eBook ISBN: 978-1-94549-886-2
©2017 All Rights Reserved. No part of this publication may be reproduced,
redistributed, transmitted, or displayed in any form or by any means without
written permission of COSO.
Table of Contents
1. Executive Summary
2. Framework
3. Appendices
Executive Summary
This project was commissioned by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO), which is
dedicated to providing thought leadership through the development
of comprehensive frameworks and guidance on internal control,
enterprise risk management, and fraud deterrence designed to
improve organizational performance and oversight and to reduce
the extent of fraud in organizations. COSO is a private sector
initiative, jointly sponsored and funded by:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• The Institute of Internal Auditors
Foreword
In keeping with its overall mission, the COSO Board commissioned
and published in 2004 Enterprise Risk Management—Integrated
Framework. Over the past decade, that publication has gained
broad acceptance by organizations in their efforts to manage risk.
However, also through that period, the complexity of risk has
changed, new risks have emerged, and both boards and executives
have enhanced their awareness and oversight of enterprise risk
management while asking for improved risk reporting. This update
to the 2004 publication addresses the evolution of enterprise risk
management and the need for organizations to improve their
approach to managing risk to meet the demands of an evolving
business environment.
The updated document, now titled Enterprise Risk Management—
Integrating with Strategy and Performance, highlights the
importance of considering risk in both the strategy-setting process
and in driving performance. The first part of the updated publication
offers a perspective on current and evolving concepts and
applications of enterprise risk management. The second part, the
Framework, is organized into five easy-to-understand components
that accommodate different viewpoints and operating structures,
and enhance strategies and decision-making. In short, this update:
• Provides greater insight into the value of enterprise risk
management when setting and carrying out strategy.
• Enhances alignment between performance and enterprise risk
management to improve the setting of performance targets and
understanding the impact of risk on performance.
• Accommodates expectations for governance and oversight.
• Recognizes the globalization of markets and operations and the
need to apply a common, albeit tailored, approach across
geographies.
• Presents new ways to view risk to setting and achieving objectives
in the context of greater business complexity.
• Expands reporting to address expectations for greater stakeholder
transparency.
• Accommodates evolving technologies and the proliferation of data
and analytics in supporting decision-making.
• Sets out core definitions, components, and principles for all levels
of management involved in designing, implementing, and
conducting enterprise risk management practices.
Readers may also wish to consult a complementary publication,
COSO’s Internal Control—Integrated Framework. The two
publications are distinct and have different focuses; neither
supersedes the other. However, they do connect. Internal Control—
Integrated Framework encompasses internal control, which is
referenced in part in this updated publication, and therefore the
earlier document remains viable and suitable for designing,
implementing, conducting, and assessing internal control, and for
consequent reporting.
The COSO Board would like to thank PwC for its significant
contributions in developing Enterprise Risk Management—
Integrating with Strategy and Performance. Their full consideration
of input provided by many stakeholders and their insight were
instrumental in ensuring that the strengths of the original publication
have been preserved, and that text has been clarified or expanded
where it was deemed helpful to do so. The COSO Board and PwC
together would also like to thank the Advisory Council and
Observers for their contributions in reviewing and providing
feedback.
Robert B. Hirth Jr., COSO Chair
Dennis L. Chesley, PwC Project Lead Partner and Global and APA Risk and Regulatory Leader
Committee of Sponsoring Organizations of the Treadway Commission
Board Members
• Robert B. Hirth Jr., COSO Chair
• Richard F. Chambers, The Institute of Internal Auditors
• Mitchell A. Danaher, Financial Executives International
• Charles E. Landes, American Institute of Certified Public Accountants
• Douglas F. Prawitt, American Accounting Association
• Sandra Richtermeyer, Institute of Management Accountants
PwC—Author
Principal Contributors
• Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
• Dennis L. Chesley, Project Lead Partner and Global and APA Risk and Regulatory Leader, Washington DC, USA
• Frank J. Martens, Project Lead Director and Global Risk Framework and Methodology Leader, British Columbia, Canada
• Matthew Bagin, Director, Washington DC, USA
• Hélène Katz, Director, New York, USA
• Katie T. Sylvis, Director, Washington DC, USA
• Sallie Jo Perraglia, Manager, New York, USA
• Kathleen Crader Zelnik, Manager, Washington DC, USA
• Maria Grimshaw, Senior Associate, New York, USA
The Changing Risk Landscape
Our understanding of the nature of risk, the art and science of
choice, lies at the core of our modern economy. Every choice we
make in the pursuit of objectives has its risks. From day-to-day
operational decisions to the fundamental trade-offs in the
boardroom, dealing with risk in these choices is a part of decision-
making.
As we seek to optimize a range of possible outcomes, decisions are
rarely binary, with a right and wrong answer. That’s why enterprise
risk management may be called both an art and a science. And
when risk is considered in the formulation of an organization’s
strategy and business objectives, enterprise risk management helps
to optimize outcomes.
Our understanding of risk and our practice of enterprise risk
management have improved greatly over the past few decades. But
the margin for error is shrinking. The World Economic Forum has
commented on the “increasing volatility, complexity and ambiguity
of the world.”[1] That’s a phenomenon we all recognize. Organizations
encounter challenges that impact reliability, relevancy, and trust.
Stakeholders are more engaged today, seeking greater transparency
and accountability for managing the impact of risk while also
critically evaluating leadership’s ability to crystalize opportunities.
Even success can bring with it additional downside risk—the risk of
not being able to fulfill unexpectedly high demand, or maintain
expected business momentum, for example.
Organizations need to be more adaptive to change. They need to
think strategically about how to manage the increasing volatility,
complexity, and ambiguity of the world, particularly at the senior
levels in the organization and in the boardroom where the stakes are
highest.
Enterprise Risk Management—Integrating with Strategy and
Performance provides a Framework for boards and management in
entities of all sizes. It builds on the current level of risk management
that exists in the normal course of business. Further, it
demonstrates how integrating enterprise risk management practices
throughout an entity helps to accelerate growth and enhance
performance. It also contains principles that can be applied—from
strategic decision-making through to performance.
Below, we describe why it makes sense for management and
boards to use the enterprise risk management framework,[2] what
organizations have achieved by applying enterprise risk
management, and what further benefits they can realize through its
continued use. We conclude with a look into the future.
Management’s Guide to Enterprise Risk Management
Management holds overall responsibility for managing risk to the
entity, but it is important for management to go further: to enhance
the conversation with the board and stakeholders about using
enterprise risk management to gain a competitive advantage. That
starts by deploying enterprise risk management capabilities as part
of selecting and refining a strategy.
Most notably, through this process, management will gain a better
understanding of how the explicit consideration of risk may impact
the choice of strategy. Enterprise risk management enriches
management dialogue by adding perspective to the strengths and
weaknesses of a strategy as conditions change, and to how well a
strategy fits with the organization’s mission and vision. It allows
management to feel more confident that they’ve examined
alternative strategies and considered the input of those in their
organization who will implement the strategy selected.
Once strategy is set, enterprise risk management provides an
effective way for management to fulfill its role, knowing that the
organization is attuned to risks that can impact strategy and is
managing them well. Applying enterprise risk management helps to
create trust and instill confidence in stakeholders in the current
environment, which demands greater scrutiny than ever before
about how the organization is actively addressing and managing these risks.
The Board’s Guide to Enterprise Risk Management
Every board has an oversight role, helping to support the creation of
value in an entity and prevent its decline. Traditionally, enterprise
risk management has played a strong supporting role at the board
level. Now, boards are increasingly expected to provide oversight of
enterprise risk management.
The Framework supplies important considerations for boards in
defining and addressing their risk oversight responsibilities. These
considerations include governance and culture; strategy and
objective-setting; performance; information, communications and
reporting; and the review and revision of practices to enhance entity
performance.
The board’s risk oversight role may include, but is not limited to:
• Reviewing, challenging, and concurring with management on:
− Proposed strategy and risk appetite.
− Alignment of strategy and business objectives with the entity’s
stated mission, vision, and core values.
− Significant business decisions including mergers, acquisitions,
capital allocations, funding, and dividend-related decisions.
− Response to significant fluctuations in entity performance or the
portfolio view of risk.
− Responses to instances of deviation from core values.
• Approving management incentives and remuneration.
• Participating in investor and stakeholder relations.
Over the longer term, enterprise risk management can also enhance
enterprise resilience—the ability to anticipate and respond to
change. It helps organizations identify factors that represent not just
risk, but change, and how that change could impact performance
and necessitate a shift in strategy. By seeing change more clearly,
an organization can fashion its own plan; for example, should it
defensively pull back or invest in a new business? Enterprise risk
management provides the right framework for boards to assess risk
and embrace a mindset of resilience.
Questions for management
Can all of management—not just the chief risk officer—
articulate how risk is considered in the selection of strategy
or business decisions? Can they clearly articulate the entity’s
risk appetite and how it might influence a specific decision?
The resulting conversation may shed light on what the
mindset for risk taking is really like in the organization.
Boards can also ask senior management to talk not only
about risk processes but also about culture. How does the
culture enable or inhibit responsible risk taking? What lens
does management use to monitor the risk culture, and how
has that changed? As things change—and things will change
whether or not they’re on the entity’s radar—how can the
board be confident of an appropriate and timely response
from management?
What Enterprise Risk Management Has Achieved
COSO published Enterprise Risk Management—Integrated
Framework in 2004. The purpose of that publication was to help
entities better protect and enhance stakeholder value. Its underlying
philosophy was that “value is maximized when management sets
strategy and objectives to strike an optimal balance between growth
and return goals and related risks, and efficiently and effectively
deploys resources in pursuit of the entity’s objectives.”[3]
Since its publication, the Framework has been used successfully
around the world, across industries, and in organizations of all types
and sizes to identify risks, manage those risks within a defined risk
appetite, and support the achievement of objectives. Yet, while
many have applied the Framework in practice, it has the potential to
be used more extensively. It would benefit from examining certain
aspects with more depth and clarity, and by providing greater
insight into the links between strategy, risk, and performance. In
response, therefore, the updated Framework in this publication:
• More clearly connects enterprise risk management with a
multitude of stakeholder expectations.
• Positions risk in the context of an organization’s performance,
rather than as the subject of an isolated exercise.
• Enables organizations to better anticipate risk so they can get
ahead of it, with an understanding that change creates
opportunities, not simply the potential for crises.
This update also answers the call for a stronger emphasis on how
enterprise risk management informs strategy and its performance.
Clearing up a few misconceptions
We’ve heard a few misconceptions about the original
Framework since it was introduced in 2004. To set the record
straight:
Enterprise risk management is not a function or
department. It is the culture, capabilities, and practices that
organizations integrate with strategy-setting and apply when
they carry out that strategy, with a purpose of managing risk
in creating, preserving, and realizing value.
Enterprise risk management is more than a risk listing. It
requires more than taking an inventory of all the risks within
the organization. It is broader and includes practices that
management puts in place to actively manage risk.
Enterprise risk management addresses more than
internal control. It also addresses other topics such as
strategy-setting, governance, communicating with
stakeholders, and measuring performance. Its principles
apply at all levels of the organization and across all functions.
Enterprise risk management is not a checklist. It is a set of
principles on which processes can be built or integrated for a
particular organization, and it is a system of monitoring,
learning, and improving performance.
Enterprise risk management can be used by
organizations of any size. If an organization has a mission, a
strategy, and objectives—and the need to make decisions
that fully consider risk—then enterprise risk management can
be applied. It can and should be used by all kinds of
organizations, from small businesses to community-based
social enterprises to government agencies to Fortune 500
companies.
Benefits of Effective Enterprise Risk Management
All organizations need to set strategy and periodically adjust it,
always staying aware of both ever-changing opportunities for
creating value and the challenges that will occur in pursuit of that
value. To do that, they need the best possible framework for
optimizing strategy and performance.
That’s where enterprise risk management comes into play.
Organizations that integrate enterprise risk management throughout
the entity can realize many benefits, including, though not limited to:
• Increasing the range of opportunities: By considering all
possibilities—both positive and negative aspects of risk—
management can identify new opportunities and unique
challenges associated with current opportunities.
• Identifying and managing risk entity-wide: Every entity faces
myriad risks that can affect many parts of the organization.
Sometimes a risk can originate in one part of the entity but impact
a different part. Consequently, management identifies and
manages these entity-wide risks to sustain and improve
performance.
