ERM for a changing world

By Paul L. Walker, CPA, Ph.D.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its new ERM framework. Here are suggestions for using the framework to maximum effect:

Check alignment. Compare your current ERM practices to the five components and 20 principles of the framework, Enterprise Risk Management — Integrating With Strategy and Performance. Your board may (and should) ask you how your organization matches up or what changes might be necessary.

Identify opportunities. Dig deep on certain principles that might add the most value and might help your organization manage risk better. For example, take a serious look at Principle 1 on board risk oversight. Has the organization or the board ever assessed how your risk oversight is set up and how it works? Board risk oversight is a principle worth doing right.

Scrutinize all that is new. Pay close attention to Principle 15, which says to identify risks in new systems, new acquisitions, new regulations, changes in compensation, new programs, etc. The biggest risks might be in any new transactions and decisions organizations make, and not necessarily in the objectives. At a minimum, it might be better to build in risk identification as part of these processes rather than waiting for a survey, interview, or annual risk assessment.

Consider strategic risk. Studies show that strategic risk is commonly the biggest value killer. Therefore, determine if you have ever applied strategic risk tools to strategic risk or if you have just categorized some risks as strategic. One way to find out is to take all of your currently identified strategic risks and categorize them according to the three strategic risk dimensions identified in the framework: risks in setting strategy, risks in strategic alignment, and risks in implementing the strategy. If all of your risks line up under one dimension, you may have a lot more work to do before you can be sure you've identified all of your strategic risks.

Challenge your strategy. Principle 8 clearly says to evaluate alternative strategies. Your strategy and the risk to that strategy should be challenged. In today's disruptive business environment, not doing so is unwise.

Look at business context. Further consider Principle 6 — evaluating business context. Does your organization identify the risks in a changing landscape? It is a principle, but it is also a smart way to run a company.

Find connections. Resolve to look for the interconnectedness of risks (Principle 14). Do you know which risks are connected and which ones might all happen at the same time? Not knowing this means you are likely under-managing the risk.

See where other principles apply. Finally, dig deeper on other principles and examine how they might apply to your organization. Principles 3, 9, 11, 12, and 17 also may be especially useful for boards. Remember that managing risk better helps you create value, and the framework is a tool to help you do that effectively.

COSO's 20 principles

1. Exercises board risk oversight

2. Establishes operating structures

3. Defines desired culture

4. Demonstrates commitment to core values

5. Attracts, develops, and retains capable individuals

6. Analyzes business context

7. Defines risk appetite

8. Evaluates alternative strategies

9. Formulates business objectives

10. Identifies risk

11. Assesses severity of risk

12. Prioritizes risks

13. Implements risk responses

14. Develops portfolio view

15. Assesses substantial change

16. Reviews risk and performance

17. Pursues improvement in enterprise risk management

18. Leverages information and technology

19. Communicates risk information

20. Reports on risk, culture, and performance

—By Paul L. Walker, CPA, Ph.D., James J. Schiro/Zurich Chair in Enterprise Risk Management, executive director, Center for Excellence in ERM, St. John's University. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, a JofA editorial director, at 919-402-2112.
