14    |   Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management







Figure 3. Strategic Risk Assessment Process

[Figure: a seven-step cycle with supporting models and notes. Recoverable content:]

1  Understand the Strategies of the Organization (Return Driven Strategy Model, Figure 4)

2  Gather Data and Views of Strategic Risks (Strategic Risk Management Model, Figure 5)
   Identify Risks
   • The possibility that events will occur and affect the achievement of strategy and business objectives

3  Prepare Preliminary Strategic Risk Profile

4  Validate and Finalize the Strategic Risk Profile

5  Develop Enterprise Risk Management Action Plans (Strategy Map, Figure 6)
   Identify and Select Risk Responses
   • Mitigation activities
   • Risk monitoring
   • Updating assessment process
   • Risk reporting

6  Communicate the Strategic Risk Profile and Action Plans
   Communicate Risk Information
   • Directors
   • Executive management
   • Line management
   • Risk and control units

7  Implement Enterprise Risk Management Action Plans
   Ongoing Monitoring and Assessment of Changes
   • Constantly changing business environment requires ongoing monitoring
   • Need to identify and assess substantial changes
   • Revise strategies and risk profile as appropriate
        Source: Adapted from Frigo, Mark L., and Richard J. Anderson. “Strategic Risk Assessment: A First Step for Risk Management and Governance.” Strategic Finance
             (December 2009) and Frigo, Mark L. and Richard J. Anderson, Strategic Risk Management for Directors and Management Teams (2011). Used with permission.
The Strategic Risk Assessment Process includes seven steps, representing a continuous process for organizations to assess and manage risks. While depicted differently in Figure 3, these seven steps align with the components in COSO’s 2017 Framework.

1  Understand the strategies of the organization

2  Gather data and views on strategic risks

3  Prepare a preliminary strategic risk profile

4  Validate and finalize the strategic risk profile

5  Develop enterprise risk management action plans

6  Communicate the strategic risk profile and action plans

7  Implement the enterprise risk management action plans

The Strategic Risk Assessment Process, along with its supporting models, has been used in the Strategic Risk Management Lab at DePaul and has been successfully applied and vetted at many organizations. This risk assessment approach can be useful in both identifying the key strategies of the organization and the related critical risks. These supporting models are to be used sequentially. First, the Return Driven Strategy Model is used to identify the major strategic initiatives of the organization. While the organization may have many initiatives underway, the model is used to identify those strategies that are most critical to the achievement of the organization’s overall business objectives. Second, once those key strategies are identified, the Strategic Risk Management Model is used to identify corresponding risks related to those key strategies. See Appendix D, Examples of the Relationship between Strategies and Risks, for examples of the thought process for the assessment of risks related to strategies.

The Return Driven Strategy Model (see Figure 4) provides a way to understand the strategy of the organization as a first step in the Strategic Risk Assessment Process. It provides a structure that is useful to break down the strategies of the organization into separate, discrete components. This can be especially helpful to identify and categorize individual strategies so that the related risks can then be considered.