The road to this restored confidence is enterprise risk management, which COSO defines:
“Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.”
We couldn’t agree with this definition more. It touches on many attributes of ERM that we have long championed: integration across silos and levels, strategy and goal alignment, culture, and performance.
Another framework which I co-authored, the RIMS Risk Maturity Model (RMM), also emphasizes value. In fact, an independent study by Queen’s University, “The Valuation Implications of Enterprise Risk Management Maturity,” based on RMM data found that organizations with mature ERM programs realize a 25% market valuation premium over those in which “silo-based risk activities are dominant.”
Realizing this value, however, is more than a matter of understanding the theories presented by COSO 2017. It’s a matter of taking actionable steps towards aligning with those theories. It’s also a matter of prioritizing these steps, as it is often too big a task to take on all at once. Not all components presented by the COSO update contribute equal business value; those that contribute more value should of course be prioritized.
Below are some of the theoretical goals of the updated Framework that we resonate with most, as well as some helpful resources we’ve published that show you how to implement COSO 2017.
The enhancements are ordered by percent contribution to business value, as determined by “The Valuation Implications of Enterprise Risk Management Maturity” study.