
Statement on Management Accounting
FINANCE GOVERNANCE, RISK, AND COMPLIANCE

Enterprise Risk Management: Frameworks, Elements, and Integration

Published by
Institute of Management Accountants
10 Paragon Drive, Suite 1
Montvale, NJ 07645
www.imanet.org

Copyright © 2011 by Institute of Management Accountants
All rights reserved

IMA® would like to acknowledge the work of William G. Shenkir, Ph.D., CPA, and Paul L. Walker, Ph.D., CPA, both of the McIntire School of Commerce, University of Virginia, who were the authors of this SMA. Thanks also go to Patrick Stroh of UnitedHealth Group and Jeff Thomson, CMA, of IMA, who served as reviewers, and Raef Lawson, Ph.D., CMA, CPA, of IMA, who serves as series editor.


Enterprise Risk Management

TABLE OF CONTENTS

I. Rationale ..... 4
II. Defining Risk and ERM ..... 4
III. Scope ..... 5
IV. Total Risk Classification ..... 5
V. The Role of the Management Accountant ..... 6
VI. ERM Frameworks: A Global Perspective ..... 7
  The Combined Code and Turnbull Guidance ..... 8
  King II Report ..... 8
  A Risk Management Standard by Federation of European Risk Management Association (FERMA) ..... 8
  Australian/New Zealand Standard 4360—Risk Management ..... 8
  COSO’s Enterprise Risk Management—Integrated Framework ..... 9
  IMA’s “A Global Perspective on Assessing Internal Control over Financial Reporting” ..... 10
  Basel II ..... 12
  Standard & Poor’s and ERM ..... 12
VII. ERM Foundational Elements ..... 12
  Organizational Context ..... 12
    Tone at the Top ..... 12
    Risk Management Philosophy and Risk Appetite ..... 12
    Integrity and Ethical Values ..... 13
    Scope and Infrastructure for ERM ..... 13
  Basic Components of ERM Framework ..... 13
    Set Strategy and Objectives ..... 13
    Identify Risks ..... 14
    Assess Risks ..... 16
    Treat and Control Risks ..... 18
    Communicate and Monitor ..... 20
VIII. Integrating ERM into Ongoing Management Activities ..... 20
  Strategic Planning ..... 20
  Balanced Scorecard ..... 21
  Budgeting ..... 22
  Total Quality Management and Six Sigma ..... 23
  Business Continuity (Crisis Management) ..... 23
  Corporate Governance ..... 24
  The Board and Stock Exchanges ..... 24
  Risk Disclosures ..... 24
    Proxy Statements ..... 24
    Management’s Discussion and Analysis ..... 24
    10-K Item 1A—Risk Factor Disclosure ..... 25
    Other Voluntary Disclosures ..... 25
IX. Transitioning from SOX to ERM ..... 25
X. Conclusion ..... 25
Glossary ..... 26
Bibliography ..... 26
TABLE OF EXHIBITS

Exhibit 1: Evolution of Risk Management ..... 6
Exhibit 2: COSO Enterprise Risk Management Framework ..... 9
Exhibit 3: COSO Enterprise Risk Components ..... 10
Exhibit 4: Core Components of a Risk-Based Approach ..... 11
Exhibit 5: A Continuous Risk Management Process ..... 14
Exhibit 6: Risk Identification Techniques ..... 14
Exhibit 7: Risk Quantitative and Qualitative Techniques ..... 15
Exhibit 8: Subjective Assessment of Risk ..... 15
Exhibit 9: Risk Map ..... 16
Exhibit 10: Detailed Risk Map ..... 17
Exhibit 11: Color-Coded Risk Map ..... 17
Exhibit 12: Functional Risk Assessment Summary ..... 18
Exhibit 13: Linking Objectives, Events, Risk Assessment, and Risk Response ..... 19
Exhibit 14: Strategy, the Balanced Scorecard, and the Budget ..... 21
Exhibit 15: Balanced Scorecard and Strategic Risk Assessment ..... 22
Exhibit 16: Risk/Crisis Acceleration ..... 23
Exhibit 17: Hallmarks of Best-Practice ERM ..... 26


I. RATIONALE

Leadership is about making a difference. If leaders of organizations in the 21st Century are to make a difference and grow their organizations to greatness, they must have the capability to navigate in a very risky and dangerous world. Thus, understanding and managing risk has become imperative for successful leadership of organizations in today’s world.

A variety of risks confront organizations today, and any one of them could threaten an organization’s success and ultimately lead to a decrease in stakeholder value. The need for greater risk awareness by leaders is driven by much more than just terrorism. Forces such as globalization and the geopolitical environment in which organizations operate add complexity to business, thereby increasing risks. Technology and the Internet require companies to rethink their business models, core strategies, and target markets. Customers have ever-increasing demands for customized products and services, leading to more risks. If customer expectations are not met, market share and, ultimately, revenue and profits can be significantly and quickly impacted. Organizations must also comply with increased regulations in some cases and deregulation in others, both of which drive risks. Mergers and restructurings are causing organizations to downsize and undergo changes in management responsibilities, which also creates the potential for enterprise risks.

Another important driver for more attention to risk management is the accounting and reporting deficiencies, such as unjustified revenue recognition and convoluted business transactions as found in special purpose entities and backdating of stock options. More complex financial instruments such as derivatives are also part of the reality today, requiring greater understanding of the risks embedded in such instruments. Given all of these forces, leaders must have a heightened state of awareness of the necessity for holistic risk management and for a stronger governance structure for their organization.

Well-managed organizations have always had some focus on risk management, but typically it has been on an exposure-by-exposure basis through various risk management silos. For example, the treasury function focuses on risks emanating from foreign currencies, interest rates, and commodities—so-called financial risks. An organization’s insurance group focuses on hazard risks such as fire and accidents. Operating management looks after various operational risks, and the information technology group is concerned with security and systems risks. The accounting and internal audit function focuses on risks caused by inadequate internal controls and trends in performance indicators. The general assumption is that executive management has their eyes on the big picture of strategic risks facing the enterprise in the short term and over the life of the strategic plan.

As organizations grow in complexity and serve global markets, the leadership challenge is to fully understand how the various organizational units interact and relate and, in turn, how the risks cut across the silos. Instead of managing risk in many individual silos, enterprise risk management (ERM) takes an integrated and holistic perspective on risks facing an organization. Risk-centric leadership does not mean that the organization will be risk averse, but that it strives to identify, assess, and manage risks. When taking risks, the leadership does so intentionally rather than unknowingly. The key is to take calculated risks across the enterprise and appropriately manage and mitigate the risks for the benefit of the stakeholders.

II. DEFINING RISK AND ERM

Organizations are confronted by events that affect the execution of their strategies and achievement of their objectives. These events can have a negative impact (risks), a positive impact (opportunities), or a mix of both risk and opportunity. In the 2004 publication Enterprise Risk Management—Integrated Framework: Executive Summary Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) stated that ERM is:
• “A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories.”

Several points to emphasize from this broad definition include:
• Risk management should be viewed as a core competency; and
• It is part of everyone’s job—whether at the level of setting the organization’s strategy, a unit’s objectives, or running the daily operations.

Organizations seek to create value for their stakeholders, and ERM is implemented with that goal in mind. Accordingly, ERM is:

a structured and disciplined approach: It aligns strategy, processes, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value.…It is a truly holistic, integrated, forward-looking, and process-oriented approach to managing all key business risks and opportunities—not just financial ones—with the intent of maximizing shareholder value as a whole.

The authors of this Statement on Management Accounting (SMA) have stated in previous publications that the goal of ERM is “to create, protect, and enhance shareholder value by managing the uncertainties that could either negatively or positively influence achievement of the organization’s objectives.” Given that ERM is applicable to all types of organizations, as noted below, some might prefer to use the term “stakeholder value” in this definition instead of “shareholder value.”

III. SCOPE

This SMA provides an overview of the ERM process and frameworks. ERM frameworks can be adapted to fit the specifics of the organization’s culture and can be implemented in large or small organizations, service or manufacturing businesses, profit, not-for-profit, or private entities.

The information in this SMA provides management accountants and others interested in implementing ERM with:
• A definition of ERM;
• A classification of various risks;
• An understanding of the roles and responsibilities of management accountants in ERM projects;
• An overview of ERM frameworks from several different professional organizations around the world;
• A discussion of the foundational elements of ERM;
• Suggestions of how ERM can enhance on-going management activities; and
• Ideas for adding value to the Sarbanes-Oxley (SOX) 404 compliance requirement by employing a risk-based approach to identify, test, and document key internal controls to assure investors on the quality of the firm’s financial statements and related disclosures.

The information in this SMA provides an overview for an organization considering implementation of ERM. This document is not intended to provide a comprehensive discussion of ERM. Other sources, such as those identified in the bibliography, should also be consulted.

IV. TOTAL RISK CLASSIFICATION

Taking the perspective of the total entity, risks may be classified in a variety of risk frameworks. One frequently used framework is:
• Strategic Risk: examples include risks related to strategy, political, economic, regulatory, and global market conditions; also could include reputation risk, leadership risk, brand risk, and changing customer needs.
• Operational Risks: risks related to the organization’s human resources, business processes, technology, business continuity, channel effectiveness, customer satisfaction, health and safety, environment, product/service failure, efficiency, capacity, and change integration.
• Financial Risks: includes risks from volatility in foreign currencies, interest rates, and commodities; also could include credit risk, liquidity risk, and market risk.
• Hazard Risk: risks that are insurable, such as natural disasters; various insurable liabilities; impairment of physical assets; terrorism.

As noted in Exhibit 1: Evolution of Risk Management, traditional risk management generally focused on financial risk and hazard risk. Approaching risk from an enterprise-wide perspective began to be considered and implemented in the 1990s. This holistic risk approach should enable management to identify most of the key risks that confront the organization. Implementing ERM, however, does not mean that an organization will be able to anticipate every risk that could result in loss of stakeholder value. The limitation of ERM is captured in the aphorism: “There are known knowns, known unknowns, and unknown unknowns.” In the ERM process, known risks will be identified, and some previously unknown risks will become known. Even with a robust process, however, some unknown risks will not be identified. The
EXHIBIT 1. EVOLUTION OF RISK MANAGEMENT

[Figure, reconstructed from its labels: three columns of stacked risk categories, one per decade. 1970s: Hazard, Credit. 1980s: Hazard, Credit, Market. 1990s: Hazard, Financial, Operational, Strategic, grouped under the heading Enterprise Risk Management.]

organization must have a business continuity or crisis management plan ready to execute when unknown risks materialize and affect the organization negatively. Alternatively, unknown risks can create unique opportunities, and companies must be ready to capitalize on those opportunities.

V. THE ROLE OF THE MANAGEMENT ACCOUNTANT

Adopting ERM is a major commitment for an organization. Successful implementation requires champions at the C-level (CEO, CFO, controller, chief audit executive, chief information officer) of the organization. Some companies have appointed chief risk officers (CROs) or established executive-level risk committees, which may report directly to the board of directors audit committee, thereby enhancing their independence and importance. The ERM initiative gains momentum when it is strongly supported by the board of directors and audit committee. Executive management cannot merely begin the process and then move on to other activities. The last thing most organizations need is another mandate imposed from on high and then left to wither and fade away. If ERM implementation is to be successful, it cannot be viewed as “another program from headquarters” or the “management fad of the month.” Education in the ERM framework, the language of risk, and the value of proactive risk management is an imperative for successful ERM deployment. The 2006 Oversight Systems “Financial Executive Report on Risk Management” shows that companies are embracing the concept of ERM but continue to have difficulty with its implementation, noting that 68% of financial executives say their CEO is placing greater emphasis on the management of all types of risk on a holistic basis, and 58% say their company has an ERM approach that considers various risk category interactions. On the other hand, only 41% believe there is a consistent and well-communicated definition of “risk” across the enterprise, and only one-third of the financial executives surveyed believe there are formal training programs for senior and line management.

It is important for executive management to communicate that they view ERM as an integral component of sound business management. Implementing an integrated and holistic risk management approach across the entire organization will undoubtedly affect the role of some well-ensconced fiefdoms engaged in silo risk management. Risk champions can be influential in getting general acceptance of ERM. It is important that executives set the tone at the top by calling for big picture alignment, strong corporate governance, and risk educational programs.
The management accountant can make major contributions to moving the organization from silo risk management (or no meaningful risk management process at all) to an integrated and holistic approach. In the migration from a counter of wealth to assisting in the creation of wealth (i.e., independent strategic business partner), the management accountant in the “new” era of the finance organization is increasingly being asked to serve on, if not lead, cross-functional teams to implement critical enterprise-wide initiatives. ERM provides a wealth of opportunities for the management accountant to help implement a disciplined, systematic process to maximize the value of the enterprise. Some specific activities where the skills and competencies of the management accounting professional can be useful in ERM implementation include:
• Serve as a champion for ERM, supporting the change from risk management in silos to ERM;
• Help to resolve conflict between supporters of ERM and traditional risk management approaches;
• Educate others in the organization on the ERM process;
• Provide expertise to operational management on the organization’s ERM framework and process;
• Serve on cross-functional and diverse ERM committees;
• Assist executive and operational management in analyzing and quantifying the organization’s risk appetite and risk tolerances for individual units;
• Assist in implementing ERM within the finance function;
• Provide information to operational management to assist in risk identification;
• Perform benchmarking studies for use in risk identification;
• Gather best practice information on ERM;
• Assist in quantifying impact and likelihood of individual risks on risk maps;
• Assist in identifying and estimating costs and benefits of various risk mitigation alternatives, and coach management in responding to risks;
• Design reports to monitor risks and develop financial and nonfinancial metrics to evaluate the effectiveness of risk mitigation (treatment) actions;
• Advise management on integrating ERM with the balanced scorecard and budgeting process;
• Participate in development of business continuity (crisis management) plans;
• Advise on risk disclosures in the SEC Form 10-K and the annual report;
• Serve as a champion for strong corporate governance incorporating ERM; and
• Coach management on the value of extending SOX 404 compliance to encompass ERM, including business process owners and other operational functions conducting a holistic assessment of risks impacting achievement of their business objectives.

Once executive management has decided to embark on implementing ERM, it is in the enlightened self-interest of management accountants to do what they can to keep the project moving. An effective ERM implementation provides a context for management accountants to perform their duties and responsibilities knowing that people at all levels of the organization are aware of risk while doing their work and are held accountable for how they manage risks.

VI. ERM FRAMEWORKS: A GLOBAL PERSPECTIVE

ERM is a globally accepted and growing field. As a result, a number of risk frameworks and statements have been published by professional organizations around the world. Some of the publications urge businesses to use these frameworks. Other risk frameworks have a “comply or explain why not” approach. Still other frameworks are legally mandated or implied in their respective country. Some of the documents were written by guidance-setting organizations such as COSO, while others were written by individuals with a wide range of backgrounds, including insurance, government, safety, and engineering. The different backgrounds lead to very different approaches in these risk frameworks. Some lean toward financial reporting and internal control, and others lean toward management, corporate governance, and accountability. Ambitiously, some even try to cover every possible aspect of risk. Still, enterprise risk management frameworks are valuable tools. They usually provide a diagram or approach that includes the steps necessary for ERM implementation in addition to providing guidance and examples. In this section, the following ERM frameworks are briefly discussed:
• The Combined Code and Turnbull Guidance
• King II Report
• A Risk Management Standard by the Federation of
European Risk Management Association (FERMA)
• Australian/New Zealand Standard 4360—Risk Management
• COSO’s Enterprise Risk Management—Integrated Framework
• IMA’s “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR)
• Basel II
• Standard & Poor’s and ERM

THE COMBINED CODE AND TURNBULL GUIDANCE

In the United Kingdom, the Financial Reporting Council published the Combined Code on Corporate Governance (the Code) in 2003. Although the Code is not specifically labeled as an ERM framework, it does have many similar aspects, and “risk” is mentioned more than 100 times. The Code states that the role of the board is to provide a framework of effective control so that risk is assessed and managed. The board is also required to review the effectiveness of controls, including all controls over financial, operational, and compliance areas as well as risk management systems.

In 2005, the Financial Reporting Council also published Internal Control—Revised Guidance for Directors on the Combined Code, which is a revision of the Turnbull report first published in 1999. This guidance assumes that a company’s board uses a risk-based approach to internal control. The guidance suggests that to assess a company’s risk and control processes, the following elements must be reviewed:
• Risk assessment;
• Control environment and control activities;
• Information and communication; and
• Monitoring.

The guidance offers sample questions that could be used to assess the effectiveness of risk and control processes. Questions related to risk assessment focus on the presence of clear objectives, effective direction on risk assessment, measurable performance targets, identification and assessment of all risks on an ongoing basis, and a clear understanding of acceptable risks.

KING II REPORT

The King Report on Corporate Governance for South Africa (King II Report) was published in 2002 to promote corporate governance. This report has five sections:
• Board and directors;
• Risk management;
• Internal audit;
• Integrated sustainability reporting; and
• Accounting and auditing.

The King II Report also includes an appendix on “risk management and internal controls.” According to this report, the board is responsible for the risk management process and its effectiveness. The board should:
• Set risk strategy policies;
• Assess the risk process;
• Assess the risk exposures, such as physical and operational risks, human resource risks, technology risks, business continuity and disaster recovery, credit and market risks, and compliance risks;
• Review the risk management process and significant risks facing the company; and
• Be responsible for risk management disclosures.

A RISK MANAGEMENT STANDARD BY FEDERATION OF EUROPEAN RISK MANAGEMENT ASSOCIATION (FERMA)

A consortium of U.K. organizations, including the Institute of Risk Management, the Association of Insurance and Risk Managers, and the National Forum for Risk Management in the Public Sector, published A Risk Management Standard (RMS) in 2004. The RMS represents best practices that companies can compare themselves against to determine how well they are doing in the prescribed areas. It is not a lengthy document, but it does provide a risk management process, which includes:
• Linkage to the organization’s strategic objectives;
• Risk assessment, which the RMS breaks down into risk analysis, risk identification, risk description, risk estimation, and risk evaluation;
• Risk reporting;
• Decision;
• Risk treatment;
• Residual risk reporting; and
• Monitoring.

AUSTRALIAN/NEW ZEALAND STANDARD 4360—RISK MANAGEMENT

Australia and New Zealand formed a joint technical committee composed of representatives from numerous organizations to publish two documents on risk management in 2004. The committee is diverse and includes
Enterprise Risk Management

EXHIBIT 2. COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK

IC ON NG CE
TEG TI TI IAN
RA R L
RA E PO MP
ST OP RE CO

Internal Environment

Objective Setting

Subsidiary
Business Unit
Event Identification

Division
Entity Level
Risk Assessment

Risk Response

Control Activities

Information & Communication

Monitoring

Source: COSO, Enterprise Risk Management—Integrated Framework: Executive Summary, AICPA, New York, 2004, p. 7.
9
groups that focus on computers, customs, insurance, step “establishing the context,” the commentary focuses
defense, emergency management, safety, securities, and on understanding an organization’s objectives and its
accounting, among many others. This diverse background external and internal stakeholders. As another example,
leads to a different approach than is seen in other frame- the Guidance provides commentary on “criteria” for
works. The first document, initially published in 1999, is establishing the context, which include the kinds of con-
titled Risk Management (the Standard). The second com- sequences and the definition of likelihood. The commen-
panion document, Risk Management Guidelines (the Guid- tary on criteria further includes detailed case examples of
ance), provides insights on implementing the Standard. criteria and the related objectives.
The Standard can be applied to any type of organiza-
tion and to any project or product. It attempts to factor in COSO’S ENTERPRISE RISK MANAGEMENT—
both the upside and downside of risk. Although the Stan- INTEGRATED FRAMEWORK
dard specifies the elements of risk management, it is not COSO published Internal Control—Integrated Frame-
intended to enforce uniformity. Its objective is to provide work in 1992. It followed that in 2004 with publication of
guidance in several areas, some of which are: a basis for its ERM framework, Enterprise Risk Management—
decision making, better risk identification, gaining value, Integrated Framework (see Exhibits 2 and 3). As noted
resource allocation, improved compliance, and corporate previously, the COSO definition of ERM is very broad.
governance. The Standard’s risk management process The ERM framework is clearly distinct from COSO’s
includes establishing the context, identifying risks, ana- internal control framework. Currently, the Securities &
lyzing risks, evaluating risks, and treating risks. Exchange Commission (SEC) requires that companies
The Guidance document elaborates on each element attest in writing that their system of internal controls
of the risk management process. For example, for the over financial reporting is effective in accordance with a
“suitable” framework such as COSO’s 1992 internal control framework. Interestingly, the 2004 COSO ERM guidance is arguably more suitable for achieving the SEC’s goal of developing and deploying “top-down, risk-based” management assessment guidance that helps lower the costs associated with SOX 404 compliance. The COSO ERM framework notes that internal control is a part of ERM.

The COSO ERM framework has eight interrelated components (see Exhibit 3). According to COSO’s ERM framework, internal environment refers to the tone of the organization, its risk appetite, and elements such as oversight by the board. The framework states that companies must set objectives at the strategic level and must identify the risks and opportunities that impact the entity. Risks must then be assessed, and a response to the risk made—avoidance, reduction, sharing, or possibly acceptance. Clearly, COSO’s ERM framework is one of the most comprehensive frameworks.

COSO also published a volume of application techniques to supplement the framework. This document provides examples to assist companies in implementing ERM. For example, the application techniques related to the internal environment component show sample risk management philosophy statements and illustrative codes of conduct. Other examples are given for each of the framework’s components.

EXHIBIT 3. COSO ENTERPRISE RISK COMPONENTS

INTERNAL ENVIRONMENT
Risk Management Philosophy – Risk Appetite – Board of Directors – Integrity and Ethical Values – Commitment to Competence – Organizational Structure – Assignment of Authority and Responsibility – Human Resource Standards

OBJECTIVE SETTING
Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerances

EVENT IDENTIFICATION
Events – Influencing Factors – Event Identification Techniques – Event Interdependencies – Event Categories – Distinguishing Risks and Opportunities

RISK ASSESSMENT
Inherent and Residual Risk – Establishing Likelihood and Impact – Data Sources – Assessment Techniques – Event Relationships

RISK RESPONSE
Evaluating Possible Responses – Selected Responses – Portfolio View

CONTROL ACTIVITIES
Integration with Risk Response – Types of Control Activities – Policies and Procedures – Controls Over Information Systems – Entity Specific

INFORMATION AND COMMUNICATION
Information – Communication

MONITORING
Ongoing Monitoring Activities – Separate Evaluations – Reporting Deficiencies

Source: COSO, Enterprise Risk Management—Integrated Framework: Executive Summary, AICPA, New York, 2004, p. 2.

IMA’S “A GLOBAL PERSPECTIVE ON ASSESSING INTERNAL CONTROL OVER FINANCIAL REPORTING”

EXHIBIT 4. CORE COMPONENTS OF A RISK-BASED APPROACH

[Figure: a flowchart of the following steps.]

Assurance Context (self-determined or mandated): the outcome, objective, process, or subject one or more stakeholders want some type of formalized assurance on.

Threats to Achievement/Risks: these are possible problems or situations that could threaten the assurance context.

Control Portfolio (the controls selected, consciously or unconsciously): controls are methods, procedures, equipment, or other things that provide additional assurance relevant risks are mitigated to an acceptable level.

Residual Risk Status: information that helps decision makers assess the acceptability of residual risk. Status data can include issues/concerns, indicator data, impact information, impediments, risk sharing mechanisms, and other relevant data.

Acceptable? Is the residual risk status acceptable to the work unit? management? the board? external audit? regulators? other stakeholders? NO: risk sharing/avoidance; reexamine control design and/or assurance context and develop an action plan. YES: continue.

Portfolio Optimized? Is this the lowest cost set of controls given our risk tolerance? NO: reexamine control design and/or assurance context and develop an action plan. YES: move on.

Source: IMA, “A Global Perspective on Assessing Internal Control Over Financial Reporting,” September 2006, p. 10.

IMA developed a risk-based framework to assist company management in better cost-effective compliance with SOX 404 requirements. Titled “A Global Perspective on Assessing Internal Control over Financial Reporting” (ICoFR), it includes self-assessments by CFOs and business process owners. The framework, shown in Exhibit 4, has been market tested and draws on advances in global risk and quality management disciplines over many years. Some members of the business community have noted that SOX 404 requirements have resulted in smaller publicly traded companies delisting or threatening to delist; larger corporations employing full-time staffs and expensive consultants and not realizing the value in their compliance programs; and an erosion of U.S. global competitiveness. IMA developed the framework and delivered it to the SEC in order to provide thought leadership as the SEC develops its own version of management
assessment guidance, which many hope will address the implementation issues associated with SOX 404 compliance in the more than three years since the Sarbanes-Oxley Act was passed.

ICoFR heavily relies on advances in global risk management, including how to “treat” risks once an “assurance context” has been established with appropriate business objectives. The assurance context as it relates to SOX 404 is materially fault-free financial statements enabled by an effective system of internal controls. The risk-based framework works equally well with other business contexts/applications, however, such as business continuity planning, operations management, and cost optimization. The ICoFR framework also relies on traditional Total Quality Management (TQM) principles. For example, once the assurance context has been established and the initial control portfolio is selected to address “threats to achievement” of objectives, the residual risk that remains is quantifiable (e.g., by analysis of historical error rates) and tested against preestablished bounds. This helps determine if the risk is acceptable or not.

BASEL II

The Basel Committee on Banking Supervision updated its original Basel Accord with Basel II and its related new framework. The framework is designed to improve the international banking system and make it stronger. The framework is focused on maintaining consistent capital adequacy requirements among banks. A key idea behind the framework is that banks should match capital to the actual level of risks and to set minimum capital levels. The framework applies to “internationally active banks” and has three pillars: minimum capital requirements, supervisory review, and market discipline.

STANDARD & POOR’S AND ERM

Standard & Poor’s (S&P) has already started to incorporate a company’s ERM practice into the S&P rating of the company. S&P currently applies this rating to both financial institutions and insurers. Its framework for evaluating ERM at banks includes a review of ERM policies, ERM infrastructure, and ERM methodology. ERM policies should address risk culture, appetite, and strategy; control and monitoring; and disclosure and awareness. ERM infrastructure covers risk technology, operations, and risk training. ERM methodology refers to capital allocation, model vetting, and valuation methods.

The framework for evaluating insurers includes an assessment of risk management culture, risk controls, emerging risk management, risk and capital models, and strategic risk management. S&P rates an insurer as weak, adequate, strong, or excellent. An adequate rating would mean an insurer has “fully functioning risk control systems in place for all major risks.”

VII. ERM FOUNDATIONAL ELEMENTS

The essential components of most ERM frameworks are similar. They differ in the language used to describe the components in the ERM process as well as in the number of specific steps. In implementing ERM, a company may want to adapt a generic framework to fit its culture, management philosophy, capabilities, needs, industry, and size. This section discusses the organizational context for ERM and the basic components in a generic ERM framework.

ORGANIZATIONAL CONTEXT

An effective ERM implementation requires an organizational context that includes:
• Tone at the top;
• Risk management philosophy and risk appetite;
• Integrity and ethical values; and
• Scope and infrastructure for ERM.

Tone at the Top

A necessary condition for effective ERM implementation is the tone set by the board of directors and top management, who are ultimately responsible for risk management. A board with a majority of independent directors should regularly seek executive management’s responses to these questions: “What are the company’s top risks? What is their time horizon? And what is being done to manage them?” The board discussion around these questions sends a message to top management that the board recognizes that any organization is vulnerable to risk, and they expect top management to maintain an effective risk management process. In turn, the importance that top management places on effective ERM in its decisions sends a message to the entire organization. Again, if the organization’s risk committee and chief risk officer report directly to the audit committee of the board of directors, this signals the importance of ERM.

Risk Management Philosophy and Risk Appetite

The core of a company’s risk management philosophy
is how it views risks and considers them when making decisions. Management seeks to create value by growing the company, and the risk management philosophy serves as a control over which risks are acceptable in pursuing growth opportunities. An organization usually cannot pursue all the numerous opportunities for growth that may be envisioned and must choose those that fall within its risk appetite and tolerance.

An organization’s risk management philosophy is manifested in its risk appetite, which reflects how much risk the company can optimally handle given its capabilities and the expectation of its various stakeholders. The company’s capabilities in terms of the core competencies of its people, technology, and capital are key determinants of the amount of risk it can accept overall relative to business and stakeholder objectives. The company’s risk appetite influences its culture, strategic decisions, and operating style. The company’s stakeholders—shareholders, executives, employees, and others—have expectations concerning the organization’s appropriate amount of risk, and, thus, they also influence the setting of the risk appetite. Companies should understand and be fully aware of the risk appetite of all stakeholders if they wish to deliver optimal results.

While risk appetite is a broad, entity-wide concept, risk tolerance has a narrower focus. An organization may have different risk tolerances for its various operating units, but when the individual risk tolerances are combined, they should fall within the overall risk appetite set by top management and the board. This is the essence of ERM, which is an integrated, holistic view of risks, in contrast with a silo approach to risk management. Additionally, risk mitigation under ERM takes an enterprise perspective rather than inefficiently mitigating risks independently.

Integrity and Ethical Values

Management’s uncompromising commitment to integrity and ethical behavior in all areas of decision making is a prerequisite to implementing effective ERM. If employees sense that management is cutting corners and not setting an example for acceptable behavior, they will likely follow suit and develop the same attitude about right and wrong, putting the organization’s reputation at risk. An organization’s reputation takes years to build but can be diminished quickly by unethical behavior. Reputation risk is recognized as one of the major risks that organizations must manage proactively.

Formal codes of conduct that are constantly reinforced through training programs serve to set boundaries for all employees as to what is unacceptable behavior. Under SOX, the SEC was directed to set rules that require a company to disclose if it has adopted a code of ethics or explain why it does not. This disclosure requirement enhances the internal environment supporting ERM implementation.

Scope and Infrastructure for ERM

In launching an ERM initiative, the scope of the effort should be stated clearly. Some organizations initially roll out their ERM effort in a specific operating unit and beta-test the framework they are using before implementing it across the company. In addition, a decision must be made on the risk infrastructure from a governance and leadership accountability perspective. Will the effort be overseen by a chief risk officer (CRO), the CFO, an ERM advisory committee, or some combination? A CRO supported by a cross-functional risk advisory committee is one approach. Regardless of the approach, risks identified are owned by the operating units, not the CRO or a risk committee. Also, the ERM effort will not succeed without champions at the C-level supporting the risk infrastructure and a major, enterprise-wide education effort on the ERM methodology.

BASIC COMPONENTS OF ERM FRAMEWORK

The basic components found in most ERM frameworks are (see Exhibit 5):
• Set strategy and objectives,
• Identify risks,
• Assess risks,
• Treat risks,
• Control risks, and
• Communicate and monitor.

Set Strategy and Objectives

The first step in the ERM framework requires an understanding and clarity of strategy and objectives. The opportunities that a company decides to pursue are articulated in its strategy and objectives. Risks are the events or actions that jeopardize the achievement of the strategy and related objectives. On the up side, a holistic and proactive understanding of risk can lead to new or previously unidentified opportunities. The identification of

EXHIBIT 5. A CONTINUOUS RISK MANAGEMENT PROCESS

Set Strategy/Objectives

Communicate & Monitor Identify Risks

Control Risks Assess Risks

Treat Risks

Source: Adapted from The Institute of Chartered Accountants in England & Wales, No Surprises: The Case for Better Risk Reporting, ICAEW, London, U.K., 1999, p. 47.

risk is dependent on clarity of objectives for the unit the process, they may later lead to a major problem for
under analysis, which might be the overall organization, a the organization or a missed opportunity. At the conclu-
strategic business unit, a function, an activity, a process, sion of the risk identification process, the company
or a reporting and compliance requirement. should have its own list of risks or risk language, with an
One of the benefits derived from ERM is that the
implementation process may reveal that some objectives
EXHIBIT 6. RISK IDENTIFICATION TECHNIQUES
14
are not clear to all stakeholders or understood by those
responsible for achieving them. Employees may not INTERNAL INTERVIEWING AND DISCUSSION:
understand how their daily jobs and tasks relate to the • Interviews
objectives. At this point, some companies have found it • Questionnaires
necessary to devote effort in clarifying the unit’s objec- • Brainstorming
• Self-assessment and other facilitated workshops
tives before they can move on to the next step. ERM
• SWOT analysis (strengths, weaknesses, opportunities,
requires companies to state objectives clearly at every and threats)
level of the organization where risks are identified—
literally, from the workroom to the boardroom. EXTERNAL SOURCES:
• Comparison with other organizations
Identify Risks • Discussion with peers
• Benchmarking
A list of techniques available for identifying risks is
• Risk consultants
presented in Exhibit 6. (These techniques are discussed
in the SMA, Tools and Techniques of Enterprise Risk Man- TOOLS, DIAGNOSTICS, AND PROCESSES:
agement). The goal in identifying risks is to produce a • Checklists
comprehensive list of risks and to assess them, narrowing • Flowcharts
• Scenario analysis
the list down to the top risks facing the organization. In
• Business process analysis
selecting from the list of techniques, a consideration is • Systems engineering
the rigor of the technique and if it will encourage open- • Process mapping
ness among the participants. Because of the diversity and
complexity of risks, using several of the techniques on Source: American Institute of Certified Public Accountants
(AICPA) and Canadian Institute of Chartered Accountants
the list may be required to ensure that as many risks are (CICA), Managing Risk in the New Economy, AICPA, New York,
identified as possible. If some risks fail to be identified in 2000, p. 9.
Enterprise Risk Management

EXHIBIT 7. RISK QUANTITATIVE AND QUALITATIVE TECHNIQUES

Qualitative and Quantitative Approaches to Assessment and Measurement

QUALITATIVE: QUALITATIVE/ QUANTITATIVE:


QUANTITATIVE:
Risk identification Probabilistic techniques:
Validation of risk impact
Risk rankings Cashflow at risk
Validation of risk likelihood
Risk maps Earnings at risk
Validation of correlations
Risk maps with impact Earnings distributions
and likelihood Risk corrected revenues
EPS distributions
Risks mapped to objectives Gain/loss
or divisions
Tornado charts
Identification of
risk correlations Scenario analysis

Benchmarking

Net present value

Traditional measures

LEVEL OF DIFFICULTY AND AMOUNT OF DATA REQUIRED

EXHIBIT 8. SUBJECTIVE ASSESSMENT OF RISK 15


BRAINSTORMING OUTPUT
SURVEY RESPONSES TOTAL
Risks: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Score
Sample Risk #1 3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 17
Sample Risk #2 2 1 1 1 2 1 1 1 1 1 1 1 1 2 1 18
Sample Risk #3 2 1 2 1 2 1 2 1 1 1 1 1 1 1 1 19
Sample Risk #4 3 1 1 1 1 1 1 1 2 2 2 1 1 1 1 20
Sample Risk #5 3 1 2 1 1 2 1 2 1 2 1 1 1 1 1 21
Sample Risk #6 2 1 1 1 2 2 1 1 2 2 1 1 1 1 2 21
Sample Risk #7 3 2 3 1 1 1 1 1 2 1 2 1 2 1 1 23
Sample Risk #8 2 2 2 1 2 2 2 1 1 1 1 1 1 2 2 23
Sample Risk #9 3 2 1 1 2 2 1 1 2 1 1 2 2 2 2 25
Sample Risk #10 2 2 3 2 1 2 3 3 3 2 1 2 3 2 1 32
1 = very important 2 = somewhat important 3 = not important

agreement on the meaning of each one. This list is the Alternatively, a list of risks or a risk universe can be pro-
organization’s inherent risks, and once mitigation actions vided to those participating in the identification process.
are determined, what remains are residual risks. They, in turn, use this list to identify the risks relevant to
In identifying risks, one view is to start with a blank the organization. Some combination of these two
sheet of paper and develop the list of inherent risks by approaches also may be used to develop a comprehensive
applying of one or several of the techniques in Exhibit 6. list of risks.
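The tally behind Exhibit 8, as an added example (not from the IMA statement): it sums each risk’s fifteen scores on the exhibit’s 1–3 scale, where a lower total means a more important risk, and ranks the risks. It goes beyond the exhibit by also flagging risks that different participants scored both “very important” and “not important”; Exhibit 8’s top-ranked Sample Risk #1 is one of them, which is the kind of disagreement a workshop facilitator would want to talk through before trusting the ranking.

```python
"""Tally a risk assessment workshop survey like the one in Exhibit 8.

Added example, not from the IMA statement. Each participant scores every
previously identified risk on the exhibit's scale (1 = very important,
2 = somewhat important, 3 = not important), so a LOWER total marks a MORE
important risk. The per-risk spread of scores is an addition to the
exhibit: it singles out risks the participants disagree about.
"""
from dataclasses import dataclass

VERY_IMPORTANT, SOMEWHAT_IMPORTANT, NOT_IMPORTANT = 1, 2, 3

# Constructed input: the ten sample risks and fifteen survey responses
# transcribed from Exhibit 8.
EXHIBIT_8_RESPONSES = {
    "Sample Risk #1":  [3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    "Sample Risk #2":  [2, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1],
    "Sample Risk #3":  [2, 1, 2, 1, 2, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1],
    "Sample Risk #4":  [3, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 1, 1, 1, 1],
    "Sample Risk #5":  [3, 1, 2, 1, 1, 2, 1, 2, 1, 2, 1, 1, 1, 1, 1],
    "Sample Risk #6":  [2, 1, 1, 1, 2, 2, 1, 1, 2, 2, 1, 1, 1, 1, 2],
    "Sample Risk #7":  [3, 2, 3, 1, 1, 1, 1, 1, 2, 1, 2, 1, 2, 1, 1],
    "Sample Risk #8":  [2, 2, 2, 1, 2, 2, 2, 1, 1, 1, 1, 1, 1, 2, 2],
    "Sample Risk #9":  [3, 2, 1, 1, 2, 2, 1, 1, 2, 1, 1, 2, 2, 2, 2],
    "Sample Risk #10": [2, 2, 3, 2, 1, 2, 3, 3, 3, 2, 1, 2, 3, 2, 1],
}


@dataclass(frozen=True)
class RiskTally:
    name: str
    total: int                 # sum of all scores; lower means more important
    spread: int                # highest score minus lowest; 0 means unanimous
    very_important_votes: int  # how many participants chose 1


def tally_risk(name, scores):
    """Tally one risk, rejecting scores outside the 1-3 scale."""
    bad = [s for s in scores if s not in (VERY_IMPORTANT, SOMEWHAT_IMPORTANT, NOT_IMPORTANT)]
    if bad or not scores:
        raise ValueError(f"{name}: scores must be 1, 2 or 3, got {bad or 'no scores'}")
    return RiskTally(name, sum(scores), max(scores) - min(scores),
                     scores.count(VERY_IMPORTANT))


def rank_risks(responses):
    """All risks from most to least important (ascending total; ties by name)."""
    tallies = [tally_risk(name, scores) for name, scores in responses.items()]
    return sorted(tallies, key=lambda t: (t.total, t.name))


def top_risks(responses, n):
    """Names of the n risks management would focus on first."""
    return [t.name for t in rank_risks(responses)[:n]]


def contested_risks(responses, min_spread=2):
    """Risks scored 'very important' by one participant and 'not important'
    by another: worth discussing before the ranking is acted on."""
    return [t.name for t in rank_risks(responses) if t.spread >= min_spread]


if __name__ == "__main__":
    for t in rank_risks(EXHIBIT_8_RESPONSES):
        print(f"{t.name:15} total={t.total:2} spread={t.spread} "
              f"very_important={t.very_important_votes}")
    print("contested:", contested_risks(EXHIBIT_8_RESPONSES))
```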
Assess Risks

Once risks have been identified, risk assessment is the next step. A key to ERM is to know the risks the company can control and those over which it has little or no control. A second and related key is to know which risks can and cannot be measured. Knowing the importance of a risk through risk assessment can lead to better management and resource allocation. Further, knowing how that risk interrelates with other risks in the organization can enhance ERM.

A 2005 survey by Protiviti indicated that companies use a variety of approaches in implementing ERM:
• 39% do risk assessment workshops;
• 32% do risk modeling;
• 30% have risk-based metrics; and
• 28% do risk mapping.

Risks must be assessed or measured in some way. Exhibit 7 presents the variety of approaches available, from qualitative to quantitative.

When a risk is identified, the implication is that it has some significance and can be ranked on some scale of importance. An example of a subjective assessment of risk and related rankings is provided in Exhibit 8. In a risk assessment workshop, each participant can rank the previously identified risks on a scale of 1 to 3, and the risks can be sorted by the rankings. Management can then focus on those risks that have been ranked as the most important.

Risks can also be assessed using a low, medium, or high level of impact or significance. Alternatively, risks can be assessed using a dollar level of impact. In addition to the impact or significance of risks, the probability of a risk occurring should be considered. Once impact and probability are determined, a risk map can be generated as illustrated in Exhibit 9.

EXHIBIT 9. RISK MAP

[Figure: a 2 × 2 map with Impact on Achievement of Objectives (Significance) on the vertical axis, LOW to HIGH, and Likelihood of Occurrence on the horizontal axis, LOW to HIGH. Quadrants: High Impact / Low Likelihood (upper left), High Impact / High Likelihood (upper right), Low Impact / Low Likelihood (lower left), Low Impact / High Likelihood (lower right).]

As shown in Exhibit 10, risk maps can be more detailed by breaking down the impact into categories or a dollar amount measured by a selected metric. The annualized impact can be measured in terms of some metric such as earnings per share or net income. The probability can also be expanded into categories such as greater than 90% chance, 30% to 60% chance, or less than 10% chance of the risk event occurring.

EXHIBIT 10. DETAILED RISK MAP

[Figure: a 5 × 5 grid with Severity of Impact on the vertical axis and Probability of Occurrence on the horizontal axis.]

Severity of Impact (annualized impact measured in terms of a selected metric):
  5  Critical         > $15M
  4  High             $10M–$15M
  3  Moderate         $5M–$10M
  2  Low              $1M–$5M
  1  Not Significant  < $1M

Probability of Occurrence (measured over a one-year time horizon):
  1  Slight         < 10%
  2  Not Likely     10%–30%
  3  Likely         30%–60%
  4  Highly Likely  60%–90%
  5  Expected       > 90%

Some companies display risk in zones on maps designated by color, as shown in Exhibit 11. A risk in the green zone indicates a low dollar impact and probability of occurrence, the yellow zone indicates moderate risk, and the risks with the highest impact and likelihood are in the red zone.

EXHIBIT 11. COLOR-CODED RISK MAP

[Figure: a 9 × 9 grid with Impact (1 to 9) on the vertical axis and Likelihood (1 to 9) on the horizontal axis, divided into a GREEN ZONE (low impact and likelihood), a YELLOW ZONE (moderate), and a RED ZONE (high impact and likelihood).]

An advantage of risk maps with colored zones is that companies that have assessed risks across the enterprise can display the colors and compare the risk assessments in a report. For example, the report in Exhibit 12 shows how each risk is assessed across the enterprise by every function or division. Resolving differences in risk assessments and seeking possible risk solutions can lead to valuable discussions. Other quantitative analysis and risk
tools are discussed in Tools and Techniques of Enterprise Risk Management.

EXHIBIT 12. FUNCTIONAL RISK ASSESSMENT SUMMARY

Corporate Risk Assessment 2000/2001: Comparison of Functional Risk Assessments

[Figure: a grid with one column per function (Function #1 through Function #15) and one row per risk category, each cell shaded GOOD, CAUTIONARY, or DANGER.]

Risk categories:
1. External Environment
2. Customer (Internal & External) Needs
3. Culture
4. Operations
5. Communications
6. Security
7. Human Resource
8. Information Availability Processing Technology
9. Financial
10. Legal/compliance
11. Management and Monitoring

Legend: GOOD, CAUTIONARY, DANGER

Source: Paul L. Walker, William G. Shenkir, and Thomas C. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002, p. 45.

When placing risks on a map, they can be presented based on the inherent assessment, which is the level of risk in each event before any mitigation action is taken. Residual risk is what remains after management has taken a mitigation action. Risk maps can also be presented showing the residual risk. As an example, a company identified numerous risks as part of its risk identification process. One of the key risks was financial risks, but the company’s executives and internal auditors believed that strong controls were already in place for the identified financial risks. Therefore, their residual risk was low in this area, and the company chose to focus on other top risks it had identified.

Treat and Control Risks

After risks are identified and assessed, management must decide how to respond to them. One of the goals of ERM should be to make conscious decisions about risk. The actions that management might take for a given risk include: avoidance, reduction, sharing, and acceptance. Management determines its response to a risk by considering the impact a given decision will have, the likelihood of the risk, and the costs and benefits of its action. The goal is to take actions that will bring the organization’s overall residual risk within its risk appetite. As noted previously, risk tolerances may vary, but overall they should fall within the risk appetite approved by executive management and the board. Linking inherent and residual risk with risk tolerance is illustrated in Exhibit 13. In this analysis, the first risk analyzed was the number of available qualified candidates. The company identified several related risks and then adopted a risk management strategy. Through its action, management concluded the likelihood of the risk was reduced from 20% to 10%.

To respond and treat a risk properly, companies must also source the risk to the root causes. For example, a grain company identified weather as a risk. After studying the risk, the company decided the risk it needed to manage was grain volume, not the weather. Many things affected grain volume besides weather, such as loss of product in shipping and handling or waste. Similarly, a company identified an earthquake as a risk. After studying the earthquake risk thoroughly, the company decided that it needed to focus on several related risks. For example, the company’s buildings could be earthquake secure, but its suppliers’ buildings or employees’ homes may not be safe. Other related and critically important risks were how a potential earthquake would affect customer service, research and development on new products, and expansion into new markets. The destruction of the physical facilities by an earthquake had far-reaching implications that had to be analyzed.

Treating and controlling risks can require a variety of

EXHIBIT 13. LINKING OBJECTIVES, EVENTS, RISK ASSESSMENT, AND RISK RESPONSE

OPERATIONS OBJECTIVE:
• 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing
• Maintain 22% staff cost per dollar order

OBJECTIVE UNIT OF MEASURE: Number of qualified staff hired

TOLERANCE: 165–200 new qualified staff, with staff cost between 20% and 23% per dollar order

RISK: Decreasing number of qualified candidates available
  Inherent risk assessment: Likelihood 20%; Impact: 10% reduction in hiring → 18 unfilled positions
  Risk response: Contract in place with a third party hiring agency to source candidates
  Residual risk assessment: Likelihood 10%; Impact: 10% reduction in hiring → 18 unfilled positions

RISK: Unacceptable variability in our hiring process
  Inherent risk assessment: Likelihood 30%; Impact: 5% reduction in hiring due to poor candidate screenings → 9 unfilled positions
  Risk response: Review of hiring process conducted every two years
  Residual risk assessment: Likelihood 20%; Impact: 2% reduction in hiring due to poor candidate screening → 4 unfilled positions

ALIGNMENT WITH RISK TOLERANCE: Response expected to bring company within risk tolerance

Source: COSO, Enterprise Risk Management—Integrated Framework: Application Techniques, New York, 2004, p. 56.
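Exhibit 13’s arithmetic carried through in code, as an added example (not from the IMA statement or from COSO): it encodes the hiring objective, the 165–200 tolerance band, and both risks with their inherent and residual assessments, then checks whether the expected number of hires lies within the band. It goes beyond the exhibit by also summing the probability that realised hires end up outside the band, on the assumption that the two risk events are independent; that view shows the first response leaves the impact unchanged (18 unfilled positions still breach the band when they occur) and works by halving how likely that outcome is.

```python
"""Check risk responses against a risk tolerance, following Exhibit 13.

Added example, not from the IMA statement or from COSO. Percentages are
integers so the arithmetic is exact; a fractional shortfall is rounded
up, as the exhibit rounds 2% of 180 = 3.6 to 4 unfilled positions.
Independence of the two risk events is an assumption of this example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Assessment:
    likelihood_pct: int        # chance the risk event occurs within the year
    hiring_shortfall_pct: int  # reduction in hiring if it does occur


@dataclass(frozen=True)
class Risk:
    name: str
    inherent: Assessment
    response: str
    residual: Assessment


@dataclass(frozen=True)
class HiringObjective:
    target_hires: int
    tolerance_low: int
    tolerance_high: int

    def within_tolerance(self, hires):
        return self.tolerance_low <= hires <= self.tolerance_high


def unfilled_positions(objective, assessment):
    """Positions left unfilled if the event occurs (integer ceiling, 3.6 -> 4)."""
    return (assessment.hiring_shortfall_pct * objective.target_hires + 99) // 100


def expected_hires(objective, risks, residual=True):
    """Target hires minus each risk's likelihood-weighted shortfall."""
    assessments = [r.residual if residual else r.inherent for r in risks]
    shortfall = sum(a.likelihood_pct / 100 * unfilled_positions(objective, a)
                    for a in assessments)
    return objective.target_hires - shortfall


def breach_probability(objective, risks, residual=True):
    """Probability that realised hires fall outside the tolerance band, summed
    over every combination of the events occurring or not (independence assumed)."""
    assessments = [r.residual if residual else r.inherent for r in risks]
    prob = 0.0
    for outcome in product((False, True), repeat=len(assessments)):
        p, hires = 1.0, objective.target_hires
        for occurred, a in zip(outcome, assessments):
            p *= a.likelihood_pct / 100 if occurred else 1 - a.likelihood_pct / 100
            if occurred:
                hires -= unfilled_positions(objective, a)
        if not objective.within_tolerance(hires):
            prob += p
    return prob


# Constructed from Exhibit 13.
OBJECTIVE = HiringObjective(target_hires=180, tolerance_low=165, tolerance_high=200)
RISKS = [
    Risk("Decreasing number of qualified candidates available",
         inherent=Assessment(likelihood_pct=20, hiring_shortfall_pct=10),
         response="Contract in place with a third party hiring agency to source candidates",
         residual=Assessment(likelihood_pct=10, hiring_shortfall_pct=10)),
    Risk("Unacceptable variability in our hiring process",
         inherent=Assessment(likelihood_pct=30, hiring_shortfall_pct=5),
         response="Review of hiring process conducted every two years",
         residual=Assessment(likelihood_pct=20, hiring_shortfall_pct=2)),
]


def alignment_report(objective, risks):
    """One line per risk plus an inherent and a residual portfolio line."""
    lines = []
    for r in risks:
        lines.append(f"{r.name}: inherent {r.inherent.likelihood_pct}% -> "
                     f"{unfilled_positions(objective, r.inherent)} unfilled; residual "
                     f"{r.residual.likelihood_pct}% -> {unfilled_positions(objective, r.residual)} unfilled")
    for label, residual in (("inherent", False), ("residual", True)):
        hires = expected_hires(objective, risks, residual)
        lines.append(f"{label}: expected {hires:.1f} hires, within tolerance: "
                     f"{objective.within_tolerance(hires)}, P(outside band) = "
                     f"{breach_probability(objective, risks, residual):.2f}")
    return lines


if __name__ == "__main__":
    print("\n".join(alignment_report(OBJECTIVE, RISKS)))
```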
actions. For example, companies can implement new policies and controls, purchase derivatives, hire new management, or implement new training programs. This variety of risk treatment approaches is why ERM is a much broader concept than financial reporting and internal control risk. Of course, companies can still just accept and bear the risk if doing so is in alignment with their stakeholders’ expectations. For example, some airlines have more aggressive approaches to managing the risk of fuel price increases and decreases than do others.

An insurance and financial services company discovered its sales force had slowly become out of control. To promote sales, the sales force developed their own training material that was not authorized by the company. The sales force was increasingly dishonest with customers and told them to ignore notices from the company about premiums. Further, they asked customers to sign blank withdrawal forms, which allowed the sales team to withdraw funds from the customers’ accounts. Simultaneously, the company also faced risks related to industry trends that indicated a shrinking market in one of their key product areas. It is probable that the broader industry trends and declining market were the root cause of the pressure on the sales force and marketing areas. The company responded by hiring a new CEO with expertise in areas into which the company wanted to expand. Additionally, the company adopted new sales and marketing policies to control the risk of the sales force misleading customers by using unauthorized advertising and training material. The company also implemented customer support lines to help resolve disputes with customers and engaged independent industry organizations to verify with customers that they were knowledgeable about what they had purchased.

Communicate and Monitor

Organizations are generally involved in distributed risk taking as each operating unit faces risk in pursuing
ments at the division or function level provide senior management with valuable information on how middle management views the top risks facing the organization. Ongoing monitoring with key performance indicators (KPIs) and key risk indicators (KRIs) occurs in well-managed organizations as a normal course of conducting business. Under ERM, monitoring is enhanced by incorporating information on risk identification and assessment and identifying the owners of specific risks. Monitoring is discussed further in the next section.

VIII. INTEGRATING ERM INTO ONGOING MANAGEMENT ACTIVITIES

The business environment is constantly changing. Consequently, implementing ERM is a continuous process much like the organization’s strategy that ERM helps to achieve. Sustaining ERM requires constant attention by C-level executives, and integration into ongoing management initiatives stresses its importance to associates at all levels. When ERM is seen as sound business management rather than “the management fad of the month,” it becomes an integral part of the organization’s DNA. Some of the opportunities for integrating ERM in ongoing management activities include:
• Strategic planning;
• Balanced scorecard (BSC);
• Budgeting;
• Total Quality Management and Six Sigma;
• Business continuity (crisis management);
• Corporate governance; and
• Risk disclosures.

The relationship between strategic planning, the balanced scorecard, and budgeting is shown in Exhibit 14.

STRATEGIC PLANNING

The COSO definition of ERM states that ERM is part of strategy setting. ERM and strategy setting should be viewed as complementing each other and not as independ-
its profit objectives and goals to grow its piece of the ent activities. If strategy is formulated without identifying
business. The desired outcome for ERM is not that the risks embedded in the strategy and assessing and man-
organizations become risk adverse, but that proactive, aging those risks, the strategy is incomplete and at risk of
risk-based decision making is fostered at all levels of the failure. Similarly, if ERM does not begin with holistically
organization and managers knowingly and intentionally identifying risks related to the company’s strategy, the
take risk while utilizing appropriate risk indicators. effort will be incomplete by failing to identify some very
Accordingly, communication of risk-related information important risks. Mismanagement of strategic risks has
must flow down, across, and up the organization. As illus- been shown to be the cause for loss of major shareholder
trated in Exhibit 12, summary reports of risk assess- value, as pointed out by the following two studies:
EXHIBIT 14. STRATEGY, THE BALANCED SCORECARD, AND THE BUDGET
[Figure not reproduced: boxes labeled Strategy, Balanced Scorecard, Budget, and Operations, connected by arrows labeled “Revise the Strategy,” “Revise the Scorecard,” “Allocate,” and “Review.”]

A study by Mercer Management Consulting analyzed the value collapses in the Fortune 1,000 during 1993-1998. The analysis found that 10% of the Fortune 1,000 lost 25% of shareholder value within a one-month period. Mercer traced the collapses back to their root causes and found that 58% of the losses were triggered by strategic risk, 31% by operational risk, and 6% by financial risk. Hazard risk did not cause any of the decrease in shareholder value. A more recent study by Booz Allen Hamilton analyzed 1,200 firms during 1999-2003 with market capitalizations greater than $1 billion. The poorest performers were identified as companies that trailed the lowest-performing index for that period, which was the S&P 500. The primary events triggering the loss of shareholder value were strategic and operational failures. Of the 360 worst performers in the study, 87% of value destruction suffered by these companies related to strategic and operational mismanagement.

When formulating the company’s strategy, top management analyzes its strategic alternatives and identifies events that could threaten their achievement. As the risks embedded in each strategic alternative are identified and placed on a risk map, the alternative can be evaluated against the organization’s capabilities and how it aligns with the risk appetite. Some strategies might be outside the risk appetite of the company, and a decision is made not to pursue them—a decision to avoid the risk. Other strategies may be very risky but can be managed and monitored carefully and, thus, will be pursued—a decision to accept the risk. Another strategy may be risky, but the decision is made to pursue it through a joint venture—a decision to share the risk. Still another alternative strategy with considerable risk embedded in it might be pursued incrementally—a decision to reduce the risk. Strategy formulation is enhanced by ERM because risks are identified and the strategic alternatives are assessed given the company’s risk appetite. In turn, without a well-articulated strategy, the foundation for implementing ERM is insufficient. Viewing the two together forms the basis for a strategy-risk-focused organization. For example, the front end of the strategy formulation process is typically an environmental scan. Performed comprehensively, this scan reveals risks and opportunities.

BALANCED SCORECARD
The balanced scorecard (BSC) is a tool for communicating and cascading the company’s strategy throughout the organization. The conventional BSC captures the company’s strategy in four key perspectives:
• Customer;
• Internal;
• Innovation and learning; and
• Financial.
Combining the BSC with ERM can enhance performance management. In the BSC, objectives are identified for each of the perspectives, and, as noted previously, ERM begins with an understanding of objectives. For each BSC perspective, metrics (KPIs) are selected and stretch targets are set. ERM adds value to the BSC through the identification of events (risks) that could stand in the way of achieving the targets in each of the four perspectives. By monitoring the KPIs, management can assess how effectively their risk mitigation efforts are working. In effect, the KPIs for each perspective also serve as key risk indicators (KRIs), although they are not initially selected for that purpose. For example, if a target for customer satisfaction is not achieved, it suggests that some risks related to the item exist. The same metric can be used for monitoring both strategy and risk.

EXHIBIT 15. BALANCED SCORECARD AND STRATEGIC RISK ASSESSMENT
[Worksheet not reproduced. Heading: Learning and Growth Objectives / Mitigation Process. Columns: No. | Objective | Risk Number | Risk | Suggested Control Processes | In Place | Effectiveness* | Comments | Focus Area | Owner of Corrective Action.]
* Effectiveness Rating: 1 to 10, with 10 being very effective.

The conventional BSC can be integrated with ERM to manage and monitor risk related to the strategic objectives. Using a risk scorecard for the key risks identified in each BSC perspective is a way to assign responsibility for managing the risk. As shown in Exhibit 15, the special risk scorecard begins with the articulation of the specific objectives for the particular perspective. Next, for each of those objectives, the key risks are identified along with suggested control processes. The focus area identifies the risks as strategic, operational, or financial. Management’s self-assessment of its risk mitigation actions is shown in the worksheet by asking: “Is it in place? If so, how effective is it?” The last column focuses on identifying the owner of the risk, who will be held accountable for managing it. Maintaining the risk scorecard on the company’s intranet allows management to review the scorecard at any time, adding strength to the accountability for the management of the risk.

BUDGETING
A company’s budget reflects the current-year financial commitment to achieve the organization’s long-term strategy. The annual budget can be integrated with ERM to provide insights on what the strategic business unit’s leadership sees as the threats to meeting its financial plan. In the conventional budgeting process, the leadership of the strategic business unit presents its profit plan to senior management, who probe and ask questions to uncover the risks implicit in the numbers.

A risk map presented with the unit’s budget provides information to senior management on what the major threats are to meeting the financial plan for the year. The risk map gives senior management a point of departure in the budget review process without having to waste time uncovering the implicit budget risks. Operating units should know their risks if they are to have any chance of accomplishing the plan. An additional benefit of including a risk map on the budget risks is that, as the various budgets and risk maps are reviewed by senior management, they can compare the risks they have identified in the strategic plan with those identified by the operating units. Any disparities in how the two groups perceive the risks facing the organization can be analyzed further.

When a risk map accompanies the budget, senior management can ask questions about the expenses in the budget that relate to risk mitigation decisions for the high impact/high likelihood risks (the red zone risks in Exhibit 11). If a decision was made not to mitigate certain risks, it also is important to understand the impact on the
unit’s cost structure by taking that action. Another relevant issue is to understand to what extent the cost of mitigating or accepting a risk has been built into the price of the product or service. ERM coupled with the budget review process can enrich a discussion and lead to a better understanding of the threats standing in the way of making budget.

EXHIBIT 16. RISK/CRISIS ACCELERATION
[Figure not reproduced: three panels plotted on Impact (vertical) versus Likelihood (horizontal) axes: A. Risk Occurrence; B. Crisis Occurrence—Gathering Storm; C. Crisis Occurrence—Catastrophic Force. Panels B and C carry the labels Mass and Acceleration.]
Source: Paul L. Walker, William G. Shenkir, and Thomas C. Barton, Enterprise Risk Management: Pulling It All Together, The Institute of Internal Auditors Research Foundation, 2002, p. 100.

TOTAL QUALITY MANAGEMENT AND SIX SIGMA
Quality initiatives focus on improving the efficiency and effectiveness of detailed processes. ERM requires clarity of objectives at all levels of the enterprise, and the objectives of specific processes can be addressed by utilizing quality tools and methodologies. When an organization has implemented a quality initiative, information is available on detailed processes. In turn, this information can be evaluated within the larger context of the enterprise to identify risks in an ERM implementation. Also, quality initiatives can provide information on planning the mitigation action for a process risk. The process risk owner and source of the risks should be identified when implementing the quality initiative. This information should be insightful in treating the inherent risk with some control mitigation action. Once the control is implemented, the gap between the inherent risk and residual risk should be clearly evident.

BUSINESS CONTINUITY (CRISIS MANAGEMENT)
Regardless of how robust the risk identification effort is, some unknown risks will remain unknown at the end of the process. A company prepares for these unknown risks through its business continuity, or crisis management, plan—an essential element of the ERM process. A crisis is a point at one end of a continuum, with risks at the other end. With Internet-based new media like bloggers, message boards, chat rooms, e-mail lists, and independent news websites, a company must be prepared to recognize a crisis and respond swiftly to contain it before damage is done to its reputation and brands. A company will need to “play war games” to test the crisis management plan and ensure that all the key employees know their roles. In addition, an essential part of the preparation is communication about the plan to the entire work force in advance of a crisis.

When a crisis occurs, it does not evolve in a linear way: If it is not recognized quickly and if efforts are not made to contain it, a series of reactions and events in other areas either within and/or outside the organization may be triggered. Exhibit 16 shows the “triggering or ballooning” impact of a crisis and how it may develop exponentially. As an example, a major company sold some contaminated product in two countries that caused some users to become ill. A failure by the company to recognize the crisis quickly led the governments of the two countries to pull the product from store shelves. After some delay, the CEO traveled from the U.S. to the countries and eventually apologized publicly. The damage was done, however, as the company’s stock
price fell, and the CEO was eventually replaced.

CORPORATE GOVERNANCE
ERM ties in closely with corporate governance because it:
• Improves information flows between the company and the board regarding risks;
• Enhances discussions of strategy and the related risks between executives and the board;
• Monitors key risks by accountants and management with reports to the board;
• Identifies acceptable levels of risks to be taken and assumed;
• Focuses management on the risks identified;
• Improves disclosures to stakeholders about risks taken and risks yet to be managed;
• Reassures the board that management no longer manages risk in silos; and
• Knows which of the organization’s objectives is at greatest risk.
As noted in the list, the flow of risk information to the board is critical in improving corporate governance. For example, a major U.S. retailer presents its risk maps to its audit committee to keep the committee members fully informed. It also communicates to the audit committee its action plans for the risks and how those risks are monitored. Finally, it informs the audit committee on how the risk assessment and metrics used to monitor the risk relate to shareholder value measurements.

Another example of how risk information enhances corporate governance is from a not-for-profit organization. This entity analyzes risks by division and by the top 100 executives. The results of this risk analysis are discussed with the organization’s board and top executives, who also use the risk information as an input into their strategic planning. This organization identifies any risks over a materiality level or risk tolerance level and requires automatic reporting to the board as well as development of an action plan by the division manager who owns that risk.

THE BOARD AND STOCK EXCHANGES
The corporate governance rules of the New York Stock Exchange (NYSE), which were approved by the SEC on November 4, 2003, incorporate elements of risk assessment and management into the listing requirements. The NYSE rules state that it is the audit committee’s responsibility to discuss the company’s policies with respect to risk assessment and risk management. In commentary on this requirement, the governance rules note that the job of the CEO and senior management includes assessing and managing risk. Additionally, the NYSE rules state that the audit committee of the board should discuss policies with the CEO and senior management that govern the risk process.

The NASDAQ exchange also issued new rules of governance for listed companies, which were approved by the SEC. NASDAQ stated that its goals for corporate governance enhancement included empowering shareholders and enhancing disclosure. NASDAQ’s corporate governance requirements address distribution of reports, independent directors, audit committees, shareholder meetings, quorums, solicitation of proxies, conflicts of interests, shareholder approval, stockholder voting rights, and codes of conduct. NASDAQ did not incorporate risk or an ERM process into its listing requirements, however.

RISK DISCLOSURES
Increasingly, companies are disclosing more information about the risks they face. In some instances, this risk information is the result of new regulatory requirements. In others, it is a management decision.

Proxy Statements
Currently, no disclosures about risk management infrastructure, processes, or management and board responsibility in the area of risk are required in proxy statements. Disclosures in the audit committee charter, however, may mention “business risk and control” or indicate that the audit committee is asking the following groups about significant risks: executive management, the CFO, and the independent accountant.

Management’s Discussion and Analysis
“Meaningful disclosures” was the purpose of the 2003 guidance by the SEC on the Management’s Discussion and Analysis (MD&A) section of Form 10-K. According to the SEC, a good MD&A section should help an investor see material opportunities, challenges, and risks for both the short and long term. Further, the company should discuss actions taken related to these opportunities and risks. The SEC added that this information may not be accounting information necessarily, but it instead might
be nonfinancial information. Nonfinancial information related to opportunities and risks could be key indicators, key variables, time-to-market, or information on customer satisfaction, employee retention, or business strategy. The ERM process and the management accountant could be a valuable source for gathering and reporting the potential implications of this information.

10-K Item 1A—Risk Factor Disclosures
Effective December 1, 2005, SEC rules mandate “risk factor disclosure” in a new item 1A of the company’s Form 10-K. Companies are also required to issue quarterly updates for material changes in the risk factors. The SEC noted that some companies already disclose some risk related to forward-looking statements, but it is mandating that every company identify risk factors explicitly. The risk factor disclosures are to be based on “an evaluation of the material risks facing the issuer.” As such, companies have to know and evaluate their risks. The SEC believes these new disclosures are not too burdensome because companies will have internal controls over financial reporting and disclosure controls and procedures already in place.

Other Voluntary Disclosures
Even if the above disclosures are made by companies, this does not mean that a company actively and continuously manages its risks as part of its strategic and operational planning processes. Boards, shareholders, and other stakeholders should want to know more about a company’s ERM process. This applies to public or private organizations.

Some companies publicly disclose that they have an ERM process. Other companies disclose that they have a risk committee, CRO, or risk infrastructure. Still others disclose software they are using for ERM. One biotech company discloses key process/operational risks in addition to other risk factors and how those risks fit into ERM. They further disclose how they are measuring and managing that risk.

IX. TRANSITIONING FROM SOX TO ERM
Companies have incurred significant costs to comply with the Sarbanes-Oxley legislation, especially Section 404. Although most large companies comply, their efforts may not be cost effective from the shareholders’ perspective. Additionally, some smaller publicly traded companies are delisting or threatening to delist to avoid regulation. The SEC is in the process of developing risk-based, practical management assessment guidance to help fix this problem, which impacts shareholder value and U.S. global competitiveness. It would seem a natural fit for ERM to be considered more actively as part of the solution for a risk-based compliance solution, whether it be the COSO ERM framework, IMA’s guidance approach, or an alternative approach. Stronger internal controls, more effective corporate governance, and implementation of ERM can lead to improved stability, reaction time, and increased shareholder value. A risk-based approach can help reduce the number of key controls that companies are testing and documenting, significantly lowering the cost of compliance.

Many companies created large, full-time internal staffs to focus on SOX compliance and work with the independent auditors. They also report some marginal decreases in compliance costs and related headcount. These resources going forward could be directed to an ERM program, which addresses risks more holistically than that required by SOX. The key, however, is properly trained and certified specialists who are knowledgeable in all aspects of ERM.

Companies that have implemented SOX and Section 404 compliance efforts have learned how to identify important financial statement accounts and disclosures, how to design effective control systems, and how to test those systems. They have also learned that excessive controls can be just as bad as no controls. Section 404 requires a company to identify and manage the risks related to financial reporting. Audit committees have now become accustomed to discussing these financial reporting risks.

Audit committees and the entire board of directors should now take the next step and expand into ERM. There is even more to be gained by managing all risk, not just financial reporting risk. Given that most financial reporting failures are business failures first, it should come as no surprise that ERM not only adds shareholder value, but it also leads to better communication with stakeholders and possibly fewer business failures.

X. CONCLUSION
ERM is a powerful management tool, but successful implementation requires champions at the C-level and education and training for managers and associates at all
levels of the organization as well as for the board. In today’s risky world, companies can no longer rely on a silo approach to risk management. An integrated and holistic perspective of all the risks facing the organization is needed. A risk-centric organization does not avoid risks, but rather it knowingly takes risks aligned with its risk appetite.

Integration of ERM with ongoing management activities serves to embed risk management throughout a company. As companies attempt to implement ERM, some best practices (presented in Exhibit 17) can be a valuable reference. ERM is essential in today’s business environment where companies are required to disclose risk factors in the financial reports and the board of directors regularly question top management about the company’s risk.

EXHIBIT 17. HALLMARKS OF BEST-PRACTICE ERM
1. Engaged senior management and board of directors that set “the tone from the top” and provide organizational support and resources.
2. Independent ERM function under the leadership of chief risk officer (CRO), who reports directly to the CEO with a dotted line to the board.
3. Top-down governance structure with risk committees at the management and board levels, reinforced by internal and external audit.
4. Established ERM framework that incorporates all of the company’s key risks: strategic risk, business risk, operational risk, market risk, and credit risk.
5. A risk-aware culture fostered by a common language, training, and education, as well as risk-adjusted measures of success and incentives.
6. Written policies with specific risk limits and business boundaries, which collectively represent the risk appetite of the company.
7. An ERM dashboard technology and reporting capability that integrates key quantitative risk metrics and qualitative risk assessments.
8. Robust risk analytics to measure risk concentrations and interdependencies, such as scenario and simulation models.
9. Integration of ERM in strategic planning, business processes, and performance measurement.
10. Optimization of the company’s risk-adjusted profitability via risk-based product pricing, capital management, and risk-transfer strategies.
Source: James Lam & Associates Inc., “Hallmarks of Best-Practice ERM,” Financial Executive, January/February 2005, p. 38.

GLOSSARY
Impact – The significance of a risk to an organization. Impact captures the importance of the risk. It can be measured quantitatively or qualitatively.
Inherent Risk – The level of risk that resides with an event or process prior to management taking a mitigation action.
Likelihood – An estimate of the chance or probability of a risk event occurring.
Opportunity – The upside of risks.
Residual Risk – The level of risk that remains after management has taken action to mitigate the risk.
Risk – Any event or action that can keep an organization from achieving its objectives.
Risk Appetite – The overall level of risk an organization is willing to accept given its capabilities and the expectations of its stakeholders.
Risk Tolerance – The level of risk an organization is willing to accept around specific objectives. Risk tolerance is a narrower level than risk appetite.

BIBLIOGRAPHY
American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), Managing Risk in the New Economy, AICPA, New York, 2000.
Augustine, N.R., “Managing the Crisis You Tried to Prevent,” Harvard Business Review, November-December 1995, pp. 147-158.
Barton, Thomas L., William G. Shenkir, and Paul L. Walker, Making Enterprise Risk Management Pay Off, Financial Executives Research Foundation, Upper Saddle River, N.J., 2001.
Barton, Thomas L., William G. Shenkir, and Paul L. Walker, “Managing Risk: An Enterprise-wide Approach,” Financial Executive, March-April 2001, pp. 48-51.
Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards, A Revised Framework, June 2004.
Bernstein, P.L., Against the Gods: The Remarkable Story of Risk, John Wiley & Sons, Inc., New York, 1996.
Bodine, S., A. Pugliese, and P.L. Walker, “A Road Map to Risk Management,” Journal of Accountancy, December 2001.
Brancato, Carolyn, Enterprise Risk Management: Beyond the Balanced Scorecard, The Conference Board, New York, 2005.
Burns, Judith, “Everything You Need to Know About Corporate Governance…,” The Wall Street Journal, October 27, 2003, p. R6.
Byrne, John, “Joseph Berardino (Cover Story),” Business Week, August 12, 2002, pp. 51-56.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework: Executive Summary Framework, AICPA, New York, 1992.
COSO, Enterprise Risk Management—Integrated Framework: Executive Summary, AICPA, New York, 2004.
COSO, Enterprise Risk Management—Integrated Framework: Application Techniques, AICPA, New York, 2004.
Corporate Executive Board, Confronting Operational Risk—Toward an Integrated Management Approach, Corporate Executive Board, Washington, D.C., 2000.
DeLoach, J.W., Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity, Financial Times, London, 2000.
Deloitte & Touche LLP, Perspectives on Risk for Boards of Directors, Audit Committees, and Management, Deloitte Touche Tohmatsu International, 1997.
Economist Intelligence Unit, Managing Business Risks—An Integrated Approach, The Economist Intelligence Unit, New York, 1995.
Economist Intelligence Unit, Enterprise Risk Management—Implementing New Solutions, The Economist Intelligence Unit, New York, 2001.
Emen, Michael S., Corporate Governance: The View from NASDAQ, NASDAQ, 2004.
Epstein, Marc J., and Adriana Rejc, Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Society of Management Accountants of Canada and AICPA, 2005.
Federation of European Risk Management Associations, A Risk Management Standard, 2003.
Financial and Management Accounting Committee of the International Federation of Accountants (IFAC), prepared by PricewaterhouseCoopers, Enhancing Shareholder Wealth by Better Managing Business Risk, IFAC, New York, 1999.
Financial Reporting Council, The Combined Code on Corporate Governance, 2003.
Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code, 2005.
Gates, Stephen, and Ellen Hexter, From Risk Management to Risk Strategy, The Conference Board, New York, 2005.
Gibbs, Everett, and Jim DeLoach, “Which Comes First…Managing Risk or Strategy-Setting? Both,” Financial Executive, February 2006, pp. 35-39.
Hands On, “Risk Management Issues for Privately Held Companies,” ACC Docket, May 2006, pp. 76-88.
King Committee on Corporate Governance, King Report on Corporate Governance for South Africa, Institute of Directors in Southern Africa, 2002.
Institute of Chartered Accountants in England and Wales (ICAEW), No Surprises: The Case for Better Risk Reporting, ICAEW, London, 1999.
IMA, “IMA Announces Bold Steps to ‘Get it Right’ on Sarbanes-Oxley Compliance,” December 21, 2005.
IMA, “A Global Perspective on Assessing Internal Control over Financial Reporting (ICoFR),” Discussion Draft for Comment, September 2006.
James Lam & Associates Inc., “Hallmarks of Best-Practice ERM,” Financial Executive, January/February 2005, p. 38.
Joint Standards Australia/Standards New Zealand Committee, Risk Management, Standards Australia/Standards New Zealand, 2004.
Joint Standards Australia/Standards New Zealand Committee, Risk Management Guidelines, Standards Australia/Standards New Zealand, 2004.
Kaplan, Robert S., and David P. Norton, “The Balanced Scorecard—Measures that Drive Performance,” Harvard Business Review, January-February 1992, pp. 71-79.
Kaplan, Robert S., and David P. Norton, “Putting the Balanced Scorecard to Work,” Harvard Business Review, September-October 1993, pp. 134-147.
Kaplan, Robert S., and David P. Norton, The Balanced Scorecard, Harvard Business School Press, Boston, Mass., 1996.
Kaplan, Robert S., and David P. Norton, The Strategy-Focused Organization, Harvard Business School Press, Boston, Mass., 2001.
Kocourek, Paul, Reggie Van Lee, Chris Kelly, and Jim Newfrock, “Too Much SOX Can Kill You,” Strategy+Business, Reprint, January 2004, pp. 1-5.
McNamee, D., and G.M. Selim, Risk Management: Changing the Internal Auditor’s Paradigm, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Fla., 1998.
Miccolis, J.A., K. Hively, and B.W. Merkley, Enterprise Risk Management: Trends and Emerging Practices, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Fla., 2001.
Nagumo, T., “Aligning Enterprise Risk Management with Strategy through the BSC: The Bank of Tokyo-Mitsubishi Approach,” Balanced Scorecard Report, Harvard Business School Publishing, Reprint No. B0509D, September-October 2005, pp. 1-6.
Nagumo, T., and Barnby S. Donlon, “Integrating the Balanced Scorecard and COSO ERM Framework,” Cost Management, July/August 2006, pp. 20-30.
National Association of Corporate Directors, Report of the NACD Blue Ribbon Commission of Audit Committees—A Practical Guide, 1999.
New York Stock Exchange (NYSE), Final NYSE Corporate Governance Rules, November 4, 2003.
Nottingham, L., A Conceptual Framework for Integrated Risk Management, The Conference Board of Canada, 1997.
Oversight Systems, “The 2006 Oversight Systems Financial Executive Report on Risk Management,” 2006.
Protiviti, U.S. Risk Barometer—Survey of C-Level Executives with the Nation’s Largest Companies, 2005.
Protiviti, Guide to Enterprise Risk Management, 2006.
Protiviti, Guide to Enterprise Risk Management: Frequently Asked Questions, 2006.
Sarbanes-Oxley Act of 2002, H.R. 3763.
Schwartz, Peter, The Art of the Long View, Currency Doubleday, New York, 1991.
Shaw, Helen, “The Trouble with COSO,” CFO, March 15, 2006, pp. 1-4.
Shenkir, W., and Paul L. Walker, “Enterprise Risk Management and the Strategy-Risk-Focused Organization,” Cost Management, May-June 2006, pp. 32-38.
Simons, Robert L., “Control in an Age of Empowerment,” Harvard Business Review, March-April 1995, pp. 80-88.
Simons, Robert L., “How Risky Is Your Company?” Harvard Business Review, May-June 1999, pp. 85-94.
Slywotzky, Adrian J., and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Reprint R0504E, April 2005, pp. 1-12.
Smith, Carl, “Internal Controls,” Strategic Finance, March 2006, p. 6.
Smith, Wendy K., and Richard S. Tedlow, “James Burke: A Career in American Business (A) (B),” Harvard Business School Case 9-389-177 and 9-390-030, Harvard Business School Publishing, 1989.
Smutniak, John, “Living Dangerously: A Survey of Risk,” The Economist, January 24, 2004, pp. 1-15.
Standard and Poor’s, Criteria: Assessing Enterprise Risk Management Practices of Financial Institutions, Rating Criteria and Best Practices, September 22, 2006.
Standard and Poor’s, Insurance Criteria: Refining the Focus of Insurer Enterprise Risk Management Criteria, June 2, 2006.
Stroh, Patrick, “Enterprise Risk Management at United Health Group,” Strategic Finance, July 2005, pp. 27-35.
Thornton, Emily, “A Yardstick for Corporate Risk,” Business Week, August 26, 2002, pp. 106-108.
Treasury Board of Canada Secretariat, Integrated Risk Management Framework, 2001.
Treasury Board of Canada Secretariat, Integrated Risk Management Framework: A Report on Implementation Progress, 2003.
U.S. Securities and Exchange Commission (SEC), “Commission Guidance Regarding Management’s Discussion and Analysis of Financial Condition and Results of Operations,” Release No. 33-8350, December 19, 2003.
SEC, “Securities Offering Reform,” Release No. 33-8591, December 1, 2005.
Walker, Paul L., William G. Shenkir, and Thomas L. Bar-


ton, Enterprise Risk Management: Pulling It All
Together, The Institute of Internal Auditors Research
Foundation, 2002.
Walker, Paul L., William G. Shenkir, and Thomas L. Bar-
ton, “ERM in Practice,” Internal Auditor, August 2003,
pp. 51-55.
Walker, Paul L., William G. Shenkir, and C. Stephen
Hunn, “Developing Risk Skills: An Investigation of
Business Risks and Controls at Prudential Insurance
Company of America,” Issues in Accounting Education,
May 2001, pp. 291-304.

29

You might also like