RIMS Membership Has a Say in COSO’s New ERM Framework

When Risk & Insurance Management Society (RIMS) members use the new ERM framework published Sept. 6 by the Committee of Sponsoring Organizations of theTreadway Commission (COSO), they may recognize their own ideas prominently displayed. Carol Fox, RIMS vice president of strategic initiatives announced the call for public comment on Risk Management Monitor in June 2016. She said feedback from the industry, and particularly RIMS members, is reflected in COSO’s ERM Framework: Integrating with Strategy and Performance.

“RIMS members took advantage of the unique opportunity to influence one of the industry’s major guidance documents. For several weeks, members collaborated and drafted a response, which was publicly available through the end of last year,” said Fox, who participated on the project’s advisory council. “We were very appreciative that COSO reached out to RIMS and other professional associations, whose input strengthened the content, ideas and approaches featured in Integrating with Strategy and Performance.

A summary of the public comment feedback includes:

  • More than 200 responses–double that of the internal control update
  • Over 70% of responses from individuals
  • Over 50% of participation outside of North America
  • Almost 50% had affiliations beyond COSO memberships
  • Almost 50% of respondents had 10 or more years of risk management experience
  • Positive ratings outnumbered negative ratings by 4.5 to 1

The new publication serves as an update to 2004’s Enterprise Risk Management – Integrated Framework, which is internationally regarded as the standard for applied risk management frameworks. Developed by PwC under the direction of the COSO Board, its simple, five-component structure considers various viewpoints and operating structures while highlighting the importance of enterprise risk management in strategic planning. It also emphasizes embedding ERM throughout an organization, as risk influences strategy and performance throughout the organization.

“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” said COSO Chair Robert B. Hirth Jr. “Our overall goal is to continue to encourage a risk-conscious culture.”

Enterprise Risk Management: Integrating with Strategy and Performance is available in printed form, e-book, on-line subscription and pdf licensing for large organizations, accounting and consulting firms. Additionally, COSO is planning for the framework to be translated into several languages, including Chinese, Japanese, Spanish and French.

Visit www.coso.org for purchase information and for a link to the framework’s executive summary.

10 Tips to Excel in ERM

05a9ef2CHICAGO—For many risk managers looking to implement enterprise risk management programs, one of the biggest challenges is figuring out how to do it properly. Unfortunately, as Steve Zawoyski, ERM leader at PwC, pointed out in a session at this year’s RIMS ERM Conference, you will never find the perfect ERM program—it’s basically as mythical as a unicorn. But there are certain key steps you can take to increase your chances for a successful ERM program. Zawoyski’s top tips are:

  1. Establish ERM program objectives. One of the common stumbling blocks to a successful program is the lack of agreement as to why you are doing this in the first place. Some may be doing it in order to make better decisions around strategy while others have governance concerns in mind or are simply doing it because the board said so. Establishing proper objectives will allow you create the program that works best for your organization.
  2. Manage stakeholders. There are likely multiple parties that have a vested interest in your ERM efforts from the board to business managers to legal and audit to regulators. You will need to consider all of their specific needs and concerns.
  3. Align risk functions. Risk management is part of every division’s responsibility. Getting everyone on the same page will avoid allowing fatigue to set in over yet another risk management effort.
  4. Align risk and management processes. It is important to understand how the business is being managed and connect to those processes in order to be in a position share information up and down the organizational hierarchy.
  5. Define risk. The traditional definition of risk denotes a hazard or a failure of some process. Make sure you organization understands that risk is merely uncertainty that can have both a positive or negative impact on objectives. It is ok to take on risk.
  6. Give credit. Different functions already have risk management capabilities and processes. Rather than reinvent the wheel, harvest the data and expertise already out there and build off that. Don’t build unnecessary steps into the process when those areas are already being addressed.
  7. Remember that risk is a four-letter word. Risk is an overused, ambiguous word with an often negative connotation. Risks are nothing more than variables that can present opportunities for greater success.
  8. Beware of risk categories. Labels like operational, financial, strategic or technology are overemphasized and not how business units think of risk. It is more effective to talk about risk in terms of management of hazards, compliance obligations or other uncertainties.
  9. Do your research. It is vital to develop a thorough understanding of the business and its drivers, from its capabilities to its competitive advantages to its strategic priorities and objectives.
  10. Simplify risk appetite. Risk appetite should be considered on a risk-by-risk basis and should boil down to a simple question of once risk controls and processes are in place, are you satisfied with the results?

ERM implementation can be challenging. But according to Zawoyski, it is all about keeping it simple for the stakeholders, ensuring that value is created, aligning to the business and evolving over time. By approaching your program in this way, all stakeholders will understand their role and how ERM relates to the overall strategy of the organization.

Who’s Committing Economic Crime?

According to a recent survey from PricewaterhouseCoopers, economic crime is on the rise, particularly in the United States. Of organizations in the U.S., 45% suffered from some type of fraud in the past two years, compared to the global average of 37%. Further, 23% of companies that reported economic crime experienced accounting fraud, up from 16% in 2011.

So who is committing these crimes?

External perpetrators are on the rise, closing the gap with internal perpetrators — it’s now 45% versus 50%, respectively. But the profile of these internal actors has changed since the last survey in 2011. Now, most internal frauds are perpetrated by middle management (54%, compared to 45% in 2011), and fraud by junior staff has dropped by almost half, now totaling 31%. The typical internal fraudster is now a white male in middle management, age 31-40, who has been with the company for six years or more.

Internal Fraudster Profile

In good news, PwC also found that awareness of risk is higher among U.S. companies, for example, seven out of 10 American respondents perceived an increased risk of cybercrime in the last two years, compared to just under half globally. The C-suite is also increasingly getting the message about the risk of economic crime:

C-Suite and Economic Crime

For more details on the 2014 Global Economic Crime Survey, check out the report from PwC here.