Enterprise Risk Management Best Practices
eBook - ePub

Enterprise Risk Management Best Practices

From Assessment to Ongoing Compliance


About this book

High-level guidance for implementing enterprise risk management in any organization

A Practical Guide to Risk Management shows organizations how to implement an effective ERM solution, starting with senior management and risk and compliance professionals working together to categorize and assess risks throughout the enterprise. Detailed guidance is provided on the key risk categories, including financial, operational, reputational, and strategic areas, along with practical tips on how to handle risks that overlap across categories.

  • Provides high-level guidance on how to implement enterprise risk management across any organization
  • Includes discussion of the latest trends and best practices
  • Features the role of IT in ERM and the tools that are available in both assessment and on-going compliance
  • Discusses the key challenges that need to be overcome for a successful ERM initiative

Walking readers through the creation of ERM architecture and setting up on-going monitoring and assessment processes, this is an essential book for every CFO, controller and IT manager.

Enterprise Risk Management Best Practices by Anne M. Marchetti is available in PDF and/or ePUB format, in the Business & Insurance category.

Information

Publisher: Wiley
Year: 2011
Print ISBN: 9780470917404
eBook ISBN: 9781118149539
Edition: 1
Subtopic: Insurance
CHAPTER ONE
Overview of Enterprise Risk Management
ERM INTRODUCTION
Enterprise risk management (ERM) includes the methods and processes used by organizations to minimize surprises and seize opportunities related to the achievement of their objectives.
ERM is an approach to aligning strategy, process, and knowledge in order to curtail surprises and losses as well as to capitalize on business opportunities. Many individuals associate risk with negative outcomes. However, there is a potential value component to risk assessment and management. Risk management is about balancing risk and reward. A well-designed risk management program encourages and allows an organization to take intelligent risks. It involves assessing quantitative factors and information as well as considering management experience and judgment. An effective risk management program entails balancing people and processes. Ultimately, an entity’s risk profile is affected by the actions and decisions of its board of directors, management, and employees.
One cannot talk about risk management without discussing risk assessment. The vast majority of organizations conduct some type of informal risk assessment process. As a result, these organizations have some form of risk management plan. This plan, in most cases, is not documented.
Initial introduction of formal risk assessment and risk management within an organization is critical to the ultimate success of the initiative. An entity must consider its culture and develop an approach that is most likely to result in success. The organization should take care not to overcomplicate or overwhelm individuals with technical terminology. Initial discussions should focus on the importance and the benefits of risk management. Employees should be encouraged to think and talk about the business and what could go wrong that might result in failure to achieve entity objectives and, as a result, have a negative effect on performance and/or perception.
Good risk management is essentially choice management. It is a continuous work in progress. An entity must identify risks and subsequently determine how it will address each one. The organization must decide the degree of risk it is willing to assume and address other identified risks, likely through mitigation. It is important to consider both tangible consequences, such as loss of revenue or drop in stock price, as well as intangible possibilities, such as public perception. Perception often is a major consideration in assessing positive or negative consequences. Organizations often evaluate risks in a somewhat siloed process, considering the risk consequence to a single area of the business. Risks are inherently dynamic and interdependent. Consequences of unforeseen or unpredictable events typically affect multiple areas of a business. Therefore, aggregate entity consequences should be considered when conducting a risk assessment and designing a risk management program. Risks should not be separated into components and managed independently. Such an approach is rarely effective or successful. A holistic view of risk should be taken, including the contemplation of interdependencies.
Every organization is faced with uncertainty and risk. The challenge for management is to determine how much uncertainty to accept as it strives to improve stakeholder value.
Risk identification is a process designed to identify first both the strategic objectives and goals and then the potential internal and external events that can adversely affect the enterprise’s ability to achieve those objectives and goals.
Each entity should strive to build an integrated risk organization. This would include three components: (1) centralized risk management reporting to the chief executive officer and the board of directors, (2) an integrated risk management strategy that takes a holistic view of all types of risk within the organization, and (3) integration of risk management into business processes.
It is not easy to accomplish these stated objectives. The method and processes for execution may vary significantly based on the size, structure, and culture of the organization. Each company must determine the most practical method of implementation. However, this integrated approach will allow risk management to become an offensive weapon for management rather than the more common defensive reaction to incident occurrence.
Organizations should take a proactive approach to optimizing their risk profiles. Minimal investment in risk assessment and subsequent risk management program development and implementation can improve efficiency and reduce losses.
GUIDANCE: HISTORY AND RELATIONSHIP
Due to the heightened scrutiny and concentration on risk and risk management, there is a great deal of guidance available. Prior to exploring ERM design and implementation details, it is beneficial to examine various frameworks and standards. There will be extensive reference to these guidance documents in this book. The frameworks and standards discussed here are not the only sources of information available. The publications presented are commonly referenced and have been suggested for use by many industry-specific organizations. Some of the guidance, by nature of the issuer, is intended primarily for auditor use; some is directed to management. Certain publications provide broad advice regarding risk management; other documents specifically concentrate on risks and controls over financial reporting. However, examination of all of the recommendations, regardless of the source or intended audience, is valuable when undertaking a risk management initiative.
