The changes taking place within today's business environment have greatly increased the risks that must be identified and addressed by executives and operating managers. "Risk" in this context is not defined as the traditional risk of financial loss, but rather the risk that an entity will not achieve its business objectives. This broader perspective of risk has made traditional models of internal control obsolete and created a compelling need for organisations of all types to embrace an integrated framework of control. An integrated control framework is a holistic approach to designing control systems that link process, people, objectives and controls to their relevant risks. This proactive approach is based on the Committee of Sponsoring Organisations of the Treadway Commission “Enterprise Risk Management” framework, which came together as a response to financial fraud in the early to mid 1980s.
This framework ensures that control mechanisms are balanced with relevant risks and that processes will be neither over-controlled nor under-controlled. The focus on business objectives and risks ensures that controls will be cost-effective and that, with continuous monitoring, they will adapt dynamically to changing business risk factors. Management, using the integrated control framework, determines key objectives, assesses and quantifies risks, creates the conditions necessary for control and monitors the effectiveness of those controls. PwC professional staff may help management understand the nature and extent of the company’s exposures and will provide a basis for setting the overall risk management culture in the organisation and directing resources and risk mitigation efforts to the areas of highest risk.
Moreover, PwC may organise Risk & Control Self Assessment (RCSA) workshops, which involve management and staff in identifying risks and the effectiveness of the control environment established to mitigate those risks. RCSA has evolved since the 1980s and is considered the current best practice in managing risk and improving the control environment. Workshops avoid any prescription to the process and provide a methodology where management and staff can focus on the issues which are relevant to their specific situation. Focus can be maintained by using experienced, independent facilitators to guide the process. To maximise the value of the workshop, participants should be drawn from those who are familiar with the process and understand the issues. Involving people across a range of seniority can ensure that all the issues are identified.
The use of technology ensures that everybody contributes to the meeting on equal terms, no one dominates the proceedings and all the participants come away feeling that they have had every opportunity to express themselves and ensure the real issues come out on the table. This is especially valuable for Risk & Control Self Assessment. The experience of PricewaterhouseCoopers is that every participant feels that he or she has contributed to the full in these electronically supported workshops.