Page 25 - The Insurance Times September 2022

COSO intended the cube to illustrate the links between objectives that are shown on the top and the eight components shown on the front, which represent what is needed to achieve the objectives. The third dimension represents the organisation's units, which portrays the model's ability to focus on parts of the organisation as well as the whole.

There are a number of issues under each of the eight components listed on the front of the cube that organisations have had to tackle - issues which can be featured in exam questions for the Strategic Business Leader (SBL) exam.

Internal environment

The internal environment establishes the tone of the organisation, influencing risk appetite, attitudes towards risk management and ethical values.

Ultimately, the company's tone is set by the board. An unbalanced board, lacking appropriate technical knowledge and experience, diversity and strong, independent voices is unlikely to set the right tone. The work directors do in board committees can also make a significant contribution to tone, with the operation of the audit and risk committees being particularly important.

However, the virtuous example set by board members may be undermined by a failure of management in divisions or business units. Mechanisms to control line management may not be sufficient or may not be operated correctly. Line managers may not be aware of their responsibilities or may fail to exercise them properly. For example, they may tolerate staff ignoring controls or emphasise achievement of results over responsible handling of risks.

One criticism of the ERM model has been that it starts at the wrong place. It begins with the internal and not the external environment. Critics claim that it does not reflect sufficiently the impact of the competitive environment, regulation and external stakeholders on risk appetite and management and culture.

Objective setting

The board should set objectives that support the organisation's mission and which are consistent with its risk appetite.

If the board is to set objectives effectively, it needs to be aware of the risks arising if different objectives are pursued. Entrepreneurial risks are risks that arise from carrying out business activities, such as the risks arising from a major business investment or competitor activities.

The board also needs to consider risk appetite and take a high-level view of how much risk it is willing to accept. Risk tolerance - the acceptable variation around individual objectives - should be aligned with risk appetite.

One thing the board should consider is how certain aspects of the control systems can be used for strategic purposes. For example, a code of ethics can be used as an important part of the organisation's positioning as socially responsible. However, the business framework chosen can be used to obscure illegal or unethical objectives. For example, the problems at Enron were obscured by a complex structure and a business model that was difficult to understand.

Event identification

The organisation must identify internal and external events that affect the achievement of its objectives.

The COSO guidance draws a distinction between events having a negative impact that represent risks and events having a positive impact that are opportunities, which should feed back to strategy setting.

Some organisations may lack a process for event identification in important areas. There may be a culture of no-one expecting anything to go wrong.

The distinction between strategic and operational risks is also important here. Organisations must pay attention both to occurrences that could disrupt operations and also dangers to the achievement of strategic objectives. An excessive focus on internal factors, for which the model has been criticised, could result in a concentration on operational risks and a failure to analyse strategic dangers sufficiently.

Businesses must also have processes in place to identify the risks arising from one-off events and more gradual trends that could result in changes in risk. Often one-off events with significant risk consequences can be fairly easy to identify - for example, a major business acquisition. The ERM has been criticised for discussing risks primarily in terms of events, particularly sudden events with major consequences. Critics claim that the guidance insufficiently emphasises slow
