CHAPTER THREE

ERM Defined

IN 2004, THE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) of the Treadway Commission issued a document entitled Enterprise Risk Management-Integrated Framework. The publication was released to give management guidance on developing, evaluating, and improving its risk management. Those familiar with the original COSO Framework, published in 1992, will note many similarities in structure, including the defined components and objectives, as well as in the guidance contained in the Integrated Framework.

COSO defines enterprise risk management (ERM) as:

a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.¹

Examining this definition more closely draws attention to several attributes that matter when designing, implementing, or analyzing an ERM solution. They include the following:

  • Enterprise risk management is a process. This statement suggests that a risk management solution is a continuous practice. It requires monitoring and consistent review.
  • Each individual member of the organization is responsible for risk assessment and risk management. Certain groups or individuals may have greater influence and responsibility than others, ...
