Enterprise Risk Management (ERM): from COSO framework to improvement

Introduction

Companies compete nowadays in a completely different environment compared with just 10 years ago. In this scenario, even risk management has evolved: from quantitatively driven systems to ones that also consider qualitative variables, from a merely financial perspective to a human-centric risk approach, until reaching holism.

Even today, risk is often perceived by companies as hostile, rather than, in a broader and neutral sense, as the variability of expected results. Therefore, these companies tend to transfer risk to third parties, forgoing internal minimization and the related opportunities. On the other hand, more and more risk is outsourced “by definition”: cloud computing, for instance, currently the most common IT outsourcing paradigm, still presents various crucial cybersecurity risks for companies. Every risk may be accompanied by an opportunity; every risk may be a tool for steering and growing the business, as long as there is risk judgement and risk acceptance.

A further point analyzed is how to avoid so-called decoupling, namely an ERM implementation that only aims at achieving validation, regardless of substantial adoption.

Finally, it is common ground that Enterprise Risk Management generates positive outcomes, no matter how: Baxter et al. showed this through Tobin’s q (Baxter, Bedard, Hoitash, Yezegel, 2012). It would be interesting if future research investigated the optimal allocation of investments in ERM from a macroeconomic point of view, evaluating the total net surplus/deficit and the potential losses for society.

Table of Contents

  1. Introduction
  2. What is Enterprise Risk Management?
    1. Risk business models
  3. COSO
  4. How to implement ERM
  5. Improving ERM: ongoing challenges
    1. Internal audit role
  6. Risks in the twenties: cause for reflection
  7. References

What is Enterprise Risk Management?

We assume that general risks are unwanted, likely events, while particular risks are fundamentally business-related (operational, strategic, financial, etc.). Since companies regularly exchange feedback with their external environment (i.e. they are open systems), Enterprise Risk Management (ERM) stands as a comprehensive solution to manage risks, defending business continuity and minimizing their impact on overall performance.

Enterprise risk management (ERM) emerged in the early 1990s; before then, risk management was largely fragmentary. It has proved to be important above all against disruptive events: without an integrated architecture for risk management, when such events occur they can mean the end of the company, regardless of capitalization. Not by chance, we hear a lot nowadays about Black Swans (Taleb, 2007): events of outlier risk and extreme impact that are not predictable in advance (e.g. Katrina, 9/11 or the Coronavirus pandemic).

ERM is part of a change in the approach to the risk-return relationship, where ERM acts not as insurance – because there will always be risks – but as a rational way to (try to) get out alive.

Risk business models

We can distinguish four main ERM configurations:

  1. Risk-silo management: following a traditional silo classification of risks (market risk, credit risk, etc.). The Value at Risk (VaR) technique is adopted here to minimize risks by evaluating the Default Probability and the Unexpected Loss;
  2. Integrated-risk management: aggregating metrics in order to estimate the Economic Risk Capital that should cover the exposure related to a highly risky event, and hence the (maximum) Risk Tolerance Index when investing;
  3. Risk-based management: applying the Value Based Management approach to risk management, thus integrating risk into value generation for shareholders (Zagaria, 2017). In this sense, performance can be evaluated, bearing risks in mind, in two ways:
    1. Risk-Adjusted Return on Capital: risk-adjusted net profit divided by economic capital;
    2. Economic Value Added (EVA): net profit less the capital cost/charge for raising it;
  4. Holistic-risk management: integrating qualitative or non-aggregable risks pertinent to the accomplishment of performance target(s). Strategic, environmental and reputational risks are treated here.

COSO

The “best-in-class” framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission: the COSO model.

[…] A disciplined approach aligning strategy, processes, people, technology, and knowledge to manage uncertainties as the enterprise creates value.

KPMG, 2002

The main COSO assumption states that the organizational structure must be aligned with organizational objectives in four categories:

  • Strategic: high-level goals to achieve a stated mission;
  • Operations: effective and efficient use of the organization’s resources;
  • Reporting: reliability of reporting of operating and financial results;
  • Compliance: efforts to comply with applicable laws and regulations.

Moreover, the COSO scope was expanded in 2009 by the issuance of ISO 31000, which made room for innovation in risk mitigation.

In 2017, COSO ERM was revised, giving attention to the link between ERM and performance management and to its contribution to business resilience, hence to (achievable) long-term competitive advantage.

How to implement ERM

Enterprise Risk Management should be adopted with a holistic approach that covers all company levels, from top to bottom; when implementing ERM, this scope is often divided into the Operational, Strategic and Financial areas.

Once the scope is defined, the change manager assigns an individual – within the company – to act as the Central Risk Function; then people from each unit (i.e. SBU, function, division, etc., according to the organizational structure) are encouraged to share their expertise in order to:

  • Create the risk category-owner system;
  • Structure hazard, compliance and internal controls;
  • Set up external and internal scanning capabilities.

Then, it is necessary to formalize the policy infrastructure (the skeleton on which processes will flow) and the internal audit mechanism. Big companies can also appoint a Chief Risk Officer (CRO) and a risk taskforce team; in other cases, these functions are spread across key managers.

