ERM Isn’t Optional Anymore: How to Protect and Strengthen Your Organization

The term Enterprise Risk Management (ERM) has been around since the late 1990s. It refers to organizational risks and how to best manage those risks. Some risks have continued and will continue to be risks, such as natural disasters, equipment malfunctions, employee safety, securing sensitive data, regulations, or fraud. Others, such as those involving IT, constantly change with the ever-changing IT landscape. Some risks are common across organizations while others can be unique. Properly managing these risks protects the organization from harm, creates opportunities for improvement, and enables the organization to continue.

COSO (Committee of Sponsoring Organizations) created a framework, first published in 2004 and updated in 2017, titled Enterprise Risk Management—Integrating with Strategy and Performance. This same document says, “Readers may also wish to consult a complementary publication, COSO’s Internal Control—Integrated Framework.” Using these two documents as a guide, an organization can create its own strategy.

Organizational Preparedness For Major Risks

According to the document, some of the benefits of ERM are:

  • Increased opportunities by considering both positive and negative aspects of identified risks.
  • Sometimes a risk originates in one part of an entity but ends up impacting the entire entity. ERM seeks to identify and manage risks entity-wide.
  • By establishing appropriate responses to risks, positive outcomes are increased while negative ones and surprises are reduced.
  • Performance variability is reduced by allowing an organization to anticipate risks that could affect performance and put in place actions to minimize disruption.
  • The use of resources is improved by assessing and prioritizing resource allocation.
  • An organization’s ability to anticipate and respond to change allows it not only to survive, but to thrive.

When choosing a strategy, an organization needs to consider how that strategy aligns with its mission, vision, and core values. In addition, management must work through the inherent trade-offs in light of its risk appetite.

The framework is made up of five components supported by twenty principles as illustrated below.

The five interrelated components:

The twenty principles:

In October 2024, the AICPA & CIMA reported that the ERM process continues to be undervalued by boards and executives. The report found that 66% of respondents felt the volume and complexities of risk were increasing, but only 32% felt their risk oversight was sufficient. 48% also noted that their organizations had faced an operational surprise within the last 5 years that had a significant impact on the organization as a whole.

Alan T. Dickson, a Distinguished Professor of Accounting and Director of the ERM Initiative at NC State, said, “Risk management will not become easier over time. Given the rapid speed of change in the global business environment, complex risk issues will continue to emerge at rapid-fire pace. Now is the time for many organizations to give their approach to risk governance an honest assessment.”

If your organization has not yet implemented ERM, now is the time to do so. There are many resources available to aid in this process, including Teuscher Walpole.

Teuscher Walpole, LLC

We are a trusted and experienced team of certified public accountants dedicated to providing our clients with exceptional financial and advisory services. With a focus on delivering personalized solutions tailored to your specific needs, we strive to be your trusted partner in achieving financial success and growth.