In the last chapter we saw how to identify, assess and report risks at the strategic level. This sets the overall risk context and framework for an organisation. However, if we then try to identify all of the risks at a day to day or operational/tactical level, without reference to this context, there is a danger that:
• the strategic risks may be forgotten or missed, leading to gaps in risk coverage.
• we will be reviewing and mitigating risks that are not significant to the organisation as a whole.
We therefore need a mechanism to connect and synchronise the strategic and operational/tactical risks and controls. This mechanism is often referred to as ERM, or Enterprise Risk Management. In this chapter we will consider:
• What is enterprise risk management?
• Common frameworks for ERM
At the end of the chapter there is also a summary of key points and take-aways.
The phrase enterprise risk management (ERM) has become increasingly popular. It is used to encompass the tools and processes that organisations use to manage risks and ensure that they are making the best use of any opportunities they have to achieve their business objectives. It is important that the information risk management specialist or auditor understands enterprise risk management, as much of their work will need to be in the context of ERM for their entity.
One definition could be:
ERM is a strategic enterprise wide management process, to identify potential risks that could significantly impact the entity, and manage them within the entity’s risk appetite. The aim is to provide reasonable assurance management can still achieve the entity’s strategic objectives.
Let’s look at some of the key elements of this definition in more detail.
Strategic enterprise wide management process
Each operating division, function or geographical market of the business could develop their own approach, tools and processes for risk assessment and management. However, this ‘bottom-up’ approach has a number of weaknesses, as this approach:
• Will identify risks specific for each location – these may be too granular and of little or no consequence to the organisation as a whole.
• Is not standard – different levels of effort will be made at each location, probably not related to the overall impact of the risk on the organisation as a whole.
• It will be difficult to consolidate findings for the organisation as a whole and relate them to the strategic business risks.
As a result of the above, enterprise risk management seeks to provide a standardised approach across the enterprise. This will include the tactical and divisional risks within the overall strategic risk management.
Identify potential risks
We could just ask everyone in the organisation to provide a list of risks. This ‘bottom-up’ approach would provide descriptions of risks that the individual considers to be important (e.g. ‘the coffee machine may not work’ or ‘I am unable to open my office’) which whilst important to the individual, are less important to the organisation as a whole. The risk will tend to be operational and tactical rather than strategic. In the early days of SOX implementation, some organisations found themselves with hundreds of risks, only a few of which were relevant to financial reporting and hence the Act.
This approach also leads to duplication and risks that are worded inconsistently, making them very difficult to consolidate and assess at the entity level.
We cannot treat all risks the same – and indeed do not need to. We only need to address those with a potential significant impact. The extent of review and mitigation should be commensurate to the level of risk impact.
Manage them within the entity’s risk appetite
COSO’s Enterprise Risk Management – Integrated Framework defines risk appetite as follows:
“The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.” – 1 COSO, Enterprise Risk Management – Integrated Framework, p. 19.
Each entity will have its own risk appetite, based on history, the sector and business that it operates in. Generally, entrepreneurial organisations would be expected to take more risks because of the greater business opportunities available to them and competition to be the first in the market. Established businesses will take fewer risks because they have more to lose. The appetite for risk should be standard across an organisation and should be ‘embedded in its DNA’. If there is too much autonomy for risk the whole business could be brought down by the activities in a particular area.
Enterprise risk management seeks to identify the risk appetite for the entity as a whole and ensure that it is communicated, aligned throughout the entity and complied with via the entities corporate governance framework.
Common ERM frameworks
The most commonly used and internationally recognised framework is COSO (see www.coso.org). The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to provide thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. It was formed in the US after the Treadway Commission issued a report of findings and recommendations in October 1987 – Report of the National Commission on Fraudulent Financial Reporting. It is the framework most commonly used by organisations that have to comply with the Sarbanes-Oxley Act and is also commonly used within the public sector.
COSO provide a wide range of guidance on risk management, etc. The most famous of which is a cube which was updated in 2012. There are a number of critics of COSO citing its complexity and its basis on principles. However, it is still the most widely used and attempts to provide an alternative (e.g. from the Institute of Management Accountants) have generally failed. In my view COSO is a useful tool – like all tools its benefit depends on how it is applied in practice. The following is an overview to give a taste of the framework – further information is widely available on the Internet – including COSO’s own website referenced above.
The ‘X axis’ of the COSOS cube shows three categories (operations, reporting and compliance). Earlier versions had a fourth category, strategic. The ‘Y axis’ shows five components of ERM (Control environment, risk assessment, control activities, information and communication and monitoring activities. Earlier versions had eight components. The ‘Z axis’ represents the four levels of an organisation (entity, division, operation and function). The cube structure demonstrates the interaction between the categories, components and levels of an organisation.
The five components
The five risk components form a sequence and are likely to be completed in that order.
1. Control environment
The control environment, sometimes referred to as ‘tone at the top’, assists the context for the organisation’s commitment to control, ethical values and overall integrity. It should be demonstrated through all levels of an organisation, starting with the Board of Directors and their independence and guidance. The Board, or other governance level of an entity, is responsible for evaluation, direction and high-level monitoring of the governance and controls for their entity. The Board should direct the entity’s level of control and also ensure adequate monitoring is in place to provide compliance with this agreed control environment.
