Enterprise Risk Management Framework
Enterprise risk management is a process:
- effected by an entity’s board of directors, management and other personnel,
- applied in strategy setting and across the enterprise,
- designed to identify potential events that may affect the entity,
- to manage risk to be within its risk appetite, and
- to provide reasonable assurance regarding the achievement of entity objectives.
Why is ERM important?
- Management can identify new opportunities and unique challenges associated with current opportunities.
- It helps the entity identify and add value for its stakeholders.
- It allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.
- It helps the entity deal effectively with potential future events that create uncertainty.
- Obtaining robust information on risk allows management, in the face of finite resources, to assess overall resource needs, prioritize resource deployment and enhance resource allocation.
ERM Framework
COSO’s enterprise risk management (ERM) model has become a widely accepted framework for organizations to use. It has been established as a model that can be applied in different environments worldwide. ERM considers activities at all levels of the organization:
- enterprise level,
- division or subsidiary level, and
- business unit processes.
Components of ERM framework
The Framework itself is a set of principles organized into five interrelated components:
- Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
- Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
- Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
The five components in the updated Framework are supported by a set of principles. These principles cover everything from governance to monitoring. They are manageable in size, and they describe practices that can be applied in different ways for different organizations regardless of size, type, or sector. Adhering to these principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.
How internal auditors can add value to an organization’s ERM framework
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management’s risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
- Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.