WHAT IS ENTERPRISE RISK MANAGEMENT (ERM)?
In today’s global economy, business opportunities and risks change constantly, so an organization needs a way to identify, assess, manage and monitor both. The question is: how does an organization take practical steps to link opportunities and risks when managing the business? And what does this have to do with risk management? In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise Risk Management – Integrated Framework after a three-year development project.
The framework, which includes application techniques, expands on the previously issued Internal Control – Integrated Framework to provide a more robust and extensive focus on enterprise risk management (ERM). COSO defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Enterprise Risk Management is:
· A process, ongoing and flowing through an entity
· Effected by people at every level of an organization
· Applied in strategy-setting
· Applied across the enterprise, at every level and unit, including an entity-level portfolio view of risk
· Designed to identify potential events affecting the entity and manage risk within its risk appetite
· Able to provide reasonable assurance to an entity’s management and board
· Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to an end, not an end in itself
ERM is about establishing the oversight, control and discipline needed to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. It advances the maturity of the enterprise’s capabilities for managing its priority risks. Before a company can assert that it is applying ERM, it must address all of the concepts embodied in COSO’s definition above, not just some of them.
Using the ERM definition articulated above, the overriding objective for implementing ERM is to provide reasonable assurance to an entity’s management and board that the entity’s business objectives are achieved.
COSO states that ERM assists management with aligning risk appetite and strategy, enhancing risk response decisions, reducing operational surprises and losses, identifying and managing cross-enterprise risks, providing integrated responses to multiple risks, seizing opportunities and improving deployment of capital.