An organization’s internal environment is responsible for generating reliable financial reporting and complying with laws and regulations. Internal business process improvement methods establish best practices and strengthen corporate governance and risk management. Consider the COSO framework using the PowerPoint presentation and the ERM Framework graphic in this week’s Resources.

Write a 1- to 2-page paper using an internal environment that you are familiar with and complete the COSO framework for this environment as outlined below. For example, an internal environment might be the development of an organization’s incentive systems.

1. State the control objectives.
2. Identify the risk sources.
3. Perform a risk assessment.
4. Develop a risk response.
5. Determine the control activities.
6. Provide a method of informing and communicating the results.
7. Discuss the process that is used for monitoring the information.

Your 1- to 2-page paper should reflect the application of the Resources presented this week, as well as knowledge gained from previous weeks’ Required or Optional Readings. Be sure to support your work with specific citations from this week’s Learning Resources and any additional resources.

Ten steps to enterprise-wide risk management
Priscilla Burnaby and Susan Hass
Priscilla Burnaby is a Professor at Bentley College, Waltham, Massachusetts, USA. Susan Hass is a Professor at Simmons College, Boston, Massachusetts, USA.
Purpose – The purpose of this paper is to discuss the objectives of enterprise-wide risk management (ERM), the Committee of Sponsoring Organizations (COSO) ERM Framework, and to outline a method to implement ERM in organizations.
Design/methodology/approach – This paper delineates ten steps organizations can use to develop a viable ERM system.
Findings – It is highly recommended that a high-level risk officer, with visible support from senior and board-level executives, has a separate function to oversee the development of an ERM department.
Practical implications – Although the internal audit department has a large role in evaluating and monitoring the ERM system, it is management’s responsibility to develop a strong ERM function that ties corporate strategy, the budget, controls, and the entity’s performance measurement systems to risk management.
Originality/value – The cost to the entity of implementing and maintaining an ERM system is far outweighed by the results and knowledge gained in evaluating, assessing, and overseeing risk to ensure achievement of strategic objectives over the short- and long-term life of the organization.
Keywords Risk management, Control systems, Risk assessment, Reports
Paper type Viewpoint
What impact will increased gasoline prices have on the price of plastic? Will political
instability in Latin America affect the supply of raw materials in the next six months? In the
next year? In the next two years? Has global warming really changed the ocean tides, and if
so, will it affect the planned wind farm off the New England shoreline? Will my secret formula
for our best-selling chili remain safe or will hackers be able to get through our security
system? If I vertically integrate, my company’s value will increase but so will my exposure to
external risks. These and many other economic events lead to risks that affect business on a
daily basis and are part of doing business. Companies need to build risk management into
their corporate strategy and daily operations. To hold risks in check, organizations must plan
to protect themselves so that only an acceptable level of residual risk remains. Each
company’s managers decide what their risk appetite is and what the costs and benefits are
for risk avoidance or risk acceptance.
Received: 29 October 2007
Revised: 19 March 2008
Accepted: 5 June 2008
DOI 10.1108/14720700910998111
VOL. 9 NO. 5 2009, pp. 539-550, © Emerald Group Publishing Limited, ISSN 1472-0701
The growing trend is for companies to take an enterprise-wide risk management (ERM)
approach to protecting themselves against the many risks of running an organization. There
is interest in accelerating the evolution of ERM as a core business process (Francis and
Richards, 2007). All entities face a multitude of risks that if not identified and integrated into
an overall business strategy may result in lost revenues or a business failure. Several
organizations, including the US government, have made it a priority for companies to create
risk and control systems that result in reliable financial reporting systems that have adequate
controls. The Institute of Internal Auditors (IIA) Research Foundation has listed the study of
current practices in ERM and Performance Measurement Systems as one of its top research
priorities for both operational and financial reporting. The Institute of Internal Auditors
Research Foundation Sub-committee on Risk Management states that, ‘‘many companies
and organizations have recognized the need to effectively identify and manage a
combination or basket of threats and exposures facing them in today’s complex, global
environment’’ (The Institute of Internal Auditors Research Foundation, 1999).
In the USA, the Sarbanes-Oxley (SOX) Act of 2002 (Act) (Securities and Exchange
Commission, 2002) requires annual reports to contain an internal control report and for the
CEO and the CFO to certify to the fairness of the public reports. The Act also requires that
organizations select a control framework. In 2004, the Committee of Sponsoring
Organizations (COSO) created the Enterprise Risk Management Framework to provide
guidance for entities in developing control systems that aid organizations in managing risk.
Based on this report, The IIA (The Institute of Internal Auditors, 2004) released guidelines
delineating the internal auditor’s role in ERM. This role includes giving assurance on the
