COSO recently released an update to the 2004 Enterprise Risk Management – Integrated Framework, which has served as a valuable resource for many organizations in implementing and running their enterprise risk management (ERM) programs.
The original Integrated Framework introduced many of the key concepts that credit unions and other organizations of all types use as a model in designing their ERM programs. It described the ERM process as a tool for identifying the key risks that might jeopardize an organization's ability to achieve financial and other objectives. It described eight key steps in administering the ERM process to help improve performance by understanding risk exposures, assessing those exposures, identifying the key responses that mitigate risks, and providing the information to the people in the organization who can use it to improve performance:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
COSO’s update reinforces these concepts and provides additional guidance. Notably, it expands on governance, strategy setting, and the consideration of risk appetite. Generally, the update places much greater emphasis on setting risk appetite, and on linking risk appetite and risk management to organizational performance through the setting of strategy, in order to provide value to the organization. It relates mission, vision and core values to evaluating and setting strategies, and shows the link to enhanced performance. It helps describe the roles of the board, senior management, risk management and other groups in the ERM process. The update presents five interrelated components that essentially replace the eight original COSO steps:
- Governance and culture
- Strategy and objective-setting
- Performance (i.e., risk identification, assessment, and responses)
- Review and revision
- Information, communication and reporting
The update then defines 20 principles organized under the five components and provides a great deal of information on those components. The update also introduces the concept of using risk profiles, encompassing performance, risk, risk capacity, risk appetite and risk tolerances, to assist the organization in setting strategies that are consistent with risk appetite and its goals.
Finally, the Update re-emphasizes the benefits of successful ERM activities. The COSO presentation that summarizes the Update reminds us that “integrating ERM with business practices results in better information that supports improved decision-making and leads to enhanced performance.” An effective ERM program helps an organization avoid surprises, identify emerging risks and opportunities, improve risk and return trade-offs, and understand its overall risk profile, all in a manner that leads to value creation and improved risk management across the organization.
We at Rochdale Paragon are excited by the changes, and particularly appreciate the ways in which the Update links ERM and risk management with risk appetite, return, and the setting of strategies. We believe that credit unions should explore the Update to better understand how its application can improve the success of their ERM programs and would be pleased to speak with you about how your organization can enhance its ERM processes. Also, be sure to stay tuned for our next article building on the new COSO framework and offering practical ways to more effectively tie your enterprise risk management programs to strategy.
For additional information on how Rochdale Paragon can assist with your planning efforts, please contact Jeff Owen at (913) 890-8011, jowen@rochdaleparagon.com.