At the same time, ERM effectiveness is supported by ERM software solutions: these systems need a parallel set-up, coherent with the company’s ERM approach, because they connect the different risk management channels in one centralized hub (Marchetti, 2012). A senior IT member, as well as an external consultant, can lead to a more sophisticated deployment. Moreover, since ERM is a continuous and integrated process, a real-time collaborative dashboard reporting system is crucial to produce role-based reports designed to support the decision making of each recipient (Lam, 2012) and to cross-check KPIs against KRIs (i.e. Key Risk Indicators). In this context, the Balanced Scorecard (BSC) can be a powerful ally.

Finally, stakeholders have to be engaged: integrating their needs into the ERM program will help implementation proceed smoothly and facilitate a more successful program overall (Lam, 2012). Communication is key, not simply to inform or to obtain consensus (i.e. decoupling), but to get parties involved in a real ERM adoption, a real disclosure.

On average, implementing a full Enterprise Risk Management program can take from 20 to 30 months. Then, the challenge is to maintain, update and improve the risk culture.

Improving ERM: ongoing challenges

Tolerability, in the sense of long-run economic sustainability: this is the key word that summarizes the progressive challenges of Enterprise Risk Management’s routine.

How much does it cost to enhance prudence?

In non-emergency periods, compliance is strengthened by proper and solid governance, which should drive cultural behavior and activity throughout the organization (Marchetti, 2012). In fact, both the Dey Report and the Organisation for Economic Co-operation and Development (OECD) Principles of Corporate Governance overtly state that the board is responsible for ensuring appropriate systems and policies for risk management (“The Dey Report,” Guideline 1(ii), and the “OECD Principles of Corporate Governance”, 2004, Principle D7).

Furthermore, risk/return optimization needs a cost-effective macro-process that can include several activities to improve risk management:

  • Outsourcing: if a function is weak, in terms of the make-or-buy dichotomy, outsourcing it to experts can lead to an immediate risk reduction;
  • Control automation: ERM systems provide several tools that automate controls, and this can lead to more compliance, a smaller FTE budget and better timing in detecting control violations;
  • Technology update: according to role-based authorizations, everyone has to be able to evaluate and share the right information, with the right decision makers, at the right time. To do this, ERM systems have to meet the latest digitization and technology standards (e.g. mobile responsiveness or AI);
  • Plans’ alignment: not just technology, plans have to be updated too, and in particular they have to be aligned with industry trends. This can result in mapping risks considered internally irrelevant but crucial in the external environment;
  • Cooperation: good old-fashioned handshakes still offer excellent opportunities today, including diversification. Partnerships, networks, franchising, joint ventures, consortia, alliances and so on allow risk to be diluted between counterparties.

Internal audit role

Internal audit supports boards and senior management in accomplishing their mission through a systematic, independent and disciplined approach to the business. Internal auditors play a critical role as the eyes and ears of the board, especially of non-executives (Parekh, 2005).

The audit scope can extend to each business process, including risk management. In particular, internal audit is responsible for auditing the integrity and the outcomes of the ERM framework. Its role has been increasingly integrated into key business functions, although there are “grey” areas where conflicts of interest could appear (e.g. risk monitoring or board approval of ERM tactics).

In addition, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a paper called “ERM-Integrated Framework” (2006); as suggested by its title, the paper outlined the essential framework of successful ERM. This has greatly influenced the transformation of the internal audit function. For example, the Institute of Internal Auditors (IIA) recommends that internal auditors work with both the audit committee and management to implement ERM (Lam, 2017).

Risks in the twenties: cause for reflection

2020 was the year par excellence in which our (E)RMs were under scrutiny.

But let’s step back for a moment, put aside the individual-statistical idea of risk and think about it in a holistic way, not as a catastrophic event that could doom us. Indeed, risk is also the reason for investing in new businesses (i.e. risk capital), for giving weight to losses (and so doing our best) or, in general, why markets move.

If there is no remuneration, no losses or no market growth, what is the point of performing? What is the point of hiring or innovating?

In this sense, enterprise risk simply becomes the likelihood that actual results will not satisfy expected results (bearing asymmetric information in mind), where the risk itself represents a neutral and congenital part of the system. Our awareness of this must inspire us to work even harder to strengthen our ERM framework in a more concrete way: a concreteness that was questioned in 2020, but that will not have to be so in the near future.

References

BAXTER, R. J., BEDARD, J. C., HOITASH, R. and YEZEGEL, A. (2012). Enterprise Risk Management Program Quality: Determinants, Value Relevance, and the Financial Crisis. Contemporary Accounting Research, Forthcoming. DOI: http://dx.doi.org/10.2139/ssrn.1684807

LAM, J. (2017). Implementing Enterprise Risk Management: From Methods to Applications. Hoboken, New Jersey: John Wiley & Sons, Inc.

MARCHETTI, A. M. (2012). Enterprise Risk Management Best Practices: From Assessment to Ongoing Compliance. Hoboken, New Jersey: John Wiley & Sons, Inc.

PAREKH, A. (2005). Managing Business Risk: A practical guide to protecting your business, edited by Jonathan Reuvid, 2nd edition. London: Kogan Page Ltd.

TALEB, N. N. (2007). The Black Swan: The Impact of the Highly Improbable. New York (NY): Random House.

ZAGARIA, C. (2017). L’Enterprise Risk Management. Gestione integrata del rischio, profili di comunicazione ed evidenze empiriche. Torino (IT): Giappichelli.
