Chapter 4 Enterprise Risk Management
COSO ERM
The COSO approach is a comprehensive enterprise risk management system that takes a top-down approach to risk management and is widely used as a framework. For exam purposes the COSO approach is ideal because you can concentrate on one set of terms, one set of objectives and one set of steps. The COSO model begins with a clear definition of risk management:
Enterprise risk management is a process:
• effected by an entity's board of directors, management and other personnel,
• applied in strategy setting and across the enterprise,
• designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, and
• to provide reasonable assurance regarding the achievement of entity objectives.
The COSO approach has four clear aims in providing reasonable assurance of achieving objectives
relating to:
• reliability of reporting
• compliance with laws and regulations
• strategic objectives
• operational objectives
Enterprise risk management encompasses six elements:
i. Aligning risk appetite and strategy: linking risk with return in decision-making
ii. Enhancing risk response decisions: rigorous selection from avoidance, reduction, sharing and
accepting risk
iii. Reducing operational surprises and losses: through structured event identification and response
iv. Identifying and managing multiple and cross enterprise risks: assessing the myriad risks that
businesses face
v. Seizing opportunities: through proactive positioning
vi. Improving deployment of capital: obtaining robust risk information to assess capital needs
Several characteristics distinguish ERM from the standard, siloed risk management process:
Benefits of ERM
• Increasing the range of opportunities: by considering all possibilities (both positive and negative aspects of risk), management can identify new opportunities and the unique challenges associated with current opportunities.
• Identifying and managing risk entity-wide: every entity faces myriad risks that can affect many parts of the organisation. A risk can originate in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance.
• Increasing positive outcomes and advantage while reducing negative surprises: ERM allows entities to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses while profiting from advantageous developments.
• Reducing performance variability: for some, the challenge is less with surprises and losses and more with variability in performance. Performing ahead of schedule or beyond expectations may cause as much concern as falling short of schedule and expectations. ERM allows organisations to anticipate the risks that would affect performance and to put in place the actions needed to minimise disruption and maximise opportunity.
• Improving resource deployment: every risk could be considered a request for resources. Obtaining robust information on risk allows management, in the face of finite resources, to assess overall resource needs, prioritise resource deployment and enhance resource allocation.
• Enhancing enterprise resilience: an entity's medium- and long-term viability depends on its ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This is, in part, enabled by effective ERM, and it becomes increasingly important as the pace of change accelerates and business complexity increases.
Board of directors
The Board retains overall responsibility for overseeing the governance of risk in the organisation, with respect to the identification and management of principal risks and ensuring the implementation of appropriate control systems to manage these risks.
• The Board does not have responsibility for performing the organisation's risk management process.
• Rather, the Board has an oversight responsibility and must ensure that it receives appropriate assurance from management that the organisation has an appropriate risk management process in place and that this process is used correctly.
• Boards have a key role in determining an organisation's risk appetite, as well as periodically monitoring the organisation's risk profile to ensure that the organisation remains within the agreed appetite for risk.
Risk committees
The Board may delegate its duties in overseeing risk management activities to a board committee (the Board Risk Committee, BRC).
• The BRC is responsible for assisting the Board in ensuring that the risk management framework operates effectively, based on the risk management policies approved by the Board, and has a broad mandate to oversee the risk management activities.
Key role
▪Provide high level guidance and direction on risk management
▪Establish and review the effectiveness of risk management framework
▪Review the outcomes of corporate risk profile and ensure the risks are being responded with
appropriate mitigation actions
▪Shape and reinforce organisation’s risk culture top down
▪Ensure adequate infrastructure, resources and systems are in place for effective risk management
CEO and executive management
The CEO and senior management monitor and manage all material risks within the organisation and ensure the continuous development and implementation of risk management in the organisation.
• Senior management is responsible for ensuring that the day-to-day management of the financial institution's activities is consistent with the risk strategy, including the risk appetite, and the policies approved by the Board.
