Enterprise Risk Management (ERM)

Overview: ERM in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives at the enterprise level. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management, and internal control. ERM is rapidly evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have also increased their scrutiny of companies' risk management processes.

Recent COSO Views: On September 1, 2009, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a publication, Effective Enterprise Risk Oversight: The Role of the Board of Directors, aimed at helping boards of directors strengthen their oversight of enterprise risks. The four-page publication calls attention to COSO’s views on ERM, particularly as they relate to board oversight.

An entity’s board of directors plays a critical role in overseeing an enterprise-wide approach to risk management. Because management is accountable to the board of directors, the board’s focus on effective risk oversight is critical to setting the tone and culture towards effective risk management through strategy setting, formulating high-level objectives, and approving broad-based resource allocations. COSO’s ERM Framework highlights the following four areas that contribute to board oversight of enterprise risk management:

  1. Understand the entity’s risk philosophy and concur with the entity’s risk appetite - Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value. Because boards represent the views and desires of the organization’s key stakeholders, management should have an active discussion with the board to establish a mutual understanding of the organization’s overall appetite for risks.
  2. Know the extent to which management has established effective enterprise risk management of the organization - Boards should inquire of management about existing risk management processes and challenge management to demonstrate the effectiveness of those processes in identifying, assessing, and managing the organization’s most significant enterprise-wide risk exposures.
  3. Review the entity’s portfolio of risk and consider it against the entity’s risk appetite - Effective board oversight of risks is contingent on the ability of the board to understand and assess an organization’s strategies with risk exposures. Board agenda time and information packets that integrate strategy and operational initiatives with enterprise-wide risk exposures strengthen the ability of boards to ensure risk exposures are consistent with overall appetite for risk.
  4. Be apprised of the most significant risks and whether management is responding appropriately - Risks are constantly evolving, and robust information is in high demand. Regular updates from management to boards on key risk indicators are critical to effective board oversight of key risk exposures for preservation and enhancement of stakeholder value.