• Increasing positive outcomes and advantage while reducing
negative surprises: Enterprise risk management allows entities to
improve their ability to identify risks and establish appropriate
responses, reducing surprises and related costs or losses, while
profiting from advantageous developments.
• Reducing performance variability: For some, the challenge is less
with surprises and losses and more with variability in performance.
Performing ahead of schedule or beyond expectations may cause
as much concern as performing short of scheduling and
expectations. Enterprise risk management allows organizations to
anticipate the risks that would affect performance and enable
them to put in place the actions needed to minimize disruption
and maximize opportunity.
• Improving resource deployment: Every risk could be considered a
request for resources. Obtaining robust information on risk allows
management, in the face of finite resources, to assess overall
resource needs, prioritize resource deployment and enhance
resource allocation.
• Enhancing enterprise resilience: An entity’s medium- and long-term
viability depends on its ability to anticipate and respond to
change, not only to survive but also to evolve and thrive. This is, in
part, enabled by effective enterprise risk management. It becomes
increasingly important as the pace of change accelerates and
business complexity increases.
These benefits highlight the fact that risk should not be viewed
solely as a potential constraint or challenge to setting and carrying
out a strategy. Rather, the change that underlies risk and the
organizational responses to risk give rise to strategic opportunities
and key differentiating capabilities.
The Role of Risk in Strategy Selection
Strategy selection is about making choices and accepting trade-
offs. So it makes sense to apply enterprise risk management to
strategy as that is the best approach for untangling the art and
science of making well-informed choices.
Risk is a consideration in many strategy-setting processes. But risk
is often evaluated primarily in relation to its potential effect on an
already-determined strategy. In other words, the discussions focus
on risks to the existing strategy: We have a strategy in place, what
could affect the relevance and viability of our strategy?
But there are other questions to ask about strategy, which
organizations are getting better at asking: Have we modeled
customer demand accurately? Will our supply chain deliver on time
and on budget? Will new competitors emerge? Is our technology
infrastructure up to the task? These are the kinds of questions that
executives grapple with every day, and responding to them is
fundamental to carrying out a strategy.
However, the risk to the chosen strategy is only one aspect to
consider. As this Framework emphasizes, there are two additional
aspects to enterprise risk management that can have far greater
effect on an entity’s value: the possibility of the strategy not aligning,
and the implications from the strategy chosen.
The first of these, the possibility of the strategy not aligning with
an organization’s mission, vision, and core values, is central to
decisions that underlie strategy selection. Every entity has a
mission, vision, and core values that define what it is trying to
achieve and how it wants to conduct business. Some organizations
are skeptical about truly embracing their corporate credos. But
mission, vision, and core values have been demonstrated to matter
—and they matter most when it comes to managing risk and
remaining resilient during periods of change.
A chosen strategy must support the organization’s mission and
vision. A misaligned strategy increases the possibility that the
organization may not realize its mission and vision, or may
compromise its values, even if a strategy is successfully carried out.
Therefore, enterprise risk management considers the possibility of
strategy not aligning with the mission and vision of the organization.
The other additional aspect is the implications from the strategy
chosen. When management develops a strategy and works through
alternatives with the board, they make decisions on the trade-offs
inherent in the strategy. Each alternative strategy has its own risk
profile—these are the implications arising from the strategy. The
board of directors and management need to determine if the
strategy works in tandem with the organization’s risk appetite, and
how it will help drive the organization to set objectives and
ultimately allocate resources efficiently.
Here’s what’s important: Enterprise risk management is as much
about understanding the implications from the strategy and the
possibility of strategy not aligning as it is about managing risks to
set objectives. The figure below illustrates these considerations in
the context of mission, vision, core values, and as a driver of an
entity’s overall direction and performance.
Enterprise risk management, as it has typically been practiced, has
helped many organizations identify, assess, and manage risks to the
strategy. But the most significant causes of value destruction are
embedded in the possibility of the strategy not supporting the
entity’s mission and vision, and the implications from the strategy.
Enterprise risk management enhances strategy selection. Choosing
a strategy calls for structured decision-making that analyzes risk
and aligns resources with the mission and vision of the organization.
A Focused Framework
Enterprise Risk Management—Integrating with Strategy and
Performance clarifies the importance of enterprise risk management
in strategic planning and embedding it throughout an organization—
because risk influences and aligns strategy and performance across
all departments and functions.
The Framework itself is a set of principles organized into five
interrelated components:
1. Governance and Culture: Governance sets the organization’s
tone, reinforcing the importance of, and establishing oversight
responsibilities for, enterprise risk management. Culture pertains
to ethical values, desired behaviors, and understanding of risk in
the entity.
2. Strategy and Objective-Setting: Enterprise risk management,
strategy, and objective-setting work together in the strategic-
planning process. A risk appetite is established and aligned with
strategy; business objectives put strategy into practice while
serving as a basis for identifying, assessing, and responding to
risk.
3. Performance: Risks that may impact the achievement of strategy
and business objectives need to be identified and assessed.
Risks are prioritized by severity in the context of risk appetite.
The organization then selects risk responses and takes a portfolio
view of the amount of risk it has assumed. The results of this
process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an
organization can consider how well the enterprise risk
management components are functioning over time and in light
of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk
management requires a continual process of obtaining and
sharing necessary information, from both internal and external
sources, which flows up, down, and across the organization.
The five components in the updated Framework are supported by a
set of principles.[4] These principles cover everything from
governance to monitoring. They’re manageable in size, and they
describe practices that can be applied in different ways for different
organizations regardless of size, type, or sector. Adhering to these
principles can provide management and the board with a
reasonable expectation that the organization understands and
strives to manage the risks associated with its strategy and
business objectives.
Looking into the Future
There is no doubt that organizations will continue to face a future full
of volatility, complexity, and ambiguity. Enterprise risk management
will be an important part of how an organization manages and
prospers through these times. Regardless of the type and size of an
entity, strategies need to stay true to their mission. And all entities
need to exhibit traits that drive an effective response to change,
including agile decision-making, the ability to respond in a cohesive
manner, and the adaptive capacity to pivot and reposition while
maintaining high levels of trust among stakeholders.
As we look into the future, there are several trends that will have an
effect on enterprise risk management. Just four of these are:
• Dealing with the proliferation of data: As more and more data
becomes available and the speed at which new data can be
analyzed increases, enterprise risk management will need to
adapt. The data will come from both inside and outside the entity,
and it will be structured in new ways. Advanced analytics and data
visualization tools will evolve and be very helpful in understanding
risk and its impact—both positive and negative.
• Leveraging artificial intelligence and automation: Many people feel
that we have entered the era of automated processes and artificial
intelligence. Regardless of individual beliefs, it is important for
enterprise risk management practices to consider the impact of
these and future technologies, and leverage their capabilities.
Previously unrecognizable relationships, trends and patterns can
be uncovered, providing a rich source of information critical to
managing risk.
• Managing the cost of risk management: A frequent concern
expressed by many business executives is the cost of risk
management, compliance processes, and control activities in
comparison to the value gained. As enterprise risk management
practices evolve, it will become important that activities spanning
risk, compliance, control, and even governance be efficiently
coordinated to provide maximum benefit to the organization. This
may represent one of the best opportunities for enterprise risk
management to redefine its importance to the organization.
• Building stronger organizations: As organizations become better at
integrating enterprise risk management with strategy and
performance, an opportunity to strengthen resilience will present
itself. By knowing the risks that will have the greatest impact on
the entity, organizations can use enterprise risk management to
help put in place capabilities that allow them to act early. This will
open up new opportunities.
In summary, enterprise risk management will need to change and
adapt to the future to consistently provide the benefits outlined in
the Framework. With the right focus, the benefits derived from
enterprise risk management will far outweigh the investments and
provide organizations with confidence in their ability to handle the
future.
[1] The Global Risks Report 2016, 11th edition, World Economic Forum (2016).
[2] The Framework uses the term “board of directors” or “board,” which encompasses the governing body, including board, supervisory board, board of trustees, general partners, or owner.
[3] Enterprise Risk Management—Integrated Framework, Executive Summary, COSO (2004).
[4] A fuller description of these twenty principles is provided at the end of this document.
Acknowledgments
A special thank you to the following companies and organizations
for allowing the participation of Advisory Council Members and
Observers.
Advisory Council Members
Companies and Organizations
• Athene USA (Jane Karli)
• Edison International (David J. Heller)
• First Data Corporation (Lee Marks)
• Georgia-Pacific LLC (Paul Sobel)
• Invesco Ltd. (Suzanne Christensen)
• Microsoft (Jeff Pratt)
• US Department of Commerce (Karen Hardy)
• United Technologies Corporation (Margaret Boissoneau)
• Zurich Insurance Company (James Davenport)
Higher Education and Associations
• North Carolina State University (Mark Beasley)
• St. John’s University (Paul Walker)
• The Institute of Internal Auditors (Douglas J. Anderson)
Professional Service Firms
• Crowe Horwath LLP (William Watts)
• Deloitte & Touche LLP (Henry Ristuccia)
• Ernst & Young (Anthony J. Carmello)
• James Lam & Associates (James Lam)
• Grant Thornton LLP (Bailey Jordan)
• KPMG LLP Americas (Deon Minnaar)
• Mercury Business Advisors Inc. (Patrick Stroh)
• Protiviti Inc. (James DeLoach)
Former COSO Board Member
• COSO Chair, 2009–2013 (David Landsittel)
Observers
• Federal Deposit Insurance Corporation (Harrison Greene)
• Government Accountability Office (James Dalkin)
• Institute of Management Accountants (Jeff Thompson)
• Institut der Wirtschaftsprüfer (Horst Kreisel)
• International Federation of Accountants (Vincent Tophoff)
• ISACA (Jennifer Bayuk)
• Risk Management Society (Carol Fox)
Components and Principles
1. Exercises Board Risk Oversight—The board of directors
provides oversight of the strategy and carries out governance
responsibilities to support management in achieving strategy
and business objectives.
2. Establishes Operating Structures—The organization
establishes operating structures in the pursuit of strategy and
business objectives.
3. Defines Desired Culture—The organization defines the desired
behaviors that characterize the entity’s desired culture.
4. Demonstrates Commitment to Core Values—The
organization demonstrates a commitment to the entity’s core
values.
5. Attracts, Develops, and Retains Capable Individuals—The
organization is committed to building human capital in
alignment with the strategy and business objectives.
6. Analyzes Business Context—The organization considers
potential effects of business context on risk profile.
7. Defines Risk Appetite—The organization defines risk appetite
in the context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies—The organization evaluates
alternative strategies and potential impact on risk profile.
9. Formulates Business Objectives—The organization considers
risk while establishing the business objectives at various levels
that align and support strategy.
10. Identifies Risk—The organization identifies risk that impacts
the performance of strategy and business objectives.
11. Assesses Severity of Risk—The organization assesses the
severity of risk.
12. Prioritizes Risks—The organization prioritizes risks as a basis
for selecting responses to risks.
13. Implements Risk Responses—The organization identifies and
selects risk responses.
14. Develops Portfolio View—The organization develops and
evaluates a portfolio view of risk.
15. Assesses Substantial Change—The organization identifies
and assesses changes that may substantially affect strategy
and business objectives.
16. Reviews Risk and Performance—The organization reviews
entity performance and considers risk.
17. Pursues Improvement in Enterprise Risk Management—The
organization pursues improvement of enterprise risk
management.
18. Leverages Information Systems—The organization leverages
the entity’s information and technology systems to support
enterprise risk management.
19. Communicates Risk Information—The organization uses
communication channels to support enterprise risk
management.
20. Reports on Risk, Culture, and Performance—The
organization reports on risk, culture, and performance at
multiple levels and across the entity.
Framework
Committee of Sponsoring Organizations of the Treadway Commission
Board Members
• Robert B. Hirth Jr., COSO Chair
• Richard F. Chambers, The Institute of Internal Auditors
• Mitchell A. Danaher, Financial Executives International
• Charles E. Landes, American Institute of Certified Public Accountants
• Douglas F. Prawitt, American Accounting Association
• Sandra Richtermeyer, Institute of Management Accountants
PwC—Author
Principal Contributors
• Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
• Dennis L. Chesley, Project Lead Partner and Global and APA Risk and Regulatory Leader, Washington DC, USA
• Frank J. Martens, Project Lead Director and Global Risk Framework and Methodology Leader, British Columbia, Canada
• Matthew Bagin, Director, Washington DC, USA
• Hélène Katz, Director, New York, USA
• Katie T. Sylvis, Director, Washington DC, USA
• Sallie Jo Perraglia, Manager, New York, USA
• Kathleen Crader Zelnik, Manager, Washington DC, USA
• Maria Grimshaw, Senior Associate, New York, USA
Foreword
In keeping with its overall mission, the COSO Board commissioned
and published in 2004 Enterprise Risk Management—Integrated
Framework. Over the past decade, that publication has gained
broad acceptance by organizations in their efforts to manage risk.
