BEC - Enterprise Risk Management Frameworks Flashcards

1
Q

What Is Enterprise Risk Management (ERM)?

A

ERM is the culture, capabilities, and practices by which organizations manage risk to create, preserve, and realize value (performance).

  1. ERM must be integrated with strategy setting and linked to organizational performance.
  2. Risk is an uncertain event that will influence whether an organization achieves its strategic business goals. That is, risk is the likelihood that performance will be different from targeted.
     - Note that COSO defines risk (counterintuitively for most people) as a neutral (i.e., neither negative nor positive) event. Hence, to COSO, risks can be negative or positive. For example:
       - A negative risk is that the new accounting system that your company implemented fails to work and you cannot keep track of sales and inventory (e.g., the 1999 Hershey’s chocolate enterprise resource planning disaster).
       - A positive risk might be that your company’s servers fail because demand for your product is so high (which occurred repeatedly in the early days of eBay).
  3. Managing ERM includes focus on the following elements of an organization:
     a. Entity culture—An organization’s culture is the way that people in the organization think and behave.
        - Culture reinforces and amplifies the organization’s mission and strategy when the culture backs these written documents with supportive actions and behaviors.
        - Culture undermines these documents when it is hypocritical (i.e., when the mission and strategy say one thing but the organization’s culture and its leaders act inconsistently with these documents).
     b. Developing capabilities—Organizations must hire, foster, promote, and nurture skills and competence. One critical competence is the capacity to adapt to change, including changes in technology.
     c. Adaptation and integration of ERM practices—ERM is dynamic; it requires adaptation to special projects, new initiatives, and innovative technologies. ERM is also integrated into all divisions, business units, and functions in an organization.
  4. Integrating with strategy-setting and performance—ERM must be integrated with an organization’s strategy, mission, and performance goals.
  5. Managing risk to strategy and business objectives—Well-designed and implemented ERM provides an entity with a “reasonable expectation” (see definition in Section IV of this lesson) of achieving strategic goals.
     - Reasonable expectations of achieving goals are not guarantees of success. Unforeseen events will occur; risks cannot be predicted with certainty. However, the chances of success increase to the extent that an organization regularly reviews and revises its ERM practices in response to changing conditions.
  6. Linking to value through risk appetite—ERM occurs relative to an organization’s risk appetite (defined later in this lesson). The organization’s risk appetite is reflected in its mission, values, and strategy.
     - Differing strategies expose an entity to different risks. Risk appetite must evolve and adapt to changing conditions. For example, a successful company will likely accept more risk in an economic downturn than when economic conditions are favorable.
  7. Correcting Some Misconceptions of ERM
     a. ERM is not simply a listing of risks (this is called a “risk inventory”). ERM includes the practices, including creating an appropriate culture, to manage risks.
     b. ERM is not just for big corporations. ERM is essential for all organizations, regardless of size or mission.
     c. ERM is not the same as internal control. ERM includes a broader mandate than internal control, in that ERM considers risk appetite and strategy as central concerns.
     d. ERM cannot be an add-on activity that functions independent of the organization’s structure and processes. Instead, ERM must be integrated into and throughout the organization. Hence, ERM initiatives that are isolated (not integrated) are likely to be less effective at managing dynamic risks.
2
Q

Why Is ERM important? What is its organizational value?

A
  1. Expanding Opportunities—Considering risk enables management to identify new opportunities and the challenges of existing opportunities. For example, considering the risks and opportunities of blockchain technologies may enable management to identify new applications of those technologies (e.g., enabling an automated multifactor security recognition system).
  2. Identifying and Managing Entity-Wide Risk—Identifying and managing risk at an entity level enables considering the interactions of risks across the entity and their unique effects on segments or portions of the entity.
  3. Increasing Positive and Reducing Negative Outcomes—By better identifying and managing risks, ERM enables entities to achieve superior performance.
  4. Reducing Performance Variability—ERM enables assessing the risks of performance variability and acting to reduce undesirable variance.
  5. Better Deploying Assets (and Human Resources)— Every risk demands resources. Better risk assessments and responses enable superior resource allocations.
  6. Increasing Enterprise Resilience—Organizational survival depends on anticipating and responding to changing risks. Therefore, ERM improves survivability and organizational resilience.
3
Q

What Is the Board of Director’s Role in ERM?

A

The board of directors provides oversight of organizational ERM including reviewing, challenging, and concurring with management on:

  1. Proposed strategy and risk appetite (see the definition below).
  2. Aligning strategy and objectives with the entity’s mission and core values.
  3. Major business decisions including mergers, acquisitions, capital allocations, funding, and dividend-related decisions.
  4. Responding to significant fluctuations in entity performance or the entity’s portfolio risk assessment.
  5. Responding to deviations from core values including fraud.
  6. Approving management incentives and compensation.
  7. Engaging in managing investor and stakeholder relations.
  8. Creating and sustaining an organizational culture that enables responsible risk taking and risk management.
4
Q

ERM Terms - Core Values

A

The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.

5
Q

ERM Terms - Enterprise risk management

A

The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

6
Q

ERM Terms - Entity

A

Any form of for-profit, not-for-profit, or governmental body. An entity may be publicly listed, privately owned, owned through a cooperative structure, or any other legal structure.

7
Q

ERM Terms - Event

A

An occurrence or set of occurrences.

8
Q

ERM Terms - Mission

A

The entity’s core purpose, which establishes what it wants to accomplish and why it exists.

9
Q

ERM Terms - Organizational sustainability

A

The ability of an entity to withstand the impact of large-scale events.

10
Q

ERM Terms - Performance management

A

The measurement of efforts to achieve or exceed the strategy and business objectives.

11
Q

ERM Terms - Portfolio view

A

A composite view of risk the entity faces, which positions management and the board to consider the types, severity, and interdependencies of risks and how they may affect the entity’s performance relative to its strategy and business objectives.

12
Q

ERM Terms - Reasonable expectation

A

The amount of risk of achieving strategy and business objectives that is appropriate for an entity, recognizing that risk cannot be predicted precisely.