• All departments: generally, day-to-day operational risk management resides with the individual business units/divisions. Each division is directly responsible for the comprehensiveness of the risks identified, their risk assessment, the resulting action plans and the identification of new risks as they occur.
Key role
▪ Responsible for risk management within their sphere of operations, including review of existing risk profiles and controls, developing and implementing mitigation plans to manage the risks, and identifying new risks as they occur
▪ Responsible for ensuring risk assessment is performed as part of their responsibility in evaluating and making key strategic and operational decisions
▪ Support the CEO and senior management in organisation-wide risk management initiatives
▪ Identify staff within their units to assist them in fulfilling their risk management responsibilities and to work with the risk function on risk management activities
Chief risk officer
Chief risk officers may be recruited as executive directors or as senior managers who report to the Board via the CEO or finance director. Chief risk officers are especially common in organisations which have implemented ERM processes.
• The role of the chief risk officer must be distinct from other executive functions and business line responsibilities, i.e. independent (BNM Risk Governance guidance).
Key role
▪ To support the Board and the organisation-wide risk committee, where appropriate, in the fulfilment of their responsibilities. This includes raising any concerns the CRO may have regarding the risks associated with strategic decisions, major risk exposures and internal control failures that may affect the organisation's ability to meet its objectives or regulatory obligations
▪ To direct the work of the organisation's risk function
▪ To oversee the risk management activities of the whole organisation and ensure that risks are managed in a manner consistent with the organisation's appetite for risk, as well as its risk management policies and procedures
▪ To work with the compliance and internal audit functions to ensure that regulatory-compliant risk management governance arrangements are in place across the organisation
Risk manager and risk function
Generally, the role of the risk manager and the wider risk function is to oversee, coordinate and facilitate risk management activity across an organisation.
The risk management function must be independent of the business units whose activities and exposures it reviews [BNM Risk Governance guidance].
1) Develop and implement an appropriate risk framework, methodologies and tools to facilitate effective risk management throughout the organisation
2) Facilitate and coordinate the implementation of risk management processes
3) Provide consolidated reporting, including reports on the corporate and divisional risk profile, to the Board Risk Committee and Management Risk Committee, focusing on key significant risks
4) Monitor key risks across the organisation and monitor the implementation status of the risk mitigation action plans of Divisions/PERKESO offices to mitigate the identified risks
5) Monitor compliance with the organisation's risk tolerance/appetite and risk limits
6) Provide advisory support on ERM and internal controls, including an independent view of risk
7) Promote a sound risk culture through risk awareness training and programmes for employees
Internal audit
Provides assurance that an organisation's risk management process is effective in terms of its design and implementation.
• The internal audit function may conduct audits of the risk function and of the process that has been developed to support the management of risk.
• It may also identify risk management related issues in terms of how the process is used and in terms of specific control failures or new risk exposures.
• In addition, where an organisation has determined its appetite for risk, the internal audit function may provide an opinion on whether the organisation as a whole, as well as specific business units and functions, are keeping the organisation's risk profile within risk appetite.
• The risk and audit functions will usually work closely together, supporting each other's activities. Such a close working relationship should not interfere with the independence of the internal audit function.
Case study: Chocs plc
Background
Chocs plc (Chocs) was established in 1951 by Peter Davison. Despite consistent success, business growth is now slowing. The financial year-end results for 30th June 2019 reflect a turnover of £425 million (down by 7% from 2018) and a net worth of £642 million (down by 5% from 2018). A general decline in profits over the last five years has been attributed to increased competition, rising prices of raw materials and increased labour costs worldwide.
Chocs has remained a family business in culture and ethos, and at age 99 Peter still tries to attend the AGM each year. The CEO is now Susan Davison, Peter's grand-daughter; she took over in 2011 from her father Ben (Peter's son), who remains as Chair. Although in many ways unrecognisable from 1951, the Birmingham factory is still the head office and is the centre of a highly modernised production operation. An external stakeholder would consider this to be a business where all was running well.