However, also through that period, the complexity of risk has
changed, new risks have emerged, and both boards and executives
have enhanced their awareness and oversight of enterprise risk
management while asking for improved risk reporting. This update
to the 2004 publication addresses the evolution of enterprise risk
management and the need for organizations to improve their
approach to managing risk to meet the demands of an evolving
business environment. It is a concise framework for applying
enterprise risk management within any organization to increase
management and stakeholder confidence.
The updated document, now titled Enterprise Risk Management–
Integrating with Strategy and Performance, highlights the
importance of considering risk in both the strategy-setting process
and in driving performance. The first part of the updated publication
offers a perspective on current and evolving concepts and
applications of enterprise risk management. The second part, the
Framework, is organized into five easy-to-understand components
that accommodate different viewpoints and operating structures,
and enhance strategy and decision-making. In short, this update:
• Provides greater insight into the value of enterprise risk
management when setting and carrying out strategy.
• Enhances alignment between performance and enterprise risk
management to improve the setting of performance targets and
understanding the impact of risk on performance.
• Accommodates expectations for governance and oversight.
• Recognizes the globalization of markets and operations and the
need to apply a common, albeit tailored, approach across
geographies.
• Presents new ways to view risk to setting and achieving objectives
in the context of greater business complexity.
• Expands reporting to address expectations for greater stakeholder
transparency.
• Accommodates evolving technologies and the proliferation of data
and analytics in supporting decision-making.
• Sets out core definitions, components, and principles for all levels
of management involved in designing, implementing, and
conducting enterprise risk management practices.
Readers may also wish to consult a complementary publication,
COSO’s Internal Control–Integrated Framework. The two
publications are distinct and have different focuses; neither
supersedes the other. However, they do connect. Internal Control–
Integrated Framework encompasses internal control, which is
referenced in part in this updated publication, and therefore the
earlier document remains viable and suitable for designing,
implementing, conducting, and assessing internal control, and for
consequent reporting.
The COSO Board would like to thank PwC for its significant
contributions in developing Enterprise Risk Management–Integrating
with Strategy and Performance. Their full consideration of input
provided by many stakeholders and their insight were instrumental
in ensuring that the strengths of the original publication have been
preserved, and that text has been clarified or expanded where it
was deemed helpful to do so. The COSO Board and PwC together
would also like to thank the Advisory Council and Observers for
their contributions in reviewing and providing feedback.
Robert B. Hirth Jr., COSO Chair
Dennis L. Chesley, PwC Project Lead Partner and Global and APA Risk and Regulatory Leader
Table of Contents
Applying the Framework: Putting It into Context
1. Introduction
2. Understanding the Terms: Risk and Enterprise
Risk Management
3. Strategy, Business Objectives, and Performance
4. Integrating Enterprise Risk Management
5. Components and Principles
Framework
6. Governance and Culture
7. Strategy and Objective-Setting
8. Performance
9. Review and Revision
10. Information, Communication, and Reporting
Glossary of Key Terms
Applying the Framework:
Putting It into Context
1. Introduction
Integrating enterprise risk management
practices throughout an organization
improves decision-making in governance,
strategy, objective-setting, and day-to-day
operations. It helps to enhance
performance by more closely linking
strategy and business objectives to risk.
The diligence required to integrate
enterprise risk management provides an
entity with a clear path to creating,
preserving, and realizing value.
A discussion of enterprise risk management1 begins with this
underlying premise: every entity—whether for-profit, not-for-profit,
or governmental—exists to provide value for its stakeholders. This
publication is built on a related premise: all entities face risk in the
pursuit of value. The concepts and principles of enterprise risk
management set out in this publication apply to all entities
regardless of legal structure, size, industry, or geography.
Risk affects an organization’s ability to achieve its strategy and
business objectives. Therefore, one challenge for management is
determining the amount of risk2 the organization is prepared and
able to accept. Effective enterprise risk management helps boards
and management to optimize outcomes with the goal of enhancing
capabilities to create, preserve, and ultimately realize value.
Management has many choices in how it will apply enterprise risk
management practices, and no one approach is universally better
than another. Yet, for any entity, one approach may provide
increased benefits versus another or have a greater alignment with
the overall management philosophy of the organization. This
Framework sets out a basic conceptual structure of ideas, which an
organization integrates into other practices occurring within the
entity. Readers who are looking for information beyond a
framework, or for different practices they can apply to integrate the
enterprise risk management concepts into the entity, will find the
appendices in Volume II to this publication helpful.
Enterprise Risk Management Affects Value
The value of an entity is largely determined by the decisions that
management makes—from overall strategy decisions through to
day-to-day decisions. Those decisions can determine whether value
is created, preserved, eroded, or realized.
• Value is created when the benefits derived from resources
deployed exceed the cost of those resources. For example, value
is created when a new product is successfully designed and
launched and its profit margin is positive. These resources could
be people, financial capital, technology, processes, and market
presence (brand).
• Value is preserved when the value of resources deployed in day-to-day
operations sustains created benefits. For example, value is
preserved with the delivery of superior products, service, and
production capacity, which results in satisfied and loyal customers
and stakeholders.
• Value is eroded when management implements a strategy that
does not yield expected outcomes or fails to execute day-to-day
tasks. For example, value is eroded when substantial resources
are consumed to develop a new product that is subsequently
abandoned.
• Value is realized when stakeholders derive benefits created by the
entity. Benefits may be monetary or non-monetary.
How value is created depends on the type of entity. For-profit
entities create value by successfully implementing a strategy that
balances market opportunities against the risks of pursuing those
opportunities. Not-for-profit and governmental entities may create
value by delivering goods and services that balance their
opportunities to serve the broader community against any
associated risks. Regardless of the type of entity, integrating
enterprise risk management practices with other aspects of the
business enhances trust and instills greater confidence with
stakeholders.
Mission, Vision, and Core Values
Mission, vision, and core values3 define what an entity strives to be
and how it wants to conduct business. They communicate to
stakeholders the purpose of the entity. For most entities, mission,
vision, and core values remain stable over time, and through setting
strategy, they are typically reaffirmed. Yet, they also may evolve as
the expectations of stakeholders change. For example, a new
executive management team may present different ideas for the
mission to create value to the entity.
• Mission: The entity’s core purpose, which establishes what
it wants to accomplish and why it exists.
• Vision: The entity’s aspirations for its future state or what
the organization aims to achieve over time.
• Core Values: The entity’s beliefs and ideals about what is
good or bad, acceptable or unacceptable, which influence
the behavior of the organization.
In the Framework (Chapters 6 through 10), mission and vision are
considered in the context of an organization setting and carrying out
its strategy and business objectives. Core values are considered in
the context of the culture the entity wishes to embrace.
Enterprise Risk Management Affects Strategy
“Strategy” refers to an organization’s plan to achieve its mission and
vision, and to apply its core values. A well-defined strategy drives
the efficient allocation of resources and effective decision-making. It
also provides a road map for establishing business objectives
throughout the entity.
Enterprise risk management4 does not create the entity’s strategy,
but it influences its development. An organization that integrates
enterprise risk management practices into setting strategy provides
management with the risk information it needs to consider
alternative strategies and, ultimately, to adopt a chosen strategy.
Enterprise Risk Management Is
Linked to Business
Enterprise risk management practices integrate with all other
aspects of the business, including governance, performance
management, and internal control practices.
Governance
Governance forms the broadest concept. Typically, this refers to the
allocation of roles, authorities, and responsibilities among
stakeholders, the board, and management. Some aspects of
governance fall outside enterprise risk management (e.g., board
member recruiting and evaluation; developing the entity’s mission,
vision, and core values).
Performance Management
Performance relates to actions, tasks, and functions to achieve, or
exceed, an entity’s strategy and business objectives. Performance
management focuses on deploying resources efficiently. It is
concerned with measuring those actions, tasks, and functions
against predetermined targets (both short- and long-term) and
determining whether those targets are being achieved. Because a
variety of risks—both known and unknown—may affect an entity’s
performance, a variety of measures may be used:
• Financial measures, such as return on investments, revenue, or
profitability.
• Operating measures, such as hours of operation, production
volumes, or capacity percentages.
• Obligation measures, such as adherence to service-level
agreements or regulatory compliance requirements.
• Project measures, such as having a new product launch within a
set period of time.
• Growth measures, such as expanding market share in an
emerging market.
• Stakeholder measures, such as the delivery of education and
basic employment skills to those needing upgrades when they are
out of work.
There is always risk associated with a predetermined performance
target. For example, large-scale agriculture producers will have a
certain amount of risk relating to their ability to produce the volumes
required to satisfy customer demands and meet profitability targets.
Similarly, airlines will have a certain amount of risk relating to their
ability to operate all flights on schedule. Yet, airline companies may
foresee less risk that they can operate 90% or even 80% of their
scheduled flights on time versus 100% of their scheduled flights. In
both of these examples, there is an amount of risk associated with
managing to achieve the predetermined targets of performance—
production volume and flight operation.
An entity can enhance its overall performance by integrating
enterprise risk management into day-to-day operations and more
closely linking business objectives to risk.
Internal Control
Enterprise risk management incorporates some concepts of internal
control. “Internal control” is the process put into effect by an entity
to provide reasonable assurance that objectives will be achieved.
Internal control helps the organization to identify and analyze the
risks to achieving those objectives and how to manage risks. It
allows management to stay focused on the entity’s operations and
the pursuit of its performance targets while complying with relevant
laws and regulations. Note, however, that some concepts relating to
enterprise risk management are not considered within internal
control (e.g., concepts of risk appetite, tolerance, strategy, and
objectives are set within enterprise risk management but viewed as
preconditions of internal control).
To avoid redundancy, some concepts relating to internal control that
are common to both this publication and Internal Control—
Integrated Framework have not been repeated here (e.g., fraud risk
relating to financial reporting objectives, control activities relating to
compliance objectives, and ongoing and separate evaluations
relating to operations objectives). However, some common
concepts relating to internal control are further developed in the
Framework5 section (e.g., governance of enterprise risk
management). Please review Internal Control–Integrated
Framework6 as part of applying the Framework in this publication.
Benefits of Enterprise Risk Management
An organization needs to identify challenges that lie ahead and
adapt to meet those challenges. It must engage in decision-making
with an awareness of both the opportunities for creating value and
the risks that challenge the organization in creating value. In short, it
must integrate enterprise risk management practices with strategy-
setting and performance management practices, and in doing so it
will realize benefits related to value.
Benefits of integrating enterprise risk management include the
ability to:
• Increase the range of opportunities: By considering all reasonable
possibilities—both positive and negative aspects of risk—
management can identify opportunities for the entity and unique
challenges associated with current and future opportunities. For
example, when the managers of a locally based food company
considered potential risks likely to affect the business objective of
sustainable revenue growth, they determined that the company’s
primary consumers were becoming increasingly health conscious
and changing their diet. This change indicated a potential decline
in future demand for the company’s current products. In response,
management identified ways to develop new products and
improve existing ones, which allowed the company to maintain
revenue from existing customers (preserving value) and to create
additional revenue by appealing to a broader consumer base
(creating value).
• Increase positive outcomes and advantage while reducing
negative surprises: Enterprise risk management allows an
organization to improve its ability to identify risks and establish
appropriate responses, increasing positive outcomes while
reducing negative surprises and related costs or losses. For
example, a manufacturing company that provides just-in-time
parts to customers for use in production risks penalties for failing
to deliver on time. In response to this risk, the company assessed
its internal shipping processes by reviewing time of day for
deliveries, typical delivery routes, and unscheduled repairs on the
delivery fleet. It used the findings to set maintenance schedules
for its fleet, schedule deliveries outside of rush periods, and
devise alternatives to key routes. Recognizing that not all traffic
delays can be avoided, it also developed protocols to warn clients
of potential delays. In this case, performance was improved by
management influencing risk within its ability (production and
scheduling) and adapting to risks beyond its direct influence
(traffic delays).
