Enterprise Risk Management

ERM’S FUTURE IS BRIGHTER

Framework provides tool for implementation by senior management

by Michael J. Moody, MBA, ARM


The enterprise view allows a company to formally link risk management, corporate governance and entity performance.

Over the past few years, the concept of enterprise risk management (ERM) has suffered from the lack of a common lexicon and structure. About three years ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) retained PricewaterhouseCoopers (PwC) to research ERM practices and create a framework that would encompass key principles of ERM. In mid-2003, PwC completed a draft of “Enterprise Risk Management—Integrated Framework.” The draft was made available and public comments were requested up to October 14, 2003. PwC completed the revisions to the draft document based on the public comments and issued the Framework in final form on September 29, 2004.

With many companies now attempting to develop and implement enterprise risk management programs, the revised Framework has come at a good time. It provides boards and senior management an organized approach to risk management that takes a holistic view of the corporation. Many believe it is the enterprise view that allows a company to formally link risk management, corporate governance and entity performance. John J. Flaherty, COSO chairman, states, “Successfully managing risk drives better business performance and facilitates achievement of strategic, operations, reporting and compliance objectives.”

Basic structure

For the most part, the revised Framework retains the basic concepts and structure of the draft document. For example, the definition of enterprise risk management remains the same:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

While the definition includes a number of elements, several merit particular notice. One of the most important aspects of the definition has to do with the “process” aspects. According to Miles Everson, a PwC partner, ERM is intended to be a continuous process, rather than “a periodic risk assessment.” To assist in this process, the Framework, in Exhibit B - Summary of Key Principles, provides a document that lists many of the key principles. Everson notes, however, that because this does not include all of the principles, it should not be considered as a checklist. He says companies should ask themselves, “How are we applying the principles, and could we do it better?” If the document is used as part of an ongoing process, he says, “It will raise the bar on how effective companies are at managing risks.”

Eight components

The ERM process, according to the Framework, consists of eight interrelated components. The components are derived from the way management runs the enterprise and are integrated with the overall management process. The components are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. It should be pointed out that ERM is not strictly a serial process, where one component builds upon the next. Rather, it is a multidirectional, interactive process where any component can and does influence another.

To help companies better understand the various aspects of the ERM process and its specific components, COSO has also provided an Application Techniques Manual under separate cover. This manual offers specific illustrations of how effective ERM concepts and principles can be successfully applied in a competitive business environment. The manual also affords significant insight into ERM foundations and presents illustrations of how the Framework can be implemented. It should be pointed out, however, that despite the value of the illustrations, they are neither intended to be, nor are they, a complete resource for all of the ERM components. Rather, the manual has been written as a cross section of applications, some designed for large, complex organizations and others more appropriate for smaller entities.

According to PwC’s Everson, the manual is written from a “how to apply the principles approach, rather than a theoretical guidance document.” While the illustrations and examples used are beneficial, they should not be considered as the only way to effect ERM; “they should not even be considered as the preferred method or represented as a best practice approach.” Everson goes on to say, “You can find many different ways to apply the principles; these are just a few illustrations of some of the available techniques.” He reminds readers, “The manual does not purport to be the complete composite of techniques.”

Just the beginning

While COSO and PwC have completed their work on the Framework, Everson notes it is really only the beginning. He says that industry-specific approaches will follow, and they are likely to be generated from one of three perspectives:
Individual company modifications. The Framework will be modified for specific applications by individual organizations as they work through the ERM process.
Funding sources and/or rating agencies modifications. Everson observes that soon you “will start to see more influence from various funding sources and rating agencies around a common understanding of risk for a particular industry segment; not just what the risk is, but determining how a company actually manages risks and how they think about risks.” The Framework will offer a consistent platform from which companies can build their industry-specific modifications.
Operating sector organizations modifications. Industry groups and associations will also be a catalyst for change. Everson points out that several industry groups, most notably “energy and financial services, already have steering committees in place to use the Framework for the development of industry-specific guidance.” These industry-specific approaches will become available to company representatives through their associations.

In all three cases, the COSO Framework will serve as a common base of knowledge to which industry-specific modifications can be applied. This process is necessary to make the information more tactical, according to Everson.

Value creation

A key concept of the ERM approach is value creation, or the ability to use ERM equally for risk and opportunity. For the most part, the Framework tracks with this value creation approach. However, one aspect has caused some confusion regarding this issue, until people have realized the totality of the ERM process. Everson indicates that there have been comments regarding the specific definition of risk as used in the Framework. As noted in the Framework’s Glossary (Appendix F), “risk” is defined as “the possibility that an event will occur and adversely affect the achievement of objectives.”

In essence, “The definition of risk is the potential for an adverse effect,” says Everson. He says some people think this means “it is all about downside risks only, and that is not the case at all.” He goes on, “When you properly deploy ERM, what happens is you identify all events (both positive and negative) that can affect the performance of an entity.” Obviously, some of those risks could have a positive impact or present opportunities for the company. “To the extent they do, you put those risks back through the entirety of the strategic planning process and objective setting process,” Everson says. In this way, he notes, “the positive risks actually come back through the process as a new objective; then you can address the risks which are associated with it.” As a result, it can readily be seen that value creation is integral to the ERM process.

Conclusion

The finalization of the COSO Enterprise Risk Management Framework provides interested parties a roadmap for successful ERM development. The Framework offers a scalable platform for the deployment of ERM. The companion Application Techniques Manual provides excellent illustrations and examples of specific approaches for ERM development. Together, these two documents will greatly assist any organization that needs guidance in ERM implementation. Both the Framework and the Manual will serve as keystones to future growth as companies begin to see the competitive value of ERM. With a common language and structure, one would expect to see significant interest in ERM implementation.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm that was established to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.