management process for reviewing the management of key risks.
The purpose of this paper is to discuss the objectives of ERM, the COSO ERM Framework,
and to outline ten steps to implement ERM in your organization.
Enterprise-wide risk management
The objectives of enterprise-wide risk management are first, to develop strategic corporate
objectives that are measurable, second, to identify risks that would prevent accomplishing the
corporate objectives, and, third, to identify controls that would mitigate those risks. Closely
linking risk management to strategy is the hallmark of true ERM programs (Francis and
Richards, 2007). Risk is anything that gets in the way of an organization achieving its
objectives. Risks are inevitable and are a function of the strategic objectives and the way an
organization is run. Managers put assets at risk to achieve objectives. Risk is the uncertainty of
plans and decision outcomes (McNamee and Selim, 1998). It is the anxiety of unknown future
events and the negative consequences of their outcomes (Irwin, 2007). ERM includes the
analysis of risks surrounding the development of performance measures, critical success
factors, and efficient systems based on corporate strategy and corporate objectives to
influence decision making and managerial action plans. ERM activities can be performed by a
management team, department, external auditors, consultants, or internal auditors.
An example of a risk management process is the Australian Customs Service’s six-step
continuous improvement process at the operational and tactical risk management levels
(McNamee and Selim, 1998):
1. Risk identification. What could go wrong, how it happens, and why it happens.
2. Risk analysis. Estimating the likelihood and consequences of the decision.
3. The risk management solution. Various mitigation treatments, including controls.
4. Evaluation and audit. Subsequent review of the effectiveness of the risk management solution.
5. Performance measurement. Review of the costs of risk mitigation.
6. Final review. Gleaning the lessons learned to serve as a guide for future situations.
Fidelity Investments’ Risk Management Department has developed a form for each of their
divisions to report on a few key performance measures based on the division’s objectives
that tie to corporate objectives. They also report on any losses incurred and their cause. The
Risk Management Department compiles this information for upper management and the
Board of Directors (Gaquin, 1999).
External auditors now begin their financial statement audits by examining the underlying
business strategy and objectives of the organization to determine if the organization has
controls in place that result in reliable financial information. Auditing firms offer a more
in-depth risk assessment beyond the needs of the financial statement audit (Deloitte &
Touche, 1998; Coopers & Lybrand, 1998). An example of a large auditing firm adopting a
process risk-based approach is KPMG’s Business Measurement Process (BMP). BMP
incorporates analysis of the entity’s strategy in a ‘‘top down’’ risk-based process approach
for a financial statement audit (Bell et al., 1997).
The IIA conducted a study, Risk Management: Changing the Internal Auditor’s Paradigm
(McNamee and Selim, 1998). Their research indicated a rapid change in the internal audit
process from a passive and reactive control-based auditing approach to an active and
anticipative risk-based audit approach. At a time when outsourcing the internal audit
function is an option for an organization, the internal audit department needs to provide
services that can be shown as value-added. With their knowledge of the organization and
their skills in audit, research, and analysis, internal auditors should play a key role in
enterprise-wide risk management. As they have been using risk models to determine which
areas to audit in an organization, internal audit departments have a great deal of experience
in analyzing risk.
Ten steps to risk management
The following outlines ten steps to develop a viable ERM system for any organization. The
ten steps are:
1. Mandate from the top.
2. ERM department and buy-in.
3. Decide on control framework.
4. Determine all risks.
5. Assess risks.
6. Business unit objectives and performance measures.
7. Objectives and control summary.
8. Monthly ERM reporting system.
9. Analysis by ERM department.
10. Continuous monitoring of the process.
It is recommended that a high-level risk officer have a separate function to oversee the
development of an ERM department. Although the internal audit department can have a
significant role in evaluation and monitoring the ERM system, it is management’s
responsibility to develop a strong ERM function that ties corporate strategy, budget,
controls, and performance measurement systems to risk management.
Step 1. Mandate from the top
In order for a formal and documented ERM process to work, it must be mandated by the
board of directors (Board), chief executive officers, and other top level management of the
organization. Because business is risk management, understanding the risks accepted by
the company as it pursues its strategy to achieve its objectives is essential for the board and
relevant stakeholders (King, 2001). Risk management is central to the execution of the
organization’s strategy so there must be a linkage between the organization’s strategic plan
and initiatives and an understanding of all organizational risks across the entity. The
coordination of risk assessment and strategy development will ensure that both internal and
external stakeholders will consistently manage organizational risk effectively and efficiently.
A mandate from the top is needed to ensure the risk management team’s success in
establishing the ERM program to aid in the achievement of organizational goals.