• Identify and manage entity-wide risks: Every entity faces myriad
risks that can impact many parts of the entity. Sometimes a risk
can originate in one part of the entity but affect a different part.
Management must identify and manage these entity-wide risks to
sustain and improve performance. For example, when a bank
realized that it faced a variety of risks in trading activities,
management responded by developing a system to analyze
internal transaction and market information that was supported by
relevant external information. The system provided an aggregate
view of risks across all trading activities, allowing drill-down
capability to departments, customers, and traders. It also allowed
the bank to quantify the relative risks. The system met the entity’s
enterprise risk management requirements and allowed the bank to
bring together previously disparate data to respond more
effectively to risks.
• Reduce performance variability: For some entities, the challenge is
less about surprises and losses, and more about performance
variability. Performing ahead of schedule or beyond expectations
may cause as much concern as performing below expectations.
For instance, within a public transportation system, riders will be
just as annoyed when a bus or train departs ten minutes early as
when it is ten minutes late: both can cause riders to miss
connections. To manage such variability, transit schedulers build
natural pauses into the schedule. Drivers wait at designated stops
until a set time, regardless of when they arrive. This helps smooth
out variability in travel times and improve overall performance and
rider views of the transit system. Enterprise risk management
allows organizations to anticipate the risks that would affect
performance and enable them to take action to minimize
disruption.
• Improve resource deployment: Obtaining robust information on
risk allows management to assess overall resource needs and
helps to optimize resource allocation. For example, a downstream
gas distribution company recognized that its aging infrastructure
increased the risk of a gas leak occurring. By looking at trends in
gas leak–related data, the organization was able to assess the risk
across its distribution network. Management subsequently
developed a plan to replace worn-out infrastructure and repair
those sections that had remaining useful life. This approach
allowed the company to maintain the integrity of the infrastructure
while allocating significant additional resources over a longer
period of time.
Keep in mind that the benefits of integrating enterprise risk
management practices with strategy-setting and performance
management practices will vary by entity. There is no one-size-fits-all
approach available for all entities. However, implementing
enterprise risk management practices will generally help an
organization achieve its performance and profitability targets and
prevent or reduce the loss of resources.
Enterprise Risk Management and the
Capacity to Adapt, Survive, and
Prosper
Every entity sets out to achieve its strategy and business objectives,
doing so in an environment of change. Market globalization,
technological breakthroughs, mergers and acquisitions, fluctuating
capital markets, competition, political instability, workforce
capabilities, and regulation, among other things, make it difficult to
know all possible risks to the achievement of strategy and business
objectives.
Because risk is always present and always changing, pursuing and
achieving goals can be difficult. While it may not be possible for
organizations to manage all potential outcomes of a risk, they can
improve how they adapt to changing circumstances. This is
sometimes referred to as organizational sustainability, resilience,
and agility. The Framework incorporates this concept in the broad
context of creating, preserving, and realizing value.
Enterprise risk management focuses on managing risks to reduce
the likelihood that an event will occur and on managing the impact
when one does occur. “Managing the impact” may require an
organization to adapt as circumstances dictate. In some extreme
cases, this may include implementing a crisis management plan.
Example 1.1 illustrates such a plan in practice.
Example 1.1: Crisis Management Plan
A cruise ship operator is concerned about the potential of
viral outbreaks occurring while its ships are at sea. A cruise
ship does not have the capability to quarantine passengers
during an outbreak, but it can carry out procedures to
minimize the spread of germs. However, despite installing
hand-sanitizing stations throughout the ship, providing
laundry facilities, and daily disinfecting handrails,
washrooms, and other common areas, viral outbreaks still
can and do occur. The organization responds by
implementing specific practices. First, routine on-board
cleaning and sanitizing are escalated. Once the ship is in
port, all passengers are required to disembark to allow
specially trained staff to disinfect the entire ship. Afterwards,
cleaning protocols are updated based on the strain of virus
found. The next departing cruise is delayed until all cleaning
protocols are addressed. In most instances, the delay is less
than forty-eight hours. By having strong enterprise risk
management practices in place to immediately respond and
adapt to each unique situation, the company is able to
minimize the impact while maintaining passenger confidence
in the cruise line.
Sometimes an organization is not able to return to normal
operations in the near term when an event occurs. In these cases,
the organization must adopt a longer-term solution. For instance,
consider a cruise ship that is disabled at sea by a fire. Unlike the
scenario of a viral outbreak noted in Example 1.1, which affects only
a few passengers, the fire affects everyone. There may be an
immediate need for medical assistance, food, water, and shelter, or
even a call to off-load all passengers. Because ships are seldom in
the same place, common crisis response planning may be less
effective as each location and type of incident can present different
challenges. However, by scheduling its fleet location and staggering
departure schedules, the company can maintain a routing where
ships are always within hours of a port or another cruise ship. This
overlap allows the company to rapidly redeploy ships and crews to
assist in an emergency.
Management will be in a better position if it takes time to anticipate
what may transpire—the probable, the possible, and the unlikely.
The capacity to adapt to change makes an organization more
resilient and better able to evolve in the face of marketplace and
resource constraints. This capacity may also give management the
confidence to increase the amount of risk the organization is willing
to accept and, ultimately, to accelerate growth and create value.
1 Defined terms are linked to the Glossary of Key Terms when first used in the document.
2 In this publication, “risks” (plural) refers to one or more potential events that may affect
the achievement of objectives. “Risk” (singular) refers to all potential events collectively
that may affect the achievement of objectives.
3 Note that some entities use different terms, such as “credo,” “purpose,” “philosophy,”
“fundamental beliefs,” and “policies.” Regardless of the terminology used, the concepts
underlying mission, vision, and core values provide a structure for communicating
throughout the entity.
4 Throughout this document, “enterprise risk management” refers to the culture,
capabilities, and practices, integrated with strategy-setting and performance, that
organizations rely on to manage risk in creating, preserving, and realizing value. It does
not refer to a function, group, or department within an entity. Specific considerations on
the operating model are discussed in Appendix B in Volume II.
5 “Framework” refers collectively to the five components introduced in Chapter 5 and
covered individually in Chapters 6 through 10.
6 Internal Control–Integrated Framework can be obtained through www.coso.org.
2. Understanding the Terms:
Risk and Enterprise Risk
Management
Defining Risk and Uncertainty
An entity’s strategy and business objectives may be affected by
potential events. A lack of complete predictability of an event
occurring (or not) and its related impact creates uncertainty for an
organization. Uncertainty exists for any entity7 that sets out to
achieve future strategies and business objectives. In this context,
risk is defined as:
The possibility that events will occur and affect the achievement of
strategy and business objectives.
The box on this page contains terms that expand on and support
the definition of risk. The Framework emphasizes that risk relates to
the potential for events, often considered in terms of severity. In
some instances, the risk may relate to the anticipation of an
expected event that does not occur.
• Event: An occurrence or set of occurrences.
• Uncertainty: The state of not knowing how or if potential
events may manifest.
• Severity: A measurement of considerations such as the
likelihood and impact of events or the time it takes to
recover from events.
In the context of risk, events are more than routine transactions;
they include broader business matters such as changes in the
governance and operating structure, geopolitical and social
influences, and contracting negotiations, among other things. Some
events that potentially affect strategy and business objectives are
readily discernable—a change in interest rates, a competitor
launching a new product, or the retirement of a key employee.
Others are less evident, particularly when multiple small events
combine to create a trend or condition. For instance, it may be
difficult to identify specific events related to global warming, yet that
condition is generally accepted as occurring. In some cases,
organizations may not even know or be able to identify what events
may occur.
Organizations commonly focus on those risks that may result in a
negative outcome, such as damage from a fire, losing a key
customer, or a new competitor emerging. However, events can also
have positive outcomes,8 such as better-than-forecast weather,
stronger staff retention trends, or improved tax rates, which should
also be considered. As well, events that are beneficial to the
achievement of one objective may at the same time pose a
challenge to the achievement of other objectives. For example, a
product launch with higher-than-forecast demand has a positive
effect on financial performance. However, it may also increase risk
to the supply chain, which may result in unsatisfied customers if the
company cannot supply the product.
Some risks have minimal impact on an entity, and others have a
larger impact. Enterprise risk management practices help the
organization identify, prioritize, and focus on those risks that may
prevent value from being created, preserved, and realized, or that
may erode existing value. But, just as important, it also helps the
organization pursue potential opportunities.
Defining Enterprise Risk Management
Enterprise risk management is defined here as:
The culture, capabilities, and practices, integrated with strategy-
setting and performance, that organizations rely on to manage risk
in creating, preserving, and realizing value.
A more in-depth look at the definition of enterprise risk management
emphasizes its focus on managing risk through:
• Recognizing culture.
• Developing capabilities.
• Applying practices.
• Integrating with strategy-setting and performance.
• Managing risk to strategy and business objectives.
• Linking to value.
Recognizing Culture
Culture is developed and shaped by the people at all levels of an
entity by what they say and do. It is people who establish the
entity’s mission, strategy, and business objectives, and put
enterprise risk management practices in place. Similarly, enterprise
risk management affects people’s decisions and actions. Each
person has a unique point of reference, which influences how he or
she identifies, assesses, and responds to risk. Enterprise risk
management helps people make decisions while understanding that
culture plays an important role in shaping those decisions.
Developing Capabilities
Organizations pursue various competitive advantages to create
value for the entity. Enterprise risk management adds to the skills
needed to carry out the entity’s mission and vision and to anticipate
the challenges that may impede organizational success. An
organization that has the capacity to adapt to change is more
resilient and better able to evolve in the face of marketplace and
resource constraints and opportunities.
Applying Practices
Enterprise risk management is not static, nor is it an adjunct to a
business. Rather, it is continually applied to the entire scope of
activities as well as special projects and new initiatives. It is part of
management decisions at all levels of the entity.
The practices used in enterprise risk management are applied from
the highest levels of an entity and flow down through divisions,
business units, and functions. The practices are intended to help
people within the entity better understand its strategy, what
business objectives have been set, what risks exist, what the
acceptable amount of risk is, how risk impacts performance, and
how they are expected to manage risk. In turn, this understanding
supports decision-making at all levels and helps to reduce
organizational bias.
Integrating with Strategy-Setting and
Performance
An organization sets strategy that aligns with and supports its
mission and vision. It also sets business objectives that flow from
the strategy, cascading to the entity’s business units, divisions, and
functions. At the highest level, enterprise risk management is
integrated with strategy-setting, with management understanding
the overall risk profile for the entity and the implications of
alternative strategies to that risk profile. Management specifically
considers any new opportunities that arise through innovation and
emerging pursuits.
But enterprise risk management doesn’t stop there; it continues in
the day-to-day tasks of the entity, and in so doing may realize
significant benefits. An organization that integrates enterprise risk
management into daily tasks is more likely to have lower costs
compared with one that “layers on” enterprise risk management
procedures. In a highly competitive marketplace, such cost savings
can be crucial to a business’s success. As well, by building
enterprise risk management into the core operations of the entity,
management is likely to identify new opportunities to grow the
business.
Enterprise risk management integrates with other management
processes as well. Specific actions are needed for specific tasks,
such as business planning, operations, and financial management.
An organization considering credit and currency risks, for example,
may need to develop models and capture large amounts of data
necessary for analytics. By integrating enterprise risk management
practices with an entity’s operating activities, and understanding
how risk potentially impacts the entity overall, not just in one area,
enterprise risk management can become more effective.
Managing Risk to Strategy and Business Objectives
Enterprise risk management is integral to achieving strategy and
business objectives. Well-designed enterprise risk management
practices provide management and the board of directors with a
reasonable expectation that they can achieve the overall strategy
and business objectives of the entity. Having a reasonable
expectation means that the amount of risk of achieving strategy and
business objectives is appropriate for that entity, recognizing that no
one can predict risk with absolute precision.
But even with reasonable expectations in place, entities can
experience unforeseen challenges, which is why regularly reviewing
enterprise risk management practices is important. Review—and
consequent revision when needed—helps maintain robust practices
that increase management’s confidence in the entity’s ability to
successfully respond to the unexpected and achieve its strategy
and business objectives.
