Enterprise risk management is no longer focused principally on minimizing risk to an acceptable level. Rather, it is viewed as integral to setting strategy and identifying opportunities to create and maintain value for business.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued its latest framework. COSO provides thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations. Its most recent framework, entitled Enterprise Risk Management—Integrating with Strategy and Performance, was released in June 2017.
You may be thinking, “So what? What are the implications for my business, brand, and bottom line?” Well, plenty!
The landscape upon which companies do business today is constantly changing.
For enterprises to be successful in the 21st century, they must anticipate and manage a multiplicity of risks that are woven into the fabric of everyday business. From data breaches, to workplace violence, to cyberterrorism, to inappropriate employee behavior, to just plain old rapid change, the list of threats seems endless.
It’s no longer enough to have a business strategy that focuses exclusively on performance. Companies must also think about how to incorporate risk considerations into their strategy and how it all links to and impacts performance.
COSO can help.
The executive summary to the framework document states: “Enterprise Risk Management—Integrating with Strategy and Performance clarifies the importance of enterprise risk management in strategic planning and embedding it throughout an organization—because risk influences and aligns strategy and performance across all departments and functions.”
The Framework itself is a set of principles organized into five interrelated components:
- Governance and Culture: Focuses on governance setting the “Tone at the Top.” Culture pertains to ethical values, desired behaviors, and understanding of risks in the entity.
- Strategy and Objective-Setting: Emphasizes how enterprise risk management, strategy, and objective-setting work together in the strategic-planning process.
- Performance: Underscores the importance of identifying, assessing, and prioritizing risks that may impact the achievement of strategy and business objectives.
- Review and Revision: Critical for determining how well a company’s enterprise risk management components are functioning over time in light of substantial changes, and what revisions are needed.
- Information, Communication, and Reporting: A continual process of obtaining and sharing internal and external information up, down, and across the organization is paramount for effective enterprise risk management.
These five components are supported by a set of 20 principles that cover everything from governance to monitoring. Adhering to these principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.
To learn more, check out the COSO Executive Summary at: https://www.coso.org/Pages/erm-integratedframework.aspx
Mr. Gilbert Hopkins is a consulting director within McConnell & Jones’ Risk Advisory and Business Process Improvement Team where he specializes in providing financial management, accounting, and business process improvement services to public and private organizations. Mr. Hopkins is a certified public accountant and certified financial planner with more than 30 years of accounting and business experience. He has performed a multitude of compliance, operational and efficiency audits for a diverse clientele. These projects include financial audits, performance audits, compliance reviews, business process analysis, cost studies, strategy implementation, and research projects. Connect with Gilbert – via email and LinkedIn.