Which of the following statements about the 2004 and 2022 ERM COSO frameworks is not true
What Is Enterprise Risk Management (ERM)?

Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other sources of harm that may interfere with an organization's operations and objectives or lead to losses.
Understanding Enterprise Risk Management (ERM)

Enterprise risk management takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide oversight takes precedence. It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance have all shifted to ERM. ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communication and coordination between business units is key to ERM's success, since a risk decision coming from top management may seem at odds with local assessments on the ground. Firms that use ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm. While ERM best practices and standards are still evolving, they have been formalized through COSO (the Committee of Sponsoring Organizations of the Treadway Commission), an industry group that maintains and updates such guidance for companies and ERM professionals. ERM-friendly firms may be attractive to investors because they signal more stable investments.

A Holistic Approach to Risk Management

Modern businesses face a diverse set of risks and potential dangers. In the past, companies traditionally handled their risk exposures by having each division manage its own. Enterprise risk management calls for corporations to identify all the risks they face. It also makes management decide which risks to manage actively. Instead of risks being siloed across a company, a company using ERM sees the bigger picture. ERM treats each business unit as part of a "portfolio" within the firm and tries to understand how risks to individual business units interact and overlap. It is also able to identify potential risk factors that are unseen by any individual unit. Companies have been managing risk for years. Traditional risk management has relied on each business unit evaluating and handling its own risk and then reporting back to the CEO at a later date. More recently, companies have started to recognize the need for a more holistic approach. A chief risk officer (CRO), for instance, is a corporate executive position that ERM calls for. The CRO is responsible for identifying, analyzing, and mitigating internal and external risks that affect the entire corporation. The CRO also works to ensure that the company complies with government regulations, such as the Sarbanes-Oxley Act (SOX), and reviews factors that could hurt investments or a company's business units. The CRO's mandate is specified in conjunction with other top management, the board of directors, and other stakeholders.

A good indication that a company is working at effective ERM is the presence of a chief risk officer (CRO) or a dedicated manager who coordinates ERM efforts.

Components of Enterprise Risk Management

The COSO enterprise risk management framework identifies eight core components that define how a company should approach creating its ERM practices.

Internal Environment

A company's internal environment is the atmosphere and corporate culture within the company, set by its employees. This sets the precedent for the company's risk appetite and for management's philosophy regarding incurring risk. The internal environment may be set by upper management or the board and communicated throughout an organization, though it is often reflected in the actions of all employees.

Objective Setting

As a company determines its purpose, it must set objectives that support its mission and goals. These objectives must then be aligned with the company's risk appetite. For example, an ambitious company that has set far-reaching strategic plans must be aware that there may be internal or external risks associated with these lofty goals. In response, a company can align the measures to be taken with what it wants to accomplish, such as hiring additional regulatory staff for expansion areas it is currently unfamiliar with.

Event Identification

Positive events may have a great impact on a company. On the other hand, negative events may have detrimental effects on a company's ability to continue to operate. ERM guidance recommends that companies identify important areas of the business and associated events that may have dire outcomes. These high-risk events may be operational (e.g. natural disasters that force offices to close temporarily) or strategic (e.g. government regulation outlaws the company's primary product line).
Risk Assessment

In addition to being aware of what may happen, the ERM framework details the step of assessing risk by understanding the likelihood and financial impact of risks. This includes not only the direct risk (e.g. a natural disaster renders an office unusable) but also secondary, knock-on risks (e.g. employees may not feel safe returning to the office). Though difficult, the ERM framework encourages companies to consider quantifying risks by estimating the probability of occurrence as well as the dollar impact.

Risk Response

A company can respond to risk in the following four ways:
Control Activities

Control activities are the actions taken by a company to create policies and procedures that ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:
Information and Communication

Information systems should be able to capture data useful to management for better understanding a company's risk profile and its management of risk. This means not granting exceptions for departments that outperform others; all aspects of a company should be continually monitored. By extension, some of this data should be analyzed and communicated to employees when it is relevant to mitigating risk. By communicating with employees, there is more likely to be greater buy-in for processes and protection of company assets.