Linking to Value
An organization must manage risk to strategy and business
objectives in relation to its risk appetite—that is, the types and
amount of risk, on a broad level, it is willing to accept in its pursuit
of value. The first expression of risk appetite is an entity’s mission
and vision. Different strategies will expose an entity to different risks
or different amounts of similar risks.
Risk appetite provides guidance on the practices an organization is
encouraged to pursue or not pursue. It sets the range of appropriate
practices and guides risk-based decisions rather than specifying a
limit.
Risk appetite is not static; it may change between products or
business units and over time in line with changing capabilities for
managing risk. The types and amount of risk that an organization
might consider acceptable can change. For example, during good
economic times, a successful and growing company may be more
willing to accept certain downside risk than when economic times
are bad and business outlooks deteriorate. Risk appetite must be
flexible enough to adapt to changing business conditions as needed
without waiting for periodic management reviews and approvals.
While risk appetite is introduced here,9 the Framework sets out
numerous instances where it is applied as part of enterprise risk
management. Some of the more important applications of risk
appetite are its:
• Use by the organization in making decisions that enhance value.
• Help in aligning the acceptable amount of risk with the
organization’s capacity to manage risk and opportunities.
• Relevance when setting strategy and business objectives, helping
management consider whether performance targets are aligned
with acceptable amount of risk.
• Assistance in communicating risk profiles desired by the board.
• Relevance and alignment with risk capacity.
• Use in evaluating aggregated risk at a portfolio view.
Enterprise risk management helps management select a strategy
that aligns anticipated value creation with the entity’s risk appetite
and its capabilities for managing risk more often and more
consistently over time. Managing risk within risk appetite enhances
an organization’s ability to create, preserve, and realize value.
7 “Entity” is a broad term that can encompass a wide variety of legal structures including for-profit, not-for-profit, and governmental entities.
8 This Framework distinguishes between positive outcomes and opportunities. Positive outcomes relate to those instances where performance exceeds the original target. Opportunities relate to an action or potential action that creates or alters goals or approaches for creating, preserving, and realizing value.
9 Risk appetite is discussed further in the Framework under Principle 7: Defines Risk Appetite.
3. Strategy, Business Objectives, and Performance
Enterprise Risk Management and Strategy
Enterprise risk management helps an organization better
understand:
• How mission, vision, and core values form the initial expression of
what types and amount of risk are acceptable to consider when
setting strategy.
• The possibility that strategy and business objectives may not align
with the mission, vision, and core values.
• The types and amount of risk the organization potentially exposes
itself to by choosing a particular strategy.
• The types and amount of risk inherent in carrying out its strategy
and achieving business objectives and the acceptability of this
level of risk, and ultimately, value.
Figure 3.1 illustrates strategy in the context of mission, vision, and
core values, and as a driver of an entity’s overall direction and
performance.
Possibility of Misaligned Strategy and Business Objectives
Both mission and vision provide a view from up high of the
acceptable types and amount of risk for the entity. They help the
organization to establish boundaries and focus on how decisions
may affect strategy. An organization that understands its mission
and vision can set strategies that will yield the desired risk profile.
Consider the statements from a healthcare provider in Example 3.1.
Example 3.1: Cascading Mission, Vision, and Core Values
Mission: To improve the health of the people we serve by
providing high-quality care, a comprehensive range of
services, and convenient and timely access with exceptional
patient service and compassion.
Vision: Our hospital will be the healthcare provider of choice
for physicians and patients, and be known for providing
unparalleled quality, delivering celebrated service, and being
a terrific place to practice medicine.
Core Values: Our values serve as the foundation for
everything we think, say, and do. We will treat our physicians,
patients, and our colleagues with respect, honesty, and
compassion, while holding them accountable for these
values.
These statements guide the organization in determining the types
and amount of risk it is likely to encounter and accept. The
organization would consider the risks associated with providing
high-quality care (mission), providing convenient and timely access
(mission), and being a terrific place to practice medicine (vision).
Considering its high regard for quality, service, and breadth of skill,
the organization is likely to seek a strategy that has a lower-risk
profile relating to quality of care and patient service. This may mean
offering in-patient and/or out-patient services, but not being a
primary on-line presence. On the other hand, if the organization had
stated its mission in terms of innovation in patient care approaches
or advanced delivery channels, it may have adopted a strategy with
a different risk profile.
Enterprise risk management can help an entity avoid misaligning a
strategy. It can provide an organization with insight to ensure that
the strategy it chooses supports the entity’s broader mission and
vision for management and board consideration.
Evaluating the Chosen Strategy
Enterprise risk management does not create the entity’s strategy,
but it informs the organization on risks associated with alternative
strategies considered and, ultimately, with the adopted strategy. The
organization needs to evaluate how the chosen strategy could affect
the entity’s risk profile, specifically the types and amount of risk to
which the organization is potentially exposed.
When evaluating potential risks that may arise from strategy,
management also considers any critical assumptions that underlie
the chosen strategy. These assumptions form an important part of
the strategy and may relate to any of the considerations that form
part of the entity’s business context. Enterprise risk management
provides valuable insight into how sensitive changes to
assumptions are: that is, whether they would have little or great
effect on achieving the strategy.
Example 3.2 considers the mission and vision of the healthcare
provider discussed earlier, and how the entity cascades these into
its strategy statement. Using the statement shown in that example,
the organization can consider what risks may result from the
strategy chosen. For instance, risks relating to medical innovation
may be more pronounced, risks to the ability to provide high-quality
care may elevate in the wake of cost-management initiatives, and
risks relating to managing new partnerships may be an approach
the organization has not previously focused on. These and many
other risks result from the choice of strategy. Yet, there remains the
question of whether the entity is likely to achieve its mission and
vision with this strategy, or whether there is an elevated risk to
achieving the set goals.
Example 3.2: Cascading Mission, Vision, and Core Values
Our Strategy:
• Maximize value for our patients by improving quality across
a diverse spectrum of services.
• Curtail trends in increasing costs.
• Integrate operating efficiency and cost-management
initiatives.
• Align physicians and clinical integration.
• Leverage clinical program innovation.
• Grow strategic partnerships.
• Manage patient service delivery, and reduce wait times
where practical.
Risk to Implementing the Strategy and Business Objectives
There is always risk to carrying out a strategy, which every
organization must consider. Here, the focus is on understanding the
strategy set out and what risks there are to its relevance and
viability. Sometimes the risks become important enough that an
organization may wish to revisit its strategy and consider revising it
or selecting one with a more suitable risk profile.
The risk to carrying out strategy may also be viewed through the
lens of business objectives. An organization can use a variety of
techniques to assess risks using some kind of common measure.
Wherever possible, the organization should use similar units for
measuring risk for each objective. Doing so will help to align the
severity of the risk with established performance measures.
Enterprise Risk Management and Performance
Assessing risk to the strategy and business objectives requires an
organization to understand the relationship between risk and
performance—referred to in this Framework as the “risk profile.” An
entity’s risk profile provides a composite view of the risk at a
particular level of the entity (e.g., overall entity level, business unit
level, functional level) or aspect of the business model (e.g.,
product, service, geography).
This composite view allows management to consider the type,
severity, and interdependencies of risks, and how they may affect
performance. The organization should initially understand the
potential risk pro le when evaluating alternative strategies. Once a
strategy is chosen, the focus shifts to understanding the current risk
profile for that chosen strategy and related business objectives.
The relationship between risk and performance is rarely linear.
Incremental changes in performance targets do not always result in
corresponding changes in risk (or vice versa). Consequently, a
useful, dynamic representation, sometimes depicted graphically,
illustrates the aggregate amount of risk associated with different
levels of performance. Such a representation considers risk as a
continuum of potential outcomes along which the organization must
balance the amount of risk to the entity and its desired
performance.
There are several methods for depicting a risk profile. The
Framework uses one approach, shown here, to illustrate the
relationship between various aspects of enterprise risk
management. Doing so helps to enhance the conversations of risk,
risk appetite, tolerance, and the overall relationship to performance
targets.
In Figure 3.2, each bar represents the aggregate amount of risk for a
specific level of performance for a business objective. The target
line depicts the level of performance chosen by the organization as
part of strategy-setting, which is communicated through a business
objective and target. Organizations may develop different
approaches for conceptualizing and depicting the entity’s risk
profile.
Risk profiles that trend upwards, as shown in Figure 3.2, are typical
of, but not limited to, business objectives such as:
• Oil and gas exploration: As exploration efforts for new oil and gas
reserves target increasingly remote and inaccessible areas, oil and
gas companies likely face greater amounts of risk in an effort to
locate resources.
• Recruitment of specialist resources: As entities pursue
increasingly niche products or markets, the risks associated with
attracting and retaining expertise and experience in their
workforce increases.
• Transportation and logistics: As the number of locations or volume
of goods increases, the size of the transportation fleet and
complexity of operations grows, resulting in a higher amount of
risk.
• Funding for capital works and improvements: In illiquid markets, or
where consumer confidence is low, the amount of risk associated
with an entity’s ability to secure funding for capital works, projects,
or initiatives increases.
There is, however, no one universal risk profile shape or trend. Every
entity’s risk profile will be different depending on its unique strategy
and business objectives. Organizations can use their risk profiles to
better understand the intrinsic relationship between risk, targeted
performance, and actual performance.
Risk profiles help management to determine what amount of risk is
acceptable and manageable in the pursuit of strategy and business
objectives. Risk profiles10 may help management:
• Understand the level of performance in the context of the entity’s
risk appetite (see Principle 7: Defines Risk Appetite).
• Find the optimal level of performance given the organization’s
ability to manage risk (see Principle 9: Formulates Business
Objectives).
• Determine the tolerance for variation in performance related to the
target (see Principle 9: Formulates Business Objectives).
• Assess the potential impact of risk on predetermined targets (see
Principle 11: Assesses Severity of Risk and Principle 14: Develops
Portfolio View).
While the risk profile shown here implies needing a specific level of
precision, and perhaps data to create, keep in mind that it can also
be developed using qualitative information.
10 Refer to Appendix D in Volume II for a more detailed discussion on risk profiles.
4. Integrating Enterprise Risk Management
The Importance of Integration
An entity’s success is the result of countless decisions made every
day by the organization that affect the performance and, ultimately,
the achievement of the strategy or business objectives. Most of
those decisions require selecting one approach from multiple
alternatives. Many of the decisions will not be simply either “right”
or “wrong,” but will include trade-offs: time versus quality; efficiency
versus cost; risk versus reward.
When making such decisions, management and the board must
continually navigate a dynamic business context, which requires
integrating enterprise risk management thinking into all aspects of
the entity, at all times. The Framework, therefore, views enterprise
risk management in just that way. It is not simply a function or
department within an entity, something that can be “tacked on.”
Rather, culture, practices, and capabilities are, together, integrated
and applied throughout the entity.
Integrating enterprise risk management with business activities and
processes results in better information that supports improved
decision-making and leads to enhanced performance. In addition it
helps organizations to:
• Anticipate risks earlier or more explicitly, opening up more options
for managing the risks and minimizing the potential for deviations
in performance, losses, incidents, or failures.
• Identify and pursue existing and new opportunities in accordance
with the entity’s risk appetite and strategy.
• Understand and respond to deviations in performance more
quickly and consistently.
• Develop and report a more comprehensive and consistent
portfolio view of risk, thereby allowing the organization to better
allocate finite resources.
• Improve collaboration, trust, and information sharing across the
organization.
Integration enables the organization to make decisions that are
better aligned with the speed and potential disruption of individual
risks and the pursuit of new opportunities. Risk-aggressive entities
may need to obtain risk-related information quickly and have
streamlined decision-making processes in place in order to pursue
fast-moving opportunities. For example, consider an investment firm
that has been presented with an opportunity to bid on a new deal,
but is required to respond within several hours. The firm’s risk
management practices are well integrated with the capabilities
within the bidding process, allowing the organization to collect and
review the available information and make a decision in the time
required.
Where risk management practices and capabilities are separate,
collecting relevant information, identifying stakeholders, and making
decisions all take longer, and that can jeopardize an entity’s ability
to meet urgent deadlines. In short, the more risk aggressive the
entity, the greater the value of integration.
Toward Full Integration
For most entities, integrating enterprise risk management is an
ongoing endeavor. Factors that influence integration are entity
culture, size, complexity, and how long a risk-aware culture has
been embraced.
