Page 372 - COSO Guidance

2    |   Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management


        I. BACKGROUND AND OVERVIEW OF THE UPDATED COSO ERM GUIDANCE

        In June of 2017, the COSO board published new guidance on enterprise risk management entitled
        “Enterprise Risk Management – Integrating with Strategy and Performance” (the “Framework”). The
        Framework updated COSO’s previous ERM guidance, published in 2004 and entitled “Enterprise Risk
        Management – Integrated Framework.” The 2004 guidance presented a comprehensive framework and
        detailed guidance on ERM at a time when ERM was starting to receive strong focus from organizations
        and boards. The 2004 ERM guidance was an important milestone in the advancement of ERM.

        Since the publication of the 2004 ERM guidance, the concepts and practices of risk management have
        continued to evolve, and so has the dynamic nature of risk itself. It was becoming increasingly clear
        that in today’s risk environment, improved risk management processes are needed to ensure that
        organizations are successful. In addition, the nature and role of ERM was being better understood
        and clarified, in particular the understanding that ERM is not just a separate staff function but is
        integral to how an organization creates and preserves value.

        In response to the risk environment and evolved thinking on ERM, in June of 2017, COSO published its
        updated ERM Framework. The updated guidance makes some very important distinctions and clarifications
        about both the role and objective of ERM and the need for its integration in the organization’s
        strategy-setting process. It explains and makes explicit the relationship between strategy and risk,
        and discusses how improved risk management practices can contribute to improving performance and
        helping the organization create and enhance value.

        While these concepts were also included in the 2004 ERM guidance, the updated Framework makes them
        much more explicit and clear, creating a simplified structure for ERM. The new guidance is also
        principles-based, which provides a comprehensive structure that can be used for both developing and
        assessing an ERM process.

            COSO’s 2017 Framework, Enterprise Risk Management – Integrating with Strategy and Performance,
            defines enterprise risk management as:

            The culture, capabilities, and practices, integrated with strategy-setting and performance
            that organizations rely on to manage risk in creating, preserving, and realizing value.

        Components of Enterprise Risk Management

        The COSO ERM framework consists of five interrelated components of enterprise risk management, as
        shown in Figure 1, Risk Management Components. The figure illustrates these components and their
        relationship with the entity’s mission, vision, and core values. It depicts the flow of an
        organization’s business model, ultimately resulting in enhanced value. The ribbons in the figure
        represent the components and show how they flow through an organization, integrated with all aspects
        of strategy and performance.



        Figure 1. Risk Management Components

        [Figure: COSO infographic of the ENTERPRISE RISK MANAGEMENT components and principles. The flow
        across the top reads: Mission, Vision & Core Values -> Strategy Development -> Business Objective
        Formulation -> Implementation & Performance -> Enhanced Value. Beneath it, the five component
        ribbons and their twenty principles:]

        Governance & Culture
          1.  Exercises Board Risk Oversight
          2.  Establishes Operating Structures
          3.  Defines Desired Culture
          4.  Demonstrates Commitment to Core Values
          5.  Attracts, Develops, and Retains Capable Individuals

        Strategy & Objective-Setting
          6.  Analyzes Business Context
          7.  Defines Risk Appetite
          8.  Evaluates Alternative Strategies
          9.  Formulates Business Objectives

        Performance
          10. Identifies Risk
          11. Assesses Severity of Risk
          12. Prioritizes Risks
          13. Implements Risk Responses
          14. Develops Portfolio View

        Review & Revision
          15. Assesses Substantial Change
          16. Reviews Risk and Performance
          17. Pursues Improvement in Enterprise Risk Management

        Information, Communication, & Reporting
          18. Leverages Information and Technology
          19. Communicates Risk Information
          20. Reports on Risk, Culture, and Performance

        Source: COSO ERM Framework, 2017