Think of risk management and what often comes to mind is worst-case scenarios and crisis management plans, the kinds of things that keep executives and their boards up at night. But what if risk could also make best-case scenarios more likely? What if risk practitioners could show they made strategic plans better … or improved the achievement of business objectives? Would executive teams and boards pay more attention – and sleep a little better?
We think so and we think that time has arrived. We’re working with other leading risk experts and business thinkers to improve how organizations of all types and sizes manage risk and, under an engagement for the Committee of Sponsoring Organizations of the Treadway Commission (COSO), we’ve reached a next phase in the development of enterprise risk management (ERM). This time around, ERM is at the center of discussions on strategy, culture, performance and, yes, risk.
On June 15, 2016, COSO released a draft update to its ERM-Integrated Framework for an approximate 100+ day public comment period. The draft is the product of input from hundreds of business executives and risk professionals from across the world.
The draft Framework update advances the 2004 version (see sidebar) in ways that could make ERM even more effective. It recognizes that boards and executives today have more awareness and oversight of risk management, and have asked for improved risk information to support strategic decision-making. Among the changes are four particular emphases.
1. Consider risk explicitly in strategy
Senior management and boards commonly ask risk management functions to manage execution risk. Yet research from PwC’s Strategy& strategy-consulting arm indicates that 80% of underperforming companies lost their way due to strategic missteps – not operational or compliance errors. The draft Framework update still supports execution, but it will also help boards and executives with considering risk in the strategic planning process, so they’re more likely to have better strategies in the first place, and are better prepared for the risks that come from executing the strategy.
The proposed Framework breaks down the alignment of risk and strategy into three separate dimensions:
1. Risk to the strategy: considers the potential effect of risks during the execution of the strategy, highlighting when strategy may need to be revisited.
2. Implications from the strategy: considers the risks coming from the selected strategy, to help the organization prepare for them in execution.
3. Risk of the strategy: considers the alignment of strategy with an organization’s mission, vision and core values.
“Risk to the strategy” has traditionally been assigned to strategy functions, in an effort to prevent the potential erosion of value. However, the “implications from the strategy” and the “risk of a strategy not aligning” have potentially bigger impacts on performance. Indeed, a strategy’s risk profile, the assumptions and implications underpinning its selection, drives the creation of value. And that’s what the draft Framework update helps to make clear: ERM can do its part in the selection of strategy, rather than solely managing risk after the strategy is selected.
2. Reframe risk in terms of performance
To the uninitiated, risk can sound like an abstract concept; terms such as “risk appetite” and “risk profiles” often don’t translate well to other parts of the business. There’s no better way to make those abstractions concrete than to place risk in the context of performance.
After all, achieving business objectives requires a certain amount of risk taking. And that risk can result in variations in performance. So why manage the pursuit of business objectives separately from risk?
The draft Framework update makes clear how ERM can reframe the risk discussion in terms of setting performance goals and determining acceptable variations in performance. The performance framing is subtle, but it has big impacts. For one thing, it makes it clearer that risk and risk management are fundamental to business decision-making – not separate from it. What’s more, the Framework translates risk-centric language into business-centric language, encouraging more conversations about risk throughout the organization and leading to a more risk-aware culture. As a result, through this reframing, it enables organizations to extract more value from their ERM efforts.
3. Don’t forget culture
Every organization’s culture – the shared behaviors, emotions and mindsets of people in the organization – is as unique as its strategy. One organization may be assertive in its strategy and risk appetite, while another may be more conservative. Each should have a culture to match. It may be harder to change the culture than the strategy, so it’s important to make sure they’re aligned from the get-go.
The draft Framework update details the importance of culture and behavior. Boards and management define desired behaviors for the organization – and the individuals within it – that reflect the organization’s core values and attitudes toward risk. It’s the culture that then drives the desired behaviors in day-to-day decision-making. The Framework evaluates the different factors behind where an organization falls on a culture spectrum and the characteristics needed to achieve a risk-aware culture over time. And, because culture influences the practices of an organization, the way it manages risk, makes decisions and pursues opportunities, it has a big impact on whether and how well it executes its strategy.
4. Integrate internal control
Like the proverbial chicken and the egg, enterprise risk management and internal control have intertwined origins and interlinked destinies. They’re complementary, not competitive, frameworks.
Internal control and enterprise risk management work together through the common lens of performance. They have different focal points: internal control provides assurance on objectives relating to operations, compliance, and reporting, while ERM gives leaders confidence in their strategic planning, resource allocation and risk response decisions. ERM goes beyond periodic risk and process-level control identification to deliver critical insights for high-stakes decisions.
Effective internal control is critical and fundamental to successful enterprise risk management and performance, but internal control alone will not drive strategic results. On the other hand, enterprise risk management that is not built on a foundation of effective internal control may not only inhibit performance, but careen the organization toward hazards. Optimizing performance is not possible without both.
The draft Framework update recognizes the importance of internal control within the context of enterprise risk management. Where applicable, it also directs readers to the 2013 COSO Internal Control - Integrated Framework where a more comprehensive discussion of internal control is available.
There’s so much more to the draft Framework update, but we thought we’d touch on the four themes that we think will have significant impact on ERM – and ultimately on performance. They’re important enough to highlight for management and board members (even those who aren’t Audit Committee members) and, we dare say, they’re exciting for risk practitioners.
We’ll continue to explore these and other topics; visit www.pwc.com/coso-erm to sign up for periodic updates on COSO ERM. We also encourage you to review and comment on the draft Framework during the comment period, which ends on September 30. Visit erm.coso.org to download the draft Framework and for instructions on how you can share your feedback.
Originally issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Enterprise Risk Management – Integrated Framework is one of the most widely recognized and applied enterprise risk management frameworks in the world. It provides a principles-based approach to help organizations design and implement enterprise-wide approaches to risk management.
After a decade of experience with the ERM Integrated Framework and with evolving practices in enterprise risk management, opportunities to get more value out of ERM became evident. Encouraged by the progress, COSO set out to update the ERM Integrated Framework and to further address the alignment of risk, strategy and performance. In 2014 COSO re-engaged PwC to serve as the project team.
A draft of the updated Framework was released on June 15, 2016. The proposed Framework, now called Enterprise Risk Management – Aligning Risk with Strategy and Performance, provides boards and management with principles to manage risk, from strategy-setting through execution, and recognizes the increasingly important connection between strategy and performance.
For more information on the COSO ERM Framework, please visit our microsite.
 Christopher Dann, Matthew Le Merle and Christopher Pencavel, “The Lesson of Lost Value,” strategy+business (Winter, 2012).
PwC will not independently validate the feedback received from third-party sources for consideration in the continued development of the Framework