Enterprise Risk Management

This document summarizes the key aspects of enterprise risk management (ERM) according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It defines ERM and outlines its eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. It provides examples to illustrate risk tolerance, event identification techniques, and risk assessment models. The overall purpose of ERM is to identify and manage risks that could impact an organization's ability to achieve its strategic objectives.

Uploaded by

Eric Cauilan
C. Enterprise Risk Management

In addition to an internal control framework, COSO has also developed a framework for enterprise risk management (ERM). The framework defines ERM as follows:
    Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
ERM helps align the risk appetite of the organization with its strategy, enhances risk response decisions, reduces operational surprises and losses, identifies and manages cross-enterprise risks, provides integrated responses to multiple risks, helps the organization seize opportunities, and improves the deployment of capital.
A key aspect of ERM is the identification and management of events that have a negative impact, a positive impact, or both. Events with a negative impact represent risks. Events with a positive impact may offset negative impacts or represent opportunities. The risk management process involves (1) identifying risks, (2) assessing risks, (3) prioritizing risks, (4) determining risk responses, and (5) monitoring risk responses.
Everyone in the organization has some responsibility for ERM. The best-run organizations have a culture of risk management that is understood by every employee. Many organizations assign a risk officer, financial officer, and/or internal auditor key support responsibilities. The organization’s internal control is an integral part of its ERM system.
1. Components of ERM
According to COSO, ERM consists of eight interrelated components: (1) internal environment, (2) objective setting, (3) event identification, (4) risk assessment, (5) risk response, (6) control activities, (7) information and communication, and (8) monitoring.
a. Internal environment
The internal environment is the basis for all other components of ERM, providing discipline and structure. It encompasses the tone of the organization and sets the basis for how risk is viewed and addressed by an organization’s people, including the risk management philosophy and risk appetite, and integrity and ethical values.
The board of directors is a critical part of the internal environment. The board provides oversight over management’s implementation of ERM, helping to make sure that it is effective.
Integrity and ethical values help ensure that management and other individuals within the organization are not inclined to engage in unethical or illegal activities. Management sets an ethical tone by action and example, and communicates the tone through codes of conduct and established policies. Management also should avoid incentives and temptations that may lead to unethical behavior, unless effective controls are established to prevent such behavior.
Other factors that contribute to an effective internal environment include competent, well-trained employees, an appropriate organizational structure, properly assigned authority and responsibility, and effective human resource policies and procedures.
An important aspect of the organization’s internal environment is its risk appetite. Risk appetite is the amount of risk an organization is willing to accept to achieve its goals. It reflects the organization’s culture and operating style and is directly related to the organization’s strategy. Some organizations consider risk appetite qualitatively (e.g., low, moderate, high), while others consider it quantitatively (e.g., in percentages). Risk tolerance relates to the organization’s objectives: it is the acceptable variation with respect to a particular objective.

EXAMPLE
Assume a company has an objective of a 97% customer satisfaction rating. However, the company may tolerate a rating as low as 94%. The difference between 97% and 94% represents the company’s risk tolerance with respect to the customer satisfaction rating.

b. Objective setting
Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the organization’s mission and are consistent with its risk appetite.
The organization’s mission sets forth in broad terms what the organization aspires to achieve. Strategic objectives are high-level goals aligned with the organization’s mission. These high-level objectives are linked and integrated with the specific objectives established for various activities. By setting objectives, the organization can identify critical risk factors, which are the key things that must go right for the objectives to be met.
Objectives may be divided into three categories: (a) operations objectives, which relate to the effectiveness and efficiency of operations; (b) reporting objectives, which relate to reliable reporting of internal and external, financial and nonfinancial information; and (c) compliance objectives, which relate to adherence to laws and regulations.
c. Event identification
Potential internal and external events affecting achievement of an organization’s objectives must be identified, distinguishing between risks and opportunities. An event is an incident that occurs or might occur that affects implementation of strategy or achievement of objectives. Events may be negative (risks), positive (opportunities), or both. Risks require a response, while opportunities should be channeled back to management’s strategy or objective-setting processes. Some events may be external in nature, such as those resulting from economic, natural environment, political, social, or technological factors. Other events result from internal factors such as the organization’s infrastructure, personnel, processes, or technology.
Event identification techniques include
(1) Event inventories. Developing a detailed listing of potential events.
(2) Internal analysis. This may be done at regular staff meetings. It may involve using information from other stakeholders, such as customers, suppliers, etc.
(3) Escalation or threshold triggers. Management predetermines limits that cause an event to be further assessed.

EXAMPLE
A company may identify a potential pricing issue when competitor sales prices change by a predetermined percentage.

(4) Facilitated workshops or interviews. This technique involves soliciting information about events from management and staff. For example, a facilitator may lead a discussion of events that might affect achieving an organization’s objectives.
(5) Process flow analysis. Involves breaking processes down into inputs, tasks, responsibilities, and outputs to identify events that might adversely affect the process.
(6) Leading event indicators. This technique involves monitoring data correlated to events, to identify when the event is likely to occur.
(7) Loss event data methodologies. By developing repositories of data on past loss events, management can identify event trends and the root causes of events. Management can also perform black swan analysis, which involves evaluating the occurrence of events that had negative effects and were unanticipated or viewed as highly unlikely.
d. Risk assessment
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Management should assess both inherent risk and residual risk for an event. Inherent risk is the risk to the organization if management does nothing to alter its likelihood or impact. Residual risk is the risk of the event after considering management’s response. Risks are assessed in terms of their likelihood of occurring and their impact (e.g., financial effect). Management often uses qualitative techniques to assess risk when risks do not lend themselves to quantification or when sufficient reliable data is not available to use a quantitative model. Probabilistic or nonprobabilistic models may be used to quantify risk. Probabilistic models associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Examples of probabilistic models include value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions. Nonprobabilistic models use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Examples of nonprobabilistic models include sensitivity measures, stress tests, and scenario analysis.
e. Risk response
In this aspect of ERM, management selects risk responses that are consistent with the risk appetite of the organization, including
(1) Avoidance. This response involves exiting the activity that gives rise to the risk.
(2) Reduction. This response involves taking action to reduce risk likelihood or impact, or both. For example, this might involve managing the risk or adding controls to processes.
(3) Sharing. This response involves reducing risk likelihood or impact by transferring or sharing a portion of the risk. Techniques for sharing include insurance, hedging, and outsourcing.
(4) Acceptance (retention). No action is taken because the risk is consistent with the risk appetite of the organization.
All risk responses must be assessed in terms of their costs and benefits to select the responses that should be implemented. The position best suited to devise and execute risk procedures for a particular department is the manager of that department.
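A worked risk register, added here as an illustration and not part of COSO or the original text, that scores inherent and residual risk as likelihood × impact on constructed 1-to-5 scales, applies the four response types above, and flags entries whose residual risk still exceeds a constructed risk appetite:

```python
from dataclasses import dataclass
from typing import Optional

RESPONSES = {"avoidance", "reduction", "sharing", "acceptance"}   # the four COSO responses

@dataclass
class Risk:
    name: str
    likelihood: int                         # inherent likelihood, 1 (rare) to 5 (almost certain)
    impact: int                             # inherent impact, 1 (minor) to 5 (severe)
    response: str                           # one of RESPONSES
    likelihood_after: Optional[int] = None  # expected likelihood once the response is in place
    impact_after: Optional[int] = None      # expected impact once the response is in place

def inherent_score(r: Risk) -> int:
    """Inherent risk: likelihood x impact with no management action (constructed scoring)."""
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    """Residual risk: likelihood x impact after the chosen response (constructed model)."""
    if r.response not in RESPONSES:
        raise ValueError(f"unknown response {r.response!r} for {r.name}")
    if r.response == "avoidance":           # activity exited, so the event can no longer occur
        return 0
    if r.response == "acceptance":          # no action taken, so residual equals inherent
        return inherent_score(r)
    lik = r.likelihood if r.likelihood_after is None else r.likelihood_after
    imp = r.impact if r.impact_after is None else r.impact_after
    if lik > r.likelihood or imp > r.impact:  # reduction/sharing may only lower likelihood or impact
        raise ValueError(f"{r.response} cannot increase likelihood or impact for {r.name}")
    return lik * imp

def prioritize(register: list, appetite: int) -> list:
    """Rank by residual risk (highest first) and flag entries still above the risk appetite."""
    rows = [(r.name, inherent_score(r), residual_score(r), residual_score(r) <= appetite) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register; scores and response effects are illustrative, not COSO values.
REGISTER = [
    Risk("Ransomware outage", 3, 5, "reduction", likelihood_after=2, impact_after=4),
    Risk("Cloud provider outage", 2, 4, "sharing", impact_after=2),
    Risk("Legacy customer portal", 4, 4, "avoidance"),
    Risk("Low-value phishing losses", 2, 1, "acceptance"),
]
RISK_APPETITE = 6   # constructed: the highest residual score the organization will tolerate

if __name__ == "__main__":
    for name, inh, res, ok in prioritize(REGISTER, RISK_APPETITE):
        print(f"{name:28} inherent={inh:2} residual={res:2} {'within appetite' if ok else 'EXCEEDS appetite'}")
```

Entries still flagged after their response need either a stronger response or a revisited appetite, which is the cost-benefit decision the paragraph above describes.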
f. Control activities
Policies and procedures should be established and implemented to help ensure the risk responses are effectively carried out.
g. Information and communication
Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities. Information is needed at all levels of the organization to identify, assess, and respond to risks. Communication should effectively convey the importance and relevance of effective ERM, the organization’s objectives, the organization’s risk appetite and risk tolerances, a common risk language, and the roles and responsibilities of personnel in effecting and supporting the components of ERM.
h. Monitoring
The entire ERM process should be monitored to make needed modifications. Monitoring is accomplished by ongoing management activities and separate evaluations, such as those performed by internal auditors.
2. Limitations of ERM
In considering limitations of ERM, three distinct concepts must be recognized:
a. Risk relates to the future, which is uncertain;
b. ERM provides information about risks of achieving objectives, but it cannot provide even reasonable assurance that objectives will be achieved; and
c. ERM cannot provide absolute assurance with respect to any of the objective categories.
Specific limitations include the following:
(1) The effectiveness of ERM is subject to the limitations of the ability of humans to make judgments about risk and impact.
(2) Well-designed ERM can break down.
(3) Collusion among two or more individuals can result in ERM failures.
(4) ERM systems can never be perfect due to cost-benefit constraints.
(5) ERM is subject to management override.