To understand the financial commitment the process will take, the Board should oversee a
study to estimate the cost to implement an ERM department. Once the costs are understood,
it may be best to hire an expert consulting team to provide technical assistance to
management in the development of an implementation plan and to designate an internal
team to be responsible for the implementation. To be successful over time, a separate
department for ERM should be empowered to collect risk reports monthly and assimilate
information to be reviewed by the Board. At a minimum for smaller organizations, there
should be a chief risk officer assigned to monitor the process.
Step 2. ERM department and buy-in
There should be several layers of ownership for the ERM process. A senior level manager
must be responsible for development of the ERM Department and roll-out process. This is
the ERM champion who will determine the appropriate levels of resources and time
commitment needed. A team of senior managers must drive assessment, evaluation, and
development of an action plan. They will develop the time table for implementation and
educational programs, hold meetings with each area to develop risk report requirements,
and create a procedure manual for all participants.
Execution of the ERM process will be implemented by a management team at all levels of the
organization. A formal process with a realistic timeline must be established. All members of
the organization need to participate to ensure that all risks are known and that key risks are
managed by department or reporting unit under a comprehensive master plan. The internal
audit department cannot be responsible for risk management but can be involved in the
development and monitoring of the risk management plan.
Ownership also means accountability. Individuals that oversee risk management activities in
each department must be accountable for the quality of their risk reports and activities under
the risk management umbrella. Having concentrated ownership ensures accountability.
Well-managed organizations will also tie individual compensation and promotion to the
success of risk management initiatives.
Although the mandate for risk management comes from the highest level and a senior level
risk champion oversees risk management activities, employees at all levels within the
organization are responsible for the success of the risk management initiative. Existing risk
managers should be enlisted in this effort to help train and educate all employees about risks
and risk management.
Without everyone in the organization understanding the importance of a successful risk
management initiative, the company may be at risk for significant loss due to little known, but
not unknown, risks. For example, a purchasing agent may know of anticipated limitations in
the supply of a key raw material and try to manage the problem himself. He fails to report this
situation in the periodic risk reporting system. When the supply of this key resource is
reduced to unacceptable levels, the company, but not the employee, is taken by surprise.
The company must react immediately, but does not have a contingency plan, since
leadership was not aware of the problem. If the employee truly understood the nature of ERM
and its importance to the entity, the risk would have been included in the department’s analysis
and monitored, with plans in place in time to find an alternative source or resource with minimal
Step 3. Decide on control framework
In order for ERM to work, organizations must commit to the adoption of an internal control
framework. The existence of a satisfactory internal control structure reduces the probability
of errors and irregularities. In the USA, the SOX Act of 2002 (Act) (Securities and Exchange
Commission, 2002) requires annual reports to contain an internal control report and for the
CEO and the CFO to certify to the fairness of the public reports. In 2002, internal auditors’
audit scope increased when the IIA expanded their role to include assurance services and
consulting to improve the effectiveness of risk management, control, and governance processes.
As a response, in 2004 the COSO expanded their suggested control framework from five
elements to eight to better address how organizations could better manage enterprise risk.
The components were derived from the way management operates a business, and they
should be integrated with the management process. A summary of the eight components
can be found in Table I. This is one of several internal control frameworks available for use by organizations.
Step 4. Determine all risks
An effort must be made across the entity to collect all known or anticipated risks. If risks are
managed in organizational silos, poor communication and the resultant ignorance of the full
potential of organizational threats could result in an iceberg of risk. Known risks are reduced
and the hidden ones could sink the corporate ship (Rasmussen and McClean, 2007). All
employees are responsible for identifying and sharing potential organizational risks. Those
that affect the achievement of the organization’s strategy are most important, but this
assessment will be done in a later step. Based on discussion across the organization, a Risk
Dictionary should be developed so that everyone agrees on the meaning of each risk term.
This Risk Dictionary will be used in all education programs to roll out the ERM program to
each department or unit. This step is just a data collection and risk definition effort. Value
judgments as to likelihood of an event occurring or financial impact are not to be made at this
time. Based on the area’s objectives, each reporting department or entity needs to provide
input on the risks of not achieving the objectives. At the stage of designing the area’s report,
the objectives and risks will be tied to performance measures.