13
Q

ERM Terms - Risk

A

The possibility that events will occur and affect the achievement of strategy and business objectives. “Risks” (plural) refers to one or more potential events that may affect the achievement of objectives. “Risk” (singular) refers to all potential events collectively that may affect the achievement of objectives. Note that to COSO, a risk may be positive (an opportunity) or negative (a failure or setback).

14
Q

ERM Terms - Risk Appetite

A

The types and amount of risk that an organization is willing to accept in pursuit of value.

15
Q

ERM Terms - Risk Profile

A

A composite view of the risk assumed at a level of the entity or aspect of the business that positions management to consider the types, severity, and interdependencies of risks, and how they may affect performance relative to the strategy and business objectives.

16
Q

ERM Terms - Severity

A

A measurement of considerations such as the likelihood and impact of events or the time it takes to recover from events.

17
Q

ERM Terms - Strategy

A

The organization’s plan to achieve its mission and vision and apply its core values.

18
Q

ERM Terms - Uncertainty

A

The state of not knowing how or if potential events may occur.

19
Q

ERM Terms - Vision

A

The entity’s aspirations for its future state or what the organization aims to achieve over time.

20
Q

Mission, Vision, Values, and Strategy in ERM

A
  1. ERM begins with an entity’s mission, vision, values, and strategy. These are:
     - Mission—Why the entity exists (i.e., its core purpose). States what the entity wants to achieve.
     - Vision—The entity’s aspirations for its future; states what the organization wants to achieve and be known for and as.
     - Core values—The entity’s beliefs and ideals about morality (i.e., what is good or bad, acceptable or unacceptable); influences individuals’ and organizational behavior.
     - Strategy—The organization’s plan to achieve its mission and vision and apply its core values.
  2. Role of Risk in Strategy Selection—Three risks exist in strategy selection and implementation:
     - Risk #1—Misalignment. Does our strategy align with our mission, vision, and core values? An organization or its executives may engage in behaviors that are inconsistent with the organization’s values. For example, Enron’s Code of Ethics (easily findable online) included many lofty statements about Enron’s outstanding reputation for fairness and honesty. This is a slam-dunk example of a deceitful strategy (cheat shareholders and customers) misaligning with a lofty mission and values statement.
     - Risk #2—Implications. Do we understand the risk implications of our chosen strategy? Every strategy has its own risk profile. Identifying and quantifying these risks is a part of matching the strategy with the organization’s risk appetite. Identifying and quantifying risk, as a portfolio view of risk (discussed in the “ERM and Performance” lesson), is challenging but essential to understanding the risk profile of the strategy chosen.
     - Risk #3—Risks to Success. Will we be successful? Will we achieve the goals specified in our strategy? What are the influences on the viability of our strategy? (This is the least important of the three risks.) For example, what might threaten our sales goals for this quarter?
21
Q

ERM and Performance

A

ERM is designed to improve organizational performance.

  1. Risk and performance typically exist in a relationship such as is illustrated in the next figure.
     - The horizontal axis in this figure illustrates performance outcomes, measured in return on assets (ROA).
     - The vertical axis illustrates the risks associated with each performance outcome (with risk increasing from the bottom to the top of the figure).
     - Note that risk increases with higher levels of performance.
     - In this example, the organization has chosen a target performance of a 7% return on assets (ROA).
       - Choosing a higher target performance would require accepting more risk. Choosing a lower target performance would mean accepting less risk.
  2. Performance measures may include:
     - Financial measures, such as return on investments, revenue, or profitability.
     - Operating measures, such as hours of operation, production volumes, or capacity percentages.
     - Obligation (or contractual) measures, such as adherence to service-level agreements or regulatory compliance requirements.
     - Project measures, such as having a new product launch on schedule.
     - Growth measures, such as expanding market share in an emerging market.
     - Stakeholder measures, such as the delivery of education and basic employment skills to those needing upgrades when they are out of work.
22
Q

Emerging Issues and Opportunities in ERM

A
  1. Integrating Big Data into ERM—The growth and availability of big data will create emerging opportunities for continuous monitoring, advanced analytics, and data visualization. It will also create organizational risks related to data privacy, ethics, and information availability and transparency.
  2. Integrating Artificial Intelligence (AI) into ERM—The pairing of big data with AI will enable the discovery of hidden relationships in data, which will create faster, more accurate risk identification and responses.
  3. Managing ERM Costs—Managing risk is costly; as ERM practices evolve, seeking maximum benefits at lower costs is an important challenge and goal.
23
Q

COSO’s Risk Management Framework

A

The ERM framework includes five components and 20 principles. These are illustrated below and discussed in this and the next lesson, “ERM Governance and Culture.”
The five components of the ERM framework are:

  1. Governance and Culture—These are the cornerstones for the other ERM components. Governance is the allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. An organization’s culture is its core values, including how the organization understands and manages risk.
  2. Strategy and Objective-Setting—ERM must integrate with strategic planning and objective setting. For example, an organization’s risk appetite is partly a function of its strategy. Business objectives are the practical implementation of a chosen risk appetite and strategy.
  3. Performance—The “Introduction to COSO Enterprise Risk Management: Strategy and Risk” lesson gives examples of performance measures. Risk identification and assessment is concerned with developing an organization’s ability to achieve its strategy and business objectives, as measured by performance.
  4. Review and Revision—Periodic and continuous review and revision of ERM processes enables an organization to increase the value of its ERM function.
  5. Information, Communication, and Reporting—Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization’s risk, culture, and performance.

24
Q

ERM Assessment

A

Organizations must assure their stakeholders that they can manage risk by assessing the entity’s capacity to manage risk. Such assessments

  1. may be voluntary or may be required by law or regulation.
  2. should provide assurance that:
     - The five components and 20 principles articulated herein are present and functioning in the organization.
     - These components and principles are fully integrated, to ensure that decisions and actions respond appropriately to changing environments.
     - The controls needed to achieve the principles articulated herein are present and functioning.
25
Q

Business Context

A

The trends, events, relationships and other factors that may influence, clarify, or change an entity’s current and future strategy and business objectives.

26
Q

Culture

A

An entity’s core values, including its attitudes, behaviors, and understanding about risk.

