[ERM UPDATE 2017] – What you need to know about the framework changes to Enterprise Risk Management
“Risk comes from not knowing what you are doing.” -Warren Buffett
New ERM Framework
In September 2017, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) published its revised enterprise risk management (“ERM”) framework which is now titled ERM – Integrating with Strategy and Performance.
The original framework called ERM – Integrated Framework was introduced by COSO in 2004, and since then the framework has been recognized and widely adopted by organizations worldwide. Since adoption of this framework, the business environment substantially changed. New risks emerged and ERM thinking and practices evolved dramatically.
What is ERM?
In many organizations, adoption of ERM is immature and is considered something that had to be done but that does not add any additional value. ERM should be an integral part of everyday decision making and is embedded throughout an organization and its culture.
COSO’s definition of ERM is:
Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.
What’s new?
The new ERM framework:
1. Consists of five components and 20 principles
The new framework now has five interrelated components instead of eight:
- Governance and Culture;
- Strategy and Objective-Setting;
- Performance;
- Review and Revision;
- Information, Communication and Reporting.
The five components are supported by 20 key principles of effective risk management. These principles cover everything from governance to day-to-day operations for any type or size of organization.
2. Emphasizes the importance of ERM in strategic planning and performance
The ERM framework emphasizes the importance of aligning business objectives and strategy with an organization’s mission, vision, and core values. Organizations need to learn how to identify, assess, prioritize, and manage risks. Companies that can do this are better able to achieve business objectives, execute strategies and improve their performance.
The new framework breaks down the relationship between risk and strategy into three dimensions:
- Risk to the strategy: considers risks that could impact the success of the selected strategy;
- Risk of the strategy: evaluates if the strategy is aligned with an organization’s mission, vision, and core values;
- Implications from the strategy: considers the unintended consequences of the selected strategy.
The three dimensions are depicted below:
3. Recognizes the importance of corporate culture
Culture, ethics, tone of leadership and corporate core values help an organization choose their own risk culture—risk averse, risk neutral or risk aggressive. If risk management is a well-integrated in an organization’s culture, individual decision making and operational decisions will be in alignment with the company’s chosen risk culture.
4. Focuses on improving value
The new ERM framework is focused on improving value, rather than preserving it. It is not just about managing risk and keeping it at a level that is acceptable to the organization.
The new ERM emphasises the relationship between risk and value and the important role of ERM in creating, preserving, and realizing value.
It helps an organization explore new opportunities by taking acceptable risks and realizing the value of taking these risks.
5. Emphasizes the connection between risk and decision making
The updated framework identifies the close relationship between risks and decision making. All decisions should be made with risk management in mind. Embedding ERM throughout an organization supports risk-aware decision making at every stage of the value chain. Better decision making is associated with better management and organizational performance.
6. Refines risk tolerance in risk assessment
When performing risk assessments, the concepts of risk appetite and risk tolerance are important. The new framework refines the definition of Risk Tolerance to mean the level of risk acceptable for a given level of performance. Organizations are now supposed to outline the limits of acceptable risk within the context of performance. The framework helps organizations remain within the limits of acceptable risk while changing the levels of performance. In the new ERM, rather than being static and separate, risk and performance are interrelated and constantly changing.
7. Builds links to internal control framework
The ERM framework and the COSO’s Internal Control – Integrated Framework are distinct but complementary frameworks. To avoid duplication, some aspects of the internal control framework are not repeated in the updated ERM framework. You should refer to the Internal Control Framework for more information about risks and internal controls.
8. Focuses on integration
The need to integrate ERM into all aspects of an organization’s operations is emphasised throughout the new framework. Organizations that integrate enterprise risk management into all business practices experience better decision making and enhanced overall performance.
Summary of ERM updates
| 2004 ERM | 2017 ERM | |
| Title | ERM – Integrated Framework | ERM – Integrating with Strategy and Performance |
| Definition | ERM is a process, influenced by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of an entity’s objectives. |
ERM is reflected in an organization’s culture, capabilities, and practices and is integrated into corporate strategy-setting. Managing risk is recognized as a means to creating, preserving, and realizing value.
|
| Structure |
Consists of 8 components: · Internal environment · Objective setting · Event identification · Risk assessment · Risk response · Control activities · Information and communication · Monitoring |
Consists of 5 components and 20 principles: · Governance and culture · Strategy and objective-setting · Performance · Review and revision · Information, communication and reporting
|
| Objective | Objectives (strategic, operations, reporting, and compliance) | Strategy, business objectives and enhanced performance |
| ERM vs. culture | Doesn’t mention culture | Recognizes importance of culture in ERM practices |
| ERM vs. value | Focuses on preventing the erosion of value and minimizing risk to an acceptable level | Emphasizes the role of ERM in creating, preserving and realizing value |
| ERM vs. decision making | Enhances risk response decision making (risk avoidance, reduction, sharing, and acceptance) | Enhances risk aware decision making at every stage of the value chain: selection of strategy, establishment of business objectives and performance targets, and allocation of resources |
| Relationship to Internal Control Framework | Expands and elaborates on elements of COSO’s 1992 Internal Control – Integrated Framework | Compliments COSO’s 2013 Internal Control – Integrated Framework |
Looking to adopt a new ERM framework?
Contact our PFC experts at info@pfcaccounting.com or call us at +1-403-375-9955.
