COSO ERM2017 - Main - (Vol - 1)
June 2017
Volume I
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), which is dedicated to providing thought leadership through the development of
comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud
deterrence designed to improve organizational performance and oversight and to reduce the extent of
fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:
•• American Accounting Association
•• American Institute of Certified Public Accountants
•• Financial Executives International
•• Institute of Management Accountants
•• The Institute of Internal Auditors
©2017 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means without written permission from COSO.
Committee of Sponsoring Organizations of
the Treadway Commission
Board Members
Robert B. Hirth Jr., COSO Chair
Richard F. Chambers, The Institute of Internal Auditors
Mitchell A. Danaher, Financial Executives International
PwC—Author
Principal Contributors
Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
Dennis L. Chesley, Project Lead Partner and Global and APA Risk and Regulatory Leader, Washington DC, USA
Frank J. Martens, Project Lead Director and Global Risk Framework and Methodology Leader, British Columbia, Canada
ii Enterprise Risk Management— Integrating with Strategy and Performance • June 2017
Table of Contents
Applying the Framework: Putting It into Context 1
1. Introduction 3
Framework 25
8. Performance 65
Applying the Framework: Putting It into Context
1. Introduction
Integrating enterprise risk management
practices throughout an organization improves
decision‑making in governance, strategy,
objective‑setting, and day-to-day operations. It
helps to enhance performance by more closely
linking strategy and business objectives to risk.
The diligence required to integrate enterprise
risk management provides an entity with a clear
path to creating, preserving, and realizing value.
A discussion of enterprise risk management1 begins with this underlying premise: every entity—
whether for-profit, not-for-profit, or governmental—exists to provide value for its stakeholders. This
publication is built on a related premise: all entities face risk in the pursuit of value. The concepts and
principles of enterprise risk management set out in this publication apply to all entities regardless of
legal structure, size, industry, or geography.
Risk affects an organization’s ability to achieve its strategy and business objectives. Therefore, one
challenge for management is determining the amount of risk 2 the organization is prepared and able
to accept. Effective enterprise risk management helps boards and management to optimize out-
comes with the goal of enhancing capabilities to create, preserve, and ultimately realize value.
Management has many choices in how it will apply enterprise risk management practices, and
no one approach is universally better than another. Yet, for any entity, one approach may provide
increased benefits versus another or have a greater alignment with the overall management philos-
ophy of the organization. This Framework sets out a basic conceptual structure of ideas, which an
organization integrates into other practices occurring within the entity. Readers who are looking for
information beyond a framework, or for different practices they can apply to integrate the enterprise
risk management concepts into the entity, will find the appendices in Volume II to this publication
helpful.
1 Defined terms are linked to the Glossary of Key Terms when first used in the document.
2 In this publication, “risks” (plural) refers to one or more potential events that may affect the achievement of objectives.
“Risk” (singular) refers to all potential events collectively that may affect the achievement of objectives.
service, and production capacity, which results in satisfied and loyal customers and
stakeholders.
•• Value is eroded when management implements a strategy that does not yield expected out-
comes or fails to execute day-to-day tasks. For example, value is eroded when substantial
resources are consumed to develop a new product that is subsequently abandoned.
•• Value is realized when stakeholders derive benefits created by the entity. Benefits may be mon-
etary or non-monetary.
How value is created depends on the type of entity. For-profit entities create value by successfully
implementing a strategy that balances market opportunities against the risks of pursuing those
opportunities. Not-for-profit and governmental entities may create value by delivering goods and ser-
vices that balance their opportunities to serve the broader community against any associated risks.
Regardless of the type of entity, integrating enterprise risk management practices with other aspects
of the business enhances trust and instills greater confidence with stakeholders.
3 Note that some entities use different terms, such as “credo,” “purpose,” “philosophy,” “fundamental beliefs,” and
“policies.” Regardless of the terminology used, the concepts underlying mission, vision, and core values provide a
structure for communicating throughout the entity.
4 Throughout this document, “enterprise risk management” refers to the culture, capabilities, and practices, integrated
with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing
value. It does not refer to a function, group, or department within an entity. Specific considerations on the operating
model are discussed in Appendix B in Volume II.
Governance
Governance forms the broadest concept. Typically, this refers to the allocation of roles, authorities,
and responsibilities among stakeholders, the board, and management. Some aspects of governance
fall outside enterprise risk management (e.g., board member recruiting and evaluation; developing
the entity’s mission, vision, and core values).
Performance Management
Performance relates to actions, tasks, and functions to achieve, or exceed, an entity’s strategy and
business objectives. Performance management focuses on deploying resources efficiently. It is
concerned with measuring those actions, tasks, and functions against predetermined targets (both
short- and long-term) and determining whether those targets are being achieved. Because a variety
of risks—both known and unknown—may affect an entity’s performance, a variety of measures may
be used:
•• Financial measures, such as return on investments, revenue, or profitability.
•• Operating measures, such as hours of operation, production volumes, or capacity percentages.
•• Obligation measures, such as adherence to service-level agreements or regulatory compliance
requirements.
•• Project measures, such as having a new product launch within a set period of time.
•• Growth measures, such as expanding market share in an emerging market.
•• Stakeholder measures, such as the delivery of education and basic employment skills to those
needing upgrades when they are out of work.
There is always risk associated with a predetermined performance target. For example, large-
scale agriculture producers will have a certain amount of risk relating to their ability to produce the
volumes required to satisfy customer demands and meet profitability targets. Similarly, airlines will
have a certain amount of risk relating to their ability to operate all flights on schedule. Yet, airline
companies may foresee less risk that they can operate 90% or even 80% of their scheduled flights
on time versus 100% of their scheduled flights. In both of these examples, there is an amount of risk
associated with managing to achieve the predetermined targets of performance—production volume
and flight operation.
An entity can enhance its overall performance by integrating enterprise risk management into day-
to-day operations and more closely linking business objectives to risk.
Internal Control
Enterprise risk management incorporates some concepts of internal control. “Internal control” is the
process put into effect by an entity to provide reasonable assurance that objectives will be achieved.
Internal control helps the organization to identify and analyze the risks to achieving those objectives
and how to manage risks. It allows management to stay focused on the entity’s operations and the
pursuit of its performance targets while complying with relevant laws and regulations. Note, however,
that some concepts relating to enterprise risk management are not considered within internal control
(e.g., concepts of risk appetite, tolerance, strategy, and objectives are set within enterprise risk man-
agement but viewed as preconditions of internal control).
To avoid redundancy, some concepts relating to internal control that are common to both this
publication and Internal Control—Integrated Framework have not been repeated here (e.g., fraud
risk relating to financial reporting objectives, control activities relating to compliance objectives, and
ongoing and separate evaluations relating to operations objectives). However, some common con-
cepts relating to internal control are further developed in the Framework5 section (e.g., governance
of enterprise risk management). Please review Internal Control–Integrated Framework6 as part of
applying the Framework in this publication.
5 “Framework” refers collectively to the five components introduced in Chapter 5 and covered individually in Chapters 6
through 10.
6 Internal Control–Integrated Framework can be obtained through www.coso.org.
•• Identify and manage entity-wide risks: Every entity faces myriad risks that can impact many
parts of the entity. Sometimes a risk can originate in one part of the entity but affect a different
part. Management must identify and manage these entity-wide risks to sustain and improve
performance. For example, when a bank realized that it faced a variety of risks in trading
activities, management responded by developing a system to analyze internal transaction and
market information that was supported by relevant external information. The system provided
an aggregate view of risks across all trading activities, allowing drill-down capability to depart-
ments, customers, and traders. It also allowed the bank to quantify the relative risks. The
system met the entity’s enterprise risk management requirements and allowed the bank to bring
together previously disparate data to respond more effectively to risks.
•• Reduce performance variability: For some entities, the challenge is less about surprises and
losses, and more about performance variability. Performing ahead of schedule or beyond
expectations may cause as much concern as performing below expectations. For instance,
within a public transportation system, riders will be just as annoyed when a bus or train departs
ten minutes early as when it is ten minutes late: both can cause riders to miss connections.
To manage such variability, transit schedulers build natural pauses into the schedule. Drivers
wait at designated stops until a set time, regardless of when they arrive. This helps smooth out
variability in travel times and improve overall performance and rider views of the transit system.
Enterprise risk management allows organizations to anticipate the risks that would affect per-
formance and enable them to take action to minimize disruption.
•• Improve resource deployment: Obtaining robust information on risk allows management to
assess overall resource needs and helps to optimize resource allocation. For example, a down-
stream gas distribution company recognized that its aging infrastructure increased the risk of
a gas leak occurring. By looking at trends in gas leak–related data, the organization was able
to assess the risk across its distribution network. Management subsequently developed a plan
to replace worn-out infrastructure and repair those sections that had remaining useful life. This
approach allowed the company to maintain the integrity of the infrastructure while allocating
significant additional resources over a longer period of time.
Keep in mind that the benefits of integrating enterprise risk management practices with strategy-
setting and performance management practices will vary by entity. There is no one-size-fits-all
approach available for all entities. However, implementing enterprise risk management practices
will generally help an organization achieve its performance and profitability targets and prevent or
reduce the loss of resources.
2. Understanding the Terms: Risk and Enterprise Risk Management
Defining Risk and Uncertainty
An entity’s strategy and business objectives may be affected by potential events. A lack of complete
predictability of an event occurring (or not) and its related impact creates uncertainty for an orga-
nization. Uncertainty exists for any entity7 that sets out to achieve future strategies and business
objectives. In this context, risk is defined as:
The possibility that events will occur and affect the achievement of strategy
and business objectives.
The box on this page contains terms that expand on and support the definition of risk. The Framework emphasizes that risk relates to the potential for events, often considered in terms of severity. In some instances, the risk may relate to the anticipation of an expected event that does not occur.
In the context of risk, events are more than routine transactions; they include broader business matters such as changes in the governance and operating structure, geopolitical and social influences, and contracting negotiations, among other things. Some events that potentially affect strategy and business objectives are readily discernible—a change in interest rates, a competitor launching a new product, or the retirement of a key employee. Others are less evident, particularly when multiple small events combine to create a trend or condition. For instance, it may be difficult to identify specific events related to global warming, yet that condition is generally accepted as occurring. In some cases, organizations may not even know or be able to identify what events may occur.
Terms supporting the definition of risk:
•• Event: An occurrence or set of occurrences.
•• Uncertainty: The state of not knowing how or if potential events may manifest.
•• Severity: A measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.
Organizations commonly focus on those risks that may result in a negative outcome, such as
damage from a fire, losing a key customer, or a new competitor emerging. However, events can
also have positive outcomes,8 such as better-than-forecast weather, stronger staff retention trends,
or improved tax rates, which should also be considered. As well, events that are beneficial to the
achievement of one objective may at the same time pose a challenge to the achievement of other
objectives. For example, a product launch with higher-than-forecast demand has a positive effect
on financial performance. However, it may also increase risk to the supply chain, which may result in
unsatisfied customers if the company cannot supply the product.
Some risks have minimal impact on an entity, and others have a larger impact. Enterprise risk
management practices help the organization identify, prioritize, and focus on those risks that may
prevent value from being created, preserved, and realized, or that may erode existing value. But, just
as important, it also helps the organization pursue potential opportunities.
7 “Entity” is a broad term that can encompass a wide variety of legal structures including for-profit, not-for-profit, and
governmental entities.
8 This Framework distinguishes between positive outcomes and opportunities. Positive outcomes relate to those
instances where performance exceeds the original target. Opportunities relate to an action or potential action that
creates or alters goals or approaches for creating, preserving, and realizing value.
Recognizing Culture
Culture is developed and shaped by the people at all levels of an entity by what they say and do. It is
people who establish the entity’s mission, strategy, and business objectives, and put enterprise risk
management practices in place. Similarly, enterprise risk management affects people’s decisions
and actions. Each person has a unique point of reference, which influences how he or she identifies,
assesses, and responds to risk. Enterprise risk management helps people make decisions while
understanding that culture plays an important role in shaping those decisions.
Developing Capabilities
Organizations pursue various competitive advantages to create value for the entity. Enterprise risk
management adds to the skills needed to carry out the entity’s mission and vision and to anticipate
the challenges that may impede organizational success. An organization that has the capacity to
adapt to change is more resilient and better able to evolve in the face of marketplace and resource
constraints and opportunities.
Applying Practices
Enterprise risk management is not static, nor is it an adjunct to a business. Rather, it is continually
applied to the entire scope of activities as well as special projects and new initiatives. It is part of
management decisions at all levels of the entity.
The practices used in enterprise risk management are applied from the highest levels of an entity
and flow down through divisions, business units, and functions. The practices are intended to help
people within the entity better understand its strategy, what business objectives have been set,
what risks exist, what the acceptable amount of risk is, how risk impacts performance, and how they
are expected to manage risk. In turn, this understanding supports decision-making at all levels and
helps to reduce organizational bias.
Linking to Value
An organization must manage risk to strategy and business objectives in relation to its risk appe-
tite—that is, the types and amount of risk, on a broad level, it is willing to accept in its pursuit of
value. The first expression of risk appetite is an entity’s mission and vision. Different strategies will
expose an entity to different risks or different amounts of similar risks.
Risk appetite provides guidance on the practices an organization is encouraged to pursue or not
pursue. It sets the range of appropriate practices and guides risk-based decisions rather than speci-
fying a limit.
Risk appetite is not static; it may change between products or business units and over time in line
with changing capabilities for managing risk. The types and amount of risk that an organization
might consider acceptable can change. For example, during good economic times, a successful and
growing company may be more willing to accept certain downside risk than when economic times
are bad and business outlooks deteriorate. Risk appetite must be flexible enough to adapt to chang-
ing business conditions as needed without waiting for periodic management reviews and approvals.
While risk appetite is introduced here,9 the Framework sets out numerous instances where it is
applied as part of enterprise risk management. Some of the more important applications of risk
appetite are its:
•• Use by the organization in making decisions that enhance value.
•• Help in aligning the acceptable amount of risk with the organization’s capacity to manage risk
and opportunities.
•• Relevance when setting strategy and business objectives, helping management consider
whether performance targets are aligned with acceptable amount of risk.
•• Assistance in communicating risk profiles desired by the board.
•• Relevance and alignment with risk capacity.
•• Use in evaluating aggregated risk at a portfolio view.
Enterprise risk management helps management select a strategy that aligns anticipated value
creation with the entity’s risk appetite and its capabilities for managing risk more often and more
consistently over time. Managing risk within risk appetite enhances an organization’s ability to
create, preserve, and realize value.
9 Risk appetite is discussed further in the Framework under Principle 7: Defines Risk Appetite.
3. Strategy, Business Objectives, and Performance
Enterprise Risk Management and Strategy
Enterprise risk management helps an organization better understand:
•• How mission, vision, and core values form the initial expression of what types and amount of
risk are acceptable to consider when setting strategy.
•• The possibility that strategy and business objectives may not align with the mission, vision, and
core values.
•• The types and amount of risk the organization potentially exposes itself to by choosing a par-
ticular strategy.
•• The types and amount of risk inherent in carrying out its strategy and achieving business
objectives and the acceptability of this level of risk, and ultimately, value.
Figure 3.1 illustrates strategy in the context of mission, vision, and core values, and as a driver of an
entity’s overall direction and performance.
[Figure 3.1: Strategy in context. Labels: STRATEGY; PERFORMANCE; Possibility of strategy not aligning; Implications from the strategy chosen; Risk to strategy and performance.]
Performance
Risk profiles that trend upwards, as shown in Figure 3.2, are typical of, but not limited to, business
objectives such as:
•• Oil and gas exploration: As exploration efforts for new oil and gas reserves target increasingly
remote and inaccessible areas, oil and gas companies likely face greater amounts of risk in an
effort to locate resources.
•• Recruitment of specialist resources: As entities pursue increasingly niche products or markets,
the risks associated with attracting and retaining expertise and experience in their workforce
increase.
•• Transportation and logistics: As the number of locations or volume of goods increases, the size
of the transportation fleet and complexity of operations grows, resulting in a higher amount of
risk.
•• Funding for capital works and improvements: In illiquid markets, or where consumer confidence
is low, the amount of risk associated with an entity’s ability to secure funding for capital works,
projects, or initiatives increases.
There is, however, no one universal risk profile shape or trend. Every entity’s risk profile will be
different depending on its unique strategy and business objectives. Organizations can use their
risk profiles to better understand the intrinsic relationship between risk, targeted performance, and
actual performance.
Risk profiles help management to determine what amount of risk is acceptable and manageable in
the pursuit of strategy and business objectives. Risk profiles10 may help management:
•• Understand the level of performance in the context of the entity’s risk appetite (see Principle 7:
Defines Risk Appetite).
•• Find the optimal level of performance given the organization’s ability to manage risk (see Princi-
ple 9: Formulates Business Objectives).
•• Determine the tolerance for variation in performance related to the target (see Principle 9: For-
mulates Business Objectives).
•• Assess the potential impact of risk on predetermined targets (see Principle 11: Assesses Sever-
ity of Risk and Principle 14: Develops Portfolio View).
While the risk profile shown here may imply that a specific level of precision, and perhaps quantitative
data, is needed to create it, keep in mind that it can also be developed using qualitative information.
4. Integrating Enterprise Risk Management
The Importance of Integration
An entity’s success is the result of countless decisions made every day by the organization that
affect the performance and, ultimately, the achievement of the strategy or business objectives. Most
of those decisions require selecting one approach from multiple alternatives. Many of the decisions
will not be simply either “right” or “wrong,” but will include trade-offs: time versus quality; efficiency
versus cost; risk versus reward.
When making such decisions, management and the board must continually navigate a dynamic
business context, which requires integrating enterprise risk management thinking into all aspects of
the entity, at all times. The Framework, therefore, views enterprise risk management in just that way.
It is not simply a function or department within an entity, something that can be “tacked on.” Rather,
culture, practices, and capabilities are, together, integrated and applied throughout the entity.
Integrating enterprise risk management with business activities and processes results in better infor-
mation that supports improved decision-making and leads to enhanced performance. In addition, it
helps organizations to:
•• Anticipate risks earlier or more explicitly, opening up more options for managing the risks and
minimizing the potential for deviations in performance, losses, incidents, or failures.
•• Identify and pursue existing and new opportunities in accordance with the entity’s risk appetite
and strategy.
•• Understand and respond to deviations in performance more quickly and consistently.
•• Develop and report a more comprehensive and consistent portfolio view of risk, thereby allow-
ing the organization to better allocate finite resources.
•• Improve collaboration, trust, and information sharing across the organization.
Integration enables the organization to make decisions that are better aligned with the speed and
potential disruption of individual risks and the pursuit of new opportunities. Risk-aggressive entities
may need to obtain risk-related information quickly and have streamlined decision-making pro-
cesses in place in order to pursue fast-moving opportunities. For example, consider an investment
firm that has been presented with an opportunity to bid on a new deal, but is required to respond
within several hours. The firm’s risk management practices are well integrated with the capabilities
within the bidding process, allowing the organization to collect and review the available information
and make a decision in the time required.
Where risk management practices and capabilities are separate, collecting relevant information,
identifying stakeholders, and making decisions all take longer, and that can jeopardize an entity’s
ability to meet urgent deadlines. In short, the more risk aggressive the entity, the greater the value of
integration.
Culture
Instilling more transparency and risk awareness into an entity’s culture requires actions such as:
•• Implementing forums or other mechanisms for sharing information, making decisions, and iden-
tifying opportunities.
•• Encouraging people to escalate issues and concerns without fear of retribution.
•• Clarifying and communicating roles and responsibilities for the achievement of strategy and
business objectives, including responsibilities for the management of risk.
•• Aligning core values, behaviors, and decision-making with incentives and remuneration models.
•• Developing and sharing a strong understanding of the business context and drivers of value
creation.
Capabilities
Enterprise risk management capabilities are integrated into the entity when:
•• Management is able to make decisions that are appropriate given its appetite, risk profile of the
entity, and the changes to the profile that occur over time.
•• The organization routinely hires capable individuals with relevant experience who can exercise judg-
ment and oversight in accordance with their responsibilities.
•• The organization has access to capable individuals, subject matter experts, or other technical
resources to support decision-making.
•• When making necessary investments in technology or other infrastructure, management considers
the tools required to enable enterprise risk management responsibilities.
•• Vendors, contractors, and other third parties are considered in discussions of risk and performance.
Practices
Enterprise risk management practices are integrated when:
•• Setting strategy explicitly considers risk when evaluating options.
•• Management actively addresses risk in pursuit of its performance targets.
•• Activities are developed to regularly and consistently monitor performance results and changes in the risk profile throughout the entity.
•• Management is able to make decisions that are in line with the speed and scope of changes in the entity.
Example 4.1 describes integration in practice.
Example 4.1: Integration in Practice
The management of a large government department integrates enterprise risk management practices with the monthly performance management meetings. At these meetings, they analyze performance and discuss new, emerging, and changing risks that affect their ability to effectively serve the public. This promotes greater transparency and increased responsiveness to the most important risks, sharing of ideas on how best to approach the risk, and greater consistency in deploying risk responses across the operations of the department.
5. Components and Principles
Components and Principles of Enterprise Risk Management
The Framework consists of the five interrelated components of enterprise risk management. Figure 5.1 illustrates these components and their relationship with the entity's mission, vision, and core values. The three ribbons in the diagram of Strategy and Objective-Setting, Performance, and Review and Revision represent the common processes that flow through the entity. The other two ribbons, Governance and Culture, and Information, Communication, and Reporting, represent supporting aspects of enterprise risk management.
[Figure 5.1: COSO infographic with principles.]
The figure further illustrates that when enterprise risk management is integrated across strategy
development, business objective formulation, and implementation and performance, it can enhance
value. Enterprise risk management is not static. It is integrated into the development of strategy,
formulation of business objectives, and the implementation of those objectives through day-to-day
decision-making.
It prioritizes risks according to their severity and considering the entity’s risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and entity-level business objectives.
•• Review and Revision: By reviewing enterprise risk management capabilities and practices, and the entity’s performance relative to its targets, an organization can consider how well the enterprise risk management capabilities and practices have increased value over time and will continue to drive value in light of substantial changes.
•• Information, Communication, and Reporting: Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant information from both internal and external sources to support enterprise risk management. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture, and performance.
Within these five components are a series of principles, as illustrated in Figure 5.2. The principles represent the fundamental concepts associated with each component. These principles are worded as things organizations would do as part of the entity’s enterprise risk management practices. While these principles are universal and form part of any effective enterprise risk management initiative, management must bring judgment to bear in applying them. Each principle is covered in detail in the respective chapters on components.
[Figure 5.1 labels: Mission, Vision & Core Values; Strategy Development; Business Objective Formulation; Implementation & Performance; Enhanced Value]
12 Additional discussion on controls to effect principles is set out in Internal Control—Integrated Framework.
In these three considerations, being “present” means the components, principles, and controls exist in
the design and implementation of enterprise risk management to achieve strategy and business objec-
tives. Being “functioning” means they continue to operate to achieve strategy and business objectives.
And “operating together” refers to the interdependencies of components and how they function cohe-
sively. Organizations may place different emphasis on specific principles and apply them differently,
depending on the benefits an organization seeks to attain through enterprise risk management.13 When
these components, principles, and supporting controls are present and functioning, the organization can
reasonably expect that enterprise risk management is helping the entity create, preserve, and realize
value.
Different approaches are available for assessing enterprise risk management. When the assessment is
performed to communicate to external stakeholders, it would be conducted considering the principles
set out in the Framework. When assessing enterprise risk management for internal purposes, some orga-
nizations may choose to use some form of maturity model in completing this evaluation, recognizing that
the model must be tailored to address the complexity of the business. Factors that add complexity may
include, among other things, the entity’s geography, industry, nature, extent and frequency of change
within the entity, historical performance and variation in performance, reliance on technology, and the
extent of regulatory oversight.
During an assessment, management may also review the suitability of those capabilities and practices,
keeping in mind the entity’s complexity and the benefits the organization seeks to attain through enter-
prise risk management.
13 Potential benefits relating to enterprise risk management are set out in Chapter 1: Introduction.
Framework
Introduction
An entity’s board of directors plays an important role in governance and significantly influences enter-
prise risk management. This Framework uses the term “board of directors” or “board” to encompass the
governing body, including board, supervisory board, board of trustees, general partners, or owner.
Where the board is independent from management and generally comprises members who are experi-
enced, skilled, and highly talented, it can offer an appropriate degree of industry, business, and technical
input while performing its oversight responsibilities. This input includes scrutinizing management’s activ-
ities when necessary, presenting alternative views, challenging organizational biases, and acting in the
face of wrongdoing. Most important, in fulfilling its role of providing risk oversight, the board challenges
management without stepping into the role of management.
Another critical influence on enterprise risk management is culture. Whether the entity is a small family-
owned private company, a large, complex multinational, a government agency, or a not-for-profit
organization, its culture reflects the entity’s core values: the beliefs, attitudes, desired behaviors, and
importance of understanding risk. Culture supports the achievement of the entity’s mission and vision.
An entity with a culture that is risk-aware stresses the importance of managing risk and encourages
transparent and timely flow of risk information. It does this with no assignment of blame, but with an
attitude of understanding, accountability, and continual improvement.
Governance and Culture
Independence
The board overall should be independent. Independence enhances directors’ ability to be objec-
tive and to evaluate the performance and well-being of the entity without any conflict of interest or
undue influence of interested parties. The board demonstrates its independence through each board
member displaying his or her individual director’s ability to be objective (see Example 6.1).
An independent board serves as a check and balance on management, ensuring that the entity is
being run in the best interests of its stakeholders rather than of a select number of board members
or management.
While independence is often a larger focus within publicly traded companies, similar considerations
apply to private entities, government bodies, and not-for-profit entities.
Organizational Bias
Bias in decision-making has always existed and always will. It is not unusual to find within an entity
evidence of dominant personalities, overreliance on numbers, disregard of contrary information,
disproportionate weighting of recent events, and a tendency for risk avoidance or risk taking. So the
question is not whether bias exists, but rather how bias affecting decisions relating to enterprise risk
management can be managed. The board is expected to understand the potential organizational
biases that exist and challenge management to overcome them.
The organization considers these and other factors when deciding what operating structure to
adopt. For example, the board of directors determines which management roles have at least a
dotted line to the board to allow for open communication of all important issues. Similarly, direct
reporting and informational reporting lines are defined at all levels of the entity.
14 The chief risk officer is the individual who is delegated authority for enterprise risk management; other names for
this role may be “head of enterprise risk management,” “head of risk,” “director of enterprise risk management,” or
“director of risk.”
Clearly defining authority is important, as it empowers people to act as needed in a given role but
also puts limits on authority. Risk-based decisions are enhanced when management:
•• Delegates responsibility only to the extent required to achieve the entity’s strategy and business
objectives (e.g., the review and approval of new products involves the business and support
functions, separate from the sales team).
•• Specifies transactions requiring review and approval (e.g., management may have the authority
to approve acquisitions).
•• Considers new and emerging risks as part of decision-making (e.g., a new business partner is
not taken on without exercising due diligence).
A well-defined culture does not imply a template approach to enterprise risk management. That is,
managers of some operating units may be prepared to take more risk, while others may be more
conservative. For example, an aggressive sales unit may focus its attention on making a sale without
careful attention to regulatory compliance outside the desired risk appetite, while the personnel in
the contracting unit may focus on maintaining full compliance well within the desired risk appetite.
Working separately, these two units could adversely affect the entity, but by having a shared under-
standing of acceptable risk decisions, they can respond appropriately within the defined risk appetite
to achieve the strategy and business objectives.
Effect of Culture
The culture of an organization affects how risk is identified, assessed, and responded to from the
moment of setting strategy through to execution and performance. Examples include:
•• Scoping of strategy and business objective-setting: The culture of an organization may affect
the types of strategic alternatives being considered. For example, despite promising feasibility
studies, a risk-averse organization may choose not to expand mining and drilling operations
into new geographies.
•• Applying rigor to the risk identification and assessment processes: Depending on where an
organization sits on the culture spectrum, the nature and types of risks and opportunities
may differ. What are viewed as potential risks by a risk-averse entity may be considered
as opportunities worthy of pursuit by another. For example, increasing demand for online
ordering may be seen as a risk for a traditional retail manufacturer but as an opportunity
to increase sales by a retailer looking to grow sales and market share.
•• Selecting risk responses and allocating finite resources: A risk-averse entity may allocate
risk responses or additional resources in order to gain higher confidence of the achieve-
ment of a specific business objective. The costs and benefits associated with incremental
risk responses may be interpreted less favorably by more risk-aggressive entities. For
example, purchasing additional insurance may be favored by risk-averse entities, but may
be viewed as an inefficient use of financial resources by another.
•• Reviewing performance: Trends in the risk profile or business context may be addressed
differently by entities on different points of the culture spectrum. A risk-averse entity may
make changes more quickly to risk responses as variations in performance are identified.
Entities that are more risk aggressive may wait longer before making changes or may
make smaller changes. For example, airlines may adjust flight schedules more quickly in
response to adverse changes in weather conditions than train or bus companies, which
may be able to continue operating without disruption for longer.
In a risk-aware culture, personnel know what the entity stands for and the boundaries within
which they can operate. They can openly discuss and debate which risks should be taken to
achieve the entity’s strategy and business objectives, with the result being employee and man-
agement behaviors that are more consistently aligned with the entity’s risk appetite.
Enforcing Accountability
The board of directors ultimately holds the chief executive officer15 accountable for managing the
risk faced by the entity by establishing enterprise risk management practices and capabilities to
support the achievement of the entity’s strategy and business objectives. The chief executive officer
and other members of management, together, are responsible for all aspects of accountability—from
initial design to periodic assessment of the culture and enterprise risk management capabilities.
Accountability for enterprise risk management is demonstrated in each structure used by the entity.
Management provides guidance to personnel so they understand the risks. Management also
demonstrates leadership by communicating the expectations of conduct for all aspects of enterprise
risk management. Such leadership from the top helps to establish and enforce accountability and a
common purpose.
Accountability is evident in the following ways:
•• Management and the board of directors clearly communicating the expectations (e.g., develop-
ing and enforcing standards of conduct).
•• Management ensuring that information on risk flows throughout the entity (e.g., communicating
how decisions are made and how risk is considered as part of decisions).
•• Employees committing to collective business objectives (e.g., aligning individual targets and
performance with the entity’s business objectives).
•• Management responding to deviations from standards and behaviors (e.g., terminating person-
nel or taking other corrective actions for failing to adhere to organizational standards; initiating
performance evaluations).
15 The Framework refers to “chief executive officer.” Other terms describing this senior leadership position that may be
used include “chief executive,” “president,” “managing director,” or “deputy.”
In addition, management provides the board of directors with an appropriate level of risk information
to gauge whether current enterprise risk management practices are appropriate. The board of direc-
tors can provide risk oversight only if it is given timely and complete information, and when the lines
of communication are open to discuss issues with management.
The entity that demonstrates open communication and transparency provides a variety of channels
for both management and personnel to report concerns about potentially inappropriate or excessive
risk taking, business conduct, or behavior without fear of retaliation or intimidation. The entity also
prohibits any form of retaliation against any individual who participates in good faith in any investi-
gation of behavior that is not in line with the standards of conduct and risk appetite. Personnel who
engage in inappropriate or unlawful retaliation or intimidation are subject to disciplinary action.
Throughout this process, any behavior not consistent with standards of conduct, policies, perfor-
mance expectations, and enterprise risk management responsibilities is identified, assessed, and
corrected in a timely manner.
In addition, organizations must continually identify and evaluate those roles that are essential to
achieving strategy and business objectives. The decision of whether a role is essential is made by
assessing the consequences of having that role temporarily or permanently unfilled. The question
needs to be asked: How will strategy and business objectives be achieved if the position of, for
example, the chief executive officer is left unfilled?
Rewarding Performance
Performance is greatly influenced by the extent to which individuals are held accountable and how they are rewarded. It is up to management and the board of directors to establish incentives and other rewards appropriate for all levels of the entity, considering the achievement of both short-term and longer-term business objectives. Establishing such incentives and rewards requires appropriately assessing and prioritizing risks and developing detailed risk responses. Conversely, under a program of incentives, those individuals who do not adhere to the entity’s standards of conduct are sanctioned and not promoted or otherwise rewarded.
Salary increases and bonuses are common incentives, but non-monetary rewards such as being given greater responsibility, visibility, and recognition are also effective. Management consistently applies and regularly reviews the entity’s measurement and reward structures in conjunction with its desired behavior. In doing so, the performance of individuals and teams is reviewed in relation to defined measures, which include business performance factors as well as demonstrated competence (see Example 6.5).
Example 6.5: Performance, Incentives, and Rewards
A family-owned furniture manufacturer is trying to win customer loyalty with its high-quality furniture. It engages its workforce to reduce production defect rates, and it aligns its performance measures, incentives, and rewards with both the operating units’ production goals and the expectation to comply with all safety and quality standards, workplace safety laws, customer loyalty programs, and accurate product recall reporting. Once they aligned business objectives with incentives and rewards, the company noted in the staff a greater sense of accountability and more willingness to work together to address challenges, and ultimately there was a measurable decline in product defects.
Addressing Pressure
Pressure in an organization comes from many sources. The targets that management establishes for
achieving strategy and business objectives by their nature create pressure. Pressure also may occur
during the regular cycles of specific tasks (e.g., negotiating a sales contract), and it may sometimes
be self-imposed. Unexpected change in business context, such as a sudden dip in the economy,
can also add pressure.
Pressure can either motivate individuals to meet expectations or cause them to fear the conse-
quences of not achieving strategy and business objectives. In the latter case, individuals may
circumvent processes or engage in fraudulent activity. Organizations can positively influence
pressure by rebalancing workloads or increasing resource levels, as appropriate, and continue to
communicate the importance of ethical behavior.
Excessive pressure is most commonly associated with:
•• Unrealistic performance targets, particularly for short-term results.
•• Conflicting business objectives of different stakeholders.
•• Imbalance between rewards for short-term financial performance and those for long-term
focused stakeholders, such as corporate sustainability targets (see Example 6.6).
Introduction
Every entity has a strategy for bringing its mission and vision to fruition, and to drive value. It can be
a challenge to assess whether the strategy will align with mission, vision, and core values, but it is a
challenge that must be taken on. By integrating enterprise risk management with strategy-setting, an
organization gains insight into the risk profile associated with strategy and the business objectives.
Doing so guides the organization and helps to sharpen the strategy and the tasks necessary to carry
it out.
Strategy and Objective-Setting
An entity’s internal environment is anything inside the entity that can affect its ability to achieve its
strategy and business objectives (Figure 7.2). Internal stakeholders are those people working within
the entity who directly influence the organization (board directors, management, and other person-
nel). As entities vary greatly in size and structure, internal stakeholders may affect the organization
differently as a whole than at the level of division, operating unit, or function.
16 External environment categories may also be considered as potential risk categories when identifying and
assessing risks.
17 Internal environment is explored in detail in the Governance and Culture component (Chapter 6).
Management may also consider the entity’s risk profile, risk capacity, enterprise risk management
capability and maturity, among other things, when determining risk appetite.
•• Risk profile provides information on the entity’s current amount of risk and how risk is dis-
tributed across the entity, as well as on the different categories of risk for the entity. New
organizations will not have an existing risk profile to draw from, but they may be able to get
valuable information from their industry and competitors.
•• Risk capacity is the maximum amount of risk the entity can absorb in pursuit of strategy and
business objectives. If risk appetite is very high, but its risk capacity is not large enough to
withstand the potential impact of the related risks, the entity could fail. On the other hand, if the
entity’s risk capacity significantly exceeds its risk appetite, the organization may lose opportu-
nities to add value for its stakeholders.
•• Enterprise risk management capability and maturity provide information on how well enterprise
risk management is functioning. A mature organization is often able to define enterprise risk
management capabilities that provide better insight into its existing risk appetite and factors
influencing risk capacity. A less mature organization with undefined enterprise risk management
capabilities may not have the same understanding, which can result in a broader risk appetite
statement or one that will need to be redefined sooner. Enterprise risk management capabil-
ity and maturity also influence how the organization adheres to and operates within its risk
appetite.
Some organizations will develop and articulate risk appetite using other approaches, such as risk
categories. These approaches are sometimes easier to manage and assess. However, they can also
result in organizations managing risk in silos rather than taking an integrated view of enterprise risk
management.
Risk appetite is communicated by management, endorsed by the board, and disseminated through-
out the entity. Disseminating risk appetite is important, as the goal is for all decision-makers to
understand the risk appetite they must operate within, especially those who perform tasks to achieve
business objectives (e.g., local sales forces, country managers).
18 Formulating business objectives is discussed in Principle 9. They are included here to better illustrate how risk
appetite cascades from strategy through business objectives.
Most organizations will choose to communicate risk appetite broadly across the entity. Some may
choose to focus on senior roles that have direct responsibility for managing performance. This may
occur, for instance, where there is sensitivity to competitor activity, access to private or confidential
information, or potential for risk appetite to impede compliance with obligations. In some instances,
organizations may also choose to communicate risk appetite to external stakeholders, either in its
entirety or in an abbreviated form.
[Figure: risk appetite continuum, from Lower to Higher]
A university has set its strategy focusing on its role as a preeminent teaching and research university
that attracts outstanding students and as a desired place of work for top faculty. The university’s risk
appetite statements acknowledge that risk is present in every activity. The critical question in estab-
lishing the risk appetite is how willing the university is to accept risk related to each area. To answer
that question, management uses a continuum to express risk appetite for the university’s major busi-
ness objectives (teaching, research, service, student safety, and operational efficiency). They place
various risks along the continuum as a basis for discussion at the highest levels.
Example 7.5 illustrates how one organization cascades risk appetite through statements aligned with
high-level business objectives that, in turn, align with the overall entity strategy.
The amount of effort expended and the level of precision required to evaluate alternative strategies
will vary by the significance and complexity of the decision, the resources and capabilities available,
and the number of strategies being evaluated. The more significant or complex the decision, the
more detailed the evaluation will be, perhaps using several approaches.
Popular approaches to evaluating alternative strategies are SWOT analysis,21 modeling, valuation,
revenue forecast, competitor analysis, and scenario analysis. The evaluation is typically performed
by management who have an entity-wide view of risk and understand how strategy affects perfor-
mance. That is, management understands at the entity level how a chosen strategy will support
performance across different divisions, functions, and geographies.
When developing alternative strategies, management makes certain assumptions. These underlying
assumptions can be sensitive to change, and that propensity to change can greatly affect the risk
profile. Once a strategy has been chosen, and by understanding the propensity of assumptions to
change, the organization is able to develop requisite oversight mechanisms relating to changing
assumptions.
Example 7.6 illustrates one organization’s approach for evaluating the possibility of alternative
strategies not aligning with mission and vision and implications from the alternative strategies on
the entity’s risk profile. This example also illustrates the need to understand competing priorities
between customers, employees, and shareholders.
21 SWOT is an acronym for strengths, weaknesses, opportunities, and threats. A SWOT analysis is a structured planning method that evaluates those four elements.
A global camera manufacturer used to sell film cameras, but as digital cameras became more
popular, the company started to experience lower sales. In response, it has modified its strat-
egy by adapting to a changing consumer need and new technology. It now develops digital
cameras and mitigates the risk that its products may become obsolete. These changes to
strategy are supported by changes to relevant business objectives and performance targets.
Mitigating Bias
Bias always exists, but an organization should try to be unbiased, or to mitigate any bias, when it is evaluating alternative strategies. The first step is to identify any bias that may exist during strategy-setting. Where such bias exists, the organization should take steps to mitigate that bias. Bias may prevent an organization from selecting the best strategy, one that both supports the entity’s mission, vision, and core values and reflects the entity’s risk appetite.
Understanding Tolerance
Closely linked to risk appetite is tolerance, the acceptable variation in performance. It describes the range of acceptable outcomes
[Figure 7.5: Risk Profile Showing Tolerance. Axes: Risk (vertical), Performance (horizontal). Curves: risk profile, risk appetite, risk capacity. The tolerance band and point “A” are marked on the performance axis.]
Having an understanding of the tolerance for variation in performance enables management to enhance value to the entity. For instance, the right boundary of acceptable variation should generally not exceed the point where the risk profile intersects risk appetite. But where the right boundary is below risk appetite, management may be able to shift its targets and still be within its overall risk appetite. The maximum point where the performance target could be set is where the right boundary of tolerance intersects with risk appetite (“A” in Figure 7.5).
Unlike risk appetite, which is broad, tolerance is tactical and focused. That is, it should be expressed
in measurable units (preferably in the same units as the business objectives), be applied to all busi-
ness objectives, and be implemented throughout the entity. In setting tolerance, the organization
considers the relative importance of each business objective and strategy. For instance, for those
objectives viewed as being highly important to achieving the entity’s strategy, or where a strategy is
highly important to the entity’s mission and vision, the organization may wish to set a lower range of
tolerance. Tolerance focuses on objectives and performance, not specific risks.
Operating within defined tolerance provides management with greater confidence that the entity
remains within its risk appetite and provides a higher degree of comfort that the entity will achieve its
business objectives.
It is common for organizations to assume that exceeding variation in performance is a benefit, and trailing variation in performance is a risk. Exceeding a target does not always indicate efficiency or good performance; it may simply mean that an opportunity is being exploited. But trailing a target does not necessarily mean failure: it depends on the organization’s target and how variation is defined (see Example 7.11).
Organizations should also understand the relationship between cost and tolerance so they can deal effectively with associated risk. Typically, the narrower the tolerance, the greater the amount of resources required to operate within that level of performance. Consider airlines, for example, which track on-time arrivals and departures. An airline may decide to stop serving several routes because its on-time performance does not fit within the airline’s revised (decreased) tolerance. The airline would then need to weigh the cost implications of forgoing service revenue to realize a decreased variation in its performance target.
8. Performance
Introduction
Creating, preserving, realizing, and minimizing the erosion of an entity’s value is further enabled by identifying, assessing, and responding to risk that may impact the achievement of the entity’s strategy and business objectives. Risks originating at a transactional level may prove to be as disruptive as those identified at an entity level. Risks may impact one operating unit or the entity as a whole. They may be highly correlated with factors within the business context or with other risks. Further, risk responses may require significant investments in infrastructure or may be accepted as part of doing business. Because risk emanates from a variety of sources, a range of responses is required from across the entity and at all levels.
This component of the Framework focuses on practices that support the organization in making decisions
and achieving strategy and business objectives. To that end, organizations use their operating structure to
develop a practice that:
•• Identifies new and emerging risks so that management can deploy risk responses in a timely manner.
•• Assesses the severity of risk, with an understanding of how the risk may change depending on the
level of the entity.
•• Prioritizes risks, allowing management to optimize the allocation of resources in response to those risks.
•• Identifies and selects responses to risk.
•• Develops a portfolio view to enhance the ability for the organization to articulate the amount of risk
assumed in the pursuit of strategy and entity-level business objectives.
Figure 8.1 illustrates that these practices are iterative, with the inputs in one step of the process typically being the outputs of the previous step. The practices are performed across all levels and with responsibilities and accountabilities for appropriate enterprise risk management aligned with severity of the risk.
Figure 8.1: Linking Risk Assessment Processes, Inputs, Approaches, and Outputs
[Figure 8.1: of the figure’s content, only the assessment approaches are legible here: probabilistic modeling, non-probabilistic modeling, judgmental evaluations, and benchmarking.]
Identifying Risk
The organization identifies new, emerging, and changing risks to the achievement of the entity’s strategy and business objectives. It undertakes risk identification activities to first establish an inventory of risks, and then to confirm existing risks as being still applicable and relevant. As enterprise risk management practices are progressively integrated, the knowledge and awareness of risks are kept up-to-date through normal day-to-day operations. Some entities will supplement those activities from time to time in order to confirm the completeness of the risk inventory. How often an organization does this will depend on how quickly risks change or new risks emerge. Where risks are likely to take months or years to materialize, the frequency at which risk identification occurs will be less than where risks are less predictable or will occur at a greater speed.
New, emerging, and changing risks include those that:
•• Arise from a change in business objectives (e.g., the entity adopts a new strategy supported by business objectives or amends an existing business objective).
•• Arise from a change in business context (e.g., changes in consumer preferences for environmentally friendly or organic products that have potentially adverse impacts on the sales of the company’s products).
•• Pertain to a change in business context that may not have applied to the entity previously (e.g., a change in regulations that results in new obligations to the entity).
•• Were previously unknown (e.g., the discovery of a susceptibility for corrosion in raw materials used in the company’s manufacturing operations).
•• Were previously identified but have since been altered due to a change in the business context, risk appetite, or supporting assumptions (e.g., a positive increase in the expected sales forecasts affecting production capacity).
Emerging risks arise when business context changes, and they may alter the entity’s risk profile
in the future. Note that emerging risks may not be understood well enough to identify and initially
assess accurately, and may warrant re-identification more frequently. Additionally, organizations
should communicate evolving information about emerging risks.
Identifying new and emerging risks, or changes in existing risks, allows the organization to look to the future and gives it time to assess the potential severity of the risks as well as to take advantage of these changes. In turn, having time to assess the risk allows the organization to anticipate the risk response, or to review the entity’s strategy and business objectives as necessary.
Some risks may remain unknown: risks that the organization could not reasonably have been expected to consider during risk identification. These typically relate to changes in the business context. For example, the future actions or intentions of competitors are often unknown, but they may represent new risks to the performance of the entity.
Organizations want to identify those risks that are likely to disrupt operations and affect the reasonable expectation of achieving strategy and business objectives. Such risks represent significant change in the risk profile and may be either specific events or evolving circumstances. The following are some examples:
•• Emerging technology: Advances in technology that may affect the relevance and longevity of
existing products and services.
•• Expanding role of big data and data analytics: How organizations can effectively and efficiently
access, transform, and analyze large volumes of structured and unstructured data sources.
•• Depleting natural resources: The diminishing availability and increasing cost of natural
resources that affect the supply, demand, and location for products and services.
•• Rise of virtual entities: The growing prominence of virtual entities that influence the supply,
demand, and distribution channels of traditional market structures.
•• Mobility of workforces: Mobile and remote workforces that introduce new activities to the day-to-day operations of an entity.
•• Labor shortages: The challenges of securing labor with the skills and levels of education
required by entities to support performance.
•• Shifts in lifestyle, healthcare, and demographics: The changing habits and needs of current and
future customers as populations change.
•• Political environment: Actions by a government that alter operations of an industry in a country.
Embedded in identifying risk is identifying opportunities.22 That is, sometimes opportunities emerge
from risk. For example, changes in demographics and aging populations may be considered as both
a risk to the current strategy of an entity and an opportunity to renew the workforce to better pursue
growth. Similarly, advances in technology may represent a risk to distribution and service models for
retailers as well as an opportunity to change how retail customers obtain goods (e.g., through online
service). Where opportunities are identified, they are communicated through the organization to be
considered as part of setting strategy and business objectives.
22 This Framework distinguishes between positive events and opportunities. Positive events are those instances where
performance exceeds the original target. Opportunities are actions or potential actions that create or alter goals or
approaches for creating, preserving, and realizing value.
Because the impact of risks cannot be limited to specific levels or functions, identification activities should capture all risks, and regardless of where they are identified, all risks form part of the entity’s risk inventory. For example, an entity that identifies risks at the strategy level relating to board governance and achieving diversity targets must also consider these risks at a business objective level. Or an organization that identifies the risk of missing a customer billing deadline at a business objective level should consider the impact of that risk at the entity level.
To demonstrate that a comprehensive risk identification has been carried out, management will
identify risks and opportunities across all functions and levels—those risks that are common across
more than one function, as well as those that are unique to a particular product, service offering,
jurisdiction, or other function.
•• Cognitive computing allows organizations to collect and analyze large volumes of data to detect
future trends and meaningful insights in new and emerging risks as well as changes in existing
risks more efficiently than a human.
•• Data tracking from past events can help predict future occurrences. While historical data
typically is used in risk assessment—based on actual experience with severity—it can also be
used to understand interdependencies and develop predictive and causal models. Databases
developed and maintained by third-party service providers that collect information on incidents
and losses incurred by industry or region may inform the organization of potential risks. These
are often available on a subscription basis. In some industries, consortiums have formed to
share internal data.
•• Interviews solicit the individual’s knowledge of past and potential events. For canvassing large
groups of people, questionnaires or surveys may be used.
•• Key indicators are qualitative or quantitative measures that help to identify changes to existing
risks. Risk indicators should not be confused with performance measures, which are typically
retrospective in nature.
•• Process analysis involves developing a diagram of a process to better understand the interrelationships of its inputs, tasks, outputs, and responsibilities. Once mapped, risks can be identified and considered against relevant business objectives.
•• Workshops bring together individuals from different functions and levels to draw on the group’s collective knowledge and develop a list of risks as they relate to the entity’s strategy or business objectives.
Whatever approaches are selected, an organization considers how changes in assumptions underpinning the strategy and business objectives may create new or emerging risks. For example, in one case management assumed an exchange rate on par with the local currency for importing raw materials. The actual exchange rate, however, declined by more than 10%, which created a new risk to meeting overall profitability targets. Additionally, management considered the business context (the expected economic outlook for the entity, changing customer preferences, and anticipated growth rates) when conducting risk identification.
When identifying risks, the organization should aim to precisely describe the risk itself, rather than other considerations of that risk, such as the root causes of the risk, the potential impacts of the risk, or the potential effects of a poorly implemented risk response. Figure 8.4 compares descriptions of these other considerations, which are less helpful, to precise risk descriptions, which are preferred.
Figure 8.4 (the rows legible on this page):
Less helpful (potential effects of poorly implemented risk responses): “The risk that bank reconciliations fail to identify incorrect payments to customers.” Preferred: “The risk of incorrect payments to customers impacting the entity’s financial results.”
Less helpful (potential effects of poorly implemented risk responses): “The risk that quality assurance checks fail to detect product defects prior to distribution.” Preferred: “The risk of product defects impacting quality and safety goals.”
Accordingly, organizations are encouraged to describe risks by using a standard sentence structure.
Here are two possible approaches:
•• The possibility of [describe potential occurrence or circumstance] and the associated impacts
on [describe specific business objectives set by the organization].
-- Example: The possibility of a change in foreign exchange rates and the associated
impacts on revenue.
•• The risk to [describe the category set by the organization] relating to [describe the possible
occurrence or circumstance] and [describe the related impact].
-- Example: The risk to financial performance relating to a possible change in foreign
exchange rates and the impact on revenue.
Assessing Risk
Risks identified and included in an entity’s risk inventory are assessed in order to understand the severity of each to the achievement of an entity’s strategy and business objectives. Risk assessments inform the selection of risk responses. Given the severity of risks identified, management decides on the resources and capabilities to deploy in order for the risk to remain within the entity’s risk appetite.
23 Additional measures, including persistence, velocity, and complexity, are discussed in Principle 14.
Severity measures should align with the strategy and business objectives. Example 8.2 illustrates
how an organization identifies the risks to its business objectives and applies appropriate measures.
When different impacts are identified for a business objective, management provides guidance on
how to assess the severity of the impact. Where multiple impacts result in different assessments of
severity or require a different risk response, management determines if additional risks need to be
identified and assessed separately.
Assessment Approaches
Risk assessment approaches may be qualitative, quantitative, or a combination of both.
•• Qualitative assessment approaches, such as interviews, workshops, surveys, and benchmarking, are often used when it is neither practicable nor cost-effective to obtain sufficient data for quantification. Qualitative assessments are more efficient to complete; however, there are limitations in the ability to identify correlations or perform a cost-benefit analysis.
•• Quantitative assessment approaches, such as modeling, decision trees, Monte Carlo simulations, etc., allow for increased granularity and precision, and support a cost-benefit analysis. Consequently, quantitative approaches are typically used in more complex and sophisticated activities to supplement qualitative techniques. Quantitative approaches include:
-- Probabilistic models (e.g., value at risk, cash flow at risk, operational loss distributions) that associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Understanding how each risk factor could vary and impact cash flow, for example, allows management to better measure and manage the risk.
-- Non-probabilistic models (e.g., sensitivity analysis, scenario analysis) use subjective assumptions to estimate the impact of events on a business objective without quantifying an associated likelihood. For example, scenario analysis allows management to understand the impact on a business objective to increase profitability under different scenarios, such as a competitor releasing a new product, a disruption in the supply chain, or an increase in product costs.
Depending on how complex and mature the entity is, management may rely on a degree of judgment
and expertise when conducting the modeling. Regardless of the approach used, any assumptions
should be clearly stated.
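The following Python is an added worked example; it is not part of the COSO Framework and is not a method the Framework prescribes. It shows one way the probabilistic approach above is carried out for a single risk in the inventory: incident frequency and per-incident loss are sampled under stated assumptions, the annual loss distribution is built by Monte Carlo simulation, a value at risk is read off at a chosen confidence level, the figure is bridged back to the qualitative “low / medium / high” scale by comparing it with a risk appetite, and a sensitivity check shows how the output moves when one stated assumption (frequency) is changed while everything else, including the random seed, is held fixed. The class and function names (RiskAssumptions, assess, rate, sensitivity), the rating thresholds, the appetite figure and every numeric input are constructed for illustration.

```python
"""Added example: Monte Carlo operational-loss model for one risk.
Stdlib only; every number below is a constructed, illustrative assumption."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskAssumptions:
    """Stated assumptions for one risk in the inventory (hypothetical fields)."""
    name: str
    events_per_year: float   # expected incident frequency (Poisson rate)
    median_loss: float       # median loss per incident, currency units (lognormal)
    severity_sigma: float    # lognormal sigma: how dispersed the per-incident loss is


def _poisson(rng, lam):
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(a, years=20_000, seed=7):
    """One sample per simulated year: the sum of that year's incident losses.
    Frequency and severity are sampled separately and combined (compound Poisson)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    mu = math.log(a.median_loss)
    totals = []
    for _ in range(years):
        n = _poisson(rng, a.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, a.severity_sigma) for _ in range(n)))
    return totals


def quantile(samples, q):
    """Empirical quantile by rank; q=0.95 gives the 95th percentile."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def assess(a, confidence=0.95):
    """Severity measures for one risk: simulated expected annual loss, value at
    risk at the given confidence level, and the closed-form expected loss as a
    model check (lambda * median * exp(sigma^2 / 2) for a lognormal severity)."""
    losses = simulate_annual_losses(a)
    return {
        "expected_loss": sum(losses) / len(losses),
        "var": quantile(losses, confidence),
        "analytic_expected": a.events_per_year * a.median_loss
        * math.exp(a.severity_sigma ** 2 / 2),
    }


def rate(var, appetite):
    """Bridge the quantified figure back to a qualitative scale by comparing it
    with the risk appetite; the 50% / 100% thresholds are an assumption."""
    ratio = var / appetite
    if ratio < 0.5:
        return "low"
    if ratio <= 1.0:
        return "medium"
    return "high"


def sensitivity(a, frequency_factor, confidence=0.95):
    """Sensitivity check on one stated assumption: scale the frequency and
    recompute value at risk, keeping every other assumption (and the seed) fixed."""
    stressed = replace(a, events_per_year=a.events_per_year * frequency_factor)
    return {
        "base_var": assess(a, confidence)["var"],
        "stressed_var": assess(stressed, confidence)["var"],
    }


if __name__ == "__main__":
    # Constructed risk: the numbers are illustrative, not drawn from any source.
    breach = RiskAssumptions("customer data breach", events_per_year=3.0,
                             median_loss=50_000.0, severity_sigma=0.8)
    result = assess(breach)
    print(f"expected annual loss ~ {result['expected_loss']:,.0f} "
          f"(closed form {result['analytic_expected']:,.0f})")
    print(f"95% value at risk ~ {result['var']:,.0f} -> rated "
          f"{rate(result['var'], appetite=600_000.0)} against a 600,000 appetite")
    print("frequency doubled:", sensitivity(breach, 2.0))
```

The closed-form expected loss is there as the check the passage asks for: stated assumptions should reproduce a known quantity, and a simulated mean far from it means the model, not the risk, is wrong. The value at risk sits well above the expected loss because the loss distribution is right-skewed, which is exactly the information a qualitative “medium” rating cannot carry.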
The anticipated severity of a risk may influence the type of approach used. In assessing risks that could have extreme impacts, management may use scenario analysis, but when assessing the effects of multiple events, management might find simulations more useful (e.g., stress testing). Conversely, high-frequency, low-impact risks may be more suited to data tracking and cognitive computing. To reach consensus on the severity of risk, organizations may employ the same approach they used as part of the risk identification.
Assessments may also be performed across the entity by different teams. In this case, the organization establishes an approach to review any differences in the assessment results. For example, if one team rates particular risks as “low,” but another team rates them as “medium,” management reviews the results to determine if there are inconsistencies in approach, assumptions, and perspectives of business objectives or risks.
Finally, part of risk assessment is seeking to understand the interdependencies that may exist between risks. Interdependencies can occur where multiple risks impact one business objective or where one risk triggers another. Risks can occur concurrently or sequentially. For example, for a technology innovator the delay in launching new products results in a concurrent loss of market share and dilution of the entity’s brand value. How management understands interdependencies will be reflected in the assessment of severity.
•• Confirm that risk is within risk appetite.
•• Compare the severity of a risk at various points of the curve.
•• Assess the disruption point in the curve, at which the amount of risk greatly exceeds the appetite of the entity and may impact its performance or the achievement of its strategy and business objectives.
[Figure 8.9: Business Objective Risk Profile. Axes: Risk (vertical) against Performance (horizontal); the figure shows the risk curve, risk appetite, the target, and actual performance.]
In addition, management considers how different risks may present different impacts to the same business objective. For example, a hardware store franchise identifies the risk of poor sales due to not stocking a diverse product range that will appeal to a broad group of customers. Management is also aware that changes in marketing and advertising efforts can significantly affect sales. Focusing on the business objective of sales, management is able to better understand the risks that have an impact on sales. Understanding the severity of different risks to the same business objective, management can make risk-aware decisions about the diversity of products in stock and the desired budget to spend on marketing and advertising costs in order to manage the risk of low sales.
Bias in Assessment
Management should identify and mitigate the effect of bias in carrying out risk assessment practices. For example, confirmation bias may support a pre-existing perception of a known risk.
Additionally, how a risk is framed can also affect how risks are interpreted and assessed. For example, for a given risk, there may be a range of potential impacts, each with a separate likelihood. Thus, a risk with a low likelihood but high impact could have the same expected outcome as a high-likelihood, low-impact risk; however, one risk may be acceptable to the organization while the other is not. As such, the manner in which the risk is presented and framed to management is critical to mitigate any bias.
Bias may result in the severity of a risk being under- or overestimated, and limit how effective the selected risk response will be. Underestimating the severity may result in an inadequate response, leaving the entity exposed and potentially outside of the entity’s risk appetite. Overestimating the severity of a risk may result in resources being unnecessarily deployed in response, creating inefficiencies in the entity. Additionally, it may hamper the performance of the entity or affect its ability to identify new opportunities.
Prioritizing Risk
Risks with similar assessments of severity may be prioritized differently. That is, two risks may both be assessed as “medium,” but management may give one more priority because it has greater velocity and persistence (see Example 8.3), or because the risk response for one risk provides a higher risk-adjusted return than for other risks of similar severity.
How a risk is prioritized typically informs the risk responses that management considers. The most effective responses address both severity (impact and likelihood) and prioritization of a risk (velocity, complexity, etc.).
Example 8.3: Prioritizing Risk
For a large restaurant chain, responding to the risk that customer complaints remain unresolved and attract adverse attention in social media is considered a greater priority than responding to the risk of protracted contract negotiations with vendors and suppliers. Both risks are severe, but the speed and scope of on-line scrutiny may have a greater impact on the performance and reputation of the restaurant chain, necessitating a quicker response to negative feedback.
24 The criteria may also be used as a consideration when assessing the severity of a risk as discussed in Principle 11.
Risks of greater priority are more likely to be those that affect the entity as a whole or arise at the
entity level. For example, the risk that new competitors will introduce new products and services
to the market may require greater adaptability and a review of the entity’s strategy and business
objectives in order for the entity to remain viable and relevant.
Bias in Prioritization
Management must strive to prioritize risks and manage competing business objectives relating to
the allocation of resources free from bias. Competing business objectives may include securing
additional resources, achieving specific performance measures, qualifying for personal incentives
and rewards, or obtaining other specific outcomes.
Additional Considerations
Selecting one risk response may introduce new risks that have not been previously identified or may
have unintended consequences. For example, for the fruit farmer in Example 8.5, the risk of floods
damaging the crops was reduced by purchasing insurance; however, the farmer may now be at risk
of low cash flow.
For newly identified risks, management should assess the severity and related priority, and determine the effectiveness of the proposed risk response. On the other hand, selecting a risk response may present new opportunities not previously considered. Management may identify innovative responses, which, while fitting with the response categories described earlier, may be entirely new to the entity or even an industry. Such opportunities may surface when existing risk response options reach the limit of effectiveness, and when further refinements will likely provide only marginal changes to the severity of a risk. Management channels any new opportunities back to strategy-setting.
•• Partial Integration—Risk Profile View: Adopting a more integrated view, an organization focuses on business objectives and the risks that align with those objectives (e.g., all objectives potentially impacted by compliance‑related risks). Further, dependencies that may exist between business objectives are identified and considered. For example, an objective of enhancing operational excellence may be a prerequisite for strengthening the balance sheet and growing market share. This view relies on information used to create the risk-centric or risk-category view.
•• Full Integration—Portfolio View: At this level, the focus shifts to the overall entity strategy and
business objectives. Greater integration supports identifying, assessing, responding to, and
reviewing risk at the appropriate levels for decision-making. Boards and management focus
greater attention on the achievement of strategy while responsibility and management of
business objectives and individual risks within the risk inventory cascade throughout the entity.
Using the same example, the board reviews and challenges management on how the entity is
enhancing its operational excellence including the management of compliance-related risks.
In developing the portfolio view, organizations may observe risks that:
•• Increase in severity as they are progressively consolidated to higher levels within the entity.
•• Decrease in severity as they are progressively consolidated.
•• Offset other risks by acting as natural hedges.
•• Demonstrate a positive or negative correlation to changes occurring in the severity of
other risks.
[Figure 8.10: Portfolio Risk View. Strategy shown: “Our strategy is to leverage product design and customer service to become the industry leader.” Business objectives shown beneath it: Optimizing Working Capital; Minimizing Losses and Inefficiencies; Satisfying All Compliance Obligations; Maintaining Customer Satisfaction; Improving Quality of Credit; Market Leader on Innovative New Products; Investing in Best-in-Class Technology Solutions.]
Using Figure 8.10 as an example, an organization develops its portfolio view and observes the following characteristics:
•• Severity of technology disruptions increases as risks are progressively aggregated, recognizing the reliance that multiple businesses have on common operating systems and technology.
•• Risk of counterparty defaults decreases in severity as the entity does not have a single creditor considered large enough to impact the entity as a whole.
•• Risk of low sales from multiple operating units may act as a natural hedge where low sales in one operating unit are offset by strong sales in another.
•• Risk of currency fluctuations may also act as a natural hedge where currency changes in one country offset changes in another.
•• Strong positive correlation between the risk of product recalls and the risk of compliance breaches increases the priority of risk responses to both risks.
•• Strong positive correlation between the business objectives of investing in best-in-class technology solutions and minimizing losses and inefficiencies is taken into account when selecting associated risk responses.
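The consolidation effects listed above can be made concrete. The following Python is an added example, not the Framework’s own, and rests on a simplifying assumption: each risk’s severity is summarized by a single dispersion figure (a standard deviation of its annual loss, in currency units), and the portfolio view is obtained as sqrt(Σ_i Σ_j σ_i σ_j ρ_ij) from a stated correlation matrix. With that assumption, positively correlated risks (for example, operating units that rely on the same technology) consolidate toward the plain sum of the individual figures, independent risks diversify, and negatively correlated risks (the natural hedges in the text) offset one another. Pairs with a strong positive correlation are also flagged so that their responses can be prioritized together, as the product-recall and compliance-breach bullet describes. The risk names, numbers, appetite figure, correlation threshold and function names are constructed for illustration.

```python
"""Added example: consolidating individual risks into a portfolio view
under a stated correlation matrix. Constructed numbers, stdlib only."""
import math
from itertools import combinations

# Constructed risk inventory: (name, annual-loss dispersion in currency units).
# Using the dispersion figure as "severity" is an assumption of this example.
RISKS = [
    ("technology disruption, unit A", 400_000.0),
    ("technology disruption, unit B", 400_000.0),
    ("low sales, unit A", 300_000.0),
    ("low sales, unit B", 300_000.0),
    ("product recall", 250_000.0),
    ("compliance breach", 250_000.0),
]

# Constructed correlation matrix, same order as RISKS. Shared technology makes
# the two disruption risks move together; sales in the two units partly offset
# each other; recalls and compliance breaches tend to occur together.
CORR = [
    [1.0, 0.9, 0.0, 0.0, 0.0, 0.0],
    [0.9, 1.0, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 1.0, -0.6, 0.0, 0.0],
    [0.0, 0.0, -0.6, 1.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 1.0, 0.8],
    [0.0, 0.0, 0.0, 0.0, 0.8, 1.0],
]


def validate_correlation(corr):
    """Return a list of problems (empty if usable): the matrix must be square,
    symmetric, have a unit diagonal, and keep every entry within [-1, 1]."""
    n = len(corr)
    if any(len(row) != n for row in corr):
        return ["matrix is not square"]
    problems = []
    for i in range(n):
        if abs(corr[i][i] - 1.0) > 1e-9:
            problems.append(f"diagonal entry {i} is {corr[i][i]}, expected 1")
        for j in range(i + 1, n):
            if not -1.0 <= corr[i][j] <= 1.0:
                problems.append(f"entry ({i}, {j}) outside [-1, 1]")
            if abs(corr[i][j] - corr[j][i]) > 1e-9:
                problems.append(f"entries ({i}, {j}) and ({j}, {i}) differ")
    return problems


def aggregate_severity(sigmas, corr):
    """Dispersion of the sum of the risks: sqrt(sum_ij sigma_i * sigma_j * rho_ij)."""
    problems = validate_correlation(corr)
    if problems:
        raise ValueError("; ".join(problems))
    if len(sigmas) != len(corr):
        raise ValueError("one sigma per row of the correlation matrix")
    n = len(sigmas)
    var = sum(sigmas[i] * sigmas[j] * corr[i][j] for i in range(n) for j in range(n))
    return math.sqrt(max(var, 0.0))   # rounding can push a zero variance slightly negative


def consolidation_effect(sigmas, corr):
    """Compare the consolidated figure with two reference points: the plain sum
    (perfect positive correlation) and the independent case (all rho = 0)."""
    aggregated = aggregate_severity(sigmas, corr)
    independent = math.sqrt(sum(s * s for s in sigmas))
    if aggregated > independent * (1 + 1e-9):
        label = "increases on consolidation"   # net positive correlation
    elif aggregated < independent * (1 - 1e-9):
        label = "offset by natural hedges"     # net negative correlation
    else:
        label = "diversifies"                  # independent risks
    return {"aggregated": aggregated, "independent": independent,
            "naive_sum": sum(sigmas), "label": label}


def strongly_correlated_pairs(names, corr, threshold=0.7):
    """Pairs correlated strongly enough that their responses should be
    prioritized together; the 0.7 threshold is an assumption."""
    idx = range(len(names))
    return [(names[i], names[j]) for i, j in combinations(idx, 2) if corr[i][j] >= threshold]


def portfolio_view(risks=RISKS, corr=CORR, appetite=1_200_000.0):
    """Entity-level view: consolidated severity, its relation to the individual
    figures, whether it sits within the (constructed) appetite, and flagged pairs."""
    names = [name for name, _ in risks]
    sigmas = [sigma for _, sigma in risks]
    view = consolidation_effect(sigmas, corr)
    view["within_appetite"] = view["aggregated"] <= appetite
    view["raise_priority_together"] = strongly_correlated_pairs(names, corr)
    return view


if __name__ == "__main__":
    for key, value in portfolio_view().items():
        print(f"{key}: {value}")
```

Two readings matter for a portfolio view. The consolidated figure is far below the plain sum of the individual severities, which is the diversification a risk-centric view cannot see, yet it is above the independent case because the shared technology and the recall/compliance linkage dominate the sales hedge. The validation step is deliberate: a correlation matrix assembled by hand across teams is exactly where asymmetric or out-of-range entries creep in, and an invalid matrix produces a consolidated number that looks plausible but means nothing.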
Developing a portfolio view of the risks to the entity enables risk-based decision-making and helps
set performance targets and manage changes in either the performance or the risk profile. Important
considerations in setting targets and responding to change include understanding which risks are
likely to increase or decrease, whether new risks are introduced, and whether existing ones become
less relevant. By using a portfolio view to understand the relationship between risk and performance,
the organization can assess the results of the strategy and business objectives in accordance with
the entity’s risk appetite.
Stress testing helps an organization understand how the shape or height of the risk curve may respond to potential changes. For example:
•• Validation of events that could become disruptive and cause the risk curve to exceed risk appetite (e.g., the magnitude of a potential funding gap that impacts the viability of the business, which would be represented by the intersection of the risk curve with the risk appetite of the entity).
•• The extent to which the risk curve may shift up or down in response to a change (e.g., confirming to what extent changing economic health indicators such as unemployment levels and gross domestic product represent a sufficient deterioration in the business context to cause the risk curve to shift up).
•• Risk responses that can cause sections of the curve to become flatter (e.g., diversifying products, entering into new financial hedging strategies, or purchasing additional insurance).
•• The ease with which the organization can move along the curve: the speed and agility of the organization in making decisions and travelling along the risk curve to a new desired intersection of risk and performance (e.g., the ability and speed of adjusting production volumes in response to changes in sales).
These practices help to assess the adaptive capacity of the entity. They also invite management to challenge the assumptions underpinning the selection of the entity’s strategy and assessment of the risk profile. As such, analysis of the portfolio view can also form part of an organization’s evaluation in selecting a strategy or establishing business
[Figure 8.11: Risk Profile Showing Risk as a Portfolio View. Axes: Risk (vertical) against Performance (horizontal). The risk profile curve is the sum (∑) of the total risks that represent the portfolio view; also shown are risk appetite, the target, and the risk at target level.]
Introduction
An entity’s strategy or business objectives and enterprise risk management practices and capabilities may change over time as the entity adapts to shifting business context. In addition, the business context in which the entity operates can also change, resulting in current practices no longer applying or no longer being sufficient to support the achievement of current or updated business objectives. As necessary, the organization revises its practices or supplements its capabilities.
Internal Environment
•• Rapid growth: When operations expand quickly, existing structures, business activities,
information systems, or resources may be affected. Information systems may not be able to
effectively meet risk information requirements because of the increased volume of transactions.
Risk oversight roles and responsibilities may need to be redefined in light of organizational and
geographical changes due to an acquisition. Resources may be strained to the point where
existing risk responses and actions break down. For instance, supervisors may not successfully
adapt to higher activity levels that require adding manufacturing shifts or increasing personnel.
•• Innovation: Whenever innovation is introduced, risk responses and management actions will
likely need to be modified. For instance, introducing sales capabilities through mobile devices
may require access controls specific to that technology. Training may be needed for users.
Innovation technology may also enhance enterprise risk management. For example, a new
system of using mobile devices that captures previously unavailable sales information gives
management the ability to monitor performance, forecast potential sales, and make real-time
inventory decisions.
•• Substantial changes in leadership and personnel: A change in management may affect enter-
prise risk management. A newcomer to management may not understand the entity’s culture
and may have a different philosophy, or may focus solely on performance to the exclusion of
risk appetite or tolerance.
Review and Revision
External Environment
•• Changing regulatory or economic environment: Changes to regulations or in the economy
can result in increased competitive pressures, changes in operating requirements, and dif-
ferent risks. If a large-scale failure in operations, reporting, and compliance occurs in one
entity, regulators may introduce broad regulations that affect all entities within an industry.
For instance, if toxic material is released in a populated or environmentally sensitive area, new
industry-wide transportation restrictions may be introduced that affect an entity’s shipping
logistics. If a publicly traded company is seen to have poor transparency, enhanced regulatory
reporting requirements may be introduced for all public companies. The revelation of patients
being treated poorly in one care facility may prompt additional requirements for all care facil-
ities. And a more competitive environment may drive individuals to make decisions that are
not aligned with the entity’s risk appetite and increase the risk exposures to the entity. Each of
these changes may require an organization to closely examine the design and application of its
enterprise risk management.
Identifying substantial changes, evaluating their effects, and responding to the changes are iterative
processes that can affect several components of enterprise risk management. It can be useful to
conduct a “post mortem” after a risk event to review how well the organization responded and to
consider what lessons learned could be applied to future events.
If an organization determines that performance does not fall within its acceptable variation, or that
the target performance results in a different risk profile than what was expected, it may need to:
•• Review business objectives: An organization may choose to change or abandon a business
objective if the performance of the entity is not achieved within acceptable variation.
•• Review strategy: Should the performance of the entity result in a substantial deviation from
the expected risk profile, the organization may choose to revise its strategy. In this case, it
may choose to reconsider alternative strategies that were previously evaluated, or identify new
strategies.
•• Review culture: An organization may wish to review its culture and determine whether it is
embracing the actions in a risk-aware manner. Is the organization comfortable taking enough
risk to succeed, or is it prone to taking too much risk and incurring adverse outcomes?
•• Revise target performance: An organization may choose to revise the target performance level
to reflect a better understanding of the reasonableness of potential performance outcomes and
the corresponding severity of risks to the business objective.
•• Reassess severity of risk results: An organization may redo the risk assessment for relevant risks; the results may change because of changes in the business context, the availability of new data or information that enables a more accurate assessment, or challenges to the assumptions underpinning the initial assessment.
•• Review how risks are prioritized: An organization may decide to either raise or lower the priority
of identified risks to support reallocating resources. The change reflects a revised assessment
of the prioritization criteria previously applied.
•• Revise risk responses: An organization may consider altering or adding responses to bring
risk in line with the target performance and risk profile. For risks that are reduced in severity,
an organization may redeploy resources to other risks or business objectives. For risks that
increase in severity, the organization may bolster responses with additional processes, people,
infrastructure, or other resources. As part of reviewing risk responses, the organization may
also consider monitoring activities developed and implemented as part of internal control.26
•• Revise risk appetite: Corrective actions are typically undertaken to maintain or restore the align-
ment of the risk profile with the entity’s risk appetite, but can extend to revising it. However, this
action requires review and approval by the board or other risk oversight body.
The extent of any corrective actions must align with the magnitude of the deviation in performance,
the importance of the business objective, and the costs and benefits associated with altering risk
responses. Consider, for example, a small retailer that stocks a significant portion of its inventory
from local producers. The retailer monitors the financial results of its shop on a weekly basis and
realizes locally produced goods are not sufficiently profitable to meet its financial goals. It there-
fore decides to revise its business objective of sourcing locally and begins to import less expensive
goods to improve its financial performance. The retailer also recognizes that this change may affect
other risks, such as logistics, currency fluctuations, and time to market.
Where reviewing performance repeatedly identifies new risks that were not identified through the
organization’s risk identification practices, or where the actual risk is inconsistent with severity
ratings, management determines whether a review of enterprise risk management practices is
warranted. A more detailed discussion on reviewing the risk assessment practices can be found in
Principle 17.
Pursuing Improvement
Even those entities with suitable enterprise risk management can become more efficient. By embedding continual evaluations into business practices, organizations can systematically identify potential improvements to their enterprise risk management practices. Separate evaluations may also be helpful.27 Pursuing improved enterprise risk management should occur throughout the entity (see Example 9.2).
Example 9.2: Continual Improvement
A government agency learns that it has stronger practices in place for establishing and implementing governance capabilities and for instilling the desired culture. Conversely, the organization’s practices for establishing and implementing information and communications capabilities present opportunities for improvement. While management monitors improvement opportunities for all enterprise risk management components, it concentrates on developing its information and communications practices.
Management pursues continual improvement throughout the entity (functions, operating units, divisions) to improve the efficiency and usefulness of enterprise risk management at all levels. Opportunities to revisit and improve efficiency and usefulness may occur in any of the following areas:
•• New technology: New technology may offer an opportunity to improve efficiency. For example,
an entity that uses customer satisfaction data finds it voluminous to process. To improve effi-
ciency it implements a new data-mining technology that pinpoints key data points quickly and
accurately.
•• Historical shortcomings: Reviewing performance can identify historical shortcomings or the
causes of past failures, and that information can be used to improve enterprise risk manage-
ment. For example, management in an entity observes that there have been shortcomings
noted over time related to risk assessment. Although management compensates for these, the
organization decides to improve its risk assessment practices to reduce the number of short-
comings and enhance enterprise risk management.
•• Organizational change: By pursuing continual improvement, an organization can identify the
need for organizational changes such as a change in the governance structure. For example,
an enterprise risk management function reports to the chief financial officer, but when the entity
redevelops its strategy group, it decides to realign the responsibility for enterprise risk manage-
ment to that reorganized group.
•• Risk appetite: Reviewing performance provides clarity on factors that affect the entity’s risk
appetite. It also gives management an opportunity to refine its risk appetite. For example, man-
agement may monitor the performance of a new product over a year and assess the volatility
of the market. If management determines that the market is performing well and is less volatile
than originally thought, the organization can respond by increasing its risk appetite for similar
future initiatives.
•• Risk categories: An organization that continually pursues improvement can identify patterns as the business changes, which can lead the entity to revise its risk categories. For example, one entity’s risk categories do not include cyber risk, but now that the entity has decided to offer several on-line products and services, it is revising the categories to include cyber risk so it can accurately map its strategy.
27 Readers may also wish to review the discussion on monitoring activities in Internal Control–Integrated Framework.
•• Communications: Reviewing performance can identify outdated or poorly functioning com-
munication processes. For example, in reviewing performance an organization discovers that
emails are not successfully communicating its initiatives. In response, the organization decides
to highlight initiatives through a blog and instant message feed to appeal to its changing
workforce.
•• Peer comparison: Reviewing industry peers can help an organization determine if it is operating
outside of industry performance boundaries. For example, a global package delivery provider
discovered during a peer review that its operations in Asia were performing significantly below
its major competitor. Consequently, it is planning to review and, if necessary, revise its strategy
to increase its competitiveness and, hence, its performance in Asia.
•• Rate of change: Management considers the rate that the business context evolves or changes.
For example, an entity in an industry where technology is quickly changing or where organiza-
tional change happens often may have more frequent opportunities to improve the efficiency
and usefulness of enterprise risk management, but an entity operating in an industry with a
slower rate of change in technology will likely have fewer opportunities.
10. Information, Communication, and Reporting
Introduction
Advances in technology and business have resulted in exponential growth in volume of, and atten-
tion on, data. Organizations today are challenged by the enormous quantity of data and the speed
at which it all must be processed, organized, and stored. With so much data available, organizations
may be feeling weighed down by “information overload.” In this environment, it is important that
organizations provide the right information, in the right form, at the right level of detail, to the right
people, at the right time.
Organizations transform data into information about stakeholders, products, markets, and compet-
itor actions. Through their communication channels, they can provide timely, relevant information to
targeted audiences. Organizations can also structure data and information into consistent catego-
ries. In this way, they can identify risks that could affect the entity’s strategy and business objectives.
Data Sources
Data that is transformed into information becomes knowledge (e.g., analysis of comments posted
on social media identifies potential risks to the entity’s brand). Therefore, data requirements should
be based on information requirements. Example 10.2 illustrates how a company determines that it
requires data in order to provide compliance information to an external stakeholder.
Data can be collected from a variety of sources and in a variety of forms. Figure 10.1 lists examples
of structured and unstructured data.
Managing Data
Data must be well managed to provide the right information to support risk-aware decisions. That
requires capturing and preserving the quality of the data while allowing different technologies to
exchange and use it. Effective data management considers three key elements: data and informa-
tion governance, processes and controls, and architecture.
•• Data and information governance help to deliver standardized, high-quality data to end users
in a timely, verifiable, and secure manner. They also help to standardize data architecture,
authorize standards, assign accountability, and maintain quality. As well, they define clear roles
and responsibilities for data owners and risk information owners.
•• Processes and controls help an entity reinforce the reliability of data and allow for corrections
to be made as needed. For example, organizations may have a process to identify instances
and patterns of both low- and high-quality data, and whether that data is relevant to meeting
requirements. Or they may be able to identify data consistency, redundancy, availability, and
accuracy. But managing data requires more than using processes and controls to ensure its
quality. It also involves preventing issues of quality from occurring in the first place.
•• Data management architecture refers to the fundamental design of the technology. It is com-
posed of models, policies, rules, or standards that dictate which data is collected and how it is
stored, arranged, integrated, and put to use in systems and in the organization. Organizations
implement standards and provide rules for structuring information so that the data can be reli-
ably read, sorted, indexed, retrieved, and shared with both internal and external stakeholders,
ultimately protecting its long-term value.
Changing Requirements
Management leverages and designs its technology to meet a broad range of requirements, includ-
ing those due to internal and external changes. As entities respond to changes in the business
context in which they operate and adapt their strategy and business objectives, they must also
review their technologies. For instance, shifting customer expectations may require organizations to
change their technology to allow for more timely information gathering and more active reviewing of
comments on social media.
Methods of Communicating
For information to be received as intended, it must be communicated clearly. To be sure com-
munication methods are working, organizations should periodically evaluate them. This can be
done through existing processes such as stating expectations for enterprise risk management in
employee performance goals and subsequent periodic performance evaluations.
Communication methods vary widely, from holding face-to-face meetings, to posting messages
on the entity’s intranet, to announcing a new product at an industry convention, to broadcasting to
shareholders globally through social media and newswires.
Communication methods can take the form of:
•• Electronic messages (e.g., emails, social media, text messages, instant messaging).
•• External/third-party materials (e.g., industry, trade, and professional journals, media reports,
peer company websites, key internal and external indexes).
•• Informal/verbal communications (e.g., one-on-one discussions, meetings).
•• Public events (e.g., roadshows, town hall meetings, industry/technical conferences).
•• Training and seminars (e.g., live or on-line training, webcast and other video forms, workshops).
•• Written internal documents (e.g., briefing documents, dashboards, performance evaluations,
presentations, questionnaires and surveys, policies and procedures, FAQs).
In addition to the list above, separate lines of communication are needed when normal channels
are inoperative or insufficient for communicating matters requiring heightened attention. Many
organizations provide a means to communicate anonymously to the board of directors or a board
delegate—such as a whistle-blower hotline. Many organizations also establish escalation protocols
and policies to facilitate communication when there are exceptions in standards of conduct or inap-
propriate behaviors occurring.
It is also important to understand the governance and operating structures of respective report
users. Each report user will require different levels of detail of risk and performance information in
order to fulfill their responsibilities in the entity. Reporting must also make clear the interrelationships
between users, and the related effect across the entity.
Risk information presented at different levels cascades down into the entity and flows up to support
higher levels of reporting. For example, reports to the board support decisions on risk appetite
and company strategy. Reports to senior management present a more granular level and support
decisions on strategic-setting and budgeting, as well as decisions at the divisional and/or func-
tional level. The next layer of reporting is even more granular and supports divisional and functional
leaders in planning, budgeting, and day-to-day operations. This level of reporting should align with
senior management reporting and board reporting. At higher levels, risk reporting encapsulates the
portfolio view.
Risk reporting may be done by any team within the operating structure. Teams prepare reports, disclosing information in accordance with their risk management responsibilities. For example, teams may prepare risk information as part of financial and budgeting planning submissions to support requests for additional resources to maintain the risk profile or prevent it from deteriorating.
Reporting Attributes
Reporting combines quantitative and qualitative risk information, and the presentation can range
from being fairly simple to more complex depending on the size, type, and complexity of the entity.
Risk information supports management in decision-making, although management must still exercise judgment in pursuing business objectives and in weighing the business context.
In reporting, history can relay meaningful, useful information, but an emphasis on being forward-
looking is of more benefit. Knowing the end-to-end processes taken to fulfill an entity’s mission
and vision, as well as the business environment in which the entity operates, can help management
connect historical information to potential early-warning information. Early-warning analytics of key
trends, emerging risks, and shifts in performance may require both internal and external information.
Types of Reporting
Risk reporting may include any or all of the following:
•• Portfolio view of risk outlines the severity of the risks at the entity level that may impact the
achievement of strategy and business objectives. The reporting of the portfolio view highlights
the greatest risks to the entity, interdependencies between specific risks, and opportunities.
The portfolio view of risk is typically found in management and board reporting.
•• Profile view of risk, similar to the portfolio view, outlines the severity of risks, but focuses on
different levels within the entity. For example, the risk profile of a division or operating unit may
feature in designated risk reporting for management or those areas of the entity.
•• Analysis of root causes enables users to understand assumptions and changes underpinning
the portfolio and profile views of risk.
•• Sensitivity analysis measures how sensitive the strategy and business objectives are to changes in the key assumptions embedded in the strategy.
•• Analysis of new, emerging, and changing risks provides the forward-looking view to anticipate
changes to the risk inventory, effects on resource requirements and allocation, and the antici-
pated performance of the entity.
•• Key performance indicators and measures outline the tolerance of the entity and potential risk
to a strategy or business objective.
•• Trend analysis demonstrates movements and changes in the portfolio view of risk, risk profile,
and performance of the entity.
•• Disclosure of incidents, breaches, and losses provides insight into effectiveness of risk
responses.
•• Tracking enterprise risk management plans and initiatives provides a summary of the plan and
initiatives in establishing or maintaining enterprise risk management practices. Investment in
resources, and the urgency by which initiatives are completed, may also reflect the commitment
to enterprise risk management and culture by organizational leaders in responding to risks.
Risk reporting is supplemented by commentary and analysis by subject matter experts. For
example, compliance, legal, and technology experts often provide commentary and analysis on the
severity of risk, effectiveness of risk responses, drivers for changes in trend analysis, and industry
developments and opportunities the entity may have.
There are a number of ways management may report to a board, but it is critical that the focus of
reporting be the link between strategy, business objectives, risk, and performance. Reporting to
the board is the highest level of reporting and will include the portfolio view. Reporting to the board
should foster discussions of the performance of the entity in meeting its strategy and business
objectives and impact of potential risk in meeting those objectives.
Reporting on Culture
An entity’s culture is grounded in behavior and attitudes, and measuring it is often a very complex
task. Reporting on culture may be embodied in:
•• Analytics of cultural trends.
•• Benchmarking to other entities or standards.
•• Compensation schemes and the potential influence on decision-making.
•• “Lessons learned” analyses.
•• Reviews of behavioural trends.
•• Surveys of risk attitudes and risk awareness.
Key Indicators
Key indicators are used to predict a risk manifesting. They are usually quantitative, but can be qualitative. Key indicators are reported to the levels of the entity that are in the best position to manage the onset of a risk where necessary. They should be reported in tandem with key performance indicators to demonstrate the interrelationship between risk and performance. Key indicators support a proactive approach to performance management (see Example 10.5).
Example 10.5: Using Key Indicators
A government agency wants to retain competent individuals. The business objective that supports retaining competent individuals has as a target maintaining turnover rates at less than 5% per year. A key indicator would be a percentage of personnel eligible to retire within five years. Anything higher than 5% indicates that risk to the target is potentially manifesting. A key performance indicator is the actual turnover rate. Key performance indicators are based on historical performance, and while understanding historical performance can establish baselines, the rate trending upwards would not necessarily identify a risk manifesting.
Key indicators and key performance indicators can be reflected in a single measure. For example, in a manufacturing company, production volumes and the thresholds around them can be viewed through a risk lens. Production volumes above the target can be seen as potential risks to quality, and production volumes below the target can suggest potential risk such as supplier delays, labor shortages, or equipment downtime.
Key indicators are reported along with corresponding targets and acceptable variations. Knowing
where an entity lies on the culture spectrum, whether risk averse or risk aggressive, will help deter-
mine the key indicators and key performance indicators that are tracked as well as the acceptable
variation in performance.
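The pairing in Example 10.5, reported against a target and an acceptable variation, expressed as code. This is an added illustration, not part of the COSO framework or its guidance. It assumes a constructed staff list, a 5% target taken from the example, an acceptable variation of 2 percentage points above the target (an assumed value), and a three-way status: below the target is on target, within target plus variation is acceptable, anything beyond is a deviation to report.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Employee:
    emp_id: str
    retirement_eligible: date          # date on which the person may retire
    left_on: Optional[date] = None     # departure date if the person has left


@dataclass
class Indicator:
    name: str
    kind: str            # "key indicator" (forward-looking) or "KPI" (historical)
    value: float         # fraction, 0.05 == 5%
    target: float        # the objective: stay below this
    tolerance: float     # acceptable variation above the target (assumed value)

    @property
    def status(self) -> str:
        """Classify the reading against the target and its acceptable variation."""
        if self.value < self.target:
            return "within target"
        if self.value <= self.target + self.tolerance:
            return "within acceptable variation"
        return "outside acceptable variation"


def _add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def active_on(staff: List[Employee], when: date) -> List[Employee]:
    """Everyone still employed on the given date."""
    return [e for e in staff if e.left_on is None or e.left_on >= when]


def retirement_eligibility_indicator(staff, as_of, horizon_years=5,
                                     target=0.05, tolerance=0.02) -> Indicator:
    """Key indicator: share of active staff who may retire within the horizon.
    It looks forward, so it can flag the turnover risk before it manifests."""
    active = active_on(staff, as_of)
    cutoff = _add_years(as_of, horizon_years)
    eligible = [e for e in active if e.retirement_eligible <= cutoff]
    value = len(eligible) / len(active) if active else 0.0
    return Indicator("eligible to retire within %d years" % horizon_years,
                     "key indicator", value, target, tolerance)


def turnover_kpi(staff, period_start, period_end,
                 target=0.05, tolerance=0.02) -> Indicator:
    """KPI: departures during the period divided by headcount at its start.
    It is historical: it records turnover that has already happened."""
    start = active_on(staff, period_start)
    left = [e for e in start
            if e.left_on is not None and period_start <= e.left_on <= period_end]
    value = len(left) / len(start) if start else 0.0
    return Indicator("annual turnover rate", "KPI", value, target, tolerance)


# Constructed sample (not real data): 20 staff, none eligible before 2030 ...
SAMPLE_STAFF: List[Employee] = [
    Employee("E%02d" % i, retirement_eligible=date(2030 + i, 1, 1)) for i in range(20)
]
# ... except two who become eligible inside the five-year horizon,
SAMPLE_STAFF[0].retirement_eligible = date(2019, 7, 1)
SAMPLE_STAFF[1].retirement_eligible = date(2021, 3, 15)
# and one person who left during 2017.
SAMPLE_STAFF[2].left_on = date(2017, 6, 30)


def retention_report(staff=SAMPLE_STAFF, year=2017) -> dict:
    """Report the forward-looking indicator beside the historical KPI."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    return {
        "key_indicator": retirement_eligibility_indicator(staff, start),
        "kpi": turnover_kpi(staff, start, end),
    }


if __name__ == "__main__":
    for ind in retention_report().values():
        print("%-38s %-14s %5.1f%%  target <%.0f%%  -> %s"
              % (ind.name, ind.kind, 100 * ind.value, 100 * ind.target, ind.status))
```

On the constructed sample the turnover KPI sits at exactly 5%, inside the acceptable variation, while the forward-looking indicator is already at 10%, outside it: the historical measure alone would not have signalled the risk, which is the point the example makes. The same structure fits any leading indicator paired with a lagging measure, such as the production-volume thresholds the text mentions.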