Page 383 - COSO Guidance Book
Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management | 13
After these existing practices have been cataloged, the working group can consider how those practices fit or align with the organization’s strategy setting and performance review process. This will allow them to identify gaps and opportunities to further integrate the organization’s strategy and risk processes. Often, this step highlights a lack of common risk language across the organization. Various units may be defining or describing risks differently, which may present the working group with the opportunity to develop and communicate a set of common risk definitions or “risk language” across the organization. A common risk language or taxonomy is not only helpful but in fact is necessary to communicate and establish consistent risk processes across the organization.

EXAMPLE 9
Taking Inventory of Risk Management Activities and Integrating Risk Management into the Decision-Making Processes

The CFO of a global manufacturing company realized that the organization had separate, detached risk management activities across the company. Risks such as financial, employee safety, operational, IT security, and legal were being handled as separate “silos” without any consistent reporting. The CFO assigned a risk leader to inventory their existing risk management practices and develop an enterprise risk management process. One result of the inventory process was that the company realized that they were not identifying and addressing risks related to their key strategies. They added risk processes related to their strategies including the use of scenario analysis to help the company test strategies for resilience and relevance. In addition, they began a process to subject possible business projects to a systematic risk and opportunity assessment as part of preparing the business case before final decisions are made about a possible project.

Step 5. Conduct an initial assessment of key strategies and related strategic risks

Understand the organization’s key strategies and the related risks and how they are managed. This involves first identifying the organization’s key business objectives that enable those strategies, then the Strategic Risks related to the strategies. “Strategic Risks” as used in this paper refers to those events and risks that could impair the organization’s ability to achieve its strategies and business objectives. This is consistent with the ERM Framework, which refers to risks as “one or more potential events that may affect the achievement of objectives.” These are the risks that are most significant to the long-term success of the organization. Other risks may hurt or cause a loss of some value, but these are the risks where the organization could lose significant value. The organization should also strive to identify external and emerging risks that could impact the organization and its strategies.

EXAMPLE 10
The Strategic Planning Group as Owner of “Black Swan” Risks

“Black Swans” or “Unthinkable Risks” are low-frequency/high impact events, which can have severe negative impacts on organizations. A major manufacturer of transportation products has tasked their strategic planning group with the responsibility for their “Black Swan” risk process. The planning group identifies and assesses “improbable” risk events. The risks identified are then communicated and discussed with their internal risk committee. The strategic planning group also considers the possible impact of these risk events on the organization’s long-term strategic plans. Finally, the risks, possible impacts on the organization’s strategies and business activities, and the related risk management actions are then reported to and discussed with the Board.

Organizations can benefit from using a Strategic Risk Assessment Process. The seven-step process shown in Figure 3 has been used in the Strategic Risk Management Lab at DePaul University in its graduate seminar courses and workshops and applied at organizations in risk assessment and other ERM initiatives.
coso.org