27
Q

Governance

A

The allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. Some aspects of governance fall outside ERM (e.g., board member recruiting and evaluation; developing the entity’s mission, vision, and core values).

28
Q

Practices

A

The methods and approaches deployed within an entity relating to managing risk.

29
Q

Risk Ceiling

A

The maximum level of risk established by an entity.

30
Q

Risk Capacity

A

The maximum amount of risk that an entity can absorb in the pursuit of strategy and business objectives.

31
Q

Risk Floor

A

The minimum level of risk established by an entity.

32
Q

Risk Range

A

The acceptable level of risk (highest to lowest) established by the organization. Similar to tolerance, but tolerance is a measure of performance while risk range is a statement about (or measure of) risk.

33
Q

Target Risk

A

The desired level of risk set by an entity.

34
Q

Tolerance

A

The boundaries of acceptable variation in performance related to achieving business objectives. Like risk range but risk range is a statement (or measure) of risk while tolerance is a measure of performance.

35
Q

1 ERM Governance and Culture - Exercise Board Risk Oversight

A

The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

  1. Accountability and Responsibility
    - The board of directors has primary responsibility for risk oversight; management’s responsibility is the day-to-day management of risk.
    - The board must have the skills, experience, and business knowledge to exercise its risk oversight function. The expertise needed to exercise oversight may change with the business (e.g., increasing cyber risks may require IT expertise on a board).
  2. Independence—The board must be independent of management. Potential impediments to board member independence include:
    - A substantial financial interest in the entity
    - Employment in an “executive capacity” in the organization (i.e., in a management position) or
    - Acting in a capacity to advise the board (e.g., as a consultant).
    - A material business or contractual relationship with the entity (e.g., as a supplier, customer, or service provider)
    - Substantial donations to the entity
    - A business or personal relationship with key stakeholders
    - Membership on a board with a potential conflict of interest to this board
    - Holding a position on the board for an extended period
  3. Organizational Bias—The board must understand the potential for organizational biases (e.g., dominant personalities, disregarding information contrary to management’s wishes) and challenge management to overcome them.
36
Q

2 ERM Governance and Culture - Establish Operating Structures

A

The organization establishes operating structures that support the strategy and business objectives.

  1. Operating Structure and Reporting Lines—The operating structure maps how an entity fulfills its daily responsibilities and aligns with the organization’s legal and management structure. Influences on an entity’s operating structure include:
    - Strategy and business objectives and related risks
    - Nature, size, and geographical distribution of the business
    - Assignment of authority, accountability, and responsibility across all levels
    - Reporting lines (direct versus secondary) and communication channels
    - External reporting requirements (e.g., financial, tax, regulatory)
  2. ERM Structures—Many organizations have risk committees appointed by the board. Complex organizations may have multiple risk committees. All committees that are responsible for managing enterprise risk should include statements of committee authority, committee membership, expected frequency of meetings, committee responsibilities, and operating principles.
  3. Authority and Responsibility—In entities with one board of directors, management designs and implements practices to achieve strategy and objectives. In entities with dual-board structures, a supervisory board focuses on long-term strategy and oversight while the management (or executive) board oversees daily operations.
     - Risk management is improved when:
       - Management delegates responsibility only as required to achieve objectives.
       - Management identifies transactions that require review and approval.
       - Management identifies and assesses new and emerging risks.
37
Q

3 ERM Governance and Culture - Define Desired Culture

A

The board of directors and management define (and exhibit) the desired behaviors that characterize the entity’s desired culture.

  1. Culture and Desired Behavior
     - Internal and external factors influence organizational culture:
       - Internal influences include:
         - Management judgment
         - The level of autonomy provided to employees, employee and management interactions (e.g., formal vs. informal)
         - Physical layout of the workplace (e.g., decentralized, centralized, or virtual)
         - System of rewards, recognition, accountability, and compensation
       - External influences include regulatory requirements and customer and investor expectations.
     - In relation to risk, organizational culture exists on a continuum of risk averse, risk neutral, and risk seeking (aggression). A risk-aware culture may permit both approaches, if both are within the organization’s risk tolerance and appetite.
       - Organizational units may choose to be more risk seeking or risk averse within the context of the entity’s overall risk appetite.
       - For example, an aggressive sales unit may focus on sales without careful attention to regulatory compliance. In contrast, the risks of cloud storage may cause an organization to proceed with care and caution before contracting with a cloud service provider.
  2. Judgment
     - Good judgment involves making thoughtful, rational decisions from available information. Judgment is required when little or contradicting information exists about alternatives or in periods of disruption to strategy, objective, performance, or risk profiles.
     - Management judgment is susceptible to bias when over- or under-confidence exists in the organization’s capabilities. Management teams with extensive experience, demonstrated capabilities, and a well-defined risk appetite are likely to evidence better judgment than those with less experience, fewer capabilities, and a poorly identified risk appetite.

  3. The organizational culture influences risk identification, assessment, and response. For example:
     - Culture and strategy—A risk-averse organization (and culture) may decline to pursue a strategy of fracking, mining, and drilling on untapped, suburban land where the risks of environmental or health harm are high.
     - Culture and risk assessment—Organizations may view the same event as either a negative or positive risk. For example, a risk-averse traditional retail organization (e.g., Sears) may view online sales as a threat to its brick-and-mortar business. In contrast, a risk-aggressive traditional retail company (e.g., Walmart) may see online sales as an opportunity to increase sales and market share.
     - Culture and resource allocations—A risk-averse entity may allocate more resources to increase its confidence in achieving specific objectives. In contrast, a risk-seeking entity may expend fewer resources in pursuit of specific objectives. For example, a risk-averse entity might purchase insurance to help achieve a business objective (e.g., reduced likelihood of losses due to cyber breaches), whereas a risk-seeking entity may choose to self-insure for these potential losses.
     - Culture and risk responses—A risk-averse entity may respond more quickly to variations in performance compared with a risk-aggressive entity. For example, a risk-averse airline may adjust flight schedules quickly in response to changing weather conditions. In contrast, a more risk-aggressive bus company may maintain existing operations and schedules longer in response to adverse weather.
  4. Aligning Core Values, Decision Making, and Behaviors—A failure to adhere to core values generally occurs for one of these seven reasons:
     - An inappropriate tone at the top exists (e.g., management claims strong ethics but doesn’t exhibit ethical behaviors).
     - The board fails to provide oversight of management.
     - Middle and functional managers are misaligned with the entity’s mission and core values.
     - Risk is not integrated into strategy setting and planning.
     - Unclear and untimely responses to risk and performance outcomes occur.
     - Excessive, inappropriate risk taking is not investigated or addressed.
     - Management or employees deliberately act inconsistently with core values.
38
Q

4 ERM Governance and Culture - Demonstrate Commitment to Core Values

A

The organization demonstrates a commitment to its core values.

