COSO Enterprise Risk Management (ERM) Framework
Effective ERM delivers value in the following areas;
- Aligning strategy with risk appetite
- Identifying and managing multiple and cross-enterprise risks
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Seizing opportunities
- Improving deployment of capital
At one level, ERM is common sense. It is rapidly growing in popularity as a business strategy, but bold ambition often erodes to silo implementation for a specialist group, separated from day-to-day business reality.
Why is this?
In the taxonomy of risk and control, it is reasonable to depict ERM as a progressive approach from Risk, which may be mitigated by Policy, itself implemented as a Control, which should be Monitored for effective operation, as should the process itself. Monitoring, in this instance, addresses both the monitoring of a control and the monitoring of the process itself for exceptions. Irrespective of controls, monitoring key processes is an essential way to integrate the facts of the business operation into the perception and management of risk.
Consider the image above where the parking lot barrier represents a Control (requirement for employee access credentials) that automates a Policy (no unauthorized access). It can be proven to be 100% effective in performance in response to employee ID cards being presented, but with the onset of winter, the snowfall gives us a little more insight into the facts.
Without facts, there is only opinion!
Of course, monitoring will inevitably give rise to exceptions (the tire tracks in the snow), against which action, operational refinement and/or remediation procedures should be applied. When the incidence of a specific type of exception spikes, this may indicate more systemic issues with regard to risk profile and the effectiveness of higher level policies designed to mitigate such risks. We can consider this model almost as a hierarchy as in the diagram below.
One of the challenges to effective ERM is the fact that ‘proactively assessing and addressing risks’ requires some feedback loop between ‘Act’ (remediation and/or other corrective action) and the ‘Risks’ and ‘Policies’ themselves. For many organizations, stuck in a risk management process dependent upon periodic management assertion or attestation or occasional data sampling activities, there is somewhat of a miracle required . . .
In reality, an integrated end-to-end ERM cycle is less a hierarchical process but more a continuous cycle of interacting events. Plan, Act, Monitor and adjust are a continuous improvement cycle that addresses both the planned and ever changing current and future business processing.
M.C. Escher’s metaphor of the impossible waterfall is pertinent here. Although the gravity of the Risk definition and assessment, the Policies to manage, the Controls to enforce and the Monitor to validate drives the water to the lowest point, Remediation Action ultimately affects the risk profile itself as well as potential policy implementation. To extend the metaphor: the risk lifecycle (water) should flow back to the top of the waterfall to guarantee a continuous, virtuous cycle.
As an example, the cycle for a common business risk is plotted in the picture below.
In our work with client organizations and leading Governance, Risk and Compliance (GRC) solution vendors around the world, we recognise, and implement, more of an integrated end-to-end process for risk management from “Fact to Act”.
Implementing “Fact to Act” or integrated ERM
Success in integrated ERM requires a common understanding and agreement over the end-to-end process/philosophy. A framework for management to both implement and optimize the guidance of the various streams of activity is critical.
ERM is a powerful toolkit to integrate management intent and response across the business. It has the potential to dramatically shorten the cycle time and increase the fidelity of signals in the business creating actionable opportunities for management. It will focus management attention to the real relevant risks and opportunities relevant to the organization’s objectives, showing value from ownership with lower total cost of ownership compared to non-integrated stovepipe addressing of ERM elements. Enabling the ERM community with in-process analytics to deliver facts into decision making, and a coherent end-to-end process to execute, then we may have the opportunity to move from “Assessment to Judgement” to more of a ‘Fact to Act’ philosophy.
If you are interested in finding out more, we are hosting a webcast on the 12th July 2018 which will delve into this topic and how to avoid stagnant GRC thinking.