DUE TO THE ever-changing nature of risk, we often hear terms such as ‘emerging risks’ and ‘disruptions’ popping up in discussions among top executives and in the boardroom. Together with higher expectations from stakeholders on transparency and accountability, a robust framework to manage risk is needed.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO), which launched the Enterprise Risk Management – Integrated Framework in 2004, released an updated framework in September 2017. COSO engaged PwC as the principal author of the update.
The new framework, now titled Enterprise Risk Management – Integrating with Strategy and Performance, focuses on the role of risk management in strategic planning. While it retains the strengths of the original version, i.e. the key concepts of risk management, it gives more detailed guidance on how risk and strategy should be integrated.
To enhance the risk management practices in an organisation, it is important for all parties to understand their roles. The three lines of defense model can be a very useful tool for enabling effective Enterprise Risk Management (ERM), from the strategy-setting level down to the business process or day-to-day operations level.
Internal control then comes into play. Once a particular strategy is set, you know which direction the company should take, and controls need to be put in place to support the execution of that strategy.
If your strategy is to reduce the delivery time of the finished product to your end-customers, and you decide to outsource some of the delivery operations to a local logistics service provider, you will need to put in place a rigorous process to oversee the performance of that vendor.
When we apply the three lines of defense model to this example, the first line is the process owner who oversees the vendor’s performance. The process owner should be able to identify the potential risks relating to that process and then design the key controls needed to manage those risks. The second line is normally the risk management unit, which provides education and advice about risk and control to the first line and puts in place the framework for managing risk.
The third line is the internal audit function, an independent party that reviews the risks and controls of the business processes and provides assurance that the controls are efficient and effective.
When all three lines of defense adopt the updated COSO ERM Framework, the organisation is in a better position to identify and respond to the key risks associated with its strategy.
Risk and control are two sides of the same coin. To make a meaningful risk assessment and implement a risk response, we need to understand internal controls. Controls give management confidence that things are going the way they should, i.e. that business processes are achieving their objectives through efficient operations, reliable reporting, and compliance with relevant laws and regulations.
When a risk response is implemented, control activities help to ensure that the response is executed properly. Risk management is itself a process and, like any other process, needs controls in place to ensure that it is performed as intended.
So, you need to ask yourself, is your organisation ready to link strategy to risk management and set up good internal controls?
Contributed by VARUNEE PRIDANONDA, Partner – Governance, risk and internal audit services