An entity that is just beginning to develop enterprise risk
management will have limited practices and capabilities on which to
rely. But as the entity matures, it implements more dedicated
practices and capabilities that improve decision-making (such as
identifying, assessing, and responding to risks). Once organizations
consistently integrate risk considerations, they become less reliant
on the formalized, stand-alone practices and infrastructure. For
example, in a fully integrated entity, personnel will identify deviations
in performance and understand the potential effect on the risk
profile without relying on a stand-alone assessment program.
Time isn’t the only factor affecting an entity’s ability to fully integrate
enterprise risk management. Size and type matter, too (i.e., whether
the entity is for profit, not-for-profit, heavily regulated, etc.). For
example, a large pharmaceuticals company may have a well-
developed risk-aware culture, but may be required to retain some
stand-alone monitoring and reporting practices by its regulators. In
comparison, smaller non-regulated entities may focus more on
developing risk awareness and integrating risk throughout
performance reporting.
In a fully integrated entity, enterprise risk management practice will
also affect the operating structure. At this point, awareness and
responsibility for risk are more evenly distributed across the
operating structure, which is often characterized by the
understanding that “everyone is a risk manager.” Silos of knowledge
are broken down to enable better decision-making across the entity.
The following lists provide examples of how organizations can foster
full integration of enterprise risk management throughout the
culture, capabilities, and practices of the entity, with the result being
better decision-making.
Culture
Instilling more transparency and risk awareness into an entity’s
culture requires actions such as:
• Implementing forums or other mechanisms for sharing
information, making decisions, and identifying opportunities.
• Encouraging people to escalate issues and concerns without fear
of retribution.
• Clarifying and communicating roles and responsibilities for the
achievement of strategy and business objectives, including
responsibilities for the management of risk.
• Aligning core values, behaviors, and decision-making with
incentives and remuneration models.
• Developing and sharing a strong understanding of the business
context and drivers of value creation.
Capabilities
Enterprise risk management capabilities are integrated into the
entity when:
• Management is able to make decisions that are appropriate given
its appetite, risk profile of the entity, and the changes to the profile
that occur over time.
• The organization routinely hires capable individuals with relevant
experience who can exercise judgment and oversight in
accordance with their responsibilities.
• The organization has access to capable individuals, subject matter
experts, or other technical resources to support decision-making.
• When making necessary investments in technology or other
infrastructure, management considers the tools required to enable
enterprise risk management responsibilities.
• Vendors, contractors, and other third parties are considered in
discussions of risk and performance.
Practices
Enterprise risk management practices are integrated when:
• Setting strategy explicitly considers risk when evaluating options.
• Management actively addresses risk in pursuit of its performance
targets.
• Activities are developed to regularly and consistently monitor
performance results and changes in the risk profile throughout the
entity.
• Management is able to make decisions that are in line with the
speed and scope of changes in the entity.
Example 4.1 describes integration in practice.
Example 4.1: Integration in Practice
The management of a large government department
integrates enterprise risk management practices with the
monthly performance management meetings. At these
meetings, they analyze performance and discuss new,
emerging, and changing risks that affect their ability to
effectively serve the public. This promotes greater
transparency and increased responsiveness to the most
important risks, sharing of ideas on how best to approach the
risk, and greater consistency on deploying risk responses
across the operations of the department.
Addressing Integration in the Framework
Each component of enterprise risk management includes principles
(set out in the following chapter), which apply to creating,
preserving, and realizing value in an organization regardless of size,
type, or location. The principles and their components do not
represent isolated, stand-alone concepts. Each highlights the
importance of integrating enterprise risk management and the role
of decision-making.
For each principle, the Framework outlines considerations to fully
integrating culture, practices, and capabilities into the entity. These
considerations are not exhaustive, but they do demonstrate the
range of inputs into decision-making and the exercise of judgment
by personnel, management, and the board.
5. Components and Principles
Components and Principles of Enterprise Risk Management
The Framework consists of the five interrelated components of
enterprise risk management. Figure 5.1 illustrates these
components and their relationship with the entity’s mission, vision,
and core values. The three ribbons in the diagram of Strategy and
Objective-Setting, Performance, and Review and Revision represent
the common processes that flow through the entity. The other two
ribbons, Governance and Culture, and Information, Communication,
and Reporting, represent supporting aspects of enterprise risk
management.
The figure further illustrates that when enterprise risk management
is integrated across strategy development, business objective
formulation, and implementation and performance, it can enhance
value. Enterprise risk management is not static. It is integrated into
the development of strategy, formulation of business objectives, and
the implementation of those objectives through day-to-day
decision-making.
The five components11 are:
• Governance and Culture: Governance and culture together form
a basis for all other components of enterprise risk management.
Governance sets the entity’s tone, reinforcing the importance of
enterprise risk management, and establishing oversight
responsibilities for it. Culture is reflected in decision-making.
• Strategy and Objective-Setting: Enterprise risk management is
integrated into the entity’s strategic plan through the process of
setting strategy and business objectives. With an understanding of
business context, the organization can gain insight into internal
and external factors and their effect on risk. An organization sets
its risk appetite in conjunction with strategy-setting. The business
objectives allow strategy to be put into practice and shape the
entity’s day-to-day operations and priorities.
• Performance: An organization identifies and assesses risks that
may affect the entity’s ability to achieve its strategy and business
objectives. It prioritizes those risks according to their
severity and considering the entity’s risk appetite. The organization
then selects risk responses and monitors performance for change.
In this way, it develops a portfolio view of the amount of risk the
entity has assumed in the pursuit of its strategy and entity-level
business objectives.
• Review and Revision: By reviewing enterprise risk management
capabilities and practices, and the entity’s performance relative to
its targets, an organization can consider how well the enterprise
risk management capabilities and practices have increased value
over time and will continue to drive value in light of substantial
changes.
• Information, Communication, and Reporting: Communication is
the continual, iterative process of obtaining information and
sharing it throughout the entity. Management uses relevant
information from both internal and external sources to support
enterprise risk management. The organization leverages
information systems to capture, process, and manage data and
information. By using information that applies to all components,
the organization reports on risk, culture, and performance.
Within these five components are a series of principles, as
illustrated in Figure 5.2. The principles represent the fundamental
concepts associated with each component. These principles are
worded as things organizations would do as part of the entity’s
enterprise risk management practices. While these principles are
universal and form part of any effective enterprise risk management
initiative, management must bring judgment to bear in applying
them. Each principle is covered in detail in the respective chapters
on components.
Assessing Enterprise Risk Management
An organization should have a means to reliably provide the
entity’s stakeholders with a reasonable expectation that it is able to
manage risk to an acceptable amount. It does this by assessing the
enterprise risk management practices that are in place. Such
assessment is voluntary, unless required otherwise by legislation or
regulation.
The Framework provides criteria for conducting an assessment and
determining whether the enterprise risk management culture,
capabilities, and practices collectively manage the risk of not
achieving the entity’s strategy and supporting business objectives.
During an assessment, the organization considers whether:
• The components and principles relating to enterprise risk
management are present and functioning.
• The components relating to enterprise risk management are
operating together in an integrated manner.
• The controls necessary to put into effect relevant principles are
present and functioning.12
In these three considerations, being “present” means the
components, principles, and controls exist in the design and
implementation of enterprise risk management to achieve strategy
and business objectives. Being “functioning” means they continue
to operate to achieve strategy and business objectives. And
“operating together” refers to the interdependencies of components
and how they function cohesively. Organizations may place different
emphasis on specific principles and apply them differently,
depending on the benefits an organization seeks to attain through
enterprise risk management.13 When these components, principles,
and supporting controls are present and functioning, the
organization can reasonably expect that enterprise risk
management is helping the entity create, preserve, and realize
value.
Different approaches are available for assessing enterprise risk
management. When the assessment is performed to communicate
to external stakeholders, it would be conducted considering the
principles set out in the Framework. When assessing enterprise risk
management for internal purposes, some organizations may choose
to use some form of maturity model in completing this evaluation,
recognizing that the model must be tailored to address the
complexity of the business. Factors that add complexity may
include, among other things, the entity’s geography, industry,
nature, extent and frequency of change within the entity, historical
performance and variation in performance, reliance on technology,
and the extent of regulatory oversight.
During an assessment, management may also review the suitability
of those capabilities and practices, keeping in mind the entity’s
complexity and the benefits the organization seeks to attain through
enterprise risk management.
11 Components are discussed in detail in Chapters 6 through 10.
12 Additional discussion on controls to effect principles is set out in Internal Control—Integrated Framework.
13 Potential benefits relating to enterprise risk management are set out in Chapter 1: Introduction.
Framework
6. Governance and Culture
Principles Relating to Governance and Culture
Introduction
An entity’s board of directors plays an important role in governance
and significantly influences enterprise risk management. This
Framework uses the term “board of directors” or “board” to
encompass the governing body, including board, supervisory board,
board of trustees, general partners, or owner.
Where the board is independent from management and generally
comprises members who are experienced, skilled, and highly
talented, it can offer an appropriate degree of industry, business,
and technical input while performing its oversight responsibilities.
This input includes scrutinizing management’s activities when
necessary, presenting alternative views, challenging organizational
biases, and acting in the face of wrongdoing. Most important, in
fulfilling its role of providing risk oversight, the board challenges
management without stepping into the role of management.
Another critical influence on enterprise risk management is culture.
Whether the entity is a small family-owned private company, a large,
complex multinational, a government agency, or a not-for-profit
organization, its culture reflects the entity’s core values: the beliefs,
attitudes, desired behaviors, and importance of understanding risk.
Culture supports the achievement of the entity’s mission and vision.
An entity with a culture that is risk-aware stresses the importance of
managing risk and encourages transparent and timely flow of risk
information. It does this with no assignment of blame, but with an
attitude of understanding, accountability, and continual
improvement.
Principle 1: Exercises Board Risk
Oversight
The board of directors provides oversight
of the strategy and carries out governance
responsibilities to support management in
achieving strategy and business objectives.
Accountability and Responsibility
The board of directors has the primary responsibility for risk
oversight in the entity, and in many countries it has a fiduciary
responsibility to the entity’s stakeholders, including conducting
reviews of enterprise risk management practices. Typically, the full
board is responsible for risk oversight, leaving the day-to-day
responsibilities of managing risk to management. Some full boards
retain ownership while others delegate board-level responsibilities
to a committee of the board, such as a risk committee. Regardless
of the structure, it is common to develop a statement that defines
the board’s and management’s respective responsibilities.
Skills, Experience, and Business Knowledge
The board of directors is well positioned to offer expertise and
provide oversight of enterprise risk management through its
collective skills, experience, and business knowledge. This includes,
for instance, asking the appropriate questions to challenge
management when necessary about strategy, business objectives,
and performance targets. It also includes interacting with
stakeholders and presenting alternative views and actions.
Risk oversight is possible only when the board understands the
entity’s strategy and industry, and stays informed on relevant issues.
As the business context changes, so does risk to the strategy and
business objectives. Consequently, the required qualifications for
board membership may change over time. Each board must
determine for itself, and review periodically, if it has the appropriate
skills, expertise, and composition to provide effective oversight. For
example, entities exposed to cyber risk may need to have board
members who either have expertise in information technology or
access to the required expertise through independent advisors.
Independence
The board overall should be independent. Independence enhances
directors’ ability to be objective and to evaluate the performance
and well-being of the entity without any conflict of interest or undue
influence of interested parties. The board demonstrates its
independence through each board member’s individual ability to
be objective (see Example 6.1).
Example 6.1: Factors That Impede Board
Independence
A board member’s independence may be impeded if he or
she:
• Holds a substantial financial interest in the entity.
• Is currently or has recently been employed in an executive
capacity by the organization.
• Has recently advised the board of directors in a material
way.
• Has a material business relationship with the entity, such as
being a supplier, customer, or outsourced service provider.
• Has an existing contractual relationship with the
organization.
• Has donated a significant financial amount to an entity.
• Has business or personal relationships with key
stakeholders within an organization.
• Sits as a board member of other organizations that
represent a potential conflict of interest.
• Has held the same board position for an extended period.
An independent board serves as a check and balance on
management, ensuring that the entity is being run in the best
interests of its stakeholders rather than of a select number of board
members or management.
While independence is often a larger focus within publicly traded
companies, similar considerations apply to private entities,
government bodies, and not-for-profit entities.
Suitability of Enterprise Risk Management
It is important that the board understand the complexity of the entity
and how integrating enterprise risk management capabilities and
practices will enhance value. The board engages in conversations
with management to determine whether enterprise risk management
is suitably designed to enhance value.
