RISK MANAGEMENT 4-7

Strategy and Business Objectives

The COSO ERM exposure draft refers to strategy as "The organization's plan to achieve its mission and vision and apply its core values" and defines business objectives as "Those measurable steps the organization takes to achieve its strategy." A well-defined strategy drives the efficient allocation of resources and effective decision-making, which in turn help provide the direction for the business objectives. Thus, ERM is integrated with the process to establish strategy and business objectives.

Strategy
The organization's plan to achieve its mission and vision and apply its core values.

Business Objectives
Those measurable steps the organization takes to achieve its strategy.

[...] considered in the context of strategic planning, and core values are considered in the context of the culture the organization wishes to embrace.

COSO discusses three inherent challenges that arise as part of establishing strategy and business objectives. These are:

1. The possibility of strategy not aligning. The mission and vision influence the acceptable types and amount of risk an organization is willing to take on. If a strategy is not aligned with the mission and vision, the organization's ability to realize its mission and vision may be significantly impaired. This can happen even when the misaligned strategy is successfully executed. Integrating ERM can help an organization avoid misaligning its strategy.

2. Implications from the strategy chosen. ERM can help an organization understand the potential outcomes of a strategy. Some strategies may appear to align with the mission and vision, but the outcomes may not help the organization realize its mission and vision, or there may be unintended consequences of the strategy. Thus, it is important to consider the implications of every strategy under consideration.

3. Risk to executing the strategy. There is always risk that the strategy will not be executed effectively and, therefore, not deliver the desired results. Organizations must be cognizant of the inherent risks embedded in a strategy, and evaluate whether they have the capabilities to execute the strategy and achieve the desired results.

Components and Principles

According to the exposure draft, the COSO ERM framework consists of five interrelated components. Exhibit 4-2 depicts these components and their relationship with the organization's mission, vision, and core values, and how they affect performance.

According to COSO, these five components contain a series of principles representing the fundamental concepts associated with each component. These principles are phrased to outline actions that organizations would take as part of their ERM practices. COSO considers these principles to be universal and part of any effective ERM initiative, but acknowledges that management must bring judgment to bear in applying them.

The COSO exposure draft describes these five risk components as follows:

EXHIBIT 4-2 ENTERPRISE RISK MANAGEMENT COMPONENTS

COSO ERM COMPONENTS

[...] the organization can gain insight into internal and external factors and their impact on risk. An organization sets its risk appetite in conjunction with strategy-setting. The business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

3. Risk in Execution: An organization identifies and assesses risks that may affect an entity's ability to achieve its strategy and business objectives. It prioritizes risks according to their severity and considering the entity's risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and business objectives.

4. Risk Information, Communication, and Reporting: Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant and quality information from both internal and external sources to support enterprise risk management. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture, and performance.

5. Monitoring Enterprise Risk Management Performance: By monitoring enterprise risk management performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes.

Source: Adapted from COSO's 2016 exposure draft for its ERM framework.

4-8 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

Risk Governance and Culture

At the time of publication, the exposure draft included 23 principles as shown in the numbered bullets. The additional explanations found in the sub-bullets are paraphrased from the respective chapters in the framework. [Note: Although the final framework was not available at the time of this publication, the authors believe some of these principles will be combined and modified slightly in the final framework. Readers are encouraged to visit www.coso.org for updates.]

1. Exercises board risk oversight. The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.

• The board has the primary responsibility for risk oversight, and in some countries even has fiduciary responsibility to stakeholders. However, while the board has overall risk oversight responsibility, management is responsible for day-to-day risk management.

• The board should have sufficient skills, experience, and business knowledge to carry out its risk oversight responsibility.

• The board should be sufficiently independent to objectively carry out its oversight responsibility.

• The board should understand the complexity of the organization to ensure the risk management approach is suitable relative to the strategy and business objectives.

• The board should ensure organizational bias or "groupthink" is minimized so that risk management decisions are effective.

2. Establishes governance and operating model. The organization establishes governance and operating structures in the pursuit of strategy and business objectives.

• The organization should establish an operating model and reporting lines that support its strategies and business objectives.

• ERM should be structured to ensure the right information is communicated to management in support of their decision-making.

• Authorities and responsibilities should be established to enable individuals to carry out their risk management responsibilities.

3. Defines desired organizational behaviors. The organization defines the desired behaviors that characterize the entity's core values and attitudes toward risk.

• The board and management shape a culture that reflects the core values and approach to ERM in the organization. They also define the desired behaviors of individuals, which should align with the organization's risk-taking philosophy. Such a philosophy can range from risk averse to risk neutral to risk aggressive. The culture and desired behaviors influence how the ERM framework is applied throughout the organization.

• Management helps to create a risk-aware culture by defining the characteristics needed to achieve the desired culture over time.

4. Demonstrates commitment to integrity and ethics. The organization demonstrates a commitment to integrity and ethical values.

Culture
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.

7. Considers risk and business context. The organization considers potential effects of business context on risk profile.

• An organization needs to understand its full business context, including the external environment, internal environment, and both external and internal stakeholder expectations.

• After understanding the business context, management can determine how that business context affects the organization's risk profile.

8. Defines risk appetite. The organization defines risk appetite in the context of creating, preserving, and realizing value.

• The exposure draft describes risk appetite as "the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value."