WHAT IS ERM

Enterprise risk management (ERM) is a systematic approach to
identifying risks associated with running a business, assessing their
likelihood and potential impact, and developing strategies to manage and
mitigate them. Most businesses have some kind of risk management
program in place. But in “traditional” risk management, the management
is typically left in the hands of separate divisions or departments.
What is the COSO Framework?
The COSO Framework is a system used to establish internal controls to be integrated
into business processes. Collectively, these controls provide reasonable assurance that
the organization is operating ethically, transparently and in accordance with
established industry standards.
COSO is an acronym for the Committee of Sponsoring Organizations. The committee
created the framework in 1992, led by Executive Vice President and General Counsel
James Treadway, Jr., along with several private sector organizations, including the
following:
- American Accounting Association
- Financial Executives International
- The Institute of Internal Auditors
- American Institute of Certified Public Accountants
- The Institute of Management Accountants (formerly the National Association of
Cost Accountants)
The COSO framework was updated in 2013 to include the COSO cube, a 3-D diagram
that shows how all elements of an internal control system are related. In 2017,
the committee introduced its COSO Enterprise Risk Management Framework. The
COSO ERM Framework aims to help organizations understand and prioritize risks and

What are the five components of the COSO Framework?
Here are the five components of the COSO framework:
- Control environment. The control environment seeks to make sure that all
business processes are based on the use of industry-standard practices. This can
help ensure that the business is run in a responsible way. It may also reduce an
organization's legal exposure if the organization is able to prove that its business
processes are all based on industry-standard practices. Additionally, the control
environment can help with making sure that an organization is adhering to
regulatory compliance requirements.
- Risk assessment and management. Risk assessment and management is based
on the idea that risk is an inherent part of doing business. However, those same
risks can sometimes cause a business to suffer adverse consequences. As such,
organizations commonly adopt risk management plans that help them to identify
risks and either reduce or eliminate risks deemed to pose a threat to the
organization's well-being.
- Control activities. Control activities are also tied to the concept of risk
management. They are essentially internal controls that are put into place to make
sure that business processes are performed in a way that helps an organization to
meet its business objectives without introducing unnecessary risks into the process.
- Information and communications. Communications rules
are put in place to make sure that both internal and external
communications adhere to legal requirements, ethical values
and standard industry practices. For example, private sector
organizations commonly adopt privacy policies establishing
how customer data can be used.
- Monitoring. At a minimum, monitoring is performed by an
internal auditor who makes sure that employees are adhering to
established internal controls. However, in the case of public
companies, it is relatively common for an outside auditor to
evaluate the organization's regulatory compliance. In either
case, the audit results are usually reported to the board of
directors.
How is the COSO Framework used?
The COSO Framework is heavily used by publicly traded companies and
accounting and financial firms. The framework seeks to put internal
controls in place that formalize the way in which key business processes
are performed. This helps organizations to adhere to legal and ethical
requirements, while also focusing on risk assessment and management.
In addition to integrating such controls into key business processes, the
framework places a heavy emphasis on monitoring and reporting,
especially as it relates to using internal auditors to monitor adherence to
established controls.
Steps in the Enterprise Risk Management (ERM) Process
- Identify Risks: The first step in the ERM process is to identify the potential
risks (and opportunities) that may affect the organization’s objectives. This
step involves recognizing internal and external risks that may arise from
various sources such as operations, financial, regulatory, legal, reputational
and strategic risks. Identifying new risks is key to managing what is on the
horizon.
- Assess Risks: After identifying the risks, the next step is to assess their
likelihood and potential impact on the organization’s objectives. This step
involves analyzing the risks in terms of their probability of occurrence,
potential impact, the speed (or velocity) with which the risk might affect the
organization and the adequacy of the organization’s current controls to
mitigate those risks.
- Prioritize Risks: Based on the risk assessment, the next step is to prioritize
the risks based on their level of importance to the organization’s objectives.
This step involves determining which risks require immediate attention and
which risks can be managed over the long term.
- Develop Risk Mitigation Strategies: After prioritizing the risks, the
next step is to develop risk management strategies that align with the
organization’s objectives. This step involves developing a risk
management plan that outlines how the organization will mitigate, avoid,
transfer or accept each risk.
- Implement Risk Mitigation Strategies: The next step is to implement
the risk mitigation strategies identified in the previous step. This step
involves putting in place the necessary processes, policies and procedures
to manage the risks identified.
- Report, Monitor and Review: The final step in the ERM process is to
report, monitor and review the effectiveness of the risk management
strategies implemented. This step involves continuously monitoring the
risks, evaluating the effectiveness of the risk management strategies,
adjusting the strategies as necessary and reporting the results in a timely
manner so that they are useful in strategic planning.
