16 | Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management
Utilizing these two models in the sequence of first identifying the critical strategies and then the related key risks provides a methodology that is consistent with the COSO ERM principles, including starting the process by focusing on the strategies, not the risks. The Strategic Risk Assessment Process and related models also provide an approach to identify and work with a manageable number of critical risks that are most significant in regard to the key strategies of the organization. This process also establishes a clear linkage between the strategies and the related risks and provides a way to prioritize those risks.

EXAMPLE 11
Thinking the "Unthinkable"

The audit committee chair of a public company believed that the audit committee did not have sufficient time in its regular agenda for detailed discussions on the topics of risk and ERM given their normal committee activities. In particular, the chair was concerned that, among other risks, the audit committee needed to consider "unthinkable risks," which are low-frequency/high-severity risks that do not generally receive the same level of focus as high-probability/high-impact risks. Accordingly, they added four meetings to the annual audit committee agenda that would be focused solely on risk and ERM. One meeting is focused solely on cybersecurity. Two other meetings are focused on selected risk topics as circumstances dictate. The fourth meeting is then devoted solely to a discussion of "unthinkable risks" and has proven to be very valuable in fostering robust discussion among the directors and identifying new areas of risk for consideration.

For additional information regarding identifying and assessing risks, review the Performance component of the COSO ERM Framework and Principles 10 – 14 that are contained in that component.

Step 6.
Develop a Consolidated Action Plan and Communicate to Board and Management

Develop action plans to respond to and manage the risks identified. Enterprise risk management is more than just identifying risks. The real value of ERM is developing action plans to respond to and manage the risks identified. This is the key to helping the organization achieve its strategy and business objectives. An effective ERM process develops and implements risk responses to enhance its ability to be successful. This is consistent with Principle 13 of the COSO ERM Framework, which indicates that: "The organization identifies and selects risk responses."

Risk responses in an action plan may take many forms. The 2017 ERM Framework cites five types of risk responses: accept, avoid, pursue, reduce, and share. The risk response to each critical risk identified needs to be appropriate for that specific risk and the organization's risk appetite. The action plans should be developed and combined into a consolidated action plan addressing the organization's responses to the critical risks identified. The action plan should also prioritize actions and responses and allocate resources across those actions. In particular, the organization should assign specific responsibility and accountability for actions and monitoring.

The consolidated initial action plan should then be presented to and discussed with the board and management. Here, the organization's risk leader or management risk committee should be actively engaged. Consideration should also be given to developing a communications plan to communicate the risks identified and the responses to them across the organization.

Step 7.
Develop and/or Enhance Risk Reporting

Consider risk reporting that will be part of the organization's ongoing ERM process. Given the dynamic nature of risk and ongoing changes to the organization's strategies, a robust risk reporting process is necessary. Initial risk reporting should be simple and clear. In particular, users of the risk reporting should receive information that is focused, understandable, and clearly communicates risk priorities and severity. As risk management processes mature, risk reporting can become more granular and detailed and possibly include some quantification. The organization should also consider how its risk reporting process fits and integrates into its existing performance measurement processes rather than developing a separate line of reporting. A starting point here is to review its existing
coso.org