by Dennis Irwin
For the last few years, enterprise-wide risk management has been a buzz saw ripping through corporate America and the world. The opinions of corporate managers range from "Enterprise risk management is not required, therefore not needed" to "Oh my gosh! How am I going to do this on top of everything else I need to do?"
A whole new industry is growing in response to management's concern that there are unidentified risks to their organization.
Risk means different things to different people. For some it may be the monster in the closet or under the bed when they were a child. Others may identify risk with a parent's concern for their children. And for some, risk may be pictured as the bull chasing you as you run down the streets of Pamplona. However you view risk, it can be distilled down to a common essence: the anxiety of unknown future events and the negative consequences that may affect you (or your organization).
The COSO report that started it all
Business organizations have been forced to re-evaluate how they view and manage their internal control structure since the 1992 publication of the report Internal Control – Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (more affectionately known as COSO). The report highlighted the need to focus on controls that enhanced and improved efficiency and effectiveness of operations, accurate financial reporting, and adherence to rules and regulations. After the report was issued, business managers and boards spent the next 10 years developing programs, procedures, and systems to meet the expectations set forth in 1992.
In the fall of 2001, COSO began a study designed to help organizations manage risk. Early on in the study, they concluded there was a body of documentation on the subject, but a framework or codified structure was absent. During the period of the framework’s development, there was a series of high-profile business scandals and failures through which investors, company personnel, and other stakeholders suffered tremendous losses. In the aftermath, calls were made for enhanced corporate governance and risk management with new laws, regulations, and listing standards.
Among the outgrowths in the United States is the Sarbanes-Oxley Act of 2002, and similar legislation has been enacted or is being considered in other countries. This legislation extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. Internal Control – Integrated Framework continues to serve as the broadly accepted standard for satisfying those reporting requirements.
Follow-up report focuses on risk management
The need for an enterprise risk management framework became even more compelling in September of 2004, when COSO published Enterprise Risk Management – Integrated Framework.
This report expands on internal control by providing a more robust and extensive focus on the broader subject of enterprise risk management. It is not intended to replace the internal control framework, but rather incorporates the internal control framework within it. Even so, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.
Fulfilling the requirements of Section 404 of the Sarbanes-Oxley Act proved to be a complicated and expensive process for many public companies, yet these requirements cover only a portion of the total risk facing businesses. Strategic, operational, and compliance risk factors that lie outside the financial reporting and internal control areas of Section 404 contribute greatly to the total risk portfolio of an organization. Any of these broad business risks can also damage a company's reputation, result in significant liability, and lead to substantial loss of business value, which ultimately shows up in the company's financial statements.
Boards of directors have become increasingly aware of the need to address all associated enterprise risks. They are looking for ways to meet their responsibilities as directors, mitigate their own personal liability, and improve the business. They are struggling to find ways to inculcate or institutionalize a more coordinated and comprehensive process of managing risks: enterprise risk management (ERM).
Using the COSO framework as a starting point
Executive management and directors frequently do not have the tools or resources to get started. They may not understand the differences between internal control and ERM. Using the COSO framework is a practical way to take advantage of what is currently being done in organizations and move forward while managing costs from the beginning by leveraging the successes gained from internal control improvement programs of the past.
The starting point is to identify the organization's risk appetite and risk management strategy. Begin by reviewing the risk-related activities the organization has already put into place, then identify and prioritize the currently known risk gaps. This alone makes significant progress toward developing and operating an effective and efficient ERM program.
Next, review those identified risks and determine if those risks are or can be avoided, reduced, shared, or accepted. Is there a methodology to determine which risk response decision is used in any given situation? Who makes that decision and how often is that strategy reviewed?
Third, reduce surprises and losses. The development of a proactive process to continuously scan the organization’s (and industry’s) operating horizon for new and/or dormant risk threats is critical in effectively managing risk and the associated cost.
Fourth, use organizational synergies to manage multiple and cross-enterprise risks. In many organizations, risks are managed in haphazard and fragmented ways. Many companies do not take a holistic view that links risk management activities to their business strategies. Only some risks are identified and managed, with limited or no coordination. Some key risks are not on the radar screen at all. Tunnel vision restricts some activities to a controls-based or regulatory-compliance view, so that risk threats are scrutinized too narrowly. There may be minimal or no coordination to capture the value available from aggregating these compliance risk management activities within an effective risk management approach. The consequences of fragmented approaches can include unnecessary write-offs and poor financial performance.
Fifth, consider the full range of potential events and, when possible, turn potential risks into opportunities. Again, this can only be done if the organization has an attitude and culture of looking forward and acting proactively.
Sixth, use and improve current control activities, information and communication channels, and active management monitoring techniques to ensure that (a) strategic decisions are carried out, (b) successes and failures are communicated so adjustments to the process are made in a timely manner, and (c) management is proactive in managing operations.
Finally, go back to step one and start all over. ERM is a process that does not end. Do not fall into the trap of making ERM a project. As any good manager will tell you, it is cheaper to run a process than it is to fulfill a project. ERM, when done effectively, will reap benefits for the organization with every pitfall and surprise it avoids.
[Figure 1: COSO ERM Framework Cube. Source: Institute of Internal Auditors, September 2005, Applying COSO's Enterprise Risk Management – Integrated Framework.]
About the Author
Dennis Irwin is an Internal Audit Manager in Wipfli's Health Care Practice. He is a well-rounded finance and accounting professional with particular knowledge of internal audit and compliance issues. With over 14 years of experience, Dennis is able to identify enterprise-wide risk and control issues and develop and implement cost-effective strategies to mitigate risk and enhance controls. He can be reached at our Milwaukee office at 414.431.9303 or dirwin@wipfli.com.