COMPONENTS OF ERM-INTEGRATED FRAMEWORK
The ERM-Integrated Framework consists of eight components:
- Internal Environment- Management sets a philosophy regarding risk and establishes a
risk appetite. The internal environment sets the basis for how risk and control are viewed
and addressed by an entity’s people. It is critical that upper management express the
importance of ERM throughout all levels of an entity.
- Objective Setting- Objectives must exist before management can identify potential
events affecting their achievement. ERM ensures that management has in place a process
to set objectives and that the chosen objectives support and align with the entity’s
mission and are consistent with its risk appetite.
- Event Identification- Potential events that might have an impact on the entity must be
identified. Event identification involves identifying potential events from internal or
external sources affecting achievement of objectives. It includes distinguishing between
events that represent risks, those that represent opportunities, and those that may be
both.
- Risk Assessment- Identified risks are analyzed in order to form a basis for determining
how they should be managed. Risks are associated with the objectives that may be affected.
Risks are assessed on both an inherent and a residual basis, with the assessment
considering both risk likelihood and impact. Risk assessment needs to be done
continuously and throughout an entity.
- Risk Response- Personnel identify and evaluate possible responses to
risks, which include avoiding, accepting, reducing, and sharing risks.
Management selects a set of actions to align risks with the entity’s risk
tolerances and risk appetite.
- Control Activities- Policies and procedures are established and
executed to help ensure the risk responses management selects are
effectively carried out.
- Information and Communication- Relevant information is identified,
captured, and communicated in a form and timeframe that enable
people to carry out their responsibilities. Information is needed at all
levels of an entity for identifying, assessing, and responding to risk.
- Monitoring- The entirety of ERM is monitored, and modifications are
made as necessary. In this way, it can react dynamically, changing as
conditions warrant.
Benefits of integrating enterprise risk management
- Increasing Range of Opportunities: Integrating ERM enables comprehensive assessment
of risks, identifying opportunities for revenue growth and product development. For
instance, a food company adapting to changing consumer trends preserved existing
revenue by improving products and expanded its consumer base.
- Enhancing Positive Outcomes and Reducing Surprises: ERM improves risk identification,
leading to better responses and reduced costs. For example, a manufacturing company
mitigated delivery risks by optimizing shipping processes, leading to improved
performance and minimized disruptions.
- Identifying and Managing Entity-wide Risks: ERM helps in recognizing and addressing
risks that impact various parts of the organization, ensuring sustained performance. For
instance, a bank developed a system to analyze trading risks comprehensively, allowing
effective responses to risks across departments and customers.
- Reducing Performance Variability: ERM enables organizations to anticipate and manage
performance variability, minimizing disruptions. For example, a public transportation
system implemented strategies to mitigate schedule variations, improving overall
performance and customer satisfaction.
- Enhanced Decision-Making: ERM provides decision-makers with a comprehensive
view of risks, enabling informed decision-making aligned with organizational objectives.
By considering risks alongside opportunities, leaders can make strategic choices that
maximize value and mitigate potential threats.
- Improved Stakeholder Confidence: Effective risk management instills confidence in
stakeholders, including investors, customers, and regulators. Transparent risk disclosure
and proactive risk mitigation efforts demonstrate organizational resilience and
commitment to long-term success, enhancing trust and credibility.
- Better Business Continuity Planning: ERM helps organizations anticipate and prepare
for potential disruptions, improving business continuity planning. By identifying critical
risks and developing contingency plans, businesses can minimize downtime, mitigate
losses, and maintain operations during unforeseen events.
- Enhanced Innovation and Agility: ERM encourages a proactive approach to risk
management, fostering a culture of innovation and agility. By embracing risk-taking
within defined parameters, organizations can pursue new opportunities, adapt to
changing market conditions, and stay ahead of competitors.
Challenges of implementation of ERM
- Culture Shock: Resistance to change from key management personnel can
hinder ERM implementation progress. To overcome this challenge, Stewart
suggests co-developing ERM processes, procedures, and governance models
with frontline personnel to foster ownership and effective post-implementation
operations.
- Poor Execution: Executing risk action plans to completion and reporting results
to the ERM steering committee is crucial for successful implementation.
Guidance, best practices, and advice from experienced professionals can help
organizations avoid common pitfalls and ensure effective execution.
- Inadequate Tolerance: Establishing tolerance levels with a risk appetite
statement (RAS) is essential for aligning the organization's appetite for risk.
