COSO broadly defines enterprise risk management (ERM) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The framework encompasses, but does not replace, the Internal Control – Integrated Framework published by COSO in 1992.
Like its internal control counterpart, the ERM framework is presented in the form of a three-dimensional matrix. The matrix includes four categories of objectives across the top – strategic, operations, reporting and compliance. There are eight components of enterprise risk management, which are further explained below.
Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix for applying the framework. As outlined by COSO, the framework provides eight components for use when evaluating ERM:
1. Internal Environment
This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.
2. Objective Setting
Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.
3. Event Identification
Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.
4. Risk Assessment
Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.
5. Risk Response
Management considers alternative risk response options and their effect on risk likelihood and impact as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.
6. Control Activities
Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.
7. Information and Communication
The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it.
8. Monitoring
Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time.
The thought process underlying the above framework works in the following manner: For any given objective, such as operations, management must evaluate the eight components of ERM at the appropriate level, such as the entity or business unit level.