Enterprise Risk Management (ERM) is an important topic discussed across industries and organizations. Without the background of what it entails and how to implement an effective program, ERM may be an ambiguous idea. So, what is ERM?
As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its most recent 2017 update of Enterprise Risk Management (ERM), ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
The ERM definition is purposefully broad and meant to capture the key concepts that allow different types of organizations to identify, assess, manage, monitor, and report risk. As a result, ERM Framework and application can and should vary across different industries and sectors. Simply, ERM is an ongoing process of planning, organizing, and leading an organization’s actions to support its goals without setbacks from avoidable obstacles.
Three frameworks have become guiding forces for the implementation of an ERM program:
- COSO ERM Framework
- International Organization for Standardization (ISO) 31000
- The United States Government Accountability Office (GAO) Enterprise Risk Management Framework
Understanding these ERM frameworks and how they are implemented can assist organizations in making informed, risk-based strategic decisions. Below is an overview of each framework.
COSO ERM Framework: Looking at Risk to Enhance Organizational Performance
In 2017, COSO published its updated Enterprise Risk Management Integrated Framework, or the COSO ERM Framework. The framework complements the COSO Internal Control Framework1 and further expands upon risk. The COSO ERM Framework provides a basis for coordinating and integrating an organization’s risk management activities to improve decision-making and enhance organizational performance.
The COSO ERM Framework approaches risk from a portfolio view, looking at risk as it relates to entity-wide strategy and business objectives and their effects on the organization as a whole. Organizational management has ultimate responsibility for an entity’s development, implementation, and management of an effective ERM program.
The COSO ERM Framework consists of five interrelated components:
- Governance and culture
- Strategy and objective-setting
- Review and revision
- Information, communication, and reporting
ISO 31000 Framework: A Principle-Based Approach to Risk
In 2018, ISO published its updated ISO: 31000, Risk Management Guidelines (ISO 31000). ISO 31000 is a principles-based approach to risk management with a purpose of value creation and protection across the organization. According to ISO, effective, efficient, and consistent risk management is comprised of eight principles:
- Structured and comprehensive
- Best available information
- Human and cultural factors
- Continual improvement
The principles are applied and evaluated in conjunction with six components of an effective risk management framework. ISO defines the components of effective, efficient, and consistent risk management as:
- Leadership and commitment
Per ISO 31000, management and the Board of Directors are responsible for setting the organization’s risk attitude and ensuring each of the principles is implemented entity-wide.
GAO Enterprise Risk Management: Applying Risk Management to the Federal Entities
In 2016, GAO published its Enterprise Risk Management Framework. It provides a risk management framework to focus on the essential elements of federal enterprise risk management and mirrors the frameworks discussed above. The framework defines six essential elements:
- Align the ERM process to goals and objectives
- Identify risks
- Assess risks
- Select risk responses
- Monitor risks
- Communicate and report on risks
Assessing the Frameworks and Determining Which is Best for You
Understanding each framework and their nuances gives insight into how each could function within an organization. Organizational structure, culture, and value created by each framework should be the driving forces behind the choice to utilize one framework over the other.
Perhaps the most prevalent factor in deciding which framework to use is the cost-benefit of implementing each one. Prior to making a decision, management should assess the time, effort, and resources that will be allocated and make the most beneficial decision for their organization.
While the GAO ERM Framework serves as a guide for federal government entities to implement enterprise risk management, the COSO ERM Framework and the ISO 31000 Framework are more universally focused, industry agnostic frameworks. Each can be interpreted and applied to help ensure organizations across industries can implement an effective ERM program. As leadership decides if assessing and implementing an ERM program is strategically beneficial, they can consider both frameworks.
It’s important to keep in mind that the implementation of a new framework takes time. There are tools, resources, and experts available to leadership contemplating the decision to implement an ERM program. Consideration of those resources should be made and leveraged to put the organization in the best position for continued success in the future.
In our next blogs, we will take a deep dive into each of the ERM frameworks discussed in this article. If you have any questions, please reach out to our team who would love to speak with you about your organization’s risk management needs.