Maturing Risk Management in Light of COSO Updates
Recent updates to the COSO framework serve to clarify the significance of the connection between risk, strategy and performance. Protiviti’s Jim DeLoach discusses how organizations can get the most out of their ERM programs and three keys to advancing ERM.
In 2017, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission released its updated framework on Enterprise Risk Management. While the concepts in the update aren’t new, the emphasis is markedly different, with a focus on what’s important in maximizing the value of ERM. I would argue that, considering the updated ERM framework, all companies should take a fresh look at their risk management in view of the new digital era in which they do business.
Since the 2007-2008 financial crisis, many ERM implementations have been oriented around answering three questions:
- Do we know what our key risks are?
- Do we know how they’re being managed?
- How do we know?
In responding to these three questions, executive management and boards in some companies have made progress in differentiating the truly critical enterprise risks from the risks associated with day-to-day business operations.
That is all well, but is it enough? Ask yourself the following questions:
- Will our ERM approach help us identify strategic errors in time? Based on a study of over 1,000 large U.S. public companies, 81 percent of organizations experiencing dramatic losses of enterprise value over a 10-year period incurred those losses because of major strategic blunders. The study was based on the premise that all the occurrences contributing to the loss should have been anticipated. But they weren’t – and they likely will not be if ERM is more focused on operational, financial and compliance issues than on strategic issues.
- Is our organization able to recognize the signs of disruptive change, and is it agile and resilient enough to adapt to change? Powerful mega-trends can potentially disrupt established businesses and continue to compress the half-life of business models. To stay ahead of the disruption curve, business leaders must quickly discern the vital signs of technological advances, geopolitical developments, competitor actions and other changes and how they affect their markets and business model. What good is ERM if it isn’t helping organizations position themselves as early movers in these dynamic times?
- Will our CEO “dance until the music stops”? Just prior to the onset of the 2007-2008 financial crisis, when the CEO of a major global bank was asked about the risks his bank was taking in the U.S. subprime mortgage market, he made the famous comment that “as long as the music is playing … we’re still dancing.” This quote is the stuff of legends, as it raises the question as to whether an organization truly considers risk and return in its decision-making or blindly follows the herd. It implies a view that an exit can be managed effectively when the music stops. Simply stated, this begs the question: What will the bank do when the market crashes and the fire sales begin?
- Do we know what we don’t know? Are we prepared for an unexpected surprise? “Stuff happens” is the lesson from the financial crisis. It was learned again in the Japanese tsunami in 2011. No organization or brand is immune to the risk of surprise. How prepared is the organization to respond to the occurrence of a high-impact, high-velocity and high-persistence risk event?
- Is everyone competing for capital and funding with rose-colored glasses? Is management reducing the risk of bias in decision-making processes involving resource and budget allocations? Are both risk and opportunity considered when significant investments and capital expenditures are proposed? Resource and budget allocations shouldn’t be a grabfest.
Yes, companies have made progress, but depending on the answers to the questions above, more needs to be done.
COSO’s Framework Could Change the Conversation
The updated framework clarifies the importance of the connection among risk, strategy and enterprise performance. Its title says it all – “integrating with strategy and performance.” It begins with an underlying premise that every entity exists to provide value for its stakeholders and faces uncertainty in the pursuit of that value. Therefore, the framework itself focuses on preserving and creating enterprise value with an emphasis on managing risk within the entity’s risk oversight. The framework states:
[T]he challenge for management is to determine how much uncertainty – and therefore how much risk – the entity is prepared and able to accept. Effective [ERM] allows management to balance risk and opportunity, with the goal of enhancing the capacity to create, preserve and ultimately realize value.
The framework introduces five interrelated components and outlines 20 relevant principles arrayed among those components. Its principles-based structure is a significant improvement over its 2004 counterpart, as it offers a benchmarking option for companies seeking to enhance their ERM approach. The framework focuses on integrating ERM with the core processes that matter, a concept embodied in the definition of ERM: “[T]he culture, capabilities and practices integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value.” While a standalone process may be considered useful by some, it is not ERM as COSO defines it.
The following observations address critical aspects of ERM, as defined by COSO:
- Integrate ERM with strategy – COSO asserts there are three dimensions to integrating ERM with strategy-setting and execution: risks to the execution of the strategy, implications from the strategy (meaning each strategic option has its unique risk-reward trade-off and risk profile) and the possibility of the strategy not aligning with the enterprise’s mission, vision and core values. All three dimensions need to be considered as part of the strategic-management process.
- Integrate risk with performance – COSO makes it clear that risk reporting is not an isolated exercise. Operating within the bounds of an acceptable variation in performance provides management with greater confidence that the entity will achieve its business objectives and remain within its risk appetite.
- Lay the foundation for ERM with strong risk governance and culture – The board and CEO must be vigilant in ensuring that pressures within the organization are neither excessive nor incenting unintended consequences (e.g., unmanageable bias, flawed decisions, reckless risk-taking and irresponsible and/or illegal behavior). Such pressures are spawned by unrealistic performance targets, conflicting business objectives of different stakeholders, disruptive change altering the fundamentals underlying the business model and imbalances between rewards for short-term financial performance and long-term focused stakeholders.
