Enterprise Risk Management: The COSO Framework

December 31, 2004
Document

2004
Colleen Sayther-Cunninham

High-profile business scandals, an economic slowdown that caused many business failures, and world events have all created an increased awareness of the importance of risk management, governance and control. They have emphasized the danger of not paying attention to risks and uncertainties. On September 29, 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released "Enterprise Risk Management - Integrated Framework" (the "Framework") to provide companies with a roadmap for identifying risks and avoiding pitfalls, as well as for taking advantage of opportunities to grow shareholder value.

The Framework builds on COSO's previously issued framework, Internal Control - Integrated Framework, and identifies the interrelationships between enterprise risk management ("ERM"), internal control and entity management. The Framework is much broader than the Internal Control Framework and expands on it. It defines risk and risk management, provides key principles and concepts, a common language and the other elements of a comprehensive risk management framework, and provides criteria companies can use to determine whether their risk management is effective and, if not, what is needed to make it so.

So, what is ERM? It is defined as a process, carried out by an entity's board, management and other personnel, for identifying, analyzing and managing risk across the entire enterprise so that risk stays within the entity's risk appetite.

The ERM Framework has eight components:

  • Internal Environment - sets the foundation for how risk and control are viewed and addressed by the entity - what is the risk philosophy? The ethics and integrity of senior management are a vital part of the culture that drives the internal environment
  • Objective Setting - high-level goals aligned with the entity's mission/vision - all employees must understand the entity's objectives as they relate to their individual function
  • Event Identification - what internal/external events can influence strategy and/or the achievement of objectives?
  • Risk Assessment - analysis of the likelihood that an event will occur and the potential impact of the event on the entity
  • Risk Response - action taken in response to the risk, e.g., avoid the risk by exiting the activities that give rise to it, reduce the likelihood or impact of the risk, transfer or share the risk with another party, or accept the risk
  • Control Activities - what policies/procedures have been established to ensure that the risk responses are carried out?
  • Information & Communication - communicating accurate information on a timely basis and to the right people is key to an effective ERM
  • Monitoring - ensures that all components of ERM continue to function at all levels - includes separate one-time evaluations as well as ongoing activities

To implement ERM using the Framework, start with an analysis of the internal environment and work your way down the list of components. It is easier to start small and keep the project manageable, then expand it to other areas. Many companies have used the COSO Internal Control framework for their assessment of the internal control environment under Sarbanes-Oxley Section 404. Companies can leverage that compliance effort to implement a broader ERM effort and get more value from the work already done.

Why implement ERM? ERM can support value creation by helping a company deal effectively with potential future events that create uncertainty, respond in a manner that reduces the likelihood of downside outcomes and increases the upside, and seize opportunities. The idea behind ERM is to create value through good corporate governance. Audit committees and regulators are also recognizing the role that appropriate risk management can play in corporate governance. When Fannie Mae recently reached an agreement with regulators to address accounting and control issues, one of the corrective steps it took was to hire a chief risk officer.

Everyone in an organization has some responsibility for enterprise risk management. The success of an ERM implementation depends on everyone throughout the organization being aligned with the objectives and priorities of the company in the context of the company's internal environment (its culture). Therefore, communication down to every level of the organization is essential.

No matter how well designed and executed, ERM cannot ensure an organization's success or guarantee results. The future will always be uncertain, and some events are outside of management's control. However, by putting in place a process to identify and analyze both internal and external risks, your company's chances of weathering an adverse event are much greater.

For more information on COSO's ERM framework, visit COSO's website at www.coso.org.