Courtesy: ISO 31000 Risk management internal auditor training
ERM frameworks defined
There are various important ERM frameworks, each of which describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Alternative Actions: deciding and considering other feasible steps to minimize risks
- Share or Insure: transferring or sharing a portion of the risk, to finance it
- Accept: no action is taken, due to a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
Casualty Actuarial Society framework
In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes. The risk types and examples include:
Hazard riskLiability torts, Property damage, Natural catastropheFinancial riskPricing risk, Asset risk, Currency risk, Liquidity riskOperational riskCustomer satisfaction, Product failure, Integrity, Reputational risk; Internal Poaching; Knowledge drainStrategic risksCompetition, Social trend, Capital availability
The risk management process involves:
- Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
- Identifying Risks: This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
- Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
- Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization’s key performance metrics.
- Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
- Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
- Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.
COSO ERM framework
The COSO “Enterprise Risk Management-Integrated Framework” published in 2004 (New edition COSO ERM 2017 is not Mentioned and the 2004 version is outdated) defines ERM as a “…process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components are:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
The four objectives categories – additional components highlighted – are:
- Strategy – high-level goals, aligned with and supporting the organization’s mission
- Operations – effective and efficient use of resources
- Financial Reporting – reliability of operational and financial reporting
- Compliance – compliance with applicable laws and regulations