The new COSO ERM framework

Whenever we talk about risk management, what often comes to mind are worst-case scenarios, additional capital requirements, and crisis-management plans; the kind of things that keep management and the board of directors up at night. Risk management, as seen by many, is driven by value preservation and loss prevention which, at worst, stifle business growth. What we don’t usually consider is the good side of risk — as part of the value creation process and as a source of advantage.

THE CHALLENGE
In the 2017 PwC Management Association of the Philippines (MAP) Philippine CEO Survey, 46% of business leaders plan to expand their current business operations by taking opportunity of the tremendous growth and potential of the ASEAN region. However, a majority is cautious about the increasing complexity, volatility, and uncertainty of the business environment.

Taking their cue from the PwC Good Governance Advocate & Practitioners of the Philippines (GGAPP) survey on Corporate Governance, 78% of the respondents, representing directors, compliance, and corporate governance officers, indicated that they have implemented risk management systems to capture the organization’s risk exposures. However, the robustness of these systems and the quality and degree of implementation that influence the board’s and management’s ability to manage known and emerging risks remain a challenge.

Business leaders are looking at the risk management function to give them greater confidence in managing risks to achieve their strategy and business objectives. However, according to the 2016 PwC Global Annual Corporate Directors Survey, many boards are not receiving the risk information they need. Risk practitioners in these businesses are often seen as restrictive and worried, giving only warnings and information on negative consequences.

What if risk practitioners provide the opposite, that is, provide information that improves management’s and the Board’s confidence in achieving their strategy and business objectives? In short, providing insights to improve performance thus helping create, realize, and maintain value through a systematic way of managing risk.

THE UPDATED RESPONSE
In 2001, the Committee of Sponsoring Organization of the Treadway Commission (COSO) issued Enterprise Risk Management (ERM)-Integrated Framework which became one of the world’s most widely used risk management framework. However, since its issuance, the market has evolved, the business environment became more complex, technology-driven, and global in scale, and risk discussions have become more prominent at the board level.

Responding to these challenges, COSO unveiled its new ERM framework, Enterprise Risk Management- Integrating with Strategy and Performance on Sept. 7. PwC, having led the development of the 2001 Framework is also the principal author of this new Framework.

The Framework is applicable to organizations of all sizes and industries. Particularly for the financial services industry, the timing is ideal as the Bangko Sentral ng Pilipinas (BSP) recently issued BSP Circular No. 971 Guidelines on Risk Governance requiring BSP-supervised financial institutions to establish a risk governance framework that should be applied on an enterprise-wide level.

THE FRAMEWORK
During the process of strategy formulation and selection, organizations seek to optimize a range of possible outcomes, such as revenue and/or profitability. Since strategy selection involves making choices and accepting trade-offs, it only makes sense to apply risk management at the onset of strategic planning. However, current practices indicate that risk is evaluated only on a strategy that is already determined and risk management functions monitor risk on already-rolled-out strategy. The downside is that it raises the possibility that the chosen strategy may not be aligned with the organization’s mission and vision in the first place. The implications of this misalignment could have significant impact on the value creation process.

This is one of the areas the new COSO ERM Framework addresses. The updated Framework provides guidance to the board and senior management in integrating ERM with strategy and performance. The updated Framework now defines ERM as: The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. The Framework provides increased emphasis on the following:

Strategy. The Framework elevates the discussion of strategy where risk management should be considered during the strategic planning process. This not only enhances strategy discussions but also provides the organization foresight into the risks associated with each strategy option. This way, risk advantage is achieved as organizations will be able to plan even better taking those risks into consideration during strategy selection to maximize desired outcomes.

Performance. The Framework enhances the integration of performance and ERM by exploring how organizations identify and assess the amount and type of risk taken in pursuit of its performance goals, including considerations on over- and under-performance. It facilitates the discussion about the relationship between risk appetite, risk profile, and performance and how risk changes with changes in performance.

Culture. The new definition of ERM puts culture upfront, which did not exist in the old one. ERM is more of a culture than a process or function. It is not risk culture but a culture’s consideration of risk. It is about having risk awareness and mindset in the organization starting with an effective tone-from-the-top from the board and management. The Framework considers and examines the role of culture and its relationship with conduct, ethics, and behavior.

Controls. The Framework delineates ERM from Internal Control. These two frameworks are distinct and provide different focus and therefore, complement each other. They do not compete; rather, they work together with the view of achieving performance objectives. Internal control provides assurance that objective are met while ERM provides confidence to business leaders in their strategic planning process and decision making.

The new Framework consists of five components and 20 principles that align to the business lifecycle of an organization from governance to monitoring, making the risk conversation more intuitive. These components are governance and culture, strategy and objective-setting, performance, review and revision, and information, communication and reporting. These components were developed from the viewpoint of the business to enable the integration, acceptance, and adoption of ERM by the business.

The Framework also emphasizes that risks arise and must be managed at all levels of the organization. Risk frameworks should ensure existing risk identification and assessment practices account for risks at different levels of the organization because risk responses may change at different altitudes within the organization.

THE WAY FORWARD
ERM should no longer focus principally on preventing the erosion of value and minimizing risk to an acceptable level (value preservation due to risk disadvantage) but in creating, preserving, and realizing value (value creation due to risk advantage) through effective risk management. ERM is now viewed as integral and critical to strategy setting and identification of opportunities to create and maintain value, making it a dynamic and integral part of managing an entity throughout the value chain.

As organizations navigate risk and uncertainty, always watchful for growth opportunities, they need to formulate strategies and regularly adjust these to meet the ever-changing business landscape. It is therefore vital to find, adopt, and apply a practical framework for optimizing strategy and performance.

Integrating ERM in strategy setting makes good business sense. Integrating ERM in strategy selection and implementation helps organization accelerate growth and enhance performance. All these add up to enable the organization gain and maintain competitive advantage.

The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. The content is for general information purposes only, and should not be used as a substitute for specific advice.

Ian T. Gonzales is a manager with the Risk Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.

+63 (2) 845-2728 ext. 3233

jesther.ian.gonzales@ph.pwc.com