CPA Now Blog

The Art and Science of Enterprise Risk Management

To achieve your organization’s objectives without too many surprises, and to prepare for the surprises that occur anyway, effectively leveraging risk management is mission-critical. By doing so, you can optimize the possibilities available to you. But how do you effectively leverage risk management?

Dec 11, 2017, 06:16 AM

By J. Stephen McNally, CPA, CMA


Your organization has a vision. You have defined your strategies and goals, and have made specific choices on how to bring your strategic plan to life. But to achieve your organization’s objectives without too many surprises, and to prepare for the surprises that may occur anyway, effectively leveraging risk management is mission-critical.1

When it comes to enterprise risk management (ERM), the effort can be as much of an art as it is a science. From day-to-day operational decisions made in the trenches to the overarching strategic decisions made in the boardroom, the choices you face are rarely a simple “either/or.” Typically, you face a variety of alternatives, each with its own potential outcomes and unique risks. By effectively leveraging risk management, you can optimize the range of possibilities available to you.

But how do you effectively leverage ERM? The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) newly released ERM framework can help.

COSO ERM Framework

COSO’s overall mission is “to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.”2 COSO is widely known for its Internal Control – Integrated Framework (ICIF), originally released in 1992 and refreshed in 2013. The ICIF is used by many organizations to improve governance and control, including nearly all public companies subject to Sarbanes-Oxley Act (SOX) requirements.

To complement the ICIF, COSO released the Enterprise Risk Management – Integrated Framework in 2004. For many of the same reasons the ICIF was updated – including globalization, new technologies, evolving business models, and other recent changes that drive volatility, ambiguity, and risk complexity – the COSO board decided to update the original ERM framework. So, COSO published its new ERM framework, titled Enterprise Risk Management – Integrating with Strategy and Performance, in June 2017.

ERM Defined

The new framework defines ERM as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”3

To understand ERM beyond its definition, it helps to clarify what ERM is not:

  • A function or department
  • A listing or inventory of risks
  • A checklist
  • Limited to addressing inventory control
  • Limited to a certain size or type of organization

ERM helps management link an organization’s mission, vision, and core values to its strategy, business objectives, and performance. Equally, ERM can reveal to management that these elements are potentially misaligned.

After defining the organization’s strategies, ERM enables management to identify potential risks to achieving its objectives and to address these risks accordingly. Thus, with ERM, management can better fulfill its role, from strategic decision-making through to performance.

ERM Structure

COSO’s new ERM Framework is a set of principles organized into five interrelated components:

  • Governance and Culture
  • Strategy and Objective-Setting
  • Performance
  • Review and Revision
  • Information, Communication, and Reporting

These five interrelated components are further supported by a set of 20 principles, covering everything from governance and defining risk appetite to monitoring and reporting on risk, culture, and performance.

According to COSO, “Adhering to these principles can provide management and the board with a reasonable expectation that the organization understands and strives to manage the risk associated with its strategy and business objectives,”4 thereby achieving success in the art and science of ERM.

You can learn more by downloading a free copy of the executive summary of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance at www.coso.org.

1 “Risk: Leverage It. Control It. Win!,” by J. Stephen McNally, Pennsylvania CPA Journal, winter 2015, pp. 26-29.
2 www.coso.org
3 COSO Enterprise Risk Management: Integrating with Strategy and Performance, p. 109.
4 COSO Enterprise Risk Management: Integrating with Strategy and Performance, executive summary, p. 7.


J. Stephen McNally, CPA, CMA, is a member of the Institute of Management Accountants Global Board of Directors and has served as an IMA technical advisor for several COSO-related projects. He can be reached at j_stephen_mcnally@att.net.