As enterprise risk management (ERM) has become popular in the past two decades, organizations have been trying to implement a program that makes all stakeholders satisfied that they are “doing risk management right.” The problem is ERM is not a program. In fact, it is not a department nor a process, either. ERM — or more generically “risk management” — is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does. Unfortunately, many organizations don’t execute risk management well and suffer the consequences.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently published an update to its 2004 COSO ERM framework. The name of the 2017 version says it all: Enterprise Risk Management–Integrating With Strategy and Performance. Risk management is all about strategy and performance.
Making Better Decisions
Risk management is an integral part of decision-making. What does this mean? Consider two different situations.
Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such.
Beta Co. is repainting the exterior of its headquarters buildings. The company turns to its normal painter to get the job done. There also were risks related to this project, but it is less obvious how Beta managed the risks.
Both Acme and Beta made decisions (multiple ones, in fact). Risk management was an integral part of both organizations’ decisions. While the risk management may have looked different in the two situations, it was still risk management. Acme took a more formalized approach, outlining its path forward while considering what deviations from this path might occur because of unexpected events (i.e., risks) and planning accordingly. Beta was not nearly as formal, but relied on past habits to try to accomplish its objectives. The questions for both organizations are how good was the risk management and did they use the right approach?
Risk management does not need to look the same for every organization and every decision. It should be fit for purpose, having the level of sophistication, formality, and transparency that is necessary for the importance of the objectives and risks. Both Acme and Beta may have done a great job or a poor job of risk management. It is not the specific activities and formality of the program that matter. What matters is whether management is handling risks the way it should in the situation.
The new COSO ERM lays out a framework for improving risk management so better decisions are made, helping an organization accomplish its objectives. The framework is not another process to be sent to the ERM team or even to a committee of the board. It needs to be incorporated into the fabric of the organization, providing guidance, tools, processes, and many other elements to improve risk management, regardless of the decision being made. The updated framework’s executive summary discusses five interrelated components:
- Governance and Culture. Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
- Strategy and Objective Setting. ERM, strategy, and objective setting work together in the strategic planning process. A risk appetite is established and aligned with strategy. Business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Performance. Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Review and Revision. By reviewing entity performance, an organization can consider how well the ERM components are functioning over time and in light of substantial changes, and what revisions are needed.
- Information, Communication, and Reporting. ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
Clearing Up Misconceptions
Although the new COSO ERM framework is fairly straightforward, a few key points often are missing in ERM as practiced today.
Risk Is Not the Focus. The approach to risk management should not focus on the risks in isolation. The focus should be on those events that can affect the achievement of strategy and business objectives. When the focus is on the risks, and not the strategies and objectives, ERM becomes a program. To add value, ERM always must be about accomplishing strategies and objectives. Management does not think first about risk, but about delivering performance and what can impact that performance.
Risk Is Not an Evil to Be Eliminated. Every organization takes risks because the world is not perfectly predictable. Every time an organization takes an action, it takes the risk that its expectations are not correct. Sometimes the events that occur have a positive impact, and sometimes they are negative. Risk is a fundamental part of every organization, but it needs to be managed.
There Are Many Ways to Respond to Risk. The framework outlines five basic responses to risk: accept, avoid, pursue, reduce, and share. Internal auditors frequently assume the right response to risk is the fourth option — reduce. This reduction is frequently in the form of implementing internal controls to reduce the likelihood or impact of a risk event. However, this is not the only option and other options may be better.
Risk Management Is More a Skill and Mindset Than a Process. When risk management turns into a department, team, or process, it can easily become something separate from management decision-making. Doing risk management right improves decision-making. While many experienced managers intuitively incorporate aspects of good risk management into their normal thinking, almost anyone can benefit from the guidance laid out in the framework. There are clear skills, tools, and mindsets the framework supplies that managers need to learn. Don’t relegate them to a few select people who never influence decision-makers.
All of the Framework Is Important. What most internal auditors and risk managers would think of as risk management is in the Performance component of the framework, but that would fail to see all five components as critical. All five are interrelated. One can’t set risk appetite without an understanding of culture; one can’t select risk responses without communicating about risks within the organization; one can’t have a great risk assessment approach without the feedback loop to review and improve the process based on learning.
ERM Does Not Compete With Internal Controls. The framework eliminates any confusion as to how ERM interacts with internal controls. ERM addresses risks as part of decision-making. In managing some risks, a desire to reduce the risks could be accomplished through internal controls. If this is the direction, then organizations should look to the COSO Internal Control–Integrated Framework for guidance on how to implement internal controls effectively.
An Opportunity for Internal Audit
Some internal auditors have responsibility for their organization’s ERM approach, some provide facilitation, and some perform assessments of management’s design and execution of ERM. The IIA Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management, provides useful guidance on the options, and limitations, for internal audit’s involvement with ERM.
Internal auditors who have a more engaged role in ERM through facilitation, training, etc., will work through the new COSO ERM framework in a fair amount of detail. However, there is a wealth of information in the framework for every internal auditor.
ISO 31000 Update Coming Soon
The International Organization for Standardization’s Technical Committee 262 is updating its ISO 31000 risk management standard. The revision to the 2009 standard is expected to be issued in early 2018. While different in structure, the core aspects of ISO 31000 are consistent with COSO ERM. The standard asserts that risk management is an integral part of decision-making, and creating value for the organization is the primary reason for risk management.
Indeed, the framework is a fabulous opportunity for internal auditors who are not intimately involved in ERM. The increased attention to risk management that will come about through the release of the updated framework — and the expected release of an updated version of the International Organization for Standardization’s ISO 31000: Risk Management Principles and Guidelines — provides internal auditors with the ability to reorient their work, messaging, and reporting around the way management thinks (see “ISO 31000 Update Coming Soon”). As internal audit strives to create and protect value for organizations, understanding the principles of risk management better and incorporating them into the practice of internal auditing can pay large dividends. Here are some suggested next steps for every internal auditor.
First, internal auditors should become conversant with the fundamentals of the framework. At its core, internal auditing is all about risk. While most internal auditors focus on the adequacy of internal controls, internal controls should be viewed as a method to implement the “reduce” response to risk. Risk is central and comes first, however. Internal auditors should master the concepts of risk — how it is identified, assessed, analyzed, responded to, reviewed, and reported. Without this context, it is not possible to effectively address internal controls.
Second, auditors can do themselves a favor if they talk less about the adequacy of internal controls and talk more about risk, managing risk, and reducing risk where advised. Management thinks of the world through the perspective of setting out objectives and accomplishing them — all with the goal of delivering performance. The more internal auditors talk about those objectives and the events that can impact delivering performance, the more management would understand how internal audit delivers value. Auditors are not here to be naysayers or add bureaucracy with more controls. They are here to help management deliver on its objectives. This requires auditors to think and talk in terms of risk, potential impact, and response.
Third, internal auditors should not only evaluate internal controls, but also management’s choice and implementation of risk responses. Internal controls are but one potential risk response. Internal auditors should be considering all five risk responses in assessing whether management has selected the optimal way to address a risk.
Fourth, internal auditors should not focus blindly on always trying to reduce risk. Risk responses should be designed to improve performance. This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance. When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.
Internal auditors are some of the best in understanding the theory regarding risk. The revised COSO ERM framework provides auditors the opportunity to become even more expert in the material so they can help their organization navigate how best to implement it. Not everyone will see the framework as something worth their attention, providing an opportunity for internal auditors.
To download the IIA position paper, The Role of Internal Auditing in Enterprise-wide Risk Management, visit http://bit.ly/2vIU6Mt