Customizing Enterprise Risk Management

Article excerpt

The COSO ERM integrated framework can help companies develop a holistic view of risk. But it's not one-size-fits-all.

When the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its enterprise risk management integrated framework in 2004, the document received a warm welcome from companies looking for better ways to identify and manage the myriad risks they face. And because the framework integrates internal controls and enterprise risk management (ERM), it seemed a perfect fit for organizations looking to leverage the work they were doing to comply with the Sarbanes-Oxley Act of 2002.

At the very least, the framework has raised awareness at the senior executive and board levels about the need for companies to understand the key risks they face, measure their tolerance for those exposures, develop a process to manage them and ensure that their risk profile is regularly updated.

"The COSO framework has been a lever that has pushed those efforts further along," says Michael Chagares, a director with Mercer Oliver Wyman, a financial services strategy and risk management consulting firm headquartered in New York City. "It has gotten companies to think about risk in a more strategic way. And if they understand risks better and how those risks align with objectives, they can manage those risks better and close gaps in order to achieve objectives with more predictability and less volatility."

But while most observers agree that the framework has had a positive impact on the prevalence and effectiveness of ERM, some experts point out that risk management executives might be tempted to treat the COSO framework as just another compliance requirement or as a shrink-wrapped solution to risk management issues that are complex and unique to each organization. It's neither of those, and companies need to carefully calibrate this risk management tool to get the best results.

No Turnkey Solution

The COSO ERM framework builds on an earlier tool developed by that organization, its internal control integrated framework, to coordinate risk management, internal controls and enterprise performance management. However, unlike the internal control framework, the ERM framework includes a process for setting objectives. It also helps companies identify exposures and allocate resources to manage them. "Companies get the most benefit from ERM when they evaluate risk as part of strategic planning," notes Miles Everson, a partner in PricewaterhouseCoopers' advisory services practice in New York City. "ERM needs to become part of the way the company runs the business. Therefore, companies should not just add a separate ERM process; they should modify the existing strategic planning process to incorporate ERM."

James Lam, president of James Lam & Associates, a risk management consulting firm based in Wellesley, Mass., warns against treating the COSO ERM framework as a turnkey risk management solution. "The usefulness of any framework is to provide structure so that companies can design processes and procedures within that structure to accomplish their goals," he says. "Companies are not well-served by taking the framework off the shelf and fitting their requirements into the framework. The framework needs to be adapted to the company's internal requirements."

For example, in Lam's view, the COSO ERM framework doesn't place enough emphasis on classifying risks or identifying key risk indicators, both of which are instrumental in providing the necessary information to support management decision-making. Many companies will need to modify the framework or develop their own ERM programs to ensure the availability of that information. "The COSO ERM framework alone will not get you to where you want to be," observes Lam.

Adapting the Framework

For insight into ways to adapt the framework to meet their needs, companies can look to the pioneers - businesses that implemented enterprise risk management before COSO published its ERM framework. …