Page 672 - COSO Guidance
Thought Leadership in ERM | Embracing Enterprise Risk Management: Practical Approaches for Getting Started | 3
Although it makes sense to build upon existing risk-related activities, it must be done with the recognition that the existing activities probably do not constitute ERM. ERM requires risk management processes that ultimately are applied across the enterprise and represent an entity-wide portfolio view of risk, which is often missing from these existing functions.

Theme 6. Embed ERM into the Fabric of the Organization

As articulated in COSO’s ERM definition, enterprise risk management is a process that is applied across the organization. It is a management process, ultimately owned by the chief executive officer, and involves people at every level of the organization. The comprehensive nature of the ERM process and its pervasiveness across the organization and its people provide the basis for its effectiveness.

ERM cannot be viewed or implemented as a stand-alone staff function or unit outside of the organization’s core business processes. In some companies and industries, such as large banks, it is common to see a dedicated enterprise risk management unit to support the overall ERM effort, including establishing ERM policies and practices for their business units. However, because ERM is a process, organizations may or may not decide that they need dedicated, stand-alone support for their ERM activities.

Whether a risk management unit exists or not, a key to success is linking or embedding the ERM process into the core business processes and structures of the organization. Some organizations, for example, have expanded their strategic plans and budgeting processes to include the identification and discussion of the risks related to their business plans and budgets.

Theme 7. Provide Ongoing ERM Updates and Continuing Education for Directors and Senior Management

ERM practices, processes and information continue to evolve. Thus, it is important for directors and senior executives to ensure that they are receiving appropriate updates, new releases and continuing education on ERM, including information about regulatory requirements and best practices. This information provides the opportunity for directors and senior management to update their risk management processes as they become aware of new or developing practices. This ongoing improvement process is particularly important with the increased focus on ERM by regulators, rating agencies, and the SEC.

II. Initial Action Steps and Objectives

Building off the “Keys to Success,” this section of the thought paper details an initial action plan and steps to support development of a tailored ERM initiative. The plan reflects some simple, basic steps for implementing ERM, including the key step of performing an initial risk assessment. In Appendix B – “Where to Start: Draft Action Plan for an ERM Initiative” – we have included an example action plan, which can be further adapted for use by organizations. And in Appendix C – “Frequently Asked ERM Questions” – we have included responses to some common questions related to ERM that directors and senior management should find useful.

Step 1. Seek Board and Senior Management Leadership, Involvement and Oversight

The board of directors and senior management set the tone for the organization’s risk culture. Their involvement, leadership and oversight are essential for the success of any ERM effort.

A recent COSO thought paper, Effective Enterprise Risk Management: The Role of the Board of Directors, notes that:

“An entity’s board of directors plays a critical role in overseeing an enterprise-wide approach to risk management. Because management is accountable to the board of directors, the board’s focus on effective oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high level objectives, and approving broad-based resource allocations.”1

The board and senior management should agree on their initial objectives regarding ERM, its benefits and their expectations for successful ERM. At a high level, there should be clear agreement and alignment of the board’s and senior management’s expectations, timing and expected results. This should include agreement on the resources to be made available and target dates for the effort. The board should also consider the timing and level of status reporting that will be required to effectively monitor and oversee the ERM effort.
1 Download COSO’s Effective Enterprise Risk Management: The Role of the Board of Directors thought paper from COSO’s website (www.coso.org).