When initiating the project to update its ERM framework, COSO saw opportunities to achieve clarity on several fronts. The updated framework recognizes the increasing importance of the interconnection of risk, strategy and enterprise performance – particularly in conjunction with making important decisions. It begins with an underlying premise that every entity exists to provide value to its stakeholders and faces uncertainty in the pursuit of that value. Therefore, the framework itself focuses on preserving and creating enterprise value, with an emphasis on managing risk within the entity’s risk appetite. The term “uncertainty” is defined as not knowing how or if potential events may manifest themselves in the context of achieving future strategies and business objectives. “Risk” is considered the effect of such uncertainty in the formulation and execution of the business strategy and the achievement of business objectives.
The challenge for management and the board of directors is to evaluate how much uncertainty – as well as how much risk – they are prepared and able to accept when executing the strategy and pursuing the organization’s performance goals. Therefore, ERM is all about balancing risks and reward in creating value. Achieving that balance leads to an emphasis on protecting enterprise value as well as enhancing it.
The framework is principles-based, meaning it introduces five interrelated components and outlines 20 relevant principles arrayed among those components. The framework is a significant improvement over its 2004 counterpart, as its structure offers a benchmarking option for companies seeking to enhance their ERM approach. The framework focuses on integrating ERM with the core processes that matter. Its subtitle says it all – “Integrating with Strategy and Performance.” Its concept of integration is embodied within its definition of ERM: “The culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk creating, preserving and realizing value.”
If a company implements a stand-alone process, it may be worthwhile and useful, but not an ERM, as COSO defines it. There are four themes that are vital to effective ERM integration:
- Implementing strategy
- Integrating performance
- Laying a strong foundation with risk governance and culture
- Tying risk considerations into decision-making processes
*This post has been updated to include Enterprise Risk Management - Integrated Framework updates.