In 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission first issued a conceptual framework entitled Internal Control-Integrated Framework. COSO originally was charged with studying and reporting on factors that can lead to fraudulent financial reporting. The COSO Framework was intended for broad use by any organization, and it provides evaluation tools that can be utilized for comprehensive evaluation of control systems. This is evidenced in the general nature of the COSO definition of internal control:
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
Subsequently, with the passage of the Sarbanes-Oxley Act (SOX) in 2002, the Securities and Exchange Commission (SEC) suggested management use of the COSO Framework specifically for the design, build, and/or analysis of internal control over financial reporting. Details of the components of the COSO Framework and its use in the risk management and risk assessment process are presented in Chapters 5 and 6.
SOX established the Public Company Accounting Oversight Board (PCAOB), a private, nonprofit corporation whose mission is to oversee the auditors of public companies. To date, the PCAOB has issued five auditing standards (ASs); the most recent is AS No. 5, An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements. This standard directs auditors to adopt a top-down risk-based approach to internal control and compliance during the audit process. It points auditors toward initial review of entity-level controls and emphasizes the significance of strength at this level. In addition, the standard reinforces the importance of auditor focus on high-risk areas and situations and provides auditor guidance regarding the confirmation of risk mitigation in those identified areas.
In 2004, COSO published the ERM-Integrated Framework. It was issued to assist organizations to identify, assess, and manage risk effectively. The document establishes key risk management principles, concepts, language, and guidance with a goal of aiding an entity in formally establishing or improving its risk management. Details of the components of the Integrated Framework and its use in the risk management and risk assessment process are presented in Chapter 4.
The Auditing Standards Board has issued several Statements on Auditing Standards (SASs), commonly referred to as the Risk Assessment SASs (SAS 104–111), that outline auditor requirements, including documentation specifically associated with risk assessment. This guidance includes auditor requirements for understanding and documenting management’s risk assessment process as well as documentation of the auditor’s own risk assessment process as part of audit planning.
All of the standards and frameworks contain detailed guidance that is valuable to an entity when designing, building, and/or analyzing its internal control and risk management program. The remainder of the text refers to these documents extensively because of their definitions, concepts, and advice. Risk management involves risk assessment, which results in risk mitigation, which occurs through the existence or implementation of control activities. All of these are interrelated and defined as well as referenced in one or more of the documents mentioned.
ORGANIZATION VIEW
Figure 1.1 illustrates an organization view of risk management and its role and relationship to overall corporate governance and compliance. Each entity should seek to build its organizational structure to support a top-down approach that begins with consideration of overall corporate governance, progresses to risk management and assessment, and ultimately considers the achievement of all compliance requirements. SOX Section 404 compliance requirements created an inverted pyramid effect. Many organizations focus primarily on compliance and secondarily on risk management and governance. More recently, there has been emphasis from governing bodies, guidance, and standards regarding the appropriate top-down focus and process. Thus, entity attention has shifted in this direction.
FIGURE 1.1 Organization View of Risk Management
Executive management in tandem with the board of directors should develop and document a strategy that outlines what the organization expects to accomplish (its goals) as well as the objectives it must achieve in order to realize the desired results. When determining a strategy, the board of directors and senior management may ask: How are we going to create value for our stakeholders? The answers manifest themselves in a strategic plan and associated objectives. A clearly documented strategy and associated objectives are critical to the development of an effective ERM program. An outline in these areas allows the organization to focus on opportunities presented in the strategic plan as well as to minimize the potential impact of threats. From a practical perspective, this may be a single-page document that outlines organization goals in terms of areas such as the customer, financial expectations, and products/services. The strategic plan, at the highest level, will aid in the facilitation of all future discussions regarding risk and risk mitigation. The organization should consider the strategy from a financial and an operational perspective. The absence of a documented strategy and objectives, including related policies and job descriptions that outline overall expectations and define roles and responsibilities, significantly impairs an entity’s ability to design and implement an effective ERM program.
Once the entity has documented and can articulate its strategy and related objectives, it can then develop and implement an ERM program. Doing this includes performance of a risk assessment, which includes considering what could go wrong that might prohibit the entity from achieving its objectives. Therefore, it is extremely difficult, if not impossible, to execute this process effectively if the strategy and objectives are not defined initially.
Part of the risk assessment process should include consideration of entity compliance with all applicable laws and regulations.
Ultimately the entity will seek to mitigate identified risks through numerous forms of control activities.
ERM TODAY
Less than a decade ago, ERM was not a major focus for most organizations. Today, it is quickly ascending to the top of the agendas of senior executives and shareholders alike as corporate scandals and globalization challenge the status quo and regulators publish new or updated requirements.
ERM is a structured...

Table of contents

  1. Cover
  2. Endorsement
  3. Title Page
  4. Copyright
  5. Dedication
  6. Preface
  7. CHAPTER ONE: Overview of Enterprise Risk Management
  8. CHAPTER TWO: Corporate Governance and Roles and Responsibilities
  9. CHAPTER THREE: ERM Defined
  10. CHAPTER FOUR: The ERM Process: Step by Step
  11. CHAPTER FIVE: COSO Framework and Financial Controls
  12. CHAPTER SIX: Financial Controls and Risk Assessment
  13. CHAPTER SEVEN: Ongoing Compliance Overview
  14. CHAPTER EIGHT: Ongoing Compliance Challenges
  15. CHAPTER NINE: Addressing Compliance and Risk Management Challenges through Automation
  16. CHAPTER TEN: Ongoing Compliance and IFRS
  17. About the Author
  18. Index