The risk management process is established to identify and assess potential events that may impact or cause damage to the organization. It involves controlling risk factors and continuously managing workflows and activities with the aim of reducing the causes of incidents that could harm the organization, while lowering the risk level and potential damage to an acceptable threshold. It also provides a system for sufficient and appropriate risk assessment, control, and monitoring.
Enterprise Risk Management (ERM), according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a process developed by the organization's board, management, and personnel to define risk management across the organization that is interconnected with strategy and operational performance in a participatory manner.
The ERM framework is recognized as a guideline for promoting risk management and is a universal best practice under the "Enterprise Risk Management Integrating with Strategy and Performance (COSO ERM 2017)" framework.
This approach integrates organizational risk management with strategy and operational performance to clarify the importance of organizational risk management in strategic planning and its significance in applying risk management alongside regular operations throughout the organization. The framework consists of five key components and 20 principles as outlined in the image below.
COSO ERM 2017 comprises five components and 20 principles, which align with the organization's normal operating cycle, from mission, vision, and core values through strategy development, objective setting, implementation, performance, and value creation. The important details are as follows:
Component 1: Governance and Culture
This serves as the foundation for all components that lead to effective risk management within the organization. Corporate governance is crucial for determining the organization's direction, emphasizing accountability in the risk management process as part of the organizational culture, connecting ethical values, desired behaviors, and risk awareness, which is reflected in various decisions. This component consists of the following five principles:
- Principle 1: Exercises Board Risk Oversight
- Principle 2: Establishes Operating Structure
- Principle 3: Defines Desired Culture
- Principle 4: Demonstrates Commitment to Core Values
- Principle 5: Attracts, Develops, and Retains Capable Individuals
Component 2: Strategy and Objective-Setting
Organizations can manage risk by integrating it with their strategic planning process, defining strategies and objectives based on their mission. Organizations should define the level of risk they are willing to accept (their risk appetite) in alignment with their strategic objectives. The organization's objectives should in turn guide strategy implementation, including routine operations, which are critical to identifying, assessing, and responding to risks. This component consists of the following four principles:
- Principle 6: Analyzes Business Context
- Principle 7: Defines Risk Appetite
- Principle 8: Evaluates Alternative Strategies
- Principle 9: Formulates Business Objectives
Component 3: Performance
This component begins with identifying and assessing risks that may affect the organization's ability to achieve its strategic goals and objectives, and prioritizing those risks by their likelihood and potential impact. This leads to consideration of the risk levels acceptable to the organization and the selection of risk responses in light of the overall risk magnitude, together with performance reviews that drive systematic improvements, changes, and corrections. Taken together, these processes provide a portfolio view of the significant risk exposure the organization may face in pursuing its strategic goals and objectives. This component consists of the following five principles:
- Principle 10: Identifies Risk
- Principle 11: Assesses Severity of Risk
- Principle 12: Prioritizes Risks
- Principle 13: Implements Risk Responses
- Principle 14: Develops Portfolio View
Component 4: Review and Revision
Organizations should regularly review their risk management processes so that their approach remains appropriate even amid significant change. Management should also assess the organization's overall risk management capabilities in order to enhance organizational value and capacity effectively. This component consists of the following three principles:
- Principle 15: Assesses Substantial Change
- Principle 16: Reviews Risk and Performance
- Principle 17: Pursues Improvement in Enterprise Risk Management
Component 5: Information, Communication, and Reporting
Communication involves gathering and sharing necessary information and data across the organization from both internal and external sources. Management uses this information to support organizational risk management through the collection, processing, and management of risk-related data. This enables the organization to report risk information, organizational culture, and performance to stakeholders effectively, accurately, and precisely. This component consists of the following three principles:
- Principle 18: Leverages Information Systems
- Principle 19: Communicates Risk Information
- Principle 20: Reports on Risk, Culture, and Performance
These five components and 20 principles can be applied to risk management in all types of organizations or agencies, emphasizing the importance of integrating risk management across the organization into participatory decision-making. However, management and the board may prioritize specific components or principles based on their context, the intended application, and the benefits the organization seeks to gain from effective and efficient risk management.
Risk management is relevant to personnel at all levels of the organization. Management and all personnel must collaboratively consider and conduct in-depth analyses to connect sound risk management processes with strategy formulation, policy planning, objectives, and operational activities, helping to prevent adverse events and drive the organization toward achieving its goals under the Enterprise Risk Management framework.
Sources:
Dr. Awirut Chatmalathong, Consultant and the Executive Team, Risk Management Center, Chulalongkorn University, "Risk Management Manual," Chulalongkorn University, pages 12-21.
COSO. (2017). "Enterprise Risk Management Integrating with Strategy and Performance." [Online] Retrieved from www.coso.org