Page 668 - COSO Guidance
Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | iii
Overview and the Question of “Where to Start?”
The increased interest in and importance of enterprise risk management is being driven by many powerful forces. Most importantly, it is driven by the need for companies to manage risks effectively in order to sustain operations and achieve their business objectives. Other forces also come into play, including rating agency reviews, government regulations, expanded proxy disclosures, and calls by shareholders and governance reform proponents for improving the way risks are managed by organizations.

Any entity that is currently operational has some form of risk management activities in place. However, these risk management activities are often ad hoc, informal and uncoordinated. And, they are often focused on operational or compliance-related risks and fail to focus systematically on strategic and emerging risks, which are most likely to affect an organization’s success. As a result, they fall short of constituting a complete, robust risk management process as defined by COSO (See definition of ERM below).

In addition, existing risk management activities often lack transparency. Transparency about how enterprise-wide risks are managed is increasingly being sought by directors and senior management, as well as various external parties seeking to understand an organization’s risk management activities. What’s more, existing risk management processes often are not providing boards and senior management with an enterprise-wide view of risks, especially, emerging risks. Unfortunately, many organizational leaders are struggling with how to begin in their efforts to obtain strategic benefit from a more robust enterprise-wide approach to risk management.

This leads to the question of “Where do we start?” Answering this question can be a major challenge for organizations where the perceived complexity of ERM or a lack of understanding of its strategic benefits may be barriers. At the same time, organizational pressures to reduce costs may prompt some decision makers to look at risk management as something that can be deferred or viewed as a lower priority, thereby setting the stage for unmanaged risk exposures that could seriously threaten the viability of the organization.

This COSO thought paper describes how an organization can start to move from informal risk management to ERM. We discuss the increasing importance of and focus on ERM and the need for all types of organizations to understand and embrace ERM. And, we examine perceived barriers to starting ERM and working through those barriers.

The approaches described in this document are based on successful practices that organizations have used to develop an incremental, step-by-step methodology to start ERM. While this is not the only way to start an ERM initiative, this incremental approach is designed to be very adaptable and flexible. We suggest specific, tangible actions that organizations can use to get started in this thought paper’s three sections:

i. Keys to Success - Overarching themes to provide management with a strong foundation for an effective ERM program as they develop and tailor their specific approach to implementing ERM.

ii. Initial Action Steps - Action oriented, “how to” steps to implement an initial ERM effort. These steps support development and implementation of a tailored ERM initiative.

iii. Continuing ERM Implementation - Next steps to further develop and broaden the organization’s initial ERM effort.

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
COSO’s Enterprise Risk Management – Integrated Framework (2004)
www.coso.org