The past few days have allowed most of us a break from the daily grind: to visit and remember our dearly departed, spend more time with the living, reflect on life, or just take a breather. But as we go back to our organizations and resume regular programming, we find ourselves starting the penultimate month of the year.
In the coming weeks, we will spend our time trying to complete projects and tasks before the year ends, or eagerly anticipate and prepare for the Christmas and New Year festivities. Corporate citizens may enter the final stages of planning for the next business year, and prepare to execute the projects to meet their objectives. But we need to recognize that these actions are influenced largely by our culture, capabilities and practices for addressing risk: the possibility that events will occur and affect the achievement of strategy and business objectives.
REFOCUSING THE SPIRIT OF ERM
Managing risk to achieve objectives has always been at the core of enterprise risk management (ERM). However, the new COSO ERM Framework (Enterprise Risk Management – Integrating with Strategy and Performance), published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and developed by PwC, takes it further.
In the new framework, ERM moves beyond being primarily a “process” designed to identify potential events that may affect achievement of entity objectives. It is now defined as “the culture, capabilities and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.” From this definition, I’d like to put special focus on the following three aspects:
• Culture: Primarily influenced by people’s words and actions within the organization, culture plays an important part in decision making. How individuals perceive risk, especially the choices and actions they take, is influenced by culture, together with their unique points of reference and ERM practices.
• Capabilities: Managing risk requires skills both to carry out the organizational strategies and to anticipate potential challenges in achieving objectives. Organizations need these capabilities coupled with the agility to adapt to the changing business landscape.
• Practices: ERM is not a collection of standards or manuals left to collect dust on the shelves. It is continually applied throughout organizational activities and levels, allowing the organization to understand its strategy, business objectives, attendant risks, the impact of these risks and how they should be managed.
While the other elements of the ERM definition complete the full spectrum of its essence and applications, these three key terms are the precursors that bring the other components of the definition into action.
UNDERSTANDING ERM COMPONENTS AND PRINCIPLES
To support this new definition, the framework now consists of five interrelated components, providing the “organizational soul” that gives life to the entity’s mission, vision and core values. These components are supported by “principles” that organizations apply as part of their ERM practices.
• Governance & Culture: This component covers aspects of the organization’s tone on the importance of and oversight for ERM, as well as ethical values, desired behaviors and understanding of risk. Supporting principles relate to: exercising Board risk oversight; establishing operating structures; defining the desired culture; demonstrating commitment to core values; and attracting, developing and retaining capable individuals.
• Strategy & Objective-Setting: This highlights the interaction of ERM, strategy and objective-setting in the strategic planning process. The amount and categories of risk the organization is willing to take (its risk appetite), together with the business objectives it defines, guide risk identification, assessment and response. Supporting principles relate to: analyzing the business context, defining risk appetite, evaluating alternative strategies, and formulating business objectives.
• Performance: This includes the most familiar aspects of ERM – identification, assessment, prioritization and response to risks affecting strategy and business objectives. Supporting principles relate to: identifying risk, assessing the severity of risk, prioritizing risk, implementing risk responses, and developing a portfolio view.
• Review & Revision: This involves the review of organizational performance to consider how the ERM components are functioning, as a basis for potential changes and enhancements. Supporting principles relate to: assessing substantial change, reviewing risk and performance, and pursuing improvement in enterprise risk management.
• Information, Communication & Reporting: This encompasses the continual process of sourcing and distributing information, to and from internal or external sources, flowing across various organizational levels. Supporting principles relate to: leveraging information systems; communicating risk information; and reporting on risk, culture and performance.
In the new COSO ERM diagram illustrating the components and the enterprise journey from its mission/vision/core values to enhanced value, the five components are represented as “ribbons” intertwined in the enterprise journey with two perspectives: (1) Strategy & Objective-Setting, Performance and Review & Revision – representing common processes flowing through the organization; and (2) Governance & Culture and Information, Communication & Reporting – representing supporting aspects providing the foundation for implementing the other components.
LOOKING AT YOUR CORPORATE RISK CULTURE, CAPABILITIES AND PRACTICES
Before we dig deeper into the components, we should ask: how do we assess where we stand right now on each of them? If we go “organizational soul searching” to understand what we have and don’t have, what will be our basis?
Whether we do it for our internal organizational improvement, or to demonstrate to external entities how we manage risk, the framework provides criteria in conducting an assessment. These criteria help us ascertain if our ERM culture, capabilities and practices allow the organization to manage its risks.
In conducting an ERM assessment, what do we examine and consider? Traditionally, we look at whether the components, principles and controls are (1) present and (2) functioning within the period of our assessment. However, it is also important that we look at how they operate together as part of the whole ERM system. These components are interdependent and rely on their individual effectiveness to provide the input to the other components. Likewise, the assessment should consider management’s judgment in the application of these principles. Particular attention should be given to the organization’s complexity, business and regulatory environment, and operational maturity, among others.
A detailed discussion and examples of the principles supporting Governance & Culture and Information, Communication & Reporting will be covered in Part 2 of this series.
The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. The content is for general information purposes only, and should not be used as a substitute for specific advice.
Alvin Dave M. Pusing is a senior manager with the Risk Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.
+63 (2) 845 2728 ext. 3232