Like its internal control counterpart, the ERM framework is presented in the form of a three-dimensional matrix. The matrix includes four categories of objectives;
There are eight components of enterprise risk management, which are further explained below. Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix for applying the framework.
As outlined by COSO, the ERM framework provides eight components for use when evaluating ERM:
1. Internal environment: This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.
2. Objective setting: Management sets strategic objectives, which provide a context for operational, reportingand compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.
3. Event identification: Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses.
Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.
4. Risk assessment: Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.
5. Risk response: Management considers alternative risk response options and their effect on risk likelihood and impact as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.
6. Control activities: Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.
7. Information and communication: The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization.Reporting is vital to risk management and this component delivers it.
8. Monitoring: Ongoing activities and/or separate evaluations assess both the presence and functioning ofenterprise risk management components and the quality of their performance over time.
The thought process underlying the above framework works in the following manner: For any given objective, such as operations, management must evaluate the eight components of ERM at the appropriate level, such as the entity or business unit level.
ERM framework integrates risk management process.