- Tie risk considerations into decision-making processes – COSO defines “relevant information” as information that facilitates informed decision-making. The more information contributes to increased agility, greater proactivity and better anticipation by the enterprise, the more relevant it is and the more likely the organization will be to execute its strategy successfully, achieve its business objectives and establish sustainable competitive advantage.
Every organization is different according to its industry, strategy, structure, culture, business model and financial wherewithal. As companies use the COSO Framework to evaluate their current ERM approach, they will be able to address the above elements of ERM.
Three Keys to Advancing ERM
In advancing ERM, we suggest organizations focus on three keys:
Key #1: Position the organization as an early mover – When a market shift creates an opportunity to create enterprise value or invalidates critical assumptions underlying the strategy, it may be in an organization’s best interests to recognize that insight and act on it as quickly as possible. The following question applies to every organization: When the entity’s fundamentals change, which side of the change curve will it be on? Will it be facing a market exploitation opportunity, or will it be looking at the emerging risk of an outdated strategy?
Time advantage is attained when the organization obtains knowledge of a unique market opportunity or an emerging risk and creates decision-making options for its leaders before that knowledge becomes widely known. Shouldn’t ERM contribute that advantage?
Key #2: Address challenges of risk reporting – Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. In contrast to the three questions cited at the beginning of this article, to truly impact decision-making, risk reporting must address three questions:
- Are we riskier today than yesterday?
- Are we entering a riskier time?
- What are the underlying causes?
Risk reporting is often not actionable enough to support decision-making processes. And until it is designed to answer these three questions, it won’t be. However, once it does, it becomes the key to evolving ERM from a “risk-listing” process to a “risk-informed” decision-making discipline. Shouldn’t ERM capabilities answer these three questions?
Key #3: Preserve reputation by maximizing the lines of defense – How do organizations safeguard themselves against reputation-damaging breakdowns in risk and compliance management? The widely accepted lines-of-defense model consists of three lines of defense in which the business unit management and process owners whose activities give rise to risk comprise the first line, independent risk and compliance functions are the second line and internal audit the third line. The tone of the organization – the collective impact of the tone from the top, tone from the middle and tone at the bottom on risk management, compliance and responsible business behavior – lays the cultural foundation for the effective functioning of each of the three lines of defense.
Arguably, the final line of defense is senior management and the board. For example, top management acts on risk information on a timely basis when significant issues are escalated and involves the board in a timely manner when necessary. Shouldn’t ERM drive the risk governance and culture that enable these disciplines to function effectively?
These three keys offer a focused line of sight for companies seeking to advance their ERM approach consistent with the COSO Framework.
Forget about ERM being an overlay on the core business processes that matter. If senior managers are concerned about that, their advisers either don’t understand what ERM is – given how COSO has defined it – or are asking the wrong questions. Companies have a choice in driving the maturity of their ERM approach, as there is no one-size-fits-all approach in terms of implementing it. However, the elements summarized above must be addressed effectively.
Think of the relationship of ERM with the processes the CEO values most as analogous to the contribution of salt, pepper and other seasonings to a sumptuous meal. The whole idea is to enhance the odds of the organization achieving its objectives by enabling it to become more adaptive and agile in the face of an increasingly volatile, complex and uncertain world. The capabilities of the digital age are being used to enhance business processes across the organization. Shouldn’t they be used to upgrade ERM capabilities, as well?
Questions for Executive Management and Boards of Directors
The following are some suggested questions executives and directors may consider, based on the risks inherent in the entity’s operations:
- Is the board satisfied the organization is adaptive to change, and is management considering the effects of volatility, complexity and uncertainty in the marketplace when evaluating alternative strategies and executing the strategy?
- Should management consider the principles supporting effective implementation of ERM, as set forth by COSO, to ascertain whether improvements are needed to the enterprise’s risk management?
“The Lesson in Lost Value,” Christopher Dann, Matthew Le Merle and Christopher Pencavel, Strategy+Business, November 2012, available at www.strategy-business.com/article/00146?gko=f2c51. This study is the most recent one we could find. As it is based on the period ended December 31, 2011, we recognize that a more recent study period might reflect different results. For example, a study period since 2008 would reduce the effect of failures resulting from the 2007-2008 financial crisis and incorporate the more recent trend of digital transformation. Since the crisis, the capital markets have increased; therefore, it’s likely that many of the “losers” of enterprise value are companies that deployed flawed strategies and/or failed to adapt to shifting markets. Whatever the actual percentage, we believe it to be significant.
“Citigroup’s Chuck Prince Wants to Keep Dancing, and Can You Really Blame Him?” wpcomimportuser, Time, July 10, 2007, available at https://business.time.com/2007/07/10/citigroups_chuck_prince_wants/.