Table I Components of internal control (source: Committee of Sponsoring Organizations, 2004)

Internal environment
  Description: Actions, policies, and procedures that reflect the overall attitude of top management, directors, and owners of an entity about control and its importance.
  Key elements: Risk management philosophy; risk culture; board of directors; integrity and ethical values; commitment to competence; management’s philosophy and operating style; risk appetite; organizational structure; assignment of authority and responsibility; human resource policies and practices.

Objective setting
  Description: Precondition to event identification, risk assessment, and risk response.
  Key elements: Strategic objectives; related objectives; selected objectives; risk appetite; risk tolerance.

Event identification
  Description: Management identification of interrelationships between potential events and categorization of events.
  Key elements: Factors influencing strategy and objectives; methodologies and techniques; event interdependencies; event categories; risks and opportunities.

Risk assessment
  Description: Management’s consideration of the extent to which potential events might have an impact on achievement of objectives.
  Key elements: Inherent and residual risk; likelihood and impact; methodologies and technologies; correlation of events.

Risk response
  Description: Management’s determination of how to respond to assessed relevant risks.
  Key elements: Identify risk responses; evaluate possible risk responses; select responses; portfolio view.

Control activities
  Description: Policies and procedures that help ensure that management’s risk responses are carried out.
  Key elements: Integration with risk response; types of control activities; general controls; application controls; entity specific.

Information and communication
  Description: Information to be identified, captured, and communicated in a form that enables personnel to carry out their responsibilities.
  Key elements: Strategic and integrated systems.

Monitoring
  Description: A process that assesses both the presence and functioning of its components and the quality of their performance over time.
  Key elements: Separate evaluations; ongoing evaluations.
The risks included must go beyond consideration of compliance, legal, and financial risks.
Look at internal risks (information technology, business processes, support and
documentation) and external risks (political, social, environmental, governmental and
economic) (DeLoach, 2000). Many organizations currently spend significant time and
money on compliance risks from laws and regulations. To limit the risk assessment to
compliance related areas would seriously undermine the value of this effort.
The accumulated risk list should be very extensive. An evaluation of the risk exposures
cannot be made at the business unit level that identified it initially, since the linkage of risks
across the entity may indicate it is more significant than initially thought. Consider the
following risk groups when accumulating the Risk Dictionary:
reputation – negative public relations;
business operations – fraud, lost revenue, unauthorized actions;
regulatory compliance – SOX, SEC, EPA, laws at all levels;
contractual obligations – joint ventures, vendor …