
Enterprise Risk Management

7.1 RISK MANAGEMENT FUNDAMENTALS


An effective risk management process requires four steps:
(1) risk identification,
(2) quantitative or qualitative assessment of the documented risks,
(3) risk prioritization and response planning, and
(4) risk monitoring.
Some in business today simply assess an area as high-, medium-, or low-risk and then make
quick insurance or risk-protection decisions on that basis; others use more sophisticated
qualitative or quantitative tools to help them understand and evaluate their risks.
Risk Identification
This risk identification process should occur at multiple levels with an understanding that a risk
that impacts an individual business unit or project may not have a great impact on the entire
enterprise or beyond.
A good way to start the risk identification process is to begin with a high-level enterprise chart
that lists corporate-level as well as operating units. Each of those units may have facilities in
multiple global locations and also may consist of multiple and different types of operations. Each
separate facility will then have its own departments or functions. Some of these facilities may be
closely connected to one another, while others represent little more than corporate investments.
Key Risk Assessments
A simple but often effective approach here is to take the list of identified risks discussed
previously and circulate them to key managers with a questionnaire asking for each risk:
- What is the likelihood of this risk occurring over the next one-year period? Using a
scoring range of 1 to 9, assign a best-guess score as follows:
  - Score 1 if you see almost no chance of that risk happening during the period.
  - Score 9 if you feel the event will almost certainly happen during the period.
  - Score 2 through 8 depending on where you feel the likelihood falls in this range.
- What is the significance of the risk in terms of cost to the enterprise? Again using a 1-to-9
scale, scoring should depend on the financial significance of the risk. A risk whose
costs could lower earnings per share by perhaps 1 cent might qualify for the maximum
score of 9.
Probability and Uncertainty
When a large number of risks have been identified, management should think of the individual
estimated risk likelihoods and occurrences in terms of two-digit probabilities ranging from 0.01
to 0.99. The joint probability of two independent events is then the product of the two separate
probabilities:
Pr(Event 1) × Pr(Event 2) = Pr(Both Events)
Risk Interdependencies
Risk interdependencies must be considered and evaluated throughout the organizational structure.
Any entity should be concerned about risks at all levels of the organization but only really has
control over the risks within its own sphere.
Risk Ranking
The risk significance and probabilities of occurrence are often called the risk drivers or the
primary risks for a set of identified risks. Management must identify these unit‐by ‐unit assessed
risks to make certain that risk likelihood and significance estimates are appropriate throughout.

Quantitative Risk Analysis: Expected Values and Response Planning


There is little value in identifying significant risks unless an enterprise has at least some
preliminary plans for the action steps necessary should one of them occur. Some hypothetical
risks, labeled A, B, and C, illustrate this type of thinking:
Risk A: Loss of up to X% market share due to changing consumer tastes.
- Estimate the reduction in sales and loss of profits due to the X% drop.
- Estimate how much it will cost to begin to restore the lost market position.
Risk B: Temporary loss of major manufacturing facility for X days due to hurricane.
- Estimate the best- and worst-case costs to get the plant temporarily repaired and back in
operation within X days.
- Estimate the extra labor and production costs incurred during the interim.
Risk C: Loss of information systems for X days due to a pernicious computer virus.
- Estimate the business and profitability loss during the down period.
- Estimate the cost to transfer operations to the business continuity site.
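The following worked register is an added illustration, not part of these notes or of the COSO material, and it ties the questionnaire scores, the 0.01-to-0.99 probabilities, the risk-driver ranking and the expected-value estimates for risks A, B and C together in one small program. Everything beyond the notes is an assumption and is labelled as such in the code: the table mapping a 1-to-9 likelihood score onto a probability, ranking by likelihood score times significance score, expected loss as probability times cost if the event occurs, and a simple cost/benefit test that funds a response when it costs less than the expected loss. The three risk entries are constructed sample data.

```python
"""Worked risk-register example added to these notes (not from the source text).

Assumptions, labelled because the notes leave them open:
  - a 1..9 likelihood score maps onto a two-digit probability via the
    SCORE_TO_PROBABILITY table below (assumed roughly linear calibration);
  - risks are ranked by likelihood score x significance score;
  - expected loss = probability x estimated cost if the event occurs;
  - a response plan is worth funding when its cost is below the expected loss.
The three risks in RISK_REGISTER are constructed sample data.
"""
from dataclasses import dataclass
from math import prod

# Assumed calibration: score 1 -> 0.01, score 9 -> 0.99, roughly even steps between.
SCORE_TO_PROBABILITY = {1: 0.01, 2: 0.13, 3: 0.26, 4: 0.38, 5: 0.50,
                        6: 0.62, 7: 0.74, 8: 0.87, 9: 0.99}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_score: int    # 1 = almost no chance .. 9 = almost certain (next 12 months)
    significance_score: int  # 1 = negligible cost .. 9 = maximum financial significance
    estimated_cost: float    # best estimate of the loss if the event occurs (currency units)
    response_cost: float     # estimated cost of the planned response (repair, BC site, ...)


def validate_score(score: int) -> int:
    """Reject anything outside the questionnaire's 1..9 integer range."""
    if not isinstance(score, int) or not 1 <= score <= 9:
        raise ValueError(f"score must be an integer from 1 to 9, got {score!r}")
    return score


def score_to_probability(score: int) -> float:
    """Turn a likelihood score into a probability between 0.01 and 0.99."""
    return SCORE_TO_PROBABILITY[validate_score(score)]


def risk_driver(risk: Risk) -> int:
    """Likelihood x significance: the figure used here to rank identified risks."""
    return validate_score(risk.likelihood_score) * validate_score(risk.significance_score)


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest risk driver first; ties broken by significance so costly risks surface."""
    return sorted(risks, key=lambda r: (risk_driver(r), r.significance_score), reverse=True)


def joint_probability(*probabilities: float) -> float:
    """Pr(Event 1) x Pr(Event 2) x ...; valid only when the events are independent."""
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return prod(probabilities)


def expected_loss(risk: Risk) -> float:
    """Expected value of the loss over the period: probability x cost if it occurs."""
    return score_to_probability(risk.likelihood_score) * risk.estimated_cost


def total_expected_loss(risks: list[Risk]) -> float:
    """Portfolio view: sum of the individual expected losses."""
    return sum(expected_loss(r) for r in risks)


def response_is_justified(risk: Risk) -> bool:
    """Assumed cost/benefit rule: fund the response if it costs less than the expected loss."""
    return risk.response_cost < expected_loss(risk)


# Constructed sample register mirroring risks A, B and C above (all figures invented).
RISK_REGISTER = [
    Risk("A: loss of market share to changing tastes", 4, 7, 2_000_000, 600_000),
    Risk("B: plant out of action after a hurricane", 2, 8, 3_500_000, 500_000),
    Risk("C: information systems down after a virus", 6, 6, 900_000, 250_000),
]

if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"driver={risk_driver(r):>2}  p={score_to_probability(r.likelihood_score):.2f}  "
              f"expected loss={expected_loss(r):>10,.0f}  "
              f"response justified={response_is_justified(r)}  {r.name}")
    p_a = score_to_probability(RISK_REGISTER[0].likelihood_score)
    p_b = score_to_probability(RISK_REGISTER[1].likelihood_score)
    print(f"Pr(A and B, if independent) = {joint_probability(p_a, p_b):.4f}")
    print(f"Total expected loss = {total_expected_loss(RISK_REGISTER):,.0f}")
```

With the sample figures, risk C ranks first (driver 36) even though risk B carries the larger loss, because B's low likelihood pulls its expected loss below the cost of its planned response; that is the kind of result the cost-and-benefit review of response strategies is meant to surface. The joint probability helper applies only to independent events, so correlated risks (a hurricane that takes out both the plant and its data centre) must be assessed as a single event rather than multiplied.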
Quantitative Risk Analysis: Risk Monitoring
Accurate monitoring processes are an essential component of risk management. An enterprise
may have gone through an elaborate process to identify its more significant risks. However, the
current status of those risks needs to be monitored on a regular basis with changes made to the
identified risks as necessary.

7.2 COSO ERM: ENTERPRISE RISK MANAGEMENT


COSO Enterprise Risk Management is a framework to help enterprises have a consistent
definition of their risks. Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in a strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
Professionals should consider these key points and concepts supporting the COSO ERM
framework definition, including:
- ERM is a process.
- The ERM process is implemented by people in the enterprise.
- ERM is applied through the setting of strategies across the overall enterprise.
- An enterprise's risk appetite must be considered.
- ERM provides only reasonable, not positive, assurance on objective achievements.
- ERM is designed to help attain the achievement of objectives.

7.3 COSO ERM KEY ELEMENTS

The COSO ERM framework is a three-dimensional model with these components:

- Four columns representing the strategic objectives of enterprise risk;
- Eight horizontal rows or risk components; and
- Multiple levels to describe any enterprise, from a headquarters entity level to individual
subsidiaries. Depending on organization size, there can be many slices of the model here.
COSO ERM: The Internal Environment Component
The COSO ERM internal environment component consists of the following elements:
- Risk management philosophy
- Risk appetite
- Board of directors' attitudes
- Integrity and ethical values
- Commitment to competence
- Organizational structure
- Assignments of authority and responsibility
- Human resources standards
COSO ERM Objective Setting
Ranked right below the internal environment in the COSO ERM framework, objective setting
outlines important conditions to help management create an effective ERM process. COSO ERM
emphasizes that a mission statement is a crucial element for setting objectives; it is a general,
formalized statement of purpose and a building block for the development of specific functional
strategies.
Objectives must exist before management can identify potential events affecting their
achievement. ERM ensures that management has in place a process to set objectives and that the
chosen objectives support and align with the entity's mission and are consistent with its risk
appetite.

COSO ERM Event Identification


Many enterprises today have strong performance monitoring tools in place, with the monitoring
process of costs, budgets, quality assurance, compliance, and the like. However, going beyond a
meter on a production assembly line, monitoring processes should include:
- External economic events
- Natural environmental events
- Political events
- Social factors
- Internal infrastructure events
- Internal process-related events
- External and internal technological events
COSO ERM Risk Assessment
A key part of this risk assessment process is the need to consider the two important concepts
of inherent and residual risk:
- Inherent risk. The potential for waste, loss, unauthorized use, or misappropriation due to
the nature of an activity itself. Inherent risk is outside the control of management and
usually stems from external factors.
- Residual risk. The risk that remains after management responses to risk threats and
countermeasures have been applied.
COSO ERM Risk Response Elements
The COSO ERM risk response process calls for a careful review of estimated risk likelihoods
and potential impacts, with consideration given to their associated costs and benefits, to develop
appropriate risk response strategies, following any of four basic risk strategies:
- Avoidance. This is a strategy of walking away from a risk—such as selling a business
unit that gives rise to a risk, exiting from a risky geographical area, or dropping a product
line.
- Reduction. A wide range of business decisions may be able to reduce certain risks.
- Sharing. Virtually all enterprises regularly share some of their risks through the purchase
of insurance, but other risk-sharing techniques are available as well.
- Acceptance. This is the strategy of no action, such as when an enterprise self-insures by
taking no action to reduce a potential risk.
COSO ERM Control Activities
ERM’s control activities are the policies and procedures necessary to ensure action on identified
risk responses. Although some of these activities may only relate to an identified and approved
risk response in an area of the enterprise, they often overlap across multiple functions and units.
Beyond the risk event identification, assessment, and response processes, risk monitoring
requires the following steps:
(1) Develop a strong understanding of the significant risks and establish control procedures
to monitor or correct for them.
(2) Create fire drill–type testing procedures to determine if those risk‐related control
procedures are working effectively.
(3) Perform tests of risk‐monitoring processes to determine if they are working effectively
and as expected.
(4) Make adjustments or improvements as necessary to improve risk‐monitoring processes.

7.4 OTHER DIMENSIONS OF COSO ERM: ENTERPRISE RISK OBJECTIVES


Each component of COSO ERM operates in this three‐dimensional space where each must be
considered in terms of the other related categories. The top‐facing components of strategic,
operations, reporting, and compliance risk objectives are important for understanding and
implementing COSO ERM.
Operation Risk Management Objective
There are many types of operations risks that can impact an enterprise. Following the three‐
dimensioned ERM framework, the operations‐level risk objective calls for the identification of
risks for each enterprise unit or component.
Reporting Risk Management Objective
This ERM objective covers the reliability of an enterprise’s reporting, including the internal and
external reporting of financial and nonfinancial data. Accurate reporting is critical to an
enterprise’s success in many dimensions.
Legal and Regulatory Compliance Risk Objectives
COSO ERM recommends that compliance‐related risks be considered for each of the risk
framework components, whether in the context of the internal environment, objective setting, or
risk monitoring, as well as across the enterprise. These are important elements of the risk
management framework that need to be communicated and understood.

7.5 ENTITY‐LEVEL RISKS


Entity-level risks are environmental-type risks that can affect multiple cycles and financial
statement areas. Risks recorded in an engagement file under one or more of the entity-level
categories will appear in all risk reports (e.g., RRPT, the risk report at the top of all Risk
Response Programs).
Although risks are identified through organization-wide objective setting, they should be
considered on an entity-wide basis as well as by individual operating units. Those individual
unit risks should first be reviewed and consolidated to identify any key risks that may impact
the overall organization. In addition, any organization-wide risks should be identified.
7.6 PUTTING IT ALL TOGETHER: AUDITING RISK AND COSO ERM PROCESSES
By addressing an enterprise's appetite for risk, the need to look at its overall portfolio of risks,
and the need to apply risk management within the context of overall strategy setting, COSO ERM
provides an excellent platform for considering an enterprise's overall risk environment.
- Process flowcharting: Flowcharts can be useful in describing how risk management operates in
an enterprise. This requires looking at documentation prepared for risk-related processes,
determining if it is correct given current conditions, and describing the overall adequacy of
all levels of enterprise risk processes.
- Reviews of risk and control materials: An ERM process often results in a large volume of
guidance materials, documented procedures, report formats, and the like. There is often
value in an internal audit review of the risk and control materials from an effectiveness
perspective.
- Benchmarking: The process of looking at functions in another environment to assess their
operations and to develop improved approaches based on the best practices of others.
- Questionnaires: Questionnaires can be sent out to designated stakeholders with requests
for specific information. This is often a valuable internal audit technique.