Chocs now has seven sites across the world employing approximately 1,800 people. They differ only in size and capacity, but all offer a generalised range of products. At the last Board meeting Susan proposed a review of site capacity with a view to developing specialisation at certain sites; she was concerned that the declining profitability was at least in part due to loss of focus and the risk of Board complacency about future viability. This was not received well by Ben and further discussion was deferred to the next meeting.
42% of the Chocs shareholding remains with family and family trusts; the remaining 58% is traded (infrequently) on the Alternative Investment Market (AIM) after a successful IPO led by Ben in 2007. The funding raised enabled expansion, modernisation and a capital return to the family shareholders. The institutional and retail shareholders are mainly longer-term investors and have generally been satisfied with dividend return and share price stability.
Governance
Chocs has seven directors (three months ago you were appointed Company Secretary, reporting to the CEO):
• two executive directors – Susan Davison (CEO) and Kenneth Dwight (CFO);
• three family NEDs – Ben Davison (Chairman) and two of his cousins (Peter Balfour and Elsie Davison) – family NEDs are proposed and elected by a council representing family shareholders;
• two independent NEDs – Ramesh Singh (based in Mumbai) and Stefan Volski (based in Warsaw).
The board meets eight times a year (four times in Birmingham and four times at different operating
sites of the business). An Audit Committee and a combined Remuneration and Nomination
Committee each meet three times a year, usually coinciding with a board meeting. All NEDs are the
constituent committee members, and all meetings are attended by the executive directors.
The AIM investors have been happy with this governance arrangement thus far, not least because the
financial returns have remained consistent and in line with expectations.
Risk and control
• The key strategic and operational decisions throughout the business seem to be made through closed and un-minuted weekly meetings between Ben (Chairman), Susan (CEO) and Peter Balfour (family NED).
• Papers presented to Board meetings are short, succinct headline summaries from each operating business.
• Decisions seem to have already been made and are only brought to the Board for ratification. You have discussed this with Kenneth, who told you that this was the culture; he was sometimes at these meetings and was treated as family, as his partner is a nephew of Ben.
• As Chocs has large-scale production capability, health and safety (H&S) features frequently in operational reports, but again is only ever summarised in Board papers, usually in the form of pie charts. Having analysed the figures further, you find that there has been an increase in reportable H&S incidents at five out of the seven sites across the past 24 months, but this is barely mentioned in the Board reports.
• Having read through the Board and Committee papers for the past three years, you find there
is very little record of how the directors view the alignment of strategy, risk and control. Each
site keeps their own version of a register of the risks pertinent to their site (partly to keep the
local H&S regulators satisfied).
• Each site has a high level of autonomy with regard to its approach to risk management.
• Monthly local reports regarding risk and any related incidents are amalgamated by a team at
the Chocs site in Ireland using a spreadsheet to provide a set of charts which appear as an
appendix to the Board papers.
• There is no minuted record of director discussion of any level of risk strategy, although you
assume this must have happened as there are oblique references to a number of accidents
across the world, and to two deaths that have occurred on Chocs sites (one in Poland earlier in
the year, and one in Brazil last year).
• Control, in so far as it exists at all, seems to be delegated to a very low level on individual sites, and then discussed only confidentially at the weekly closed meetings. Stefan has discussed with you his concerns regarding a lack of risk management awareness. He is also surprised at the lack of apparent concern from the English directors; he has assumed that they just have more experience than him of running this type of business. He is aware of his duties under UK law and plans to raise the issue at the Board meeting, scheduled to be held on the Chocs site at Sao Paulo next month. He has talked to Ben about the whole H&S and CSR approach but has been told that "CSR is just another acronym designed to take valuable director time".
It has also been brought to your attention in a conversation with Stefan that cocoa farmers in South America have staged a series of protests over the low wages and payments that they have been receiving for their goods and services. Chocs has been wrongly implicated as one of the companies that have attempted to hold down prices. This has received media attention, and support groups are threatening a media campaign to boycott Chocs' products.
1. Discuss how Chocs could improve its approach to Enterprise Risk Management. Suggest the
nature and roles of the people that might be required to drive this initiative.