Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives”. A very convoluted definition. In plain English, ERM is a process implemented by the top management of the organization and designed to proactively identify risk across the entire enterprise. This definition is broad for a reason. ERM is:

  • A process, ongoing and flowing through an entity
  • Effected by people at every level of an organization
  • Applied in strategy-setting methodology
  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
  • Designed to identify potential events affecting the entity and manage risk within its risk appetite
  • Able to provide reasonable assurance to an entity’s management and board
  • Geared to the achievement of objectives in one or more separate but overlapping categories – it is “a means to an end, not an end in itself.”

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. It advances the maturity of the enterprise’s capabilities around managing risk. Before a company can assert it is applying ERM, it must address ALL of the above concepts embodied in COSO’s definition.