Is ERM just a more mature way to implement Internal Controls (part 2 of 2)?
Question asked by Web User
(part 2 of 2) I have worked with A-123 and Internal Controls for years, but now I am hearing a lot about ERM. Isn’t this just a more mature way to implement internal controls? After all, the GAO Green Book states that internal control is a process “…that provides reasonable assurance that the objectives of an entity will be achieved.” Is this the same as saying risk is well managed?
AFERM Experts Say...
Previously, I shared thoughts on the relationship between internal control and risk management. These two terms are not synonyms, and understanding their relationship is important to achieving any organization’s full set of objectives. However, how does Enterprise Risk Management (ERM) factor into this discussion? Is ERM simply a new term for discussing risk management, or is there more to the story?
COSO released their first Internal Control—Integrated Framework in 1992, which was revised in 2013. In 2004, COSO released their Enterprise Risk Management—Integrated Framework, and a 2016 update was recently published. However, there has never been a “Risk Management Framework” by COSO. Does this imply that ERM is simply a new name for what was previously known as risk management? While this might be a fair question looking only at the titles of their existing frameworks, a quick review of the COSO Enterprise Risk Management–Integrated Framework Executive Summary would show that there are aspects of ERM that go beyond traditional risk management.
Given an understanding that risk is the uncertainty of achieving an objective, risk management can be employed anytime we have established an objective. This might be completing a major project, or it might be as simple as getting to an appointment on time. The traditional approach to managing risk prior to ERM would be to look at each of the identified risks independently, and then seek to manage that risk without consideration of the other objectives and risks also being managed in the organization. In this traditional approach, the CIO manages information technology risks on his or her own, the CFO manages financial and reporting risks independent of others, program managers focus on their specific program risks, etc.
In contrast to this traditional approach to risk management, the current update to the COSO ERM Framework indicates that ERM seeks to:
• Establish risk governance and appropriate culture
• Align risk management with strategy and performance
• Develop a portfolio view of risk across the enterprise
• Flow risk information up, down and across the enterprise
This goal of fully integrating risk management across the enterprise in a manner that allows for the balancing of results sought, resources to be consumed, and risks to be accepted directly contributes to the ultimate goal of generating maximum value for the organization’s key stakeholders. This is the goal of ERM, something that clearly cannot be accomplished when risks are managed only within functional, programmatic, or organizational silos.
One important aspect of ERM is that it “…facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.” While giving a nod to integrated risks, the 2004 COSO ERM framework is relatively silent on this critical distinction between ERM and traditional risk management. However, the revised ERM framework clearly goes further in recognizing this important aspect of ERM by establishing one of the 23 principles as “Develops Portfolio View”. An integrated, portfolio view of risk across an organization is unique to ERM, and is a key differentiator between ERM and traditional risk management. This concept underlies the definition of ERM offered by OMB A-11, which defines ERM as “an effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos”.