Under the direction of the Board, management are responsible for planning, building, running and day to day monitoring of the processes of the entity, including governance and risk management/control processes. Management should reflect this with appropriate structures and reporting to ensure that all individuals in the entity are aware of the control environment and that there is a culture to ensure individual accountability for internal control. The IT function is not an exception – it also needs to comply with the control environment by applying the entities’ policies, procedures, guidelines and monitoring arrangements to its own controls. We will consider this further in Chapter 5 (Overview of General IT and Management Risks).
2. Risk assessment
In order to assess risk, the entity first needs to be clear what it is trying to achieve and ensure that this is understood by all. It is then possible to assess the risks relating to these objectives across the entity so that appropriate management arrangements, such as controls, can be introduced. The risk assessment will also depend upon the control environment of the entity, particularly their risk appetite. This will include the risk of fraud or other irregularity and also consider how the risks may change over time.
Risk assessments usually start at the Board and then filter down through all levels of management. Typically, a Board will review the top risks faced on an annual basis using workshops and a risk heat map. As we saw in the last chapter, risk assessment is based on likelihood (or probability) of an event and the likely impact. Any risk assessment for IT needs to follow the same approach and any risks identified should be referenced to the higher level strategic risks.
3. Control activities
Having assessed the risks, it is then possible to select and develop appropriate control activities to reduce the level of risk to a more acceptable level in line with the risk appetite. In the IT context, this could include activities, such as the use of access controls, use of firewalls, or reporting of unauthorised access attempts.
4. Information and communication
The assessment of risk, monitoring of activities, etc. all require the organisation to obtain or generate relevant high quality data or information. Information is also generated internally to ensure all board members and staff are aware of the control environment and their responsibilities. Information risk management specialists or auditors will often be involved in reviewing the accuracy and completeness of this information and the systems and processes by which it is obtained.
5. Monitoring activities
Monitoring activities is important to ensure that we can evaluate the effectiveness of the controls in mitigating risks. This helps to identify gaps or other control failures so that they can be remediated. Monitoring also ascertains whether the components of internal control are present and functioning – across the whole entity. Effective monitoring relies on clear lines of accountability and responsibility, and quality mechanisms to ensure consistency.
Larger organisations will generally use automated tools to ensure that all control activity is monitored on an ongoing basis. This will include a level of control self-assessment and additional independent quality reviews to ensure consistency and integrity of monitoring. Information risk management specialists will be using these tools to monitor their own controls and may also be asked to review the integrity and use of the tool from a technical perspective.
ISO31000 is an international standard for risk management, first published in 2009. The following table will help to compare and contrast ISO31000 with COSO.
Flexible evaluation standard for ERM evaluation
Guidance on risk management process and its implementation
Describes the ‘What’
Describes the ‘How’
ISO31000 provides guidelines and principles to help organisations with risk analysis and assessments. It was written to improve risk management techniques and provide better stakeholder confidence in the process. It is most used by organisations new to risk management and can be applied to a wide range of risk management areas, including health and safety and IT. It specifies three main areas for the risk management process to cover:
1. Risk architecture – the roles and responsibilities, communication and risk reporting structures.
2. Risk strategy – the strategy, appetite, attitudes and philosophy as defined in the risk management policy. This will include the objectives that the risk management arrangements are seeking to achieve.
3. Risk protocols – the guidelines specified by the entity, including rules and procedures, methodologies, tools and techniques to be applied. They describe the procedures by which the strategy will be implemented and risks managed.
The above represent the main communication channels within an entity to ensure consistency of risk management.
ISO31000 describes the components of a framework for implementing risk management, including the implementation and ongoing support. There are five main components:
1. Mandate and commitment – conducted by the Board to provide the overall control environment.
2. Design of framework – depends upon the organisation and its context, and includes risk management policy and embedding risk management.
4. Monitor and review framework.
5. Improve framework (loops back to 2 above).
Sarbanes-Oxley is not actually a framework in its own right (it is usually used alongside COSO and often COBIT® 5). It has, however, been a great source of work for information risk management specialists since 2002 and so you should know something about it.
It relates to the Sarbanes-Oxley Act 2002, which enforced the establishment of controls, management reporting and independent audit for the financial reporting of any US publicly traded company – including in effect their subsidiaries, even if based outside the US. It is important to emphasise that it only relates to:
• US listed companies, including non-US based operations and subsidiaries but not companies only listed on other stock exchanges (e.g. London).
• Only controls over financial reporting – not other financial controls, or operational controls.
• Usually when SOX is referred to it is in connection with Section 404, which refers to financial reporting.
The Act came about following high-level accounting failures, such as Enron. A way was required to re-establish trust in the financial markets and general financial reporting.
Just after SOX was introduced, it was thought there would be a number of similar initiatives in other areas. Rumours of ESOX (European), and PSOX (public sector) were common. Japan’s Financial Instruments Exchange Law (FIEL) requires a management assessment of financial reporting internally and auditors to provide an opinion on this assessment. This is commonly referred to as ‘J-SOX’, and is applicable to all publicly registered companies on Japanese stock exchanges. It is broadly similar to the SOX requirement described above and the information risk management approach is still applicable.
The consideration of information risk should not be seen in isolation but in the overall context of enterprise risk management. COSO provides a well-established framework for understanding enterprise risk management and ISO31000 provides guidance on how it can be implemented. For those involved in the specific audit of US registered companies, consideration also needs to be given to SOX and how it impacts their work.