Hi, I'm Jennifer Louis, and welcome back to our corporate governance CPA Review module. Today we're going to talk about enterprise risk management. Enterprise risk management, or ERM, is a principle that's very similar in a lot of ways to the COSO internal control integrated framework. If you remember, we talked about that in an earlier module, the COSO integrated framework that had five components:
control environment, risk assessment, information and communication, monitoring, and control activities. The enterprise risk management framework is also something that is based on COSO principles, COSO being the Committee of Sponsoring Organizations. And what it does is it takes that original COSO integrated framework and looks at it in a broader context.
And the foundational principle of it is that every entity exists to provide value for its stakeholders. So management's challenge is to figure out how much uncertainty or risk we are willing to accept in order to grow stakeholder value. Enterprise risk management enables management to effectively deal with the uncertainty that's associated with the opportunity.
Because every time you try to take advantage of an opportunity, there's always a risk that the opportunity might not play out. So you want to figure out where that delicate balance is between accepting risk in order to take advantage of opportunities and create value, but not going to the extreme to the detriment of the organization.
So going through this enterprise risk management process also helps ensure effective financial reporting, compliance with laws and regulations, and operational effectiveness and efficiency. So there are other objectives that roll out of the enterprise risk management framework. Enterprise risk management, or ERM, if you go to the actual definition, is a process that's effected by the entity's board of directors, management, and other personnel.
So you can tell that that part of the definition is very similar to the COSO internal control integrated framework definition, which is also a process that is effected by management and other personnel and an entity's board of directors. What's different about this is that it is applied in a strategic way. So the COSO framework, or the integrated framework for internal controls, thinks about operational process improvement,
ensuring reliable financial statements, and compliance with laws and regulations, where the ERM framework adds an additional objective of ensuring that you're able to fulfill the strategic directions, or the strategic objectives, of the company as well. So what they do in the ERM framework is they look at what the things are that could go wrong that may affect the entity's ability to meet any of those risks.
And then how do I manage that risk to be within the entity's appetite and to assure that we can achieve those objectives, whether it's financial reporting, operational effectiveness and efficiency, compliance, or the ability to fulfill strategic goals and objectives? Key terms that you will hear as it relates to the enterprise risk management or ERM framework are these concepts around strategy: aligning your risk appetite and your risk strategy.
So your risk appetite is where you try to assess how much risk or uncertainty you are willing to take on, and then your risk strategy is going to be how you respond to that risk. So what it does is it helps in creating a rigorous process of identifying your risk and selecting among different alternative risk responses to create a strategy for dealing with that risk.
And the different risk responses are either going to be risk avoidance, where I just choose not to engage in that activity to reduce my risk, or risk reduction, which is the second option, where I can try and put in some compensating or mitigating controls and activities to try and manage the risk.
I can do risk sharing, where I try and share the risk with other organizations. For example, I might get involved in a joint venture as opposed to taking all the risk on myself. Or I might choose to do risk acceptance, which is where I just choose to go ahead and assume the risk because I think that the risk isn't going to be significant enough for me to have to try and deal with it.
So the four responses that you might have to risk underneath the enterprise risk management framework are risk avoidance, risk reduction, risk sharing, and risk acceptance. The goal of each of those different responses, or combinations of responses, is going to be to try and make sure that you are reducing any surprises. You want to try to make sure that as you identify potential events and try to figure out how you're going to respond to those different events, you do that in a robust manner in order for you to reduce surprises that might have
an outcome such as an unexpected cost or a loss. This might involve you looking at risk from a very large perspective, like how to manage risk across an enterprise that has multiple locations, that might operate on an international basis. And so part of it might be going through and trying to look at risk from a big picture perspective, not just at the individual component perspective, and trying to figure out how all those risks interrelate together and how to prioritize how you're going to respond to risk.