  1. Reflecting Core Values throughout the Organization
    - The communication of values within an organization is referred to as “tone.” A consistent tone establishes a common understanding of core values and desired behaviors. Aligning the tone and culture of an organization (e.g., “safety first”) enables stakeholders to feel confident that the organization will act in a manner consistent with its core values.
  2. Embracing a Risk-Aware Culture—A risk-aware culture includes:
    - Strong leadership endorsement of risk awareness and appropriate tone.
    - A participative management style that encourages employees to discuss risks to the strategy and objectives. This includes open and honest discussions about risk.
    - Aligning risk awareness with behaviors and performance evaluation, including salary and incentive programs that align with the organization’s core values.
    - Encouraging risk awareness across the entity, including awareness that risk awareness is critical to success and survival.
  3. Enforcing Accountability for Actions—This includes documenting and adhering to policies for accountability. Accountability is in evidence when:
    - Management and the board of directors clearly communicate expectations of accountability.
    - Management communicates risk information throughout the organization.
    - Employees commit to business objectives, including individual targets and performance within the entity’s objectives.
    - Management responds to deviations from standards and behaviors as appropriate (including terminations and corrective actions, as needed).
  4. Keeping Communication Open and Free from Retribution— In the risk-aware organization, managing risk is a part of all employees’ responsibilities. Open communication and risk transparency enables management and employees to work together to manage risks.
  5. Responding to Deviations in Core Values and Behaviors— Deviations from standards must be addressed in a timely and consistent manner. Responses to deviations depend on the magnitude of the deviation (e.g., were laws broken?) and may range from termination (or even prosecution) to a formal warning. Consistency of responses enhances the entity’s risk-aware culture.
39
Q

5 ERM Governance and Culture - Attract, Develop, and Retain Capable Individuals

A

The organization is committed to building human capital that aligns with its strategy and business objectives.

  1. Establishing and Evaluating Competence—Management, with board oversight, defines the human capital needed to achieve its strategy and business objectives.
  2. Attracting, Developing, and Retaining Individuals—Management establishes structures and processes to attract, train, mentor (guide and develop), evaluate, and retain (through incentives, training, and credentialing) competent individuals.
  3. Rewarding Performance—Incentives and rewards should be established by management and the board, consistent with the entity’s short- and long-term objectives. Designing incentive systems requires consideration of related risks (e.g., of ethical violations) and responses. Nonmonetary rewards (e.g., responsibility, visibility, recognition) may be important components of performance rewards. Management consistently applies performance measures and regularly reviews the entity’s measurement and reward system.
  4. Addressing Pressure—Many sources of pressure exist in organizations, including performance targets, regular cycles of specific tasks (e.g., negotiating labor or sales contracts), unexpected business changes, and economic downturns. Organizations may seek to positively influence pressure by rebalancing workloads, increasing resource levels, or reiterating the importance of ethical behavior. Excessive pressure (which can fuel unethical behavior) often results from unrealistic performance targets (particularly for short-term results), conflicting business objectives of differing stakeholders, and an imbalance between short-term financial rewards and longer-term objectives (e.g., environmental sustainability).
40
Q

6 ERM Strategy and objective setting - Analyze the Business Context

A

The “business context” consists of the trends, events, relationships, and other factors that may influence, clarify, or change an entity’s strategy and business objectives. The risk-aware organization considers the potential effects of the business context on its risk profile. For example, the business context may be dynamic or static, complex or simple, and predictable or unpredictable.

  1. The external environment and stakeholders influence the business context. For example, a regulatory agency may grant or deny an entity a license to operate or may force an entity to shut down. An investor may withdraw capital if she disagrees with an entity’s strategy or performance. The external environment can be categorized by the (quite weird) acronym: PESTLE (political, economic, social, technological, legal, environmental), as is illustrated in the next figure.
  2. The internal environment consists of influences on strategy and business objectives from within. The next figure illustrates the categories of internal influences: capital, people, process, technology.
  3. How Business Context Influences Risk Profile. The business context may influence an entity’s risk profile at three stages: past, present, and future performance.
     - Past performance informs an organization’s expected risk profile.
     - Current performance provides evidence of trends and influences on the risk profile.
     - Future expected performance helps an entity shape and create its risk profile.
41
Q

7 ERM Strategy and objective setting - Define Risk Appetite

A

The organization defines risk appetite in the context of creating, preserving, and realizing value.

  1. Applying Risk Appetite
    - Many organizations develop strategy and risk appetite simultaneously and allow them to co-evolve.
    - Some organizations quantify risk appetite (i.e., state it in numbers); others state risk appetite in words.
    - Organizations will generally set risk capacity higher than risk appetite except in unusual, high-risk cases (e.g., under threat of bankruptcy).
  2. Management and the board must make an informed choice of an appropriate risk appetite.
    - Multiple acceptable approaches exist to determining and expressing risk appetite. (See the next example for examples of risk appetite expressions.)
      - For some entities, “low” or “high” appetite may be sufficient. Other entities will prefer a more detailed or quantitative approach: for example, by expressing risk appetite in financial results or a beta measure (i.e., a measure of the volatility of a stock compared to the stock market) of its stock.
    - Risk appetite may include considering an entity’s:
      - Risk profile (i.e., a composite assessment of risks, including consideration of risk types, severity, and interdependence).
      - Risk capability (i.e., the maximum amount of risk that an entity can absorb in pursuing its strategy and business objectives).
      - ERM capability and maturity. Organizations with more mature and capable ERM initiatives are likely to have greater insight into risk appetite and influences on risk capacity than are entities with less mature and less capable ERM functions.
  3. Articulating Risk Appetite
    Risk appetite may be articulated relative to strategy and business objectives, business objective categories, or performance targets. The next example illustrates a university’s articulation of its risk appetite.
  4. Using Risk Appetite
    - Risk appetite guides an organization’s resource allocations, including to operating units. In making such allocations, management may, for example, allocate more resources to business objectives with a lower risk appetite and fewer resources to business objectives with a higher risk appetite.
    - Risk appetite must align and articulate with related concepts such as risk tolerance (i.e., the acceptable boundaries of performance) and risk indicators or triggers (which tie risk measures to actions). The next figure illustrates these relationships.
42
Q

8 ERM Strategy and objective setting - Evaluate Alternative Strategies

A

The organization evaluates alternative strategies and their potential impact on the risk profile.

