Enterprise Risk Management

Many companies responded to the accounting scandals of the early 2000s and the ensuing recession by taking measures to improve their entity risk management process. In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an enterprise risk management (ERM) framework to provide guidance in this area.

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004).

In a 2008 survey led by Crowe Horwath LLC, more than 65 percent of CFOs and 70 percent of audit committee members cite managing enterprise risk as their organization’s biggest challenge over the next year. Standard and Poor’s has recently begun evaluating a firm’s ERM procedures as a component of their credit evaluation (Dreyer and Ingram, 2008), and a new SEC proxy statement disclosure requirement has companies providing insight into their board’s involvement in risk assessment (SEC, 2010b).

Nine of the eleven sampled companies have begun developing ERM processes in the past few years. Early ERM process development activities involved identifying and ranking the company’s enterprise risks, and constructing formal methods to continuously monitor and manage identified risks. Internal audit is or will be involved in the ERM process by ensuring the developed risk management activities are performed by the appropriate individuals. The two remaining sampled companies are not currently developing an ERM process. One of these companies tried ERM but found the process to be an inflexible “check list” exercise, and the other company manages risks informally. Several CAEs noted the economic downturn has strained resources, slowing ERM process development.