COSO ERM Framework Implementation: Beyond Checklists and Templates
14 June 2018
The release of the 2017 COSO ERM Framework changed the conversation about how companies consider the relationship between risk and value: from a relationship typically considered only as an erosion of value to one that can, when properly embedded in an organisation’s DNA, lead to value creation.
In fact, I think it’s fair to say that this link — between risk, strategy and performance — is one of the defining features of the 2017 Framework.
But we also learned that once people began to use the new Framework, they wanted a bit more.
As part of our rollout, the team and I had the privilege of traveling around the world talking with risk professionals, C-Suites and boards about these new concepts of enterprise risk management. Invariably we were asked if there was a checklist, a step-by-step case study, or a template — some kind of road map for implementation.
While we wanted to give our colleagues practical tools for implementing these new principles, we were also wary of suggesting there was a standardised, or “official” method for doing so.
After all, every organisation is unique to itself, to its industry, and to its operating environment. And risk management is as much an art as a science — in many ways it’s the nuances that are the most critical factors in both success and risk management.
So we decided that a far better method would be to offer illustrations that could illuminate the principles of our new ERM Framework.
For example: What are the types of benefits that you're seeking to derive from implementing ERM? What are the culture, capabilities and practices that you have to work with? And, based on those competencies, what is the most suitable approach for implementing its various parts?
I’m proud to share the result of all these conversations, interviews, and research into real-world industry practices. We call it the Compendium of Examples: nine examples that bring to life how organisations of varying types and sizes, across varying industries and jurisdictions, might choose to apply the principles and concepts of ERM.
In each example, the central character is an individual facing a typical business challenge — the launch of a new product, an investment decision, a resourcing challenge — the types of issues and decisions that businesspeople face every single day. These examples showcase how risk management — whether in culture, capabilities or practices — actually supports that decision-making process… and leads to improved outcomes.
My hope is that risk professionals, boards and senior management alike enjoy reading the stories we’ve laid out — and that they spark innovation and creativity around how to weave enterprise risk management into the DNA of their own organisation.
As always, I love to know what you think: @Dchesl