For example, some organizations may derive value from gaining an
understanding of the risks to the strategy. In this case, management
would focus enterprise risk management on practices to achieve the
strategy and business objectives—perhaps ways to reduce
surprises and losses, or to reduce performance variability. Others
may gain value from aligning mission, vision, and core values and
the implications of the chosen strategy on its risk profile. In this
case, management would focus more on strategy-setting and
increasing the range of opportunities in support of that strategy.
Organizational Bias
Bias in decision-making has always existed and always will. It is not
unusual to find within an entity evidence of dominant personalities,
overreliance on numbers, disregard of contrary information,
disproportionate weighting of recent events, and a tendency for risk
avoidance or risk taking. So the question is not whether bias exists,
but rather how bias affecting decisions relating to enterprise risk
management can be managed. The board is expected to
understand the potential organizational biases that exist and
challenge management to overcome them.
Principle 2: Establishes
Operating Structures
The organization establishes operating
structures in the pursuit of strategy and
business objectives.
An operating structure describes how the entity organizes and
carries out its day-to-day operations. Through the operating
structure, personnel are responsible for developing and
implementing practices to manage risk and stay aligned with the
core values of the entity. In this way, an operating structure
contributes to managing risk to the strategy and business
objectives.
The operating structure is typically aligned with the legal structure
and management structure. The legal structure influences how an
entity operates and the management structure sets out the reporting
lines, roles, and responsibilities for ongoing management and
operation of the business.
Different legal structures may be more or less suitable depending on
the size of the entity and any relevant regulatory, taxation, or
shareholder structures. A small entity is likely to operate as a single
legal entity. Large entities may consist of several distinct legal
entities, in which case decisions may become segregated if risk
information is not aggregated across legal structures.
Under the management structure, reporting usually transcends the
legal structures of the entity. For example, a company that has three
separate legal divisions reports as one consolidated company.
Operating Structure and Reporting Lines
The organization establishes an operating structure and designs
reporting lines to carry out the strategy and business objectives. It is
important for the organization to clearly define responsibilities when
designing reporting lines. The organization may also enter into
relationships with external third parties that can influence reporting
lines (e.g., strategic business alliances, outsourcing, or joint
business ventures).
Different operating structures may result in different perspectives of
a risk pro le, which may affect enterprise risk management
practices. For example, assessing risk within a decentralized
operating structure may indicate few risks, while the view within a
centralized model may indicate a concentration of risk—perhaps
relating to certain customer types, foreign exchange, or tax
exposure.
Factors to consider when establishing and evaluating operating
structures may include the:
• Entity’s strategy and business objectives.
• Nature, size, and geographic distribution of the entity’s business.
• Risks related to the entity’s strategy and business objectives.
• The assignment of authority, accountability, and responsibility to
all levels of the entity.
• Type of reporting lines (e.g., direct reporting/solid line versus
secondary reporting) and communication channels.
• Financial, tax, regulatory, and other reporting requirements.
The organization considers these and other factors when deciding
what operating structure to adopt. For example, the board of
directors determines which management roles have at least a
dotted line to the board to allow for open communication of all
important issues. Similarly, direct reporting and informational
reporting lines are defined at all levels of the entity.
Enterprise Risk Management Structures
Management plans, organizes, and carries out the entity’s strategy
and business objectives in accordance with the entity’s mission,
vision, and core values. Consequently, management needs
information on how risk associated with the strategy occurs across
the entity. One example of a commonly used method of gathering
such information is to delegate the responsibility to a committee.
Committee members are typically executives or senior leaders
appointed or elected by management, and each contributes
individual skills, knowledge, and experience.
Entities with complex structures may have several committees, each
with different but overlapping management membership. This multi-
committee structure is then aligned with the operating structure and
reporting lines, which allows management to make business
decisions as needed, with a full understanding of the risks
embedded in those decisions.
Regardless of the particular management committee structure
established, it is common to clearly state the authority of the
committee, the management members who are a part of the
committee, the frequency of meetings, and the specific
responsibilities and operating principles. In some small entities,
enterprise risk management oversight may be less formal, with
management being much more involved in day-to-day decisions.
Authority and Responsibilities
In an entity that has a single board of directors, the board delegates
to management the authority to design and implement practices
that support the achievement of strategy and business objectives.
In turn, management defines roles and responsibilities for the overall
entity and its operating units. Management also defines roles,
responsibilities, and accountabilities of individuals, teams, divisions,
and functions aligned to strategy and business objectives.
In an entity with a dual-board structure, a supervisory board focuses
on longer-term decisions and strategies affecting the business. A
management board is charged with overseeing day-to-day
operations including the oversight and delegation of authority
among senior management. As with a single-board governance
structure, senior management defines roles and responsibilities for
the overall entity and its operating units.
Key roles typically include the following:
• Individuals in a management role who have the authority and
responsibility to make decisions and oversee business practices
to achieve strategy and business objectives. Within the
management team, the chief risk officer [14] is often responsible for
providing expertise and coordinating risk considerations.
• Other personnel who understand both the entity’s standards of
conduct and business objectives in relation to their area of
responsibility and the related enterprise risk management
practices at their respective levels of the entity.
Management delegates responsibility and tasks to enable personnel
to make decisions. Periodically, management may revisit its
structures by reducing or adding layers of management, delegating
more or less responsibility and tasks to lower levels, or partnering
with other entities.
Clearly defining authority is important, as it empowers people to act
as needed in a given role but also puts limits on authority. Risk-
based decisions are enhanced when management:
• Delegates responsibility only to the extent required to achieve the
entity’s strategy and business objectives (e.g., the review and
approval of new products involves the business and support
functions, separate from the sales team).
• Specifies transactions requiring review and approval (e.g.,
management may have the authority to approve acquisitions).
• Considers new and emerging risks as part of decision-making
(e.g., a new business partner is not taken on without exercising
due diligence).
Enterprise Risk Management within the
Evolving Entity
As an entity changes, the capabilities and value it seeks from
enterprise risk management may also change. Enterprise risk
management should be tailored to the capabilities of the entity,
considering both what the organization is seeking to attain and the
way it manages risk. It is natural for the operating structure to
change as the nature of the business and its strategy evolves.
Management, therefore, regularly evaluates the operating structure
and associated reporting lines.
In today’s world of evolving information technology, new operating
structures are emerging. It may be that standard operating
structures soon become “virtual” in nature, relying far less on
physical locations and more on technological interconnections. This
will require examining how risk will shift in response: At what point in
decision-making is risk considered? How does this affect the
achievement of strategy and business objectives? Management
must be prepared to address these questions under a new
operating structure and understand how changes due to innovation
will influence enterprise risk management practices.
[14] The chief risk officer is the individual who is delegated authority for enterprise risk management; other names for this role may be “head of enterprise risk management,” “head of risk,” “director of enterprise risk management,” or “director of risk.”
Principle 3: Defines Desired
Culture
The organization defines the desired
behaviors that characterize the entity’s
desired culture.
Culture and Desired Behaviors
An organization’s culture reflects its core values, behaviors, and
decisions. Decisions are in turn a function of the available
information, judgment, capabilities, and experience. An entity’s
culture influences how the organization applies this Framework: how
it identifies risk, what types of risk it accepts, and how it manages
risk.
It is up to the board of directors and management to define the
desired culture of the entity as a whole and of the individuals within
it. The core values drive the expected behaviors in day-to-day
decision-making in order to meet the expectations of stakeholders.
Establishing a culture embraced by all personnel—where people do
the right thing at the right time—is critical to the organization being
able to seize opportunities and manage risk to achieve the strategy
and business objectives.
Many factors shape entity culture. Internal factors include, among
other things, the level of judgment and autonomy provided to
personnel, how entity employees interact with each other and their
managers, the standards and rules, the physical layout of the
workplace, and the reward system in place. External factors include
regulatory requirements and expectations of customers, investors,
and other elements.
All these factors influence where the entity positions itself on the
culture spectrum, which ranges from risk averse to risk aggressive
(see Figure 6.1). The closer an entity is to the risk aggressive end of
the spectrum, the greater is its propensity for and acceptance of the
differing types and greater amount of risk to achieve strategy and
business objectives (see Example 6.2).
Example 6.2: Two Ends of the Culture Spectrum
A nuclear power plant will likely have a risk-averse culture in
its day-to-day operations. Both management and external
stakeholders expect decisions regarding new technologies
and systems to be made carefully and with great attention to
detail and safety in order to provide reasonable expectation
of the plant’s reliability. It is not desirable for nuclear power
plants to invest heavily in innovative and unproven
technologies critical to managing the operations.
In contrast, a private equity manager is more likely a risk-
aggressive entity. Management and external investors will
have high expectations of performance that require taking on
potentially severe risks, while still falling within the defined
risk appetite of the entity.
A well-defined culture does not imply a template approach to
enterprise risk management. That is, managers of some operating
units may be prepared to take more risk, while others may be more
conservative. For example, an aggressive sales unit may focus its
attention on making a sale without careful attention to regulatory
compliance outside the desired risk appetite, while the personnel in
the contracting unit may focus on maintaining full compliance well
within the desired risk appetite. Working separately, these two units
could adversely affect the entity, but by having a shared
understanding of acceptable risk decisions, they can respond
appropriately within the defined risk appetite to achieve the strategy
and business objectives.
Applying Judgment
Judgment has a significant role in defining the desired culture and
management of risk across the culture spectrum. Judgment is often
relied upon:
• When there is limited information or data available to support a
decision.
• Where there are unprecedented changes in the strategy, business
objectives, performance, or risk profile of the organization.
• During times of disruption.
Judgment is a function of personal experiences, risk appetite,
capabilities and the level of information available, and organizational
bias. Management judgment is susceptible to bias, for example, when
there is over- or under-confidence in the organization’s abilities, or
when assumptions are anchored and correlations attributed on the
basis of limited information. Behaviors within the entity may also lead to
organizational bias that affects judgment. Group dynamics in
meetings, communication styles of management, and recognition
and acknowledgment of personnel may affect the ability of
management to exercise good judgment.
The use of judgment influences the ability of an organization to
navigate periods of crisis and resume normal operations more
efficiently. During periods of disruption, the ability for an
organization to function in accordance with existing policies or
procedures may be hampered, requiring it to rely more on the
judgment and behaviors of management and the board. The actions
taken by the organization to steer the entity out of a crisis depend
on the accountability, behaviors, and actions of personnel.
Organizations with management teams who have extensive
experience, established capabilities, and well-defined risk appetite
will likely exercise judgment with greater clarity. Stakeholders are in
turn likely to have greater confidence that the organization will
recover successfully when the judgment demonstrated is in line with
the core values of the entity.
Judgment also affects the extent to which innovation and the
identification of opportunities are fostered within an entity. When the
entity is characterized by very prescriptive practices and limited
delegations of authority, innovation may be stifled. An organization
that places a stronger emphasis on risk-aware culture may rely more
on management’s judgment when making decisions that enhance
values and in seeking new opportunities in line with the risk appetite
of the entity.
Effect of Culture
The culture of an organization affects how risk is identified,
assessed, and responded to from the moment of setting strategy
through to execution and performance. Examples include:
• Scoping of strategy and business objective-setting: The culture of
an organization may affect the types of strategic alternatives being
considered. For example, despite promising feasibility studies, a
risk-averse organization may choose not to expand mining and
drilling operations into new geographies.
• Applying rigor to the risk identification and assessment processes:
Depending where an organization sits on the culture spectrum, the
nature and types of risks and opportunities may differ. What are
viewed as potential risks by a risk-averse entity may be
considered as opportunities worthy of pursuit by another. For
example, increasing demand for online ordering may be seen as a
risk for a traditional retail manufacturer but as an opportunity to
increase sales by a retailer looking to grow sales and market
share.
• Selecting risk responses and allocating finite resources: A
risk-averse entity may allocate risk responses or additional resources
in order to gain higher confidence of the achievement of a specific
business objective. The costs and benefits associated with
incremental risk responses may be interpreted less favorably by
more risk-aggressive entities. For example, purchasing additional
insurance may be favored by risk-averse entities, but may be
viewed as an inefficient use of financial resources by another.
