Enterprise Risk Management Frameworks Flashcards
In 2004, COSO issued Enterprise Risk Management (ERM) - Integrated Framework, to assist organizations in developing a comprehensive response to risk management
according to COSO, risk is the possibility that events will occur and affect the achievement of strategy and business objectives
Management decisions will affect the development of value, including its creation, preservation, erosion, and realization
Value creation - when benefits of value exceed the cost of resources used (people, capital, technology, process, brand, etc.)
Value preservation - when ongoing operations efficiently and effectively sustain created benefits (high customer satisfaction with profitable product lines)
Value erosion - when faulty strategy and inefficient/ineffective operations cause value to decline
Value realization - when benefits created by the organization are received by stakeholders in either monetary or nonmonetary form
*value is defined by the type of entity - for profit & not-for-profit/governmental
Mission, vision, and core values define what an entity strives to be and how it wants to conduct business
Mission - the core purpose of the entity, why it exists, and what it hopes to accomplish
Vision - the aspirations of the entity and what it hopes to achieve over time
Core Values - the entity’s beliefs and ideals about what is good or bad, acceptable and unacceptable, and the influence they have on the organization
As defined by COSO, enterprise risk management is the culture, capabilities, practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value
Culture - the collective thinking of the people within an organization; it plays an important role in shaping decisions regarding risk; core values correlate with culture
Capabilities (competitive advantage) - produce value for an entity; exploitation of competitive advantage and adaptation to change are skill sets embedded within ERM
Practices - ERM is an organizational practice continually applied to the entire scope of activities of the business; it is part of management decisions at all levels of the entity; it is neither static nor is it an adjunct or add-on to the business
Integration (with strategy-setting and performance) - strategy is set in a manner that aligns with mission and vision; business objectives flow from strategy and drive the activities of all business units and functions
Managing Risk (linked to value) - provide management and the board with a reasonable expectation that the organization’s overall strategy and business objectives can be achieved; an organization must continually review and manage the types and amounts of risk it is willing to accept in its pursuit of value
What is risk appetite?
the types and amounts of risk, on a broad level, that an organization is willing to accept in pursuit of value; it is a range rather than a specific value and provides guidance on the practices an organization is encouraged to pursue or not pursue
it can vary between products, business units, or over time in line with changing capabilities for managing risk and must be flexible enough to adapt to changing business conditions without approvals
ERM encompasses numerous themes and uses very specific terminology
risk inventory - all risk that could impact an entity
reasonable expectation - the amount of risk of achieving strategy and business objectives that is appropriate for an entity, recognizing that no one can predict risk with precision
business context - trends, events, relationships, and other factors that may influence, clarify, or change an entity’s current and future strategy and business objectives
risk capacity - the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives
risk profile - a composite view of the risk assumed at a particular level of the entity or aspect of the business that positions management to consider the types, severity, and interdependencies of risk and how they may affect performance relative to the strategy and business objectives
portfolio view - a composite view of risk the entity faces which positions management and the board to consider the types, severity, and interdependencies of risk and how they may affect the entity’s performance relative to its strategy and business objectives
organizational sustainability - the ability of an entity to withstand the impact of large-scale events
performance management - the measurement of efforts to achieve or exceed the strategy and business objectives
ERM is depicted as a series of sequential yet intertwined components that drive an organization toward enhanced value
the tone at the top and communication are linked, and weave into the similarly linked efforts to develop overall strategy, specific business objectives, and manage performance to the achievement of value
mission, vision, and values drive the process but are also affected by performance, as management constantly reviews its risks and its ability to create value
What are the 5 interrelated components of ERM and their 20 supporting risk management principles?