Monitoring

A company can turn to an internal committee or an external auditor to review its policies and practices. This may include reviewing what is actually performed compared to what policy documents prescribe. It may also entail getting feedback, analyzing company data, and informing management of unaddressed risks. In an ever-changing environment, companies must also be ready to reassess their ERM environment and pivot as needed. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its ERM framework in 2004, and the publication has been widely used since; COSO issued an updated edition in 2017 that reorganizes the guidance around strategy and performance.

How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company's size, risk preferences, and business objectives. Below are best practices most companies can use to implement ERM strategies:
As a company implements ERM practices, it is widely advised to continually gather feedback from all employees. Everyone will have a different perspective on what might not be working or what could be done better.

Advantages and Disadvantages of Enterprise Risk Management

Advantages of ERM

ERM sets organization-wide expectations around a company's culture. This includes communicating more openly about the risks a company faces and how to mitigate them. This leads to fewer unexpected risks and clearer direction on how to respond to certain events. In addition, it may lead to greater employee satisfaction, knowing plans are in place to protect company resources, as well as better customer service, since staff know how to respond to customers should certain risks actually materialize. ERM practices are often synthesized into a standardized risk report delivered to upper management. This report succinctly summarizes the risks a company faces, the actions being taken, and the information needed for decision-making. As a result, a company may be more efficient with its time, especially in what is delivered to upper management. ERM may also have a company-wide positive impact on the resourcefulness of the business. ERM may eliminate redundant processes, ensure efficient use of staff, reduce theft, or increase profitability through a better understanding of which markets to enter.

Disadvantages of ERM

As a company builds out its ERM practices, it will likely consider familiar risks it has been exposed to in the past. ERM is therefore limited in identifying future risks of which the organization is unaware and which may have more detrimental impacts. In this sense, some may consider ERM reactive, since companies can only forecast risk based on what they have prior experience of. ERM also relies very heavily on management estimates and inputs, which may be nearly impossible to predict accurately.
For example, in the unlikely event that a company had forecast the occurrence of the COVID-19 pandemic, would it have been able to accurately calculate the fiscal impact of business closures or changes in consumer spending? ERM mitigation costs may also be difficult to assess. ERM practices are time-intensive and therefore require company resources to be successful. Though the company will benefit from protecting its assets, it must divert staff time and may need to make capital investments to implement ERM strategies. In addition, a company may find it difficult to quantify the success of ERM, as the financial impact of risks that do not occur can only be projected.
What Types of Risks Does Enterprise Risk Management Address?

ERM can help devise plans for almost any type of business risk. Business risk threatens a company's ability to survive, and it may be further classified into the risk types discussed below. In general, ERM most commonly addresses the following types of risk:
What Is ERM and Why Is It Important?

ERM is a company's approach to managing risk: the practices, policies, and framework for how a company handles the variety of risks its business faces. ERM is important because it helps prevent losses or unexpected negative outcomes. It is also important because it helps a company put plans in place to approach risk strategically and garner employee buy-in.

What Are the 3 Types of Enterprise Risk?

ERM often summarizes the risks a company faces as operational, financial, and strategic risks. Operational risks affect day-to-day operations, while strategic risks affect long-term plans. Financial risks affect the general financial standing and health of a company.

What Are the 8 Components of ERM?

The COSO framework for ERM identifies eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. These eight core components drive a company's ERM practices.

What Is the Difference Between Risk Management and Enterprise Risk Management?

Risk management has traditionally described the practices and policies surrounding a specific risk a company faces. More modern risk management has introduced ERM, a comprehensive, company-wide approach that views risk holistically for the entire company.

The Bottom Line

As a company makes, sells, and delivers goods to customers, it faces countless risks from numerous sources. To plan better for these risks, companies are turning to enterprise risk management, a company-wide, top-down approach to assessing risk and devising plans. The ultimate goal of ERM is to protect a company's assets and operations while having strategies in place should certain unfortunate events occur.