM system looks ahead to future events. It helps provide critical information in decision making, and it helps anticipate and manage negative events. For these reasons, a formal ERM program should be an essential part of every company’s strategic management process.
Bill Dawson, CPA is a Principal and the service line leader for AC Lordi’s Risk & Compliance practice. He has a diverse background in accounting and reporting, tax, audit and business consulting with public and privately held domestic and multinational corporations. He served as VP of Internal Audit, and later as the VP of Corporate Income Tax for a $2+ billion specialty apparel retailer. He also has 18+ years of Big 4 experience with PricewaterhouseCoopers, including as an Audit Partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients. Bill can be reached at email@example.com or 610-738-0100.