  1. The strategy must align with the mission, vision, and core values and with the organization’s risk appetite
  2. The organization must understand the implications of the chosen strategy related to the business context, resources, and organizational capabilities. The organization must also understand the assumptions underlying the strategy.
  3. Popular approaches to evaluating strategy include a SWOT analysis (strengths, weaknesses, opportunities, threats).
    The example in the next figure illustrates one organization’s approach to evaluating alternative strategies.
    - The strategy must be periodically reevaluated and assessed. A change in strategy must be implemented if the organization determines that the current business context will lead it to exceed its risk capacity or will require more resources than are available.
43
Q

9 ERM Strategy and objective setting - Formulate Business Objectives

A

The organization considers risk while establishing the business objectives at various levels that align and support strategy.

  1. The first COSO ERM lesson gave categories of business objectives.
  2. Business objectives must align with the strategy.
  3. Management must fully understand the implications of a chosen business strategy.
    - A chosen strategy must have a reasonable expectation of achievement within the organization’s risk appetite and available resources. The next example illustrates organizational consideration of the implications of a chosen business strategy.
    - Setting performance measures and targets. Organizations set performance targets to monitor performance and support the achievement of business objectives. The example in the next figure illustrates business objectives and related performance measures and targets.
    - Understanding and using Tolerance. Tolerance is the acceptable range of variation in performance. To illustrate tolerance, the next figure adds a range of acceptable variation around the desired target risk to the analysis of risk shown previously. In the figure, the maximum acceptable risk (i.e., the risk ceiling) is found at point A, where the level of risk appetite intersects with the upper limit of tolerance.
      - While risk appetite is broad, tolerance is tactical (operational) and focused. Specifically, tolerance should be measurable and measured. In contrast, risk appetite may be stated in numbers (quantitatively) or in words (qualitatively, e.g., “low” or “high”).
      - Variations in performance can exceed or trail targeted performance. Exceeding variation is called positive while trailing variation is called negative.
      - Tolerance may be set at different distances from target performance, as is illustrated in the next example. That is, tolerance limits need not be symmetrical. Specifically, in the example, the target number of incidents is five, the ceiling number of incidents is seven (two away from the target) while the floor number of incidents is zero (five away from the target).
      - The example in the next figure illustrates tolerance statements. Notice that the “Minimize missed calls” example that is discussed in the figure illustrates asymmetric tolerance.
44
Q

ERM Framework principles

A
  - ERM Governance and Culture
    1. Exercise Board Risk Oversight
    2. Establish Operating Structures
    3. Define Desired Culture
    4. Demonstrate Commitment to Core Values
    5. Attract, Develop, and Retain Capable Individuals
  - ERM Strategy and Objective Setting
    6. Analyze the Business Context
    7. Define Risk Appetite
    8. Evaluate Alternative Strategies
    9. Formulate Business Objectives
  - ERM and Performance
    10. Identify Risk
    11. Assess Severity of Risk
    12. Prioritize Risks
    13. Implement Risk Responses
    14. Develop Portfolio View
  - ERM Monitoring, Reviewing, and Revision
    15. Assess Substantial Change
    16. Review Risk and Performance
    17. Pursue ERM Improvement
45
Q

Assumption

A

An assertion (belief) about a characteristic of the future that underlies an organization’s ERM plan. For example, a business might assume that the demand for routers will not change substantially.

46
Q

Bot

A

A software application that runs automated (usually simple) tasks (scripts) on the internet. For example, bots that search a website (e.g., eBay, airlines) for bargains. Also called an internet bot or web robot.

47
Q

Key Performance Indicators (KPIs)

A

High-level measures of historical performance of an entity and/or its major units.

48
Q

Stress Testing

A

A method (that is common and often required by regulators for banks) for testing a risk portfolio (e.g., of loans in a bank) using simulation. In a stress test, the assumptions about risk are manipulated to assess how different “stressors” (i.e., risks) will affect a risk portfolio.

49
Q

Performance Measures

A

Measurable targets that are compared with outcomes. For example, a goal of no more than seven lost-time incidents at a factory is a performance measure.

50
Q

10 ERM and Performance - Identify Risk

A

The organization identifies risk that impacts the performance of strategy and business objectives. More specifically, the entity uses operating structures to identify new and emerging risks to enable timely responses. Such risks may arise from:

  1. A change in business objectives (e.g., the entity adopts a new strategy).
  2. A change in business context. For example, a change in:
    - Customer preferences for digital or environmentally friendly products.
    - Regulation that results in new requirements for the entity.
    - Discoveries. For example, the discovery of detrimental environmental effects from fracking (i.e., the process of injecting liquid at high pressure into subterranean rocks to obtain oil or gas).
  3. Cascading effects from previous changes. For example, a significant increase in sales results in inadequate production quantity and capacity.

Disruptive (substantial) effects may also occur from events or circumstances. Examples of potentially disruptive effects include:

  - Emerging technologies (e.g., the digitalization and globalization of data and information).
  - Expanding role and use of big data and data analytics, which may improve the ability of both the entity and its competitors to identify risks and their implications.
  - Depleting natural resources, which may influence the supply, demand, and location of products and services.
  - Rise of virtual entities, such as bots (see definition at the end of this lesson) and AI (artificial intelligence)–driven intelligent systems, which can influence the supply, demand, and distribution channels of markets.
  - Mobile workforces (e.g., the widespread availability of online, temporary labor, such as Upwork).
  - Labor shortages (i.e., the difficulty of finding and retaining appropriate skills and talent).
  - Shifts in lifestyle, healthcare, and demographics (i.e., the aging of some countries, such as Japan and Germany, and the growth of young consumers in other countries, such as in Central Africa).

