Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager will create a plan to minimize or eliminate the impact of negative events. A variety of strategies are available, depending on the type of risk and the type of business.
“Risk comes from not knowing what you’re doing.” - Warren Buffett
Managing risks is all about measuring and prioritizing risks so that risks are managed within defined tolerance thresholds without being over-controlled or foregoing desirable opportunities. This requires a risk assessment process that is suitable for the entity. It is another cost-benefit trade-off: if you over-control risks, you incur compliance implementation costs and lost opportunities; if you do too little, the enterprise runs the risk of losses, penalties and compliance failures.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.
In 2001, COSO initiated a project to develop a framework that would be readily usable by management to evaluate and improve their organizations’ enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify, and the independent auditor to attest to, the effectiveness of those systems. The Internal Control – Integrated Framework continues to serve as the broadly accepted standard for satisfying those reporting requirements; however, in 2004 COSO published the Enterprise Risk Management – Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.
Four categories of business objectives
This enterprise risk management framework is still geared to achieving an entity’s objectives; however, the framework now groups those objectives into four categories:
1. Strategic: high-level goals, aligned with and supporting its mission
2. Operations: effective and efficient use of its resources
3. Reporting: reliability of reporting
4. Compliance: compliance with applicable laws and regulations
Risk event identification and risk response also need to be built into the risk assessment process.
Don’t follow this quote in the compliance arena: “Only those who will risk going too far can possibly find out how far one can go.” - T. S. Eliot. That advice is for business and innovation, not for pushing the limits on compliance!