Failing to quantify risk tolerance with metrics that align with ERM
implementation objectives can prevent feedback and compromise the readiness
of business units to manage risk appetite.
- Lack of Awareness: Executive-level buy-in is essential for the success of ERM
implementation. Without awareness and participation from senior leadership or
executive board members, the likelihood of successful ERM operations decreases
drastically.
- Insufficient Data: Data is crucial for establishing assessment criteria, executing
risk action plans, and measuring results. ERM dashboards and collaboration
software can help teams discover, communicate, and analyze data critical to
identifying and managing risk. Developing ERM maturity with governance, risk,
and compliance (GRC) software solutions can aid in project coordination and
visibility, providing a framework for process efficiency, data management, and
advanced reporting.
- Resource Constraints: Limited resources, including budget, time, and expertise,
can impede the successful implementation of ERM initiatives. Organizations may
struggle to allocate sufficient resources to ERM initiatives, which can lead to
incomplete or ineffective implementation.
- Complexity and Integration: ERM implementation often involves integrating risk
management processes across different business units and functions, which can be
complex and challenging, especially in large or decentralized organizations.
Ensuring that all relevant stakeholders are engaged and that the ERM framework is
consistently applied across the organization can be a significant challenge.
- Regulatory Compliance: Meeting regulatory requirements and compliance
obligations adds another layer of complexity to ERM implementation, requiring
organizations to navigate and adhere to various regulatory frameworks and
standards. Ensuring that ERM processes are aligned with regulatory requirements
and that the organization is prepared to demonstrate compliance can be a
significant challenge.
- Resistance to Change: Resistance to change from employees and stakeholders who
are accustomed to existing processes and procedures can pose a significant challenge
to ERM implementation efforts. Overcoming resistance to change requires effective
communication, training, and a clear understanding of the benefits of ERM.
- Technology Adoption: Adopting and implementing new
technologies and software solutions for ERM can be
challenging, requiring investment, training, and
integration with existing systems and processes. Ensuring
that the chosen technology solutions are effective, efficient,
and aligned with the organization's ERM strategy can be a
significant challenge.
Practical Considerations in implementing Enterprise Risk Management
Once an organization decides to adopt Enterprise Risk Management, the challenge is
the implementation. At the ground level there are many considerations in implementing
it successfully. These considerations vary between organizations; however, the
following more or less remain the same:
- ERM Champion: First and foremost, given the challenges, an individual must be
selected in the organization to spearhead the initiative. He or she is often
called the chief risk officer (CRO), and reports either to the chief executive officer
or to the chief financial officer. The CRO is then provided with a staff. The whole
department should be enabled to act as a change agent and is equally accountable to
top management.
- Incorporating ERM into Organizational Culture: Traditionally, the risks facing each
function or department were handled by the department heads. There was no such
person as a Chief Risk Officer specifically deployed for risk management across the
organization. The finance department looked after financial risks, information
technology looked after operational risks, the marketing department took care of
strategic risk, and so on. Most importantly, they reported to different heads and used
different procedures, tools and strategies. Even the calibration was different.
- Risk Assessment: This is typically the second stage in the risk management
cycle. Visible risks are easier to deal with, or at least one can have a plan to
deal with them, but risks that are not visible or cannot be identified are the
ones that are often the source of the greatest problems. For example, no one
could have anticipated risks like the criminal tampering of products in the
pharmaceutical industry! In risk assessment the challenge is to identify
and contemplate such unthinkable events.
- Quantifying Strategic and Operational Risk: Physical hazard and
financial risk are easy to quantify, but what about risks that are intangible?
A situation in which knowledge is applied inappropriately
leads to a knowledge risk. Similarly, an operational inefficiency that goes
unnoticed for long can lead to a production deficit. These are risks that are
difficult to estimate in terms of their likelihood and degree of impact.
Such risks are better dealt with through qualitative analysis to determine the
relative possibility of occurrence.
- Integrating Various Kinds of Risk: It is often very difficult to determine
the exact relationship between various kinds of risks. Past relationships may
mislead when considering future trends. It is nevertheless better to build
structural models that permit improvement at each corresponding stage over
time.
- Lack of Appropriate Risk Transfer Mechanisms: Although risk transfer
mechanisms are available, they are often inadequate.
Capital and reinsurance markets, for example, are not adequate to support
an organization in transferring its risks. These markets need to evolve
in terms of products and services over time. In the case of operational
and strategic risk, the transfer mechanisms are even less adequate.
- Monitoring the Process: Finally, ERM needs to be monitored on a
continual basis. Successful ERM needs reports and comparisons against the last risk
assessments. Strategies need to be reworked as the risk
environment changes.