The Tribune

Enterprise Risk Management (ERM) is a process, implemented by a company’s board of directors, management and other personnel, which is applied in strategy setting across the enterprise. It is designed to identify potential events that may affect the company, and manage risk such that it remains within its risk appetite, while providing reasonable assurance regarding the achievement of corporate objectives.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO), which defined the integrated framework for ERM, subsequently came up with an updated definition which focuses on the culture, capabilities and practices integrated with strategy setting and performance, and which companies rely on to manage risk in creating, preserving and realising value.

Enterprise risk management thus provides a framework (set of rules) for managing risks, which typically involves:

• Identifying particular events or circumstances relevant to your company’s objectives (risks and opportunities)

• Assessing them in terms of likelihood and magnitude of impact

• Determining a response strategy (accept, avoid, transfer, share)

• Monitoring progress (self-assessments, internal audits, etc.)

The updated COSO framework itself is a set of principles organised into five inter-related components:

1. Governance and Culture: Governance sets your company’s tone, reinforcing the importance of, and establishing, oversight responsibilities for enterprise risk management. Culture pertains to ethical values, desired behaviours and the understanding of risk in your entity (via the Board and management).

2. Strategy and Objective-Setting: Strategy and objective-setting work together in the strategic planning process. Your risk appetite is established and aligned with strategy and business objectives. Putting your strategy into practice serves as a basis for identifying, assessing and responding to risks.

3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritised by severity in the context of your risk appetite. The company then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders (management, Board, shareholders, regulators etc.).

4. Review and Revision: Via an evaluation or review of your company’s performance, management can consider how well the enterprise risk management components are functioning over time and, with any substantial changes, determine what revisions are needed via self-assessments, internal audits etc.

5. Information, communication, and reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the company via water coolers, meetings, e-mails and newsletters etc.

The five components in the updated COSO framework are supported by a set of principles. These principles cover everything from governance to monitoring. They are manageable in size, and describe practices that can be applied in different ways for different companies regardless of size, type or sector. Adhering to these principles can provide management and the Board with a reasonable expectation that your entity understands and strives to manage the risks associated with its strategy and business objectives.

NB: Anishka Collie has more than 19 years’ experience in external auditing, internal audit, corporate governance, enterprise risk management and internal controls. She focuses on clients in the financial services industry and has presented at numerous auditing and accounting seminars. Anishka is a licensed member of the Bahamas Institute of Chartered Accountants (BICA).