GO PRO
Governance and culture
strategy and Objective-setting
Performance
Review and revision
information, communication, and reporting (Ongoing)
Governance and Culture
DOVES
defines Desired culture - an entity’s culture influences how the organization identifies risk, what types of risk it accepts, and how it manages risk; culture is a spectrum that progresses from risk averse, to risk neutral, and extends to risk aggressive
exercises board Oversight - the board is expected to have the skills, experience, and business knowledge to understand the entity’s strategy, stay informed on relevant issues, and maintain an active and accountable role that is independent and conscious of potential bias
demonstrates commitment to core Values - without support from the top of the organization, risk awareness can be undermined and risk-inspired decisions may be inconsistent with those values
attracts, develops, and retains capable individuals (Employees) - this starts with the board and its selection of executive leadership; the selection of team members is typically delegated to appropriate levels of management; HR assists management in assembling competent team members through consideration of knowledge, skills, experience; maintenance of the current talent pool is preparation for succession as someone could fill a crucial role
establishes operating Structure - this describes how an entity organizes and carries out its day-to-day operations and contributes to the alignment of risk management practices with core values
Strategy and Objective-Setting
SOAR
evaluates alternative Strategies - strategy is evaluated from two perspectives: (1) the possibility that the strategy does not align with the mission, vision, and core values of the entity, and (2) the implications of the chosen strategy; misaligned strategies may impede achievement of the entity’s mission and vision; the implications of each strategy include its risks and opportunities; identified risks collectively form a risk profile and serve as the basis for developing and evaluating alternative strategies
formulates business Objectives - the measurable steps that an organization takes to achieve its strategy; the alignment of business objectives to strategy supports the entity in achieving its mission and vision; monitoring performance includes the concept of tolerance; tolerance is the range of acceptable outcomes related to achieving a business objective within the risk appetite; tolerance is also referred to as the acceptable variance in performance
Analyzes business context - business context may be dynamic, complex, and even unpredictable; business context usually considers both external and internal environments
defines Risk appetite - risk appetite is defined in the context of creating, preserving, and realizing value; ultimately, risk appetite is expressed in the context of objectives
Performance
VAPIR
develops portfolio View - allows management and the board to consider the type, severity, and interdependencies of risks and how they may affect performance and align with the overall risk appetite
Assesses severity of risk - it is evaluated after it has been identified; resources and capabilities are deployed to keep the risk within the entity’s risk appetite based on the assessment; the severity of a risk is assessed at multiple levels of an entity, and severity measures relate to impact and likelihood; risk assessment includes the concepts of:
inherent risk - risk to an entity in the absence of any direct or focused actions by management to alter its severity
target residual risk - amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives knowing that management will implement or has implemented direct or focused actions to alter the severity of the risk
actual residual risk - the risk remaining after management has taken action
Prioritizes risk - risks that result in the entity approaching the risk appetite for specific business objectives are typically given higher priority
Identifies risks - new and emerging risks are identified and currently assessed risks are reevaluated using various techniques
implements risk Responses - they may trigger a review of strategic and business objectives; the responses are classified as:
accept - no action is taken to change the severity of the risk
avoid - action is taken to remove the risk
pursue - action is taken that accepts increased risk to achieve improved performance
reduce - action is taken to reduce the severity of the risk
share - action is taken to reduce the severity of the risk by transferring or otherwise sharing a portion of the risk with another party
Review and Revision
SIR
assesses Substantial change - assessments may include identifying internal and external environmental changes related to the business context as well as changes in culture
pursues Improvement in enterprise risk management - opportunities to revise and improve efficiency and usefulness may occur in any area
Reviews risk and performance - evaluations may relate to potentially incorrect assumptions, poorly implemented practices, entity capability, or cultural factors
Information, Communication, and Reporting (Ongoing)
TIP
leverages information and Technology - relevant information helps the organization be more agile in its decision making and provides a competitive advantage
communicates risk Information - communication is made to internal and external stakeholders and with the board of directors; communication techniques vary widely and must be evaluated for effectiveness
reports on risk, culture, and Performance - this is done at multiple levels across the entity; it can be either qualitative or quantitative; the frequency of reporting should be commensurate with the severity and priority of risk