The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its new ERM framework. Here are suggestions for using the framework to maximum effect:
Check alignment. Compare your current ERM practices to the five components and 20 principles of the framework, Enterprise Risk Management — Integrating With Strategy and Performance. Your board may (and should) ask you how your organization matches up or what changes might be necessary.
Identify opportunities. Dig deep on certain principles that might add the most value and might help your organization manage risk better. For example, take a serious look at Principle 1 on board risk oversight. Has the organization or the board ever assessed how your risk oversight is set up and how it works? Board risk oversight is a principle worth doing right.
Scrutinize all that is new. Pay close attention to Principle 15, which says to identify risks in new systems, new acquisitions, new regulations, changes in compensation, new programs, etc. The biggest risks might be in any new transactions and decisions organizations make, and not necessarily in the objectives. At a minimum, it might be better to build in risk identification as part of these processes rather than waiting for a survey, interview, or annual risk assessment.
Consider strategic risk. Studies show that strategic risk is commonly the biggest value killer. Therefore, determine if you have ever applied strategic risk tools to strategic risk or if you have just categorized some risks as strategic. One way to find out is to take all of your currently identified strategic risks and categorize them according to the three strategic risk dimensions identified in the framework: risks in setting strategy, risks in strategic alignment, and risks in implementing the strategy. If all of your risks line up under one dimension, you may have a lot more work to do before you can be sure you've identified all of your strategic risks.
Challenge your strategy. Principle 8 clearly says to evaluate alternative strategies. Your strategy and the risk to that strategy should be challenged. In today's disruptive business environment, not doing so is unwise.
Look at business context. Further consider Principle 6 — evaluating business context. Does your organization identify the risks in a changing landscape? It is a principle, but it is also a smart way to run a company.
Find connections. Resolve to look for the interconnectedness of risks (Principle 14). Do you know which risks are connected and which ones might all happen at the same time? Not knowing this means you are likely under-managing the risk.
See where other principles apply. Finally, dig deeper on other principles and examine how they might apply to your organization. Principles 3, 9, 11, 12, and 17 also may be especially useful for boards. Remember that managing risk better helps you create value, and the framework is a tool to help you do that effectively.
COSO's 20 principles
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals
6. Analyzes business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives
10. Identifies risk
11. Assesses severity of risk
12. Prioritizes risks
13. Implements risk responses
14. Develops portfolio view
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in enterprise risk management
18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture, and performance
—By Paul L. Walker, CPA, Ph.D. (firstname.lastname@example.org), James J. Schiro/Zurich Chair in Enterprise Risk Management, executive director, Center for Excellence in ERM, St. John's University. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, a JofA editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.