By Mike Skorupski
August 17, 2020
Management consulting, corporate governance, risk management
In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued their Enterprise Risk Management—Integrated Framework, expanding on a previously issued framework. The expanded version defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. This framework was disseminated to the business community due to heightened concern about risk management practices in the field in the wake of high-profile business scandals and failures that plagued business communities across the world in the years preceding the new publication.
-1However, since “one size does not fit all”, identifying the right blend of ingredients of what constitutes an effective ERM system is in itself, a widely debated subject. The right “formula” will likely depend on the organization’s unique circumstances and the level of its business complexity among other factors. Smaller organizations that face great external pressures might be tempted to concentrate more on short-to-midterm goals or objectives to fulfil their immediate obligations toward stakeholders, and to postpone addressing longer-term objectives. On the other hand, when external pressures are lower, larger organizations might allow themselves the luxury of looking ahead to a wider time horizon with greater precision, and anticipating either positive or negative deviations from their objectives, properly assessing these deviations, prioritizing them, and mitigating or exploiting them as needed. Also, the tendency to concentrate on one particular time horizon or another will greatly depend on the governance structure, as well as the experience and objectivity of those at the helm, who are charged with steering the organization through vast oceans of uncertainty. Equally important, if not more so, are the specific individual elements which need to function collectively in order to elevate the ERM system as a management tool to the level at which it can enhance informed decision making, and thus reduce variability, by reducing negative outcomes and maximizing positive ones. There are certainly many organizational variables or nuances that will contribute to its overall success.
Now, let us look into the basic premise of ERM and some of its effects since the inception of the framework. The fundamental premise is that “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives” (COSO, 2004). The framework established eight interrelated components that were set to be derived from the way management runs an enterprise and were intended to be integrated with the management process. So far so good regarding the conceptual framework, but how has this framework weathered the storms of reality since the initial concept was introduced?
According to research conducted as part of the Association of International Certified Professional Accountants and North Carolina State University's Enterprise Risk Management Initiative for the 2017 Global Risk Oversight Report. Fewer than 20% of the Europe, UK or US based organizations surveyed for the report believe their risk management processes provide a unique competitive advantage. Only about 50% of respondents from around the world agreed with the statement "Risk exposures are considered when evaluating new strategic initiatives." (CGMA, 2017).
To fine-tune the concept of ERM and provide greater clarity as to its value creation capabilities, COSO updated the framework in 2017. Enterprise Risk Management - Integrating with Strategy and Performance (COSO, 2017) offers ideas on how a business's value can be preserved, or even enhanced, by incorporating and examining risks right from the strategy formulation stage. This approach elevates ERM from an operational- and compliance-focused information-gathering and reporting model by making it much more strategy-focused, so it can add tangible value for organizations. It is perhaps too early to tell whether or not this update will provide a more decisive answer to the dilemma of value creation, as since the COSO publication came out, more and more studies have been looking into the cause and effect relationship.