Risk Inventory—A risk inventory is a listing of an entity’s known risks. Risk inventories are more useful when risks are categorized—for example, by financial, customer, compliance, or IT risks.

The next figure illustrates that risks may have differing levels of impact. For example, risk 1 potentially impacts the strategy, risk 2 potentially impacts two business objectives, risk 3 potentially impacts two entity-level objectives, and risk 4 potentially impacts one entity-level objective.

Approaches and Methods of Identifying Risk

  1. Multiple, acceptable approaches exist to identifying risks. Risk identification may be integrated into:
    - Ongoing processes, such as budgeting, planning, and performance reviews, and
    - Activities targeted at risk identification, such as questionnaires, workshops, and interviews.
  2. Many approaches to risk identification are technology-based (e.g., data analytics and AI). Larger and more complex organizations are likely to use multiple risk identification methods.
  3. Risk identification methods may include:
    - Cognitive computing—AI methods of data mining and analysis.
    - Data tracking of past events to help predict future occurrences. Data sources may include third-party databases that provide industry or region data about potential risks.
    - Interviews that probe individuals’ knowledge of past and potential events. For large groups, questionnaires or surveys may be used.
    - Key risk indicators (KRIs) are qualitative or quantitative measures that help identify risk changes. Risk indicators should not be confused with performance measures, which are typically retrospective.
    - Process analysis involves diagramming a work process to better understand the interrelationships of its inputs, tasks, outputs, and responsibilities. Once mapped, risks can be identified and considered in relation to business objectives.
    - Workshops bring together individuals from divergent functions and levels to draw on the group’s collective knowledge and develop a list of risks.
  4. Assumptions (defined at the end of this lesson) underlie risk assessments. When entities make assumptions explicit, risk assessments improve. In one case, management set objectives based on an assumption that the exchange rate for a local currency (where a product was manufactured) would remain unchanged. However, when the exchange rate increased by more than 10%, a new risk (to meeting profitability targets) emerged.
  5. Crafting precise, well-formed versus vague risk statements. Precise risk statements are preferred to vague risk statements. The example in the following figure illustrates precise and imprecise risk statements.
  6. Prospect theory and the “framing” of risks. Prospect theory argues that, in most settings, losses are more consequential than gains and that how a risk is “framed” (i.e., presented) influences how people respond to it. For example, when a risk is framed as a gain (i.e., getting a sure thing versus a likelihood of getting something), most people prefer the sure thing (i.e., a risk-averse choice). In contrast, when a risk is framed as a loss (i.e., losing something versus a likelihood of losing something), most people prefer the risky alternative (i.e., a risk-seeking choice). Prospect theory matters to ERM since the way that a risk is presented (as a gain or a loss) can influence people’s response to it.

51
Q

11 ERM and Performance - Assess Severity of Risk

A

The severity of risks should be assessed at multiple levels. Risks at higher levels (i.e., that influence strategy and entity-wide objectives) are more likely to influence the entity’s overall reputation and brand than risks that occur at lower levels (e.g., to a business unit’s objectives).

  1. The next figure illustrates four scenarios that relate to addressing differing levels of risk severity.
    - In scenario 1, risk 1 could impact the overall business objectives and entity objective 1. For example, a safety failure in a manufacturing process can, if sufficiently severe, impact the entity’s business objectives.
    - In scenario 2, risk 2 could impact entity-level business objectives but not the overall business objectives. For example, a backlog of transactions waiting to be processed may pose a risk to the operating unit business objectives but not overall business objectives. However, if the backlog grows, overall objectives could be imperiled.
    - In scenario 3, two risks have moderately severe assessments, but together they impact business objectives and the entity more significantly and therefore are assessed as more severe. For example, an inability to recruit competent support employees (risk 1) (e.g., in a legal department) represents a low risk to each operating unit but may be exacerbated (worsened) in an economic downturn (risk 2). Hence, the two risks together pose a more severe impact than either risk does alone.
    - In scenario 4, some risks impact the entire entity. For example, the risk of a hostile takeover bid by competitors impacts the strategy of the entity but may not impact business-level objectives individually.
  2. Selecting Severity Measures—Severity measures should align with the size, complexity, and nature of the entity and its risk appetite. Severity measures may include:
    - Impact—The result or effect of a risk, which may be stated as a possible range of impacts and may be positive or negative.
    - Likelihood—The possibility of a risk occurring expressed as a probability (in words or numbers) or as a frequency. For example:
      - In words (qualitative)—“The possibility of a major fire in a manufacturing plant (with associated impacts on production and sales) within the next 12 months is remote.”
      - In numbers (quantitative)—“The possibility of a major fire in a manufacturing plant (with associated impacts on production and sales) within the next 12 months is 5%.”
      - Frequency—“A major fire in a manufacturing plant (with associated impacts on production and sales) is likely to occur once every 25 years.”
  3. Risk severity should be assessed on the same time horizon as strategy and business objectives. Risks related to the mission, vision, and core values should be assessed on a longer time horizon.
  4. Risk assessment may use qualitative (words) approaches (e.g., interviews, workshops, benchmarking) or quantitative (numbers) approaches (e.g., modeling, decision trees, Monte Carlo simulations). The example in the following figure illustrates the alignment of business objectives and risk with measures of risk severity.
  5. Risk assessment should consider:
    - Inherent risk (i.e., the risk in the absence of efforts to address it);
    - Target residual risk (i.e., the desired amount of risk after actions to address it); and
    - Actual residual risk (i.e., the realized risk after taking actions to address it).
    Actual residual risk should be less than or equal to target residual risk. When actual residual risk exceeds target risk, additional actions must be taken to reduce risk.
  6. Displaying risk assessment results—Assessment results are often displayed on a heat map (the next figure), which plots risk likelihood against risk impact. The heat map is color coded to indicate risk severity. Management may use the risk profile to confirm that performance is within tolerance and that risk is within appetite.
  7. A risk-aware organization identifies triggers that will prompt a reassessment of risk severity. Triggers are often changes in the business context but may also include changes in risk appetite. Examples of potential triggers include an increase in customer complaints, a downturn in a critical economic index, a sales decrease, or a spike in employee turnover or accidents. Triggers may also come from a competitor—such as the recall of a competitor’s product or the competitor releasing a new competing product.
  8. Bias (e.g., through framing) may result in a risk being over- or underestimated. The careful presentation of risks (remember prospect theory) may reduce potential biases.

