When initiating the project to update its enterprise risk management (ERM) framework, COSO saw opportunities to achieve clarity on several fronts. The updated framework recognizes the increasing importance of the interconnection of risk, strategy, and enterprise performance, particularly in making important decisions. It begins with an underlying premise that every entity exists to provide value to its stakeholders and faces uncertainty in pursuing that value. Therefore, the framework itself focuses on preserving and creating enterprise value, emphasizing managing risk within the entity’s risk appetite. The term “uncertainty” is defined as not knowing how or if potential events may manifest themselves in achieving future strategies and business objectives. “Risk” is considered the effect of such uncertainty in formulating and executing the business strategy and achieving business objectives.
The challenge for management and the board of directors is to evaluate how much uncertainty and risk they are prepared and able to accept when executing the strategy and pursuing the organization’s performance goals. Therefore, ERM is all about balancing risks and rewards in creating value. Achieving that balance leads to an emphasis on protecting enterprise value and enhancing it.
The framework is principles-based, meaning it introduces five interrelated components and outlines 20 relevant principles arrayed among those components. The framework significantly improves on its 2004 counterpart, as its structure offers a benchmarking option for companies seeking to enhance their ERM approach. The framework focuses on integrating ERM with the core processes that matter. Its subtitle says it all – “Integrating with Strategy and Performance.” Its concept of integration is embodied within its definition of ERM: “The culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk creating, preserving and realizing value.”
If a company implements a stand-alone process, it may be worthwhile and useful, but it is not ERM as COSO defines it. Four themes are vital to effective ERM integration:
- Implementing strategy
- Integrating performance
- Laying a strong foundation with risk governance and culture
- Tying risk considerations into decision-making processes