THE UPDATED COSO ERM FRAMEWORK: WHAT TO EXPECT AS INTERNAL AUDIT – Part 2
In the previous newsletter we introduced the updated COSO ERM framework, discussed its broad outline and touched on its effect on Internal Auditors. In this edition we look further into the changes to the ERM framework and discuss how the framework can be applied as an Internal Audit guide.
The new title, Enterprise Risk Management—Aligning Risk with Strategy and Performance, recognises the increasing importance of the connection between strategy and entity performance. COSO therefore positions the framework as a strategic tool for achieving entity performance, and emphasises that all organisations need to set and periodically adjust strategy with an awareness of both ever-changing opportunities for creating value and the challenges they will face in pursuit of that value. The ERM framework defines enterprise risk management as:
“the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value”. Integrating risk management with strategy and execution in this way can bring the following benefits:
- Increasing the range of opportunities: By considering all possibilities, both the positive and the negative aspects of risk, management can identify new opportunities and the unique challenges associated with current opportunities.
- Identifying and managing risk entity-wide: Every entity faces myriad risks that can affect many parts of the organization. Sometimes a risk can originate in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance.
- Reducing negative surprises and increasing gains: Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from advantageous developments.
- Reducing performance variability: For some entities, the challenge is less about surprises and losses and more about variability in performance. Performing ahead of schedule or beyond expectations may cause as much concern as performing behind schedule or short of expectations. Enterprise risk management allows an entity to anticipate the risks that would affect performance and enables it to put in place the actions needed to minimise disruption.
- Improving resource deployment: Obtaining robust information on risk allows management to assess overall resource needs and enhance resource allocation.
These benefits highlight the fact that risk should not be viewed solely as a potential constraint or challenge to executing a strategy. Rather, the change that underlies risk and the organizational responses to risk also give rise to strategic opportunities and key differentiating capabilities.
Strategy selection is about making choices and accepting trade-offs. So it makes sense to apply enterprise risk management, the best approach for untangling the art and science of making well-informed choices, to strategy. Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy. In other words, the discussions focus on risks to the strategy: “We have a strategy in place, what could affect the relevance and viability of our strategy?”
However, risk to the chosen strategy is only one aspect of risk to consider. The COSO ERM Framework emphasises two additional aspects of enterprise risk management that can have a far greater effect on an entity’s overall risk profile.
The first is the possibility of the strategy not aligning with the organisation’s mission, vision and core values. Every entity has a mission, vision and core values that define what it is trying to achieve and how it wants to conduct business. Some are sceptical about whether organisations truly embrace their corporate credos, but mission, vision and core values have been demonstrated to matter, and they matter most when it comes to managing risk and remaining resilient during periods of change.
A chosen strategy must support the organisation’s mission and vision. A misaligned strategy increases the possibility that the organisation will not realise its mission and vision, or will compromise its values, even if the strategy is successfully executed. Enterprise risk management therefore considers the possibility of the strategy not aligning with the organisation’s mission and vision.
The second is the set of implications from the strategy itself. When management develops a strategy and works through alternatives with the board, it makes decisions about the trade-offs inherent in each option. Each alternative strategy carries its own risk profile; these are the implications from the strategy, the risks an organisation takes on simply by choosing that strategy.
The board of directors and management need to consider how the strategy works in tandem with the organisation’s risk appetite, and how it will help drive the organisation to set objectives and ultimately allocate resources efficiently.
It is therefore important to note that enterprise risk management is as much about understanding the implications from the strategy, and the possibility of the strategy not aligning with mission and vision, as it is about creating an inventory of all risks within the organisation. These considerations are why enterprise risk management can be so valuable in the strategy-setting process.
To assist in implementing risk management as a strategic planning tool, the Framework itself is divided into a set of principles organized in five interrelated components:
- Risk Governance and Culture: Risk governance sets the organisation’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviours, and understanding of risk in the entity.
- Risk, Strategy, and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Risk in Execution: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Risk Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organisation.
- Monitoring Enterprise Risk Management Performance: By monitoring risk management performance, an organisation can consider how well the enterprise risk management components are functioning over time and in light of substantial changes.
In the next issue we will elaborate further on the principles supporting the above five components and on the applicability of these components as an audit tool for Internal Auditors.