A Building-Block Approach for Implementing COSO's Enterprise Risk Management-Integrated Framework: Here Is a Way Organizations of All Sizes, Cultures, and Risk Experiences Can Apply the Framework without Becoming Overwhelmed by It

EXECUTIVE SUMMARY: As a result of the highly publicized business failures, scandals, and frauds over the past several years, senior managers must now comply with a series of laws, regulations, and listing standards calling for strengthened corporate governance and risk management. To help them comply, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its framework for enterprise-wide risk management, Enterprise Risk Management--Integrated Framework, in September 2004. The goal of the framework is to enable organizations to standardize enterprise risk management (ERM) so that organizations can more easily benchmark, establish best practices, and have more meaningful dialogue about the critically important issue of risk management. One concern regarding the COSO ERM framework is that its overreaching nature can appear overwhelming for some organizations, particularly those that are small in size or have not previously established an ERM culture. This article presents a building-block approach to implementing the COSO ERM framework that makes it usable to organizations regardless of their size or previous experience in risk management. Our building-block process enables organizations to evolve ERM as they establish a risk culture and offers better opportunities for efficient and effective allocation of resources for ERM activities.

Managing risk is an important aspect of running an organization that is sometimes overlooked--despite the unprecedented level of business failures and financial reporting scandals over the past several years. The responsibility of overseeing risk management falls on the board of directors, while the ownership responsibility for enterprise risk management falls on the CEO and senior executives.
In Risk from the CEO and Board Perspective by Mary Pat McCarthy and Timothy Flynn, Hewlett-Packard board member Jay Keyworth states, "In my years at H-P and in talking to other board members from large Fortune 50 companies, I find that people thought that actually becoming familiar with the business itself and the details of the business, and particularly the half-dozen major areas of potential risk the company faces, was not really a board responsibility." (1) Keyworth has been on H-P's board for 19 years, served as chairman of the Progress and Freedom Foundation, worked as the Science Advisor to President Reagan, and dealt with risk and governance issues while serving on six other boards. His comment in the McCarthy and Flynn book suggests that boards might not have taken responsibility for risk management to the extent that stakeholders expect. From directors on down to other people in the organization, the need for enterprise risk management is more important than ever because of today's business environment. Organizations now face unprecedented challenges as they compete in an increasingly global, volatile, and regulated business environment. Further, meeting customer needs, managing complex supply chains, utilizing strategic alliance partners, and ensuring effective and efficient internal business process performance are increasingly difficult, even with today's more sophisticated, real-time information systems. Added to these pressures are the threats to an organization's reputation. There is an ever-strengthening public perception that organizations are not properly, or not at all, socially responsible. This perception is due in part to the public's belief that organizations are not doing enough to improve the communities and environments in which they operate. Further damaging organizations' reputations is the distrust arising from the frauds and reporting restatements, especially those from 1999 to 2004.
Taken together, the increasingly complex nature of business risks suggests that companies need to develop a formal process for managing their portfolio of risk properly. But, until recently, there has not been a standardized framework for approaching enterprise risk management (ERM) that organizations could use to establish benchmarks and best practices. …