Enterprise Risk Management (Preview)

Chapter 1 – Risk Management Awareness

In 2017, COSO released its Enterprise Risk Management – Integrating with Strategy and Performance framework, which highlights the importance of considering risk in the context of strategy and performance. The framework emphasizes the need to identify and manage risks associated with strategies and related objectives, to achieve better performance and create value. The framework is a set of twenty principles organized in five interrelated components: 1) governance and culture; 2) strategy and objective-setting; 3) performance; 4) review and revision; and 5) information, communication and reporting. In the words of COSO, the principles of the framework “describe practices that can be applied in different ways for different organizations regardless of size, type, or sector.” [33] The COSO ERM framework is depicted as a deoxyribonucleic acid (DNA) strand, reflecting that ERM needs to be embedded in the fabric of an organization. A free download of the executive summary of the framework is available at www.coso.org.

It should be noted that COSO also publishes a separate Internal Control – Integrated Framework that was updated in 2013. The COSO internal control framework and the COSO ERM framework are distinct, each with a different focus, and do not supersede one another. [34] The COSO internal control framework provides guidance for internal controls related to operational, reporting and compliance objectives. As such, it tends to be used to design compliance programs, and to meet requirements of the Sarbanes-Oxley Act. On the other hand, the COSO ERM framework is used to design risk management frameworks, structures and processes, and to integrate ERM with strategy and performance. Both frameworks provide guidance in the form of principles that should be met. They are conceptual and not prescriptive with respect to how things have to be done, or what specific rules need to be followed or implemented.
ISO 31000 Risk Management Guidelines

The International Organization for Standardization (ISO) is an independent, non-governmental international organization based in Switzerland. Its members consist of national standards bodies representing 162 countries. [35] Some of these members are government entities, while others represent associations of the private sector. The American National Standards Institute (ANSI) is the United States member of ISO, and the Standards Council of Canada (SCC) is the Canadian member. The purpose of ISO is to help its members share knowledge and expertise, and develop voluntary standards in areas of interest for industry and governments. The standards are developed as principles and guidance to help organizations design and implement sound management practices. ISO standards cover, for example, quality management, environmental management, occupational health and safety, food safety management and medical devices. ISO standards are numbered for reference.

In 2018, the ISO 31000 Risk Management – Guidelines were updated; they provide a voluntary international standard for risk management. The guidelines outline eight principles that should guide the application of risk management. These principles reflect the attributes (qualities or characteristics) of effective risk management. The ISO guidelines also include a risk management framework that helps organizations develop and implement their own framework for risk management. In addition, the guidelines propose