• Reviewing performance: Trends in the risk profile or business
context may be addressed differently by entities on different
points of the culture spectrum. A risk-averse entity may make
changes more quickly to risk responses as variations in
performance are identified. Entities that are more risk aggressive
may wait longer before making changes or may make smaller
changes. For example, airlines may adjust flight schedules more
quickly in response to adverse changes in weather conditions than
train or bus companies, which may be able to continue operating
without disruption for longer.
Aligning Core Values, Decision-Making, and
Behaviors
The ability for an organization to successfully achieve its strategy
and business objectives is impeded when the behaviors and
decisions of the organization do not align with its core values.
Misalignment can result in a loss of confidence from stakeholders,
inconsistent approaches, and lower than targeted performance.
When core values are not adhered to, it is generally for one of the
following reasons:
• Tone at the top does not effectively convey expectations.
• The board does not provide oversight of management’s adherence
to standards.
• Middle management and functional managers are not aligned with
the entity’s mission, vision, and strategy.
• Risk is an afterthought to strategy-setting and business planning.
• Performance targets create incentives or pressures that instill
behavior contrary to core values.
• There is no clear escalation policy on important risk and
performance matters.
• The investigation and resolution of excessive risk-taking is
inadequate.
• Management or other personnel deliberately act in a way that
does not comply with core values.
In a risk-aware culture, personnel know what the entity stands for
and the boundaries within which they can operate. They can openly
discuss and debate which risks should be taken to achieve the
entity’s strategy and business objectives, with the result being
employee and management behaviors that are more consistently
aligned with the entity’s risk appetite.
Shifting Culture
Culture does not stay constant over time (see Example 6.3).
Changes within the organization and external influences may cause
an entity’s culture to shift. New leadership may have a different
attitude and philosophy about enterprise risk management.
Additionally, an acquisition could alter an entity’s mission and vision
and affect decision-making. Mergers and acquisitions can also
result in changes to the culture. These changes will affect how the
organization looks at risk and influence how decisions are made.
Example 6.3: When Deviations to Standards of
Conduct Occur
A technology start-up is developing a new algorithm that
improves the accuracy of tracking changes in customer
behaviors and purchasing preferences. In its infancy, the
start-up had a very aggressive risk culture as it worked
through the initial phases of establishing commercial
operations and identifying potential business partners,
customers, and market opportunities. As the organization
matured it entered into more formal partnerships with larger
clients. The start-up eventually decided to become publicly
listed to access a larger group of investors. With this change,
the company shifted to the left on the culture spectrum,
which mirrored the company’s risk appetite and
corresponding changes to the enterprise risk management
practices and capabilities of the entity.
Principle 4: Demonstrates
Commitment to Core Values
The organization demonstrates a
commitment to the entity’s core values.
Reflecting Core Values throughout the
Organization
Understanding the entity’s core values is fundamental to enterprise
risk management. Core values are reflected in actions and decisions
applied across the entity. Without a strong and supportive
understanding of, and commitment to, those values communicated
from the top of the organization, risk awareness can be undermined
and risk-inspired decisions may be inconsistent with those values.
The manner in which values are communicated across the
organization is often referred to as the “tone” of the organization.
A consistent tone establishes a common understanding of the core
values, business drivers, and desired behavior of personnel and
business partners. Consistency helps pull the organization together
in the pursuit of the entity’s strategy and business objectives. But it
is not always easy to maintain a consistent tone. For instance,
different markets may call for different approaches to motivation,
evaluation, and customer service. From time to time, these factors
may put pressure on different levels of the entity, resulting in a
change in tone. (In larger entities, this view of tone is sometimes
referred to as “tone in the middle.”) However, the more the tone can
remain consistent throughout the entity, the more consistent the
performance of enterprise risk management responsibilities in the
pursuit of the entity’s strategy and business objectives will be.
Aligning the culture and tone of the organization gives confidence to
stakeholders that the entity is adhering to its core values and the
pursuit of its mission and vision. For example, in an entity where
“safety first” is a core value, management demonstrates its
commitment by actively encouraging everyone at every level to
identify and escalate safety practices regardless of their role in the
organization. External stakeholders such as safety inspectors who
observe the content and tone of training materials, internal
communications, and reporting will consequently have the
confidence that the organization is embracing its culture and core
values.
Embracing a Risk-Aware Culture
Management defines the characteristics needed to achieve the
desired culture over time, with the board providing oversight and
focus. An organization can then embrace a risk-aware culture by:
• Maintaining strong leadership: The board and management place
importance on creating the right risk awareness and tone
throughout the entity. Culture and, therefore, risk awareness
cannot be changed from second-line team or department
functions alone; the organization’s leadership must be the real
driver of change.
• Employing a participative management style: Management
encourages personnel to participate in decision-making and to
discuss risks to the strategy and business objectives.
• Enforcing accountability for all actions: Management documents
policies of accountability and adheres to them, demonstrating to
personnel that lack of accountability is not tolerated and that
practicing accountability is appropriately rewarded.
• Aligning risk-aware behaviors and decision-making with
performance: Remuneration and incentive programs are aligned to
the core values of the organization including expected behaviors,
adherence to codes of conduct, and promoting accountability for
risk-aware decision-making and judgment.
• Embedding risk in decision-making: Management addresses risk
consistently when making key business decisions, which includes
discussing and reviewing risk scenarios that can help everyone
understand the interrelationship and impacts of risks before
finalizing decisions.
• Having open and honest discussions about risks facing the entity:
Management does not view risk as being negative, and
understands that managing risk is critical to achieving the strategy
and business objectives.
• Encouraging risk awareness across the entity: Management
continually sends messages to personnel that managing risk is a
part of their daily responsibilities, and that it is not only valued but
also critical to the entity’s success and survival.
Aligning individual behavior with culture is critical. The most
powerful in uence comes from management who creates and
sustains the organizational agenda. Explicitly, the organization
develops policies, rules, and standards of conduct. Implicitly, the
organization should lead by example to reflect its core values and
standards of conduct. The key is management enforcing what it
says is of value, recognizing that it is the implicit and subtle
processes that most effectively establish culture in line with its core
values.
Enforcing Accountability
The board of directors ultimately holds the chief executive officer [15]
accountable for managing the risk faced by the entity by
establishing enterprise risk management practices and capabilities
to support the achievement of the entity’s strategy and business
objectives. The chief executive officer and other members of
management, together, are responsible for all aspects of
accountability—from initial design to periodic assessment of the
culture and enterprise risk management capabilities. Accountability
for enterprise risk management is demonstrated in each structure
used by the entity.
Management provides guidance to personnel so they understand
the risks. Management also demonstrates leadership by
communicating the expectations of conduct for all aspects of
enterprise risk management. Such leadership from the top helps to
establish and enforce accountability and a common purpose.
Accountability is evident in the following ways:
• Management and the board of directors clearly communicating
the expectations (e.g., developing and enforcing standards of
conduct).
• Management ensuring that information on risk flows throughout
the entity (e.g., communicating how decisions are made and how
risk is considered as part of decisions).
• Employees committing to collective business objectives (e.g.,
aligning individual targets and performance with the entity’s
business objectives).
• Management responding to deviations from standards and
behaviors (e.g., terminating personnel or taking other corrective
actions for failing to adhere to organizational standards; initiating
performance evaluations).
Holding Itself Accountable
In some governance structures, performance targets cascade from
the board of directors to the chief executive officer, management,
and other personnel, and performance is evaluated at each of these
levels. The board of directors evaluates the performance of the chief
executive officer, who in turn evaluates the management team, and
so on. At each level, adherence to the core values and desired
culture behaviors is evaluated, and rewards are allocated or
disciplinary action is applied as appropriate. The board may also
conduct a self-evaluation to assess its own strengths and identify
opportunities to improve enterprise risk management.
In other governance structures, such as a dual-board structure, the
supervisory board evaluates the performance of the management
board as a whole and of its individual members; the executive board
evaluates the senior management team that reports directly to the
executive board.
Keeping Communication Open and Free
from Retribution
It is management’s responsibility to cultivate open communication
and transparency about risk and the risk-taking expectations.
Management demonstrates that risk is not a discussion to be left for
the boardroom. It does that by sending clear and consistent
messages to employees that managing risk is a part of everyone’s
daily responsibilities, and that it is not only valued but also critical to
the entity’s success and survival. Open communication and risk
transparency enables management and personnel to work together
continually to share risk information throughout the entity.
Information is shared and escalated to the relevant level within the
entity. Transparency of information may relate to:
• Changes in the understanding of assumptions underpinning the
selection of a strategy or business objectives.
• Ongoing adequacy of a risk response.
• Incidents, failures, errors, or unexpected losses.
• Variations in performance (including overperformance), including
those facilitated by third parties.
• Changes in the risk profile or portfolio view of risk of the entity.
• Deviations in expected behaviors compared to the core values of
the organization.
In addition, management provides the board of directors with an
appropriate level of risk information to gauge whether current
enterprise risk management practices are appropriate. The board of
directors can provide risk oversight only if it is given timely and
complete information, and when the lines of communication are
open to discuss issues with management.
The entity that demonstrates open communication and
transparency provides a variety of channels for both management
and personnel to report concerns about potentially inappropriate or
excessive risk taking, business conduct, or behavior without fear of
retaliation or intimidation. The entity also prohibits any form of
retaliation against any individual who participates in good faith in
any investigation of behavior that is not in line with the standards of
conduct and risk appetite. Personnel who engage in inappropriate
or unlawful retaliation or intimidation are subject to disciplinary
action.
Responding to Deviations in Core Values
and Behaviors
If establishing a culture in which management and personnel act
according to desired behaviors is fundamental to enterprise risk
management, then why do things sometimes go wrong? Even in
those entities that solidly demonstrate a commitment to their core
values, operational failures, scandals, and crises do sometimes
occur—damaging reputations and ultimately leaving an organization
unable to achieve its strategy and business objectives.
Wrongdoing occurs for three reasons: people make mistakes (out of
confusion or ignorance), people have a moment of weakness of will,
or people choose to do harm. Knowing that any one of these three
things can take place, an organization must align core values and
behaviors to help people avoid mistakes and to identify potential
wrongdoers, whether individuals or groups.
This requires appropriately assessing and prioritizing risks and
developing detailed risk responses.
The organization sends a clear message of what is acceptable and
unacceptable behavior whenever deviations become known.
Deviations from standards of conduct must be addressed in a timely
and consistent manner (see Example 6.4).
Example 6.4: When Deviations to Core Values Occur
For a global pharmaceutical company, research and
development (R&D) is often one of the biggest costs, as
products may take ten to twenty years to develop and bring
to market and require significant financial investment. During
the research phase, it is common for many side effects of a
product to be identified. But if R&D did not disclose all
potential side effects to management, thereby impeding
management from making an informed decision on moving
from drug trials to production, and the drug is launched,
there could be severe effects to the entity if patients who use
the drug experience adverse side effects. Moreover, R&D’s
failure to disclose would likely be a clear violation of the
desired conduct of the company.
The response to a deviation will depend on its magnitude, which is
determined by management considering any relevant laws and
standards of conduct. The response may range from an employee
being issued a warning to being put on probation to even being
terminated. In all cases, the expectations of risk-aware behavior,
judgment, and decision-making must remain consistent.
Consistency ensures that the entity’s culture is not undermined.
15 The Framework refers to “chief executive officer.” Other terms describing this senior
leadership position that may be used include “chief executive,” “president,” “managing
director,” or “deputy.”
Principle 5: Attracts, Develops,
and Retains Capable Individuals
The organization is committed to building
human capital in alignment with the
strategy and business objectives.
Establishing and Evaluating Competence
Management, with board oversight, defines the human capital
needed to carry out strategy and business objectives.
Understanding the needed competencies helps in establishing how
various business processes should be carried out and what skills
should be applied. This begins with the board of directors relative to
the chief executive officer, and the chief executive officer relative to
the management and personnel of each of the divisions, operating
units, and functions in the entity. That is, the board of directors
evaluates the competence of the chief executive officer and, in turn,
management evaluates competence across the entity and
addresses any shortcomings or excesses as necessary.
The human resources function helps promote competence by
assisting management in developing job descriptions and roles and
responsibilities, facilitating training, and evaluating individual
performance for managing risk. Management considers the
following factors when developing competence requirements:
• Knowledge, skills, and experience with enterprise risk
management.
• Nature and degree of judgment and limitations of authority to be
applied to a specific position.
• The costs and benefits of different skill levels and experience.
Attracting, Developing, and Retaining
Individuals
The ongoing commitment to competence is supported by