Looking at things on an enterprise-wide level, the goal of all this is to help you seize opportunities, where I have an opportunity where I think my risk appetite is such that I should take advantage of that opportunity and try to have a positive outcome. So I'm going to deploy my capital or delegate my resources to the areas where I think that there's this great opportunity for me to seize
chances in order for me to build shareholder value. So remember that all comes back to the very beginning when we talked about ERM: the ultimate goal is to take on risk with the goal of building shareholder value, but I need to do that in a way that makes sense, where I go through and I make conscious decisions around how I can provide reasonable assurance to the organization that I am actually moving towards my objectives of reliable financial statements, strategic objectives, operational objectives, and compliance.
I'm moving towards all these objectives in a way where we are accepting risk, but not doing it to the extent where there could be a detriment or a loss to the organization because we've overextended ourselves with our risk appetite. Each of those different categories of risk, strategic, operational, reporting, and compliance, could all overlap.
Just like we talked about with the COSO internal control integrated framework, you might have activities that cross over those different objectives. Something that helps me be in compliance with a law or regulation also might help me run my business better. So you might see where there's overlap between the four objectives, but you have to make sure
That during this process of using the enterprise risk management process that you're looking at each of those different objectives and trying to thoughtfully deal with each of those different components. Now, how do you do that? If you remember, the COSO integrated framework had five components of internal controls.
It had the control environment, risk assessment, information and communication, monitoring, and control activities. Enterprise risk management has eight components. Now, some of the components are very similar to what you heard in the COSO integrated framework, starting with the control environment. ERM has a concept around that.
The internal environment has to encompass the tone of the entity and sets the consciousness around how risk is viewed and addressed, what the general philosophy is around the organization's risk appetite, and what management's integrity and ethical values are. So it's all those things that are very similar to that foundational basis of the COSO integrated framework, which is the control environment.
Here's where it's a little different. The COSO integrated framework has something called a risk assessment component, whereas the ERM framework actually takes that risk assessment component and breaks it apart into three separate components. The first component is to establish what your objectives are.
So you need to know what the things are that we're trying to accomplish with financial reporting and strategy and operations and compliance. So that is a whole separate component of the framework. The second thing that you're going to do in that risk assessment part of the component is to identify the internal and external events that might keep you from achieving those objectives.
And then the next step is to say, how is it that I'm going to perhaps decide how I'm going to manage these risks? So that includes looking at the likelihood and magnitude of these things that could go wrong. How likely is it that they would happen and what would be the magnitude if they did? And to go through the process of segregating out your lower level risks from your higher-level risks.
So whereas the risk assessment component of the COSO integrated framework that we talked about in a previous module has just risk assessment, the ERM framework has objective setting for your risk, has to identify the internal and external events that could occur that could keep you from meeting those objectives, and
has a risk assessment component that involves looking at the likelihood and magnitude of risks and deciding how it is that those risks should be managed appropriately. Then they're going to go through and set up the response itself. So you're going to go through and say, once I've looked at the likelihood and magnitude of risk, and I've tried to put them into different buckets,
then I'm going to go through and say, how should I respond to these risks? Remember there were four different risk responses. You could avoid the risk, you could share the risk, you could manage the risk, or you could decide to manage the risk appropriately with some compensating or mitigating controls.
So with your risk response, you're going to decide how it is that you're going to deal with that risk, looking at your risk appetite, or how much risk you're willing to tolerate, and then you're going to design control activities that will appropriately manage that risk. So the control activities are the policies and the procedures that are established and implemented to help ensure that your responses, that management's decisions on how to respond to these risks, are effectively carried out.
This is where things are going to start looking a little bit more similar to the COSO integrated framework, because there is an information and communication component on the CPA Exam where it talks about identifying, capturing, and communicating information in a form and timeframe that enables people to carry out their job responsibilities.
And then there also needs to be a monitoring component that makes sure that things are happening as intended. So the ERM framework has eight different components to it. So take the time now to go back to the outline and revisit those eight different components of the enterprise risk management framework, and think to yourself where there are some similarities to the COSO integrated framework and where there are some differences.