Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida
This document begins by listing the COSO Board Members, Principal Contributors (Authors), Advisory Council Members, Observers, and a Table of Contents.
Foreword p. iv
Robert B. Hirth Jr. (COSO Chair) and Dennis L. Chesley (PwC Project Lead Partner, Global Risk Leader) explain why the 2004 ERM Integrated Framework needs to be updated. The complexity of risk has changed and new risks have emerged. This update puts more emphasis on the connection between ERM and strategy.
Applying the Framework: Putting it into Context
1. Introduction p. 3
Every organization exists to provide value, and risks affect every organization's ability to achieve its objectives. Enterprise Risk Management provides a way to balance exposure with opportunity. ERM affects value and strategy, and it is linked to the business, performance management, and internal control. Benefits of ERM include an increase in the range of opportunities, identifying and managing entity-wide risks, reducing surprises and losses, and reducing performance variability. ERM incorporates the concept of organizational sustainability.
2. Understanding the Terms: Risk and Enterprise Risk Management p. 9
Risk - "The possibility that events will occur and affect the achievement of strategy and business objectives."
Enterprise Risk Management - "The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value."
Enterprise risk management is closely related to the culture of the organization and helps people understand risk in the context of the organization's strategy and objectives.
Enterprise risk management is a continual process involving day-to-day tasks such as business planning, operations, and financial management.
3. Enterprise Risk Management and Strategy p. 12
Integrating enterprise risk management with strategy helps the organization understand how its mission (core purpose), vision (future aspirations), and core values (beliefs about behavior) align with opportunities and risk.
This section includes additional information about mission, vision, and core values; the importance of aligning them with strategy; evaluating the chosen strategy; risk to executing the strategy; governance and operating models; legal structure; management structure; and managing risks through the value chain.
4. Considering Risk and Entity Performance p. 17
This section includes a discussion of risk and uncertainty and understanding the organization's risk profile that shows the level of acceptable risk, the related interdependencies of risks, and how they might affect performance.
Also included are discussions of an organization's risk appetite statement that might include strategic parameters (new products, investments, mergers), financial parameters (return on assets, return on capital, target debt rating, debt/equity ratio), and operating parameters (capacity management, environmental requirements, safety and quality targets, and customer concentrations).
Acceptable variation in performance, or risk tolerance, is closely related to risk appetite. An illustration similar to the one above is included with the target area expanded to show that the optimal point is where the right boundary of acceptable performance intersects the risk appetite.
5. Components and Principles p. 21
The ERM Framework includes five interrelated components:
Risk Governance and Culture
Risk, Strategy, and Objective-Setting
Risk in Execution
Risk Information, Communication, and Reporting
Monitoring Enterprise Risk Management Performance
Assessing Enterprise Risk Management - An organization should provide criteria for conducting an assessment of the overall effectiveness of its ERM practices, including components, relevant principles, and controls.
The five components and their related principles are discussed in Chapters 6-10.
6. Risk Governance and Culture p. 27
Principles related to risk governance and culture:
Exercises board risk oversight
Establishes governance and operating model
Defines desired organizational behaviors
Demonstrates commitment to integrity and ethics
Attracts, develops, and retains talented individuals
7. Risk, Strategy, and Objective-Setting p. 43
Principles relating to risk, strategy, and objective-setting:
Considers risk and business context - External Categories: Political, Economic, Social, Technological, Legal, and Environmental. Internal Categories: Capital, People, Process, and Technology.
Defines risk appetite - Sample expressions: Target, Range, Ceiling, and Floor. Risk Appetite Continuum: Lower←Moderate→Higher
Evaluates alternative strategies - Aligning with Mission and Vision, Aligning with Risk Appetite, and Mitigating Bias
Considers risk while establishing business objectives
Defines acceptable variation in performance
8. Risk in Execution p. 61
Principles related to risk in execution:
Identifies risk in execution
Assesses severity of risk - Risk Profile, Inherent, Target, and Residual Risk, Severity Measures, and Heat Maps
Prioritizes risks - Risk Appetite
Identifies and selects risk responses - Accept, Avoid, Pursue, Reduce, Share
Develops portfolio view - Risk Profile showing Total Risks
Assesses risk in execution
9. Risk Information, Communication, and Reporting p. 83
Principles related to information and communication channels:
Uses relevant information
Leverages information systems
Communicates risk information
Reports on risk, culture, and performance
10. Monitoring Enterprise Risk Management Performance p. 97
Principles related to monitoring entity performance:
Monitors substantial change
Monitors enterprise risk management
A. Glossary of Terms p. 104
B. Roles and Responsibilities p. 107
C. Risk Profile Illustrations p. 114
Link to the COSO ERM document: https://www.coso.org/Documents/COSO-ERM-draft-Post-Exposure-Version.pdf
Link to the COSO site: https://www.coso.org/Pages/default.aspx