Michiel Jorna

Over the last few years the focus on ‘being in control’ has grown. Organizations are increasingly (often forced by regulations) building and implementing processes to underpin the company’s ‘In Control Statement’. The inevitable extra costs and efforts made are often seen as a burden distracting people from what they should focus on: doing business!

On the other hand, organizations are more aware than ever of the importance of managing risk. One reason is that (financial) disasters seem to occur regularly, reminding us of the perils of ‘not getting it right’. Creating value, or doing business, is impossible without taking risks. The question, however, is how much risk, how much uncertainty, is acceptable given the objective of creating value?

Enterprise Risk Management helps organizations deal with this. It enables the identification of events related to achieving a given objective, which leads either to the identification of risks or to the identification of opportunities. The burden of ‘control’ is thus offset by the benefits of new opportunities identified as part of the risk management process.

COSO II ERM Framework

The COSO II ERM Framework is widely accepted as a standard for implementing enterprise risk management.

A well-designed and operated enterprise risk management framework can provide the management of organizations with reasonable assurance that:

  • They understand the extent to which the entity’s strategic objectives are being achieved,
  • They understand the extent to which the entity’s operations objectives are being achieved,
  • The financial reporting is reliable, and
  • Applicable laws and regulations are being complied with.

The COSO II ERM Framework consists of 8 related elements (see figure 1). These elements are aligned with the way a company is managed and are inseparably linked to the management process.

Internal Environment

The internal environment describes the risk culture of an organization: how risk is viewed and addressed by the organization. It includes the risk management philosophy, risk appetite, integrity and ethical values, and the environment in which people operate.

Objective Setting

Without defined objectives it’s impossible to identify potential events affecting the achievement of objectives. Enterprise risk management ensures that a process is in place to set objectives (aligned with the entity’s mission and consistent with its risk appetite).

Event Identification

By identifying internal and external events that influence the realization of the objectives, it becomes possible to define opportunities and threats. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment

Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk Response

Several responses are possible for an identified risk. Risks can be avoided, accepted, reduced or shared.

Management selects the appropriate risk response and develops a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities

Procedures are established and implemented to help ensure the risk responses are effectively carried out. Examples include explicit control measures to mitigate the risk, management reviews, reporting, physical controls (assets, valuables, stock), controls based on performance indicators, and/or segregation of duties.

Of course, it is very important to keep in mind that the cost of the control activities should be proportionate to the potential loss from the risk being reduced or mitigated.

Information and Communication

Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring

The entirety of enterprise risk management is monitored, and modifications are made as necessary.

‘In Control’ or ‘In Business’?

Effective enterprise risk management definitely helps management to be in business, that is, to achieve objectives. But enterprise risk management, no matter how well designed and operated, does not ensure an organization’s success. The achievement of objectives is affected by limitations inherent in all management processes. Enterprise risk management does not turn an inherently poor manager into a good one!

The same goes for control. Controls can be circumvented by the collusion of two or more people, and management has the ability to override the enterprise risk management process, including risk responses and controls.

ERM is, however, the best guarantee management can get of finding the right balance between being ‘In Business’ and being ‘In Control’!

For more information on governance, risk, and compliance management topics, visit www.grc-lounge.com.