Today’s business and economic environment is uncertain at best. This reality makes it essential for managers to understand risk and to have a framework and process for dealing with it. The Committee of Sponsoring Organizations of the Treadway Commission known as COSO recognized this need and developed the ERM Framework in 2004. This framework provides a solid foundation for both understanding and dealing with risk.
I have been teaching risk management programs since the framework was issued and it has been interesting to me to see that it hasn’t gotten the traction it deserved. This seems to be the case based on a recent article in the Journal of Accountancy. Managers realize the importance of managing risk but are too busy with day to day details to take the time to formalize risk management into a process of how they run their businesses. Based on the events we have lived through over the past few months one would think that risk management would be a top priority.
I thought it would be useful to provide insight into the risk management framework and process and then link it to a strategic approach to managing the business. This blog post will begin to provide the basics of the ERM Framework to help you understand risk. I will then follow up with a series of posts to link the application of strategy.
We need to understand that risk evolves out of a series of events from either internal or external sources that have the potential to impact strategy and the achievement of organizational objectives. Risk is the possibility that an event will happen. Management then needs to assess all the risks and consider the impact they might have on the organization.
The ERM Framework developed by COSO is similar to the COSO Framework for internal control but with variations and additional elements. The objectives were expanded through the addition of strategy because of the importance of setting high-level goals that are aligned with and supporting the organization’s mission.
The components of the framework were expanded from the five to eight. The additional components included objective setting, identification of events, and how to respond to identified risks. These changes make sense since enterprise risk management is a process just like internal control where people control it and its application has a direct impact on strategy. Enterprise risk management or ERM will only provide reasonable assurance and it is essential that it be geared toward achievement of objectives.
A critical factor in risk management is gaining an understanding for the organization’s appetite for risk. This is the amount of risk an entity is willing to accept in their pursuit of value. Is the appetite for risk high, moderate, or low? This factor should be related to balancing the goals for growth, return, and investment. It also needs to be a factor in the decision making process by the management team.
Utilizing this foundation, ERM can help to align risk appetite and strategy and enhance risk response decisions. This process is a key in minimizing operational surprises and losses. It helps to balance the downside and increase the upside when managing and responding to risks.
The next blog post on this topic will deal with risk tolerance, forming an appetite for risk, and defining and responding to risks. Eventually we will pull together the process of managing risks, setting objectives, and how strategy should be a component of managing the business on a daily basis. For more information on risk management and other topics visit www.northrupcpa.com.