52
Q

12 ERM and Performance - Prioritize Risks

A

The organization prioritizes risks as a basis for selecting risk responses. Prioritization assesses risk severity compared to risk appetite.

  1. Greater priority (importance) may be given to risks that are likely to approach or exceed risk appetite.
  2. The criteria for prioritizing risks may include:
    - Adaptability—The capacity of an entity to adapt and respond to risks (e.g., responding to changing demographics, such as the age of the population and the impact on business objectives relating to product innovation).
    - Complexity—The scope and nature of a risk to the entity's success. The interdependency of risks will typically increase with complexity (e.g., risks of product obsolescence and low sales to a company's objective of being market leader in technology and customer satisfaction).
    - Velocity—The speed with which a risk impacts an entity. A high-velocity risk may move the entity quickly away from the acceptable variation in performance (e.g., the risk of disruptions due to strikes by port and customs officers affecting objectives of efficient supply chain management).
    - Persistence—How long a risk impacts an entity (e.g., the persistence of adverse media coverage and impact on sales objectives following the identification of potential brake failures and subsequent global car recalls) influences its priority.
    - Recovery—The capacity of an entity to return to tolerance (e.g., continuing to function after a severe flood or other natural disaster). Recovery excludes the time taken to return to tolerance, which is considered part of persistence, not recovery.
  3. Risks with similar severity may receive differing priorities. For example, two risks may be assessed as “medium” severity, but one may receive higher priority because it has greater velocity and persistence. The next example illustrates this point.
  4. Risk appetite also influences prioritization, as illustrated in the next example.
  5. Risk prioritization should occur at all levels of an organization; different risk priorities may be assigned at different levels. For example, high-priority risks at the operating level may be low-level risks at the entity level.
53
Q

13 ERM and Performance - Implement Risk Responses

A

The organization identifies and selects risk responses.

  1. Acceptable risk response categories include:
    - Accept—No action is taken to change the severity of the risk. Appropriate when the risk is already within risk appetite. Risk that is outside the entity’s risk appetite and that management seeks to accept will generally require approval from the board or other oversight bodies.
    - Avoid—Act to remove the risk, which may mean ceasing a product line, declining to expand to a new geographical market, or selling a division. Choosing avoidance suggests that the organization was unable to identify a response that would reduce the risk to an acceptable level of severity.
    - Pursue—Accept increased risk to achieve improved performance. This may include adopting more aggressive growth strategies, expanding operations, or developing new products and services. When choosing to pursue risk, management understands the nature and extent of any changes required to achieve desired performance while not exceeding the boundaries of acceptable tolerance.
    - Reduce—Act to reduce the severity of the risk. This includes many possible business decisions that reduce risk to an amount of severity aligned with the target residual risk profile and risk appetite.
    - Share—Reduce the severity of the risk by transferring or sharing a portion of it. Common techniques include outsourcing to specialist service providers, purchasing insurance products, and engaging in hedging transactions. As with the “reduce” response, sharing risk lowers residual risk.
  2. In some situations, an entity may need to revisit its business objectives and strategy to reformulate them as a part of responding to a severe risk (e.g., the threat of bankruptcy).
  3. Influences on management’s decision to select and deploy risk responses include the business context, costs and benefits, obligations and expectations, risk priority, risk appetite, and risk severity.
  4. It is often easier to measure the costs of risk responses than their benefits (since costs are more tangible and measurable than are expected losses).
    The next example illustrates a risk response.

54
Q

14 ERM and Performance - Develop Portfolio View

A

The organization develops and evaluates a portfolio view of risk.

  1. Using the portfolio view of risk enables an organization to identify risks that are severe at the entity level. This enables management to assess whether the entity’s residual risk profile aligns with its risk appetite.
  2. Developing a Portfolio View—Multiple acceptable methods exist for creating a portfolio view of risk. One approach is to begin with major risk categories with metrics such as capital at risk (i.e., a loss to investors’ principal investment). The next figure illustrates a portfolio view of risk. It begins with a strategy view and proceeds to entity objective, business objective, risk, and risk categories views.
  3. A portfolio view of risk may represent differing levels of integration. COSO identifies four levels of risk integration, which are presented below from least to most integrated.
    - Minimal integration—the risk view. The entity identifies and assesses risk at the event level. The focus is on events, not objectives. An example of minimal integration is focusing on the risk of a breach of an IT system in relation to the risk of complying with local regulations.
    - Limited integration—risk category view. The entity identifies and assesses risk at the risk inventory (i.e., category) level. For example, the creation of a compliance department will aid the entity in managing the risk of complying with local regulations.
    - Partial integration—risk profile view. The entity identifies and assesses risk at the business objective level and considers dependencies among objectives. For example, the entity considers all business objectives that have compliance-related risks.
    - Full integration—portfolio view. The entity identifies and assesses risk at the strategy and business objectives level. Greater integration improves support for risk-related decision making. Compared to the previous examples, the board and management focus more on the achievement of strategy. For example, the board reviews and challenges management to articulate its strategy related to achieving operational excellence, including the management of compliance-related objectives and related risks.
  4. Analyzing the Portfolio View
    - The portfolio view of risk requires both quantitative (numeric) and qualitative (in words) risk assessment methods.
    - Management should “stress test” the risk portfolio to assess the effect of hypothetical changes in the business context (e.g., “what if sales drop by 10%?”). Such analysis is likely to reveal new and emerging risks and to clarify the adequacy of planned risk responses.

55
Q

15 ERM Monitoring, Reviewing, and Revision - Assess Substantial Change

A

The organization identifies and assesses changes that may substantially affect strategy and business objectives.

