Risk Management & the COSO Framework
Risk is defined as the possibility that an event will occur and adversely affect the achievement of an objective. (Committee of Sponsoring Organizations (COSO) of the Treadway Commission)
Enterprise Risk Management (ERM) is:
- A process effected by an entity’s board of directors, management, and other personnel
- Applied in strategy setting across the enterprise
- Designed to identify potential events that may affect the entity and manage risk to be within its risk appetite
- To provide reasonable assurance regarding the achievement of entity objectives
The ERM framework is graphically depicted as a three-dimensional matrix which depicts the interrelationships between the objectives categories (across the top), the components of ERM (on the face), and the entity’s business structure (the side of the cube).
The business structure across the right face of the cube depicts the cascading nature of risk management throughout the organization. It doesn’t matter whether you use a bottom-up or top-down approach; the risk management plan should be the same at the end of the day.
Certain risks will exist at the entity level, for example those associated with capital markets or overall leadership. As we drill into the organization, risks will vary by division, business unit, and subsidiary based on varying products, customers, suppliers, geographic locations, currency exposure, commodity exposure, etc.
So if you understand this layering of risks, you get the idea of the business structure face of the COSO cube. In the sections that follow, we’ll drill into the other faces of the cube, which require a little more of an explanation.
On the top face of the COSO cube we have objectives. Objectives can be categorized into one of four groups:
- Strategic objectives – high level goals aligned with the mission of the organization
- Operational objectives – effective and efficient use of resources
- Reporting objectives – reliable internal and external reporting
- Compliance objectives – conformance with applicable laws and regulations
These objectives aren’t just risk management objectives. These are the very same objectives that would be described and defined through a strategic planning process. When you stand back and look at these objectives, you realize that these are the things you need to achieve to run a successful business.
The internal environment is composed of the tone of an organization, which sets the basis for how risk and control are viewed and addressed. The internal environment is the foundation which provides structure and discipline for all the other components of enterprise risk management.
Objective setting is the process of establishing strategic goals for an entity. The achievement of strategic goals necessitates development of operational, reporting, and compliance objectives.
Objectives are set taking into consideration the risk tolerance and risk appetite of the entity.
Event identification determines which events may affect an entity and whether these events represent opportunities or risks to the achievement of objectives. Opportunities factor into setting the strategic objectives. Risks require management attention for assessment and response.
Identifying events requires management to consider both internal and external factors that could give rise to an event. Factors may arise from: economic events, natural disasters, political changes, societal changes, technological advancements, personnel incidents, process deficiencies, etc.
Risk assessment occurs when management evaluates the potential impact of specific risks on the entity. There are two dimensions that are considered using qualitative and quantitative analysis:
- Likelihood (probability)
- Impact (amount)
There are four risk responses management can take to each risk identified.
- Avoidance. Exiting or divesting the activities giving rise to the risk
- Reduction. Actions are taken to reduce the risk, for example by implementing controls
- Sharing. Actions are taken to transfer or share the risk, for example by purchasing insurance, engaging in hedging, or outsourcing an activity
- Acceptance. No action is taken; the entity accepts the risk rather than deploying resources to address it
Risks are often related. Sometimes the response to one risk impacts the response to others. Risks should be considered on a portfolio basis as well as an individual basis.
Inherent risk represents the total amount of the risk in the absence of any management actions. Residual risk is the amount of risk left over after management takes actions to alter either the likelihood or the impact of a risk.
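The likelihood-and-impact assessment, the four responses, the inherent-versus-residual distinction and the portfolio view described above, worked through as a small risk register. This is an added example, not material from COSO or the original page; the 1-to-5 ordinal scale, the control reductions, the appetite threshold and the sample risks are all constructed for illustration.

```python
"""Constructed risk-register example: inherent vs residual scoring against a risk appetite."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 1..5 ordinal ratings, as on a typical ERM heat map


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # rating steps the control lowers likelihood by
    impact_reduction: int = 0      # rating steps the control lowers impact by


@dataclass
class Risk:
    name: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe
    response: str     # one of the four COSO responses, as recorded by management
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Inherent risk: likelihood x impact before any management action."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk: the score left after controls alter likelihood and/or impact."""
        clamp = lambda v: max(min(SCALE), min(max(SCALE), v))
        lik = clamp(self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = clamp(self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def review(register, appetite):
    """Names of risks whose residual score still exceeds the appetite. Acceptance is only
    consistent with a score within appetite; a Reduction response left above it means the
    controls are not doing enough and the response needs revisiting."""
    return [r.name for r in register if r.residual_score() > appetite]


def portfolio_score(register):
    """Portfolio view: total residual exposure across the register, not just per risk."""
    return sum(r.residual_score() for r in register)


# Constructed sample register (not from the original page)
REGISTER = [
    Risk("Ransomware on file servers", 4, 5, "Reduction",
         [Control("Offline backups", impact_reduction=2), Control("EDR and patching", likelihood_reduction=1)]),
    Risk("Vendor outage", 3, 3, "Sharing", [Control("Contractual SLA and insurance", impact_reduction=1)]),
    Risk("Unsupported legacy application", 5, 4, "Avoidance",
         [Control("Decommission", likelihood_reduction=4, impact_reduction=3)]),
    Risk("Minor web defacement", 2, 1, "Acceptance"),
]
```

Running `review(REGISTER, appetite=6)` flags only the ransomware risk (inherent 20, residual 9), showing a Reduction response whose controls have not yet brought it within appetite; `portfolio_score(REGISTER)` gives 18 for the register as a whole.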
Control activities are the policies and procedures that help ensure the risk responses are carried out; they are most often associated with risk reduction strategies. These activities occur at all levels and in all functions throughout the organization. Risks are mapped to the key processes in the organization. Control activities are classified in a variety of ways, including: preventive or detective, manual or automated, entity level or process level.
Information and Communication requires the identification, capture, and communication of pertinent information to those accountable for managing the risk. To be decision relevant, information must embody these characteristics:
- Appropriate and at the right level of detail
- Available when needed
- Timely, current, and recent
- Accurate and reliable
- Accessible to those who need it
Communication streams must be established for efficient delivery of information not only from the top down, but also the bottom up, across the organization, and between internal and external stakeholders (e.g. suppliers and customers).
Monitoring is the ongoing assessment of ERM over time to ensure it continues to function as designed and remains effective. Monitoring activities are often performed by internal auditors, and any deficiencies are reported to the appropriate level of management or to the board, depending on their severity.
Monitoring activities can also be performed by individuals within the entity through self-assessments. The external auditor provides a further form of monitoring activity.