Guide to Enterprise Risk Management


In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring the organization’s business opportunities and risks. The question is: How does an organization take practical steps to link opportunities and risks when managing the business? And further: What does this have to do with risk management?

In August 2004, the Treadway Commission’s Committee of Sponsoring Organizations (COSO) issued its Enterprise Risk Management – Integrated Framework after completing a developmental project spanning a three-year period. The framework, which includes an executive summary and application techniques, expands on the previously issued Internal Control – Integrated Framework to provide a more robust and extensive focus on enterprise risk management (ERM). As explained in the foreword to the framework: “While [the framework] is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.”

At Protiviti, we believe that ERM implementation should be integrated with strategy-setting. ERM redefines the value proposition of risk management by elevating its focus from the tactical to the strategic. ERM is about designing and implementing capabilities for managing the risks that matter. The greater the gaps between the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to facilitate the advancement of risk management capabilities over time. COSO’s new framework provides criteria against which companies can benchmark their risk management practices and processes. The framework provides a common language that fosters communication among executives, directors, auditors and advisors, and we encourage everyone with an interest in implementing ERM to read and understand it.

Many are asking questions about the value proposition of ERM and practical steps on how to implement it. While we do not have all the answers, we attempt to address in this publication some of the most commonly asked questions with respect to ERM. This publication is designed to answer your questions without making you wade through material with which you are already familiar. It often refers to the COSO framework, which readers can obtain at www.coso.org. It offers ideas, suggestions and insights to executives responsible for ERM implementation. It is intended for use as a reference tool rather than as a book to be read from cover to cover. It is supplemented by Issue 6 of Volume 2 of The Bulletin, “Enterprise Risk Management: Practical Implementation Advice,” which provides an overview for C-level executives and directors and is available at www.protiviti.com.

As companies gain more experience with implementing ERM, we expect to update this publication from time to time. If we do so, we will post information at www.protiviti.com. Protiviti periodically publishes ERM performer profiles on KnowledgeLeader℠ to provide ERM case examples and plans to publish a book including such profiles from time to time.

This publication is neither intended to be a legal analysis nor a detailed “cookbook” of steps to take in every situation. Accordingly, companies should seek out appropriate advisors for counsel on specific questions as they evaluate their unique circumstances.