  1. Substantial changes bring new or altered risks, which must be identified and integrated into the organization’s risk portfolio. Hence, organizations must continually monitor for new or altered risks.
  2. Identifying substantial changes, evaluating their effects, and responding to the changes are iterative processes. Post-event reviews, following substantial changes, can help determine the lessons that can be applied to future events.
  3. Examples of substantial changes include:
    - In the internal environment:
      - Rapid growth—When operations expand quickly, existing structures, business activities, information systems, or resources may be inadequate to address expanding roles and responsibilities. Risk oversight roles and responsibilities may need to be redefined accordingly. For instance, supervisors may fail to adequately supervise added manufacturing shifts or an increase in employees.
      - Innovation—Major innovations introduce new risks. For example, introducing consumer sales through mobile devices may require new system access controls.
      - Major changes in leadership or personnel—A new management team member may misunderstand the entity’s culture or may focus on performance to the exclusion of risk appetite or tolerance.
    - In the external environment, a changing regulatory or economic environment can increase competitive pressures or change operating requirements. Such changes can introduce new or altered risks. For instance, if toxic chemicals are released in a populated area (e.g., at the Union Carbide plant in Bhopal, India), new industry-wide restrictions may regulate production, shipping, or logistics.
56
Q

16 ERM Monitoring, Reviewing, and Revision - Review Risk and Performance

A

The organization reviews entity performance and considers related risks.

  1. Periodically, organizations must review their ERM capabilities and practices. Such reviews seek answers to questions such as:
    - How has the entity performed? This review will identify variances and seek their causes. This may include using measures relating to objectives or other key metrics.
      - For example, consider an entity that has committed to opening five new office locations every year to support its longer-term growth strategy to build a presence across the country. The organization has determined that it could continue to achieve its strategy with only three offices opening and would be taking on more risk than desired if it opened seven or more offices. The organization therefore monitors performance and determines whether the entity has opened the expected number of offices and how those new offices are performing. If the growth is less than planned, the organization may revisit the strategy.
    - What risks influence performance? Reviewing performance confirms whether risks were previously identified or whether new, emerging risks have occurred. The organization also reviews whether the actual risk levels are within the boundaries established for tolerance. For example, reviewing performance helps confirm that the risk of delays due to additional permit requirements for construction did occur and affected the number of new offices opened, and whether the number of offices to be opened is still within the range of acceptable performance.
    - Is the entity taking sufficient risk to attain its target? When failing to achieve its target, the organization must determine if the failure is due to the impact of risks or due to assuming insufficient risk to achieve the target.
      - Using the example related to opening new office locations, imagine that the entity opens only three offices. In this case, management observes that the planning and logistics teams operate below capacity and that other resources set aside to support the opening of new offices are unused. Hence, insufficient risk was taken by the entity despite having allocated sufficient resources.
    - Were risk estimates accurate? When risk has been inaccurately assessed, the organization determines why. To answer that question, the organization must challenge the understanding of the business context and the assumptions underpinning the initial risk assessment. It must also determine whether new information will help refine the risk assessment.
      - For example, suppose that in the earlier example, the entity opens five offices. It also observes that the estimated amount of risk was lower than the actual risks that occurred (e.g., there were fewer problems and delays than expected).
  2. A finding that performance fell outside of tolerance or that the risk profile significantly differed from expected may motivate a review of business objectives, strategy, culture, target performance, severity of risk analysis, risk prioritization, risk responses, or risk appetite.
    - Revising risk appetite will require review and approval by the board or other risk oversight body (e.g., a risk committee).
57
Q

17 ERM Monitoring, Reviewing, and Revision - Pursue ERM Improvement

A

The organization pursues improvement of its ERM activities and functions. Continual evaluation of ERM activities may be fruitfully embedded in ongoing business processes and practices (e.g., budgeting, performance reviews). Separate, periodic evaluations are also useful. Opportunities to improve ERM may arise in any of the following areas:

  - New Technology—New technology may provide opportunities for efficiency.
    - For example, emerging data mining and automated content (e.g., sentiment) analysis methods can provide quick assessments of customer satisfaction with products.
  - Historical Shortcomings—Reviewing performance can identify historical shortcomings, including the causes of past failures. This can inform ERM efforts.
    - For example, an auto parts manufacturer notes that it has insufficiently captured past currency fluctuation risks. It implements new monitoring processes to improve its assessment of these risks.
  - Organizational Change—Organizational change may be needed to support changing risks or governance structures.
    - For example, in one organization the ERM function reported to the chief financial officer. However, to improve its alignment of strategy and ERM, the entity created a strategy group to whom the realigned ERM function reported. These changes enabled the organization to better align its strategy with its ERM function.
  - Risk Appetite—Performance reviews enable refinement of risk appetite.
    - For example, management monitored the performance of a new product over a year and determined that the market was less volatile than originally forecasted. Accordingly, management assesses whether it can increase its risk appetite for similar product launches.
  - Risk Categories—Continuous improvement efforts can identify patterns and relationships that lead to revised risk categories.
    - For example, one organization did not include cyber risk as a threat until it began offering online products. After offering online products, it revised its categories to include cyber risk.
  - Communications—Reviewing performance can identify outdated or inadequate communication processes.
    - For example, through review, an organization determines that employees are not reading emails related to monitoring emerging risks. In response, the organization works with supervisors to highlight the relevance of these communications; in addition, it moves the most important of these communications to the organization’s instant messaging system.
  - Peer Comparison (Benchmarking)—Reviewing industry peer data may provide insight into industry performance tolerance (i.e., the range of acceptable outcomes).
    - For example, a global shipping organization discovers during a benchmarking exercise that operations in Asia are performing far below its major competitor. As a result, it reviews and revisits its strategy and objectives to increase its performance in Asia.
  - Rate of Change—Management must consider the rate of business context change and disruption.
    - For example, a software company that makes a mobile app for retailers (i.e., a rapidly changing market and industry) will have more frequent opportunities to improve its ERM processes than a company in the metal wholesaling business (i.e., which buys and delivers metal for manufacturing), a currently stagnant industry.