Enterprise risk management framework

enterprise risk management framework

The enterprise risk management framework (ERM) from COSO is widely used as the framework of choice in organizations. COSO is the Committee of Sponsoring Organizations set up in the mid 1980s to sponsor research into fraudulent financial reporting.


The ERM Model

The ERM model illustrates the links between the objectives of the model and the eight aspects of it which are at the front. The units in an organization are represented in the third dimension of the enterprise risk management framework model and how it can be used to focus on the different units.

good enterprise risk management framework

The internal environment of an organization
The internal environment determines the essence of an organization and influences its level of risk appetite, the approach to risk management and ethical values it upholds. It is determined by an organization’s board which should ideally collaborate with audit and risk committees. This may not be enough to assess and deter internal fraud though which is one thing the COSO enterprise risk management framework is criticized for.

Setting objectives
A board should set objectives that are in the line with the mission of an organization which should be set in accordance with its risk appetite. The board can only set realistic objectives if they are aware of the entrepreneurial risks they face. Risk tolerance which refers to the acceptable variation from set objectives should also be considered. Considering the way control systems can be used strategically is part of this.

Identifying events
Organizations must identify the internal and external events that influence the achievement of set objectives. The COSO framework differentiates between negative impact events that represent risks and positive ones that represent opportunities. A distinction between strategic and operational risks is also important. Organizations also need identify the risks from one-time events like mergers and acquisitions and those that are periodic which could result in changes in risk like expansion.

Assessment of risks
This is about assessing the probability and impacts of risks to determine how to manage them. The interrelation between individual risks should also be considered. The COSO framework emphasizes the importance of using both qualitative and quantitative risk assessment. Residual risks that remain after risk management actions are taken should be addressed as well.

enterprise risk management
Risk response
There are four main responses to risks which are to avoid, reduce, transfer or accept. A portfolio rather than isolated view of risk is encouraged. Risk responses have to be realistic and take into account the cost of response and the impact on risk. The principle of ALARP where comprehensive risk responses and controls are in place is important where there are potentially serious health or safety risks. Putting in place a solid system of internal controls is part of risk response. COSO suggests including and detection controls that are both manual and automated.

Control activities
The latest draft of the guide on Internal Control- Integrated Framework by COSO emphasizes that control activities are a means to an end and it is people who effect them. It then explains that controls fail because of how managers and staff handle controls by not taking them seriously, overriding controls and errors. The COSO guide emphasizes separation of duties at every level to deter individual fraud attempts and the possibility of errors.

Information and communication
Information systems should identify, capture and communicate data

Leave a Reply

Your email address will not be published. Required fields are marked *