
Internal Control System (Cont.)

Enterprise risk management provides several benefits to organizations, including aligning risk appetite and strategy, linking growth, risk and return, and choosing the best risk response. It also helps minimize surprises and losses by identifying potential risks, and identify and manage risks across the organization. However, some criticisms of enterprise risk management include that it focuses too much internally and does not consider external factors sufficiently, may oversimplify risk assessment, and does not adequately address stakeholder influences. Another framework, the COCO framework, emphasizes purpose, commitment, capability, action, and monitoring and learning within control systems.

Uploaded by

Lorence Ibañez

Benefits of enterprise risk management

COSO highlights a number of advantages of adopting the process of enterprise risk
management.

Alignment of risk appetite and strategy: The framework demonstrates to managers the need to consider risk toleration. They then set objectives aligned with business strategy and develop mechanisms to manage the accompanying risks and to ensure risk management becomes part of the culture of the organisation, embedded into all its processes and activities.

Link growth, risk and return: Risk is part of value creation, and organisations will seek a given level of return for the level of risk tolerated.

Choose best risk response: Enterprise risk management helps the organisation select whether to reduce, eliminate or transfer risk.

Minimise surprises and losses: By identifying potential loss-inducing events, the organisation can reduce the occurrence of unexpected problems.

Identify and manage risks across the organisation: The framework means that managers can understand and aggregate connected risks. It also means that risk management is seen as everyone's responsibility, experience and practice is shared across the business and a common set of tools and techniques is used.

Provide responses to multiple risks: For example risks associated with purchasing, over and under supply, prices and dubious supply sources might be reduced by an inventory control system that is integrated with suppliers.

Seize opportunities: By considering events as well as risks, managers can identify opportunities as well as losses.

Rationalise capital: Enterprise risk management allows management to allocate capital better and make a sounder assessment of capital needs.

Criticisms of enterprise risk management


There have been some criticisms made of COSO’s framework:

Internal focus

One criticism of the ERM model has been that it starts at the wrong place. It begins with the
internal and not the external environment. Critics claim that it does not reflect sufficiently the
impact of the competitive environment, regulation and external stakeholders on risk appetite
and management and culture.

Risk identification

The ERM has been criticised for discussing risks primarily in terms of events, particularly
sudden events with major consequences. Critics claim that the guidance insufficiently
emphasises slow changes that can give rise to important risks, for example changes in
internal culture or market sentiment.

Risk assessment

The ERM model has been criticised for encouraging an over-simplified approach to risk
assessment. It has been claimed that the ERM encourages an approach which thinks in
terms of a single outcome of a risk materialising. This outcome could be an expected
outcome or it could be a worst-case result. Many risks will have a range of possible
outcomes if they materialise, for example extreme weather, and risk assessment needs to
consider this range.

Stakeholders

The guidance fails to discuss the influence of stakeholders, although many risks that
organisations face are due to a conflict between the organisation’s objectives and those of
its stakeholders.

Impacts of enterprise risk management

Although COSO’s guidance is non-mandatory, it has been influential because it provides
frameworks against which risk management and internal control systems can be assessed
and improved. Corporate scandals, arising in companies where risk management and
internal control were deficient, and attempts to regulate corporate behaviour as a result of
these scandals have resulted in an environment where guidance on best practice in risk
management and internal control has been particularly welcome.

The COCO framework

A slightly different framework is the criteria of control or COCO framework developed by the
Canadian Institute of Chartered Accountants (CICA).

Purpose
The COCO framework stresses the need for all aspects of activities to be clearly directed
with a sense of purpose. This includes:

● Overall objectives, mission and strategy
● Management of risk and opportunities
● Policies
● Plans and performance measures.

The corporate purpose should drive control activities and ensure controls achieve
objectives.

Commitment

The framework stresses the importance of managers and staff making an active
commitment to identify themselves with the organisation and its values, including ethical
values, authority, responsibility and trust.

Capability

Managers and staff must be equipped with the resources and competence necessary to
operate the control systems effectively. This includes not just knowledge and resources but
also communication processes and co-ordination.

Action

If employees are sure of the purpose, are committed to do their best for the organisation
and have the ability to deal with problems and opportunities then the actions they take are
more likely to be successful.

Monitoring and learning

An essential part of commitment to the organisation is a commitment to its evolution. This
includes:

● Monitoring external environments
● Monitoring performance
● Reappraising information systems
● Challenging assumptions
● Reassessing the effectiveness of internal controls

Above all each activity should be seen as part of a learning process that lifts the
organisation to a higher dimension.

5. Evaluating control systems (last in table of contents)

A number of factors should be considered when evaluating control systems.


Principles or rules

Having rules requiring organisations to implement internal controls should mean that
controls are applied consistently by organisations. External stakeholders dealing with these
organisations will have the assurance that they should have certain prescribed controls in
place. However this does not mean that all organisations will be operating the same
controls with the same effectiveness.

A principles-based approach to internal control implementation means that organisations
can adopt controls that are most appropriate and cost-effective for them, based on their size
and risk profile, and the sector in which they operate.

Assessment of control systems

The following general points apply to review of control systems.

Objectives

The controls in place need to help the company fulfil key business objectives, including
conducting its operations efficiently and effectively, safeguarding its assets and responding
to the significant risks it faces.

Links with risks

Links between controls and risks faced are particularly important, with the organisation
needing a clear framework for dealing effectively with risks. Key elements are the board
defining risk appetite, which will determine which risks are significant. There need to be
reliable systems in place for identifying and assessing the magnitude of risks.

Control system compatibility

Guidance on control procedures needs to be supported by other aspects of the control
system, and the overall systems need to deliver a consistent message about the importance
of controls. Human resource policies and the company's performance reward systems
should provide incentives for good behaviour and deal with flagrant breaches.

Mix of controls

Detailed controls at the transaction level will not make all that much difference unless there
are other controls further up the organisation. There should ideally be a pyramid of controls
in place, ranging from corporate controls at the top of an organisation (for example ethical
codes), management controls (budgets), process controls (authorisation limits) and
transaction controls (completeness controls). Controls shouldn't just cover the financial
accounting areas, but should include non-financial controls as well.

Human resource issues


How well control procedures operate will also be determined by the authority and abilities of
the individuals who operate the controls. There need to be clear job descriptions that
identify how much authority and discretion individuals have at different levels of the
organisation. Controls can also be undermined if the people who operate them make
mistakes. Therefore managers and staff need to have the requisite knowledge and skills to
be able to operate controls effectively. Documentation and training will be required, and
individuals' abilities assessed on a continuing basis as part of the appraisal process.

Control environment

The control environment matters because the company's culture will determine how
seriously control procedures are taken. If there is evidence that directors are overriding
controls, this will undermine them. If staff resent controls, they may be tempted to collude to
render controls ineffective.

Review of controls

Directors should demonstrate their commitment to control by reviewing internal controls.

Information sources

In order to carry out effective reviews of controls, the board needs to ensure it is receiving
sufficient information. There should be a system in place of regular reporting by
subordinates and control functions, also reports on high-risk activities. The board needs
also to receive confirmation that weaknesses identified in previous reviews have been
resolved. Finally there also needs to be clear systems of reporting problems to the board.

Feedback and response

A basic principle of control system design is that the feedback received should be used as
the basis for taking action to change the controls or modify the overall control systems.
There should be rapid responses if serious problems are picked up, for example
involvement of senior management in reviewing possible fraud.

Costs and benefits

Rational consideration of whether the costs of operating controls are worth the benefits of
preventing and detecting problems should be an integral part of the board's review process.
Directors may decide not to operate certain controls on the grounds that they are prepared
to accept the risks of not doing so.
