Implementing ERM as COSO defines it is a challenge for many companies. For example, the COSO definition makes clear that application of ERM must be across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk. Unless the implementation of ERM is applied uniformly across the company and is a holistic and comprehensive focus on all key business risks, it is not truly enterprisewide.
Furthermore, unless this implementation is tightly linked to the assessment and formulation of business strategy, it is not meeting the COSO requirements. While some companies have begun their journey to implement ERM, few of them have completed it.
It is, however, worth noting that ERM does not guarantee the success of a business. It provides better information to managers and a more robust process for them to deploy, but it does not necessarily transform a poor manager into a good manager.
COSO points out that “limitations result from the realities that human judgment in decision-making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented through collusion by two or more people, and management has the ability to override enterprise risk management decisions.”
The COSO definition also refers to “reasonable assurance.” According to COSO, “reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with precision.” In addition, COSO states on page 8 of the framework:
Reasonable assurance does not imply that enterprise risk management frequently will fail. The cumulative effect of risk responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an entity may not achieve its objectives.
However, an uncontrollable event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk management can experience a failure. Reasonable assurance is not absolute assurance.
ERM implementation is important to the success of a company's risk management.