Topics: Compliance, Risk Management, Strategy

September 6, 2017

Does Your Enterprise Risk Management Make a Difference?

Now that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released its updated framework on enterprise risk management (ERM), it’s time for companies to take a fresh look at their risk management practices. While the concepts in the update aren’t new, the emphasis is markedly different, with a focus on what’s really important in maximizing the value of ERM.

In recent years, ERM implementations have generally focused on three questions:

  1. Do we know what our key risks are?
  2. Do we know how they’re being managed?
  3. How do we know?

In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.

While seeking these answers is a useful exercise, is it enough? Directors should also ask:

  • Is our ERM approach helping us identify flaws and weaknesses in our strategy on a timely basis?
  • Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt?
  • Do we truly consider risk and return in our decision-making processes or do we blindly follow the herd and remain emotionally invested in the comforts of our business model?
  • Do we seek out what we don’t know? Are we prepared for the unexpected?
  • Is everyone competing for capital and funding with rose-colored glasses, making the resource and budget allocation process a grabfest?

Yes, companies have made progress in various ways with enterprise risk management, but depending on the answers to the above questions, more needs to be done.

Adoption and application of COSO’s Framework could alter the conversation by clarifying the importance of integrating risk, strategy, and enterprise performance. While a stand-alone process may be worthwhile and useful, it is not ERM as defined by COSO. The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components, offering a benchmarking option for companies seeking to enhance their ERM approach.

Four observations frame what COSO is looking for:

  • Integrate ERM with strategy. There are three dimensions to integrating ERM with strategy-setting and execution:
    • risks to the execution of the strategy;
    • implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and resulting risk profile); and
    • the possibility of the strategy not aligning with the enterprise’s mission, vision and core values.

   All three dimensions need to be considered as part of the strategic management process.

  • Integrate risk with performance. Risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
  • Lay the foundation for ERM with strong risk governance and culture. The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incentivizing unintended consequences. Such pressures may be spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model, and imbalances between rewards for short-term financial performance and stakeholders focused on the long term.
  • Tie risk considerations into decision-making processes. COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity, and better anticipation of changes to the enterprise, the more relevant it is and the more likely the organization will execute its strategy successfully and achieve its business objectives.

Boards should urge the executives within their companies to consider the principles embodied by the COSO framework to advance their current ERM approach. In this regard, we suggest organizations focus on three keys:

Position the organization as an early mover. When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The question is: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy? The organization attains time advantage when it obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known.

Address the challenges of risk reporting. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile and nimble in responding to a changing business environment. To truly impact decision-making, risk reporting must address three questions:

  1. Are we riskier today than yesterday?
  2. Are we entering a riskier time?
  3. What are the underlying causes?

Risk reporting is often not actionable enough to support decision-making processes. Once risk reporting is designed to answer these three questions, it becomes the key to evolving ERM to a “risk-informed” decision-making discipline.

Preserve reputation by maximizing the lines of defense. How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted model consists of three lines of defense. The first line is business unit management and the process owners whose activities give rise to risk. The second line is the independent risk and compliance functions, and internal audit is the third line. Also important is the tone of the organization—the collective impact of the tone from the top, the tone from the middle, and the tone at the bottom on risk management, compliance, and responsible business behavior. The proper tone lays the cultural foundation for the effective functioning of each of the three lines of defense. Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board when necessary.

These three keys offer a focused line of sight for companies and their boards seeking to advance their ERM approach consistent with the principles and guidance in the updated COSO framework. The relationship of ERM to the processes the CEO values most can be compared to the contribution of salt, pepper, and other seasonings to a sumptuous meal. The objective is to enhance the outcomes that the organization is attempting to achieve by enabling it to be more adaptive in a volatile, complex, and uncertain world.

Jim DeLoach is managing director at Protiviti.

Jim DeLoach October 09, 2017

Sankar, your point is spot on. Learning should not be confined to internal sources. Incidents affecting other companies offer a valuable source of learning and present an opportunity to evaluate internal controls and preparedness. They prompt such questions as:
— Can what happened to them happen to us? If not, how do we know?
— Have we incorporated these risks into our own assessment process?
— How would we have reacted? Have we thought about it?

These are appropriate questions for board members to raise when they become aware of high profile events that truly concern them. The resulting line of inquiry and the tabletop exercises you referred to in your comments can lead to refinements in established internal controls and more robust response plans.

Thank you for sharing your observations!

Sankar Krishnaswamy September 29, 2017

Jim DeLoach, great article and excellent summary of COSO’s continuous improvement in Risk management and mitigation. In addressing “Preserve reputation by maximizing the lines of defense”, your suggestion was comprehensive.

I was wondering if perhaps we can also use external parties and how they reacted in risky scenarios in our risk database, meaning how risks were handled by other organizations (e.g., the recent Equifax breach of consumer data): the root cause, the damage it caused, the PR nightmare. Finally, we should debate internally with the right team how this organization could have reacted in a similar scenario if it occurred here (obviously this will require some periodic, say, luncheon meetings with stakeholders within the company, esp. risk managers).

This can also make the organization get smarter at defending against risks, learning from someone else’s mistakes and (good/bad) experience, in my humble opinion. Appreciate your response. Once again, excellent article and a great read. Thanks.

Jim DeLoach September 16, 2017

Thanks, Bud. Appreciate the feedback and color commentary.

Bud Schrock September 08, 2017

Jim – as always you’re on top of things. Great recap. It’s good to know that COSO is continuing to move toward a more relevant view of risk. At the philosophical level, risk management exists only to assure that strategies (at every level of the organization) have a reasonably good chance of achieving their related objectives. Everything else is just implementation of that single idea.

Jim DeLoach September 07, 2017

You’re absolutely right, Jim. High velocity, high persistence and high impact risks require high response readiness in this day and age. It’s not just a question of whether a risk event will occur; it’s a question of what will we do if it were to occur. BTW, I know Sri very well and that is an excellent article you cited. Thanks for the commentary!

Jim Wanserski September 07, 2017

Comprehensive approach for this day and age…thanks for your summarization. One additional thing…there’s definitely a “velocity” component/element that must be evaluated in conjunction with “likelihood” and “impact”…and it’s not just negative risks to be prepped for, but opportunities not optimized. Velocity/speed/timing considerations are just as important as the classical two, if not MORE SO. See Ramamoorti’s (June 2017) piece in The CPA Journal on “velocity” of risk.