A Framework for Enterprise Risk Management

Protection of shareholder value is seen as the chief benefit of Enterprise Risk Management (ERM). Hence enterprise risk management is now firmly on the boardroom agenda. So why is it proving so difficult to implement?

Companies cannot reap the benefits of risk management unless they have the right foundations in place. Any management activity requires a clearly defined set of objectives, clarification of the tasks to be performed, planning and management. Risk management is no exception. In addition, any activity that has multiple participants requires a coordinated consistent approach that aligns all the necessary elements. This uniform approach can be orchestrated through the use of a framework.

The need for a framework is increasing due to the desire to improve governance by integrating information security, business continuity management and risk management, which are commonly treated as discrete disciplines.

The concept behind an ERM framework is to provide a model for organizations to consider and understand the risk-related activities they should undertake at all levels of the organization for the effective implementation of risk management. Its purpose is to provide structure, order and discipline. It is composed of components which collectively constitute a robust approach to the implementation of ERM. The components of a framework can be used within a risk maturity model: as the components of the framework are progressively developed, the maturity of an organization’s overall risk management practices is enhanced.

A commonly adopted framework is the model proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), described in their publication Enterprise Risk Management-Integrated Approach.

COSO is a voluntary private sector organization formed in the U.S. in 1985. Its primary objective is to improve the quality of financial reporting through business ethics, effective internal controls and corporate governance. COSO is sponsored by five main professional accounting associations and institutes.

The COSO ERM framework is a three-dimensional cube with the following components:

  • Four vertical columns representing the primary objectives of enterprise risk.
  • Eight horizontal rows describing the primary risk activities.
  • Four ‘slices’ describing the levels of the organization, from the group or whole company down to subsidiaries.

The dimensions of the cube might be described as why, what and where. Why should risk management be implemented (‘Strategic’ to ‘Compliance’), what risk management activities should be undertaken (‘Internal Environment’ to ‘Monitoring’) and where they should be undertaken within the organization (‘Entity Level’ to ‘Subsidiary’).

There is no ‘one size fits all’ approach to the development of a framework. It needs to be tailored to suit the particular circumstances of an organization. There needs to be a clear understanding of the context of the organization so that the risk management objectives are aligned to the legal and regulatory context as well as the business objectives. The risk management activities should reflect a commonly accepted methodical process where the inputs and outputs of each step in the process are readily understood. Every organization is structured differently, and hence there may be more or fewer ‘slices’ to the framework than illustrated in the COSO framework. The larger the organization and the greater the number of operating ‘units’ within it, the greater the need for a framework.

However, a framework on its own will not guarantee effective risk management. It is a means to an end and not an end in itself. Any organization must have a receptive culture that is ready to adopt risk management. There must be, for instance, board-level commitment to risk management, a clear understanding of where value can be added or destroyed within the organization, an understanding of how the context of the organization is changing over time, and a view of how the company must change to suit.

Ultimately, a robust framework will form the bedrock of all future risk management activity, provided it is regularly reviewed and updated to reflect an ever-changing business context.

The Author

Robert Chapman is a risk management specialist and director of Dr Chapman Consulting. Robert has recently authored a book “Simple tools and techniques for enterprise risk management”, John Wiley and Sons Limited, England. He can be contacted at robert.chapman@drchapman-consulting.com
