A Peek at COSO ERM 2004
Community of Sponsoring Organizations (COSO), a voluntary organization which provides guidance to executive management and governance entities, released a framework by the name Enterprise Risk Management (ERM) in 2004. The framework is meant to offer integrated principles, common terms and practical implementation guidance for companies to create and develop their enterprise risk management processes.
The Goals of ERM
According to the Executive Summary of the Enterprise Risk Management, this framework aims at:
- Aligning Risk Appetite and Strategy – The framework takes into consideration the entity’s risk appetite during the evaluation of strategic alternatives, the establishment of related aims, and the development of mechanisms to manage risks.
- Improving Risk Response Decisions – ERM allows companies to define and choose from different alternative risk responses, including risk reduction and risk sharing.
- Decreasing Operational Hindrances and Losses – By ensuring the implementation of ERM, companies will be able to identify potential risks before they occur and establish responses. Therefore, there will be no surprises, costs or losses.
- Discovering and Managing Numerous and Cross-Enterprise Risks – Because some risks may occur at the same time and in different parts of the organization, ERM is designed to provide an effective response to the interrelated impacts and multiple risks.
- Grabbing Opportunities – ERM allows companies to manage numerous events, therefore allowing them to proactively discover opportunities.
- Enhancing the Use of Capital – By implementing ERM’s framework, companies will have more risk information than from any other best practice standard. Therefore, they will be able to determine how much capital they will require as well as be able to allocate capital efficiently.
Components of ERM
To achieve the aforementioned goals, ERM was designed to consist of eight components.
- Internal Environment – This component explains the tone of an organization and determines how a risk will be viewed and addressed.
- Objective Setting – With this component, companies will develop a process to set objectives. Objectives are usually important for companies to identify potential events which can hinder their success.
- Event Identification – Internal and external events which affect the company’s objectives should be identified and differentiated from risks and opportunities.
- Risk Assessment – Risks should be analyzed based on their probability and impact in order for the company to decide on how they should be managed.
- Risk Response – Professionals in charge of managing risks should be able to select risk responses in order to decide the actions to be taken beforehand.
- Control Activities – This component highlights the need to establish and implement policies and processes that carry out risk responses effectively.
- Information and Communication – Information related to the risks is identified, captured and communicated in a specific format and timeframe so that professionals can carry out their responsibilities effectively.
- Monitoring – All the components and objectives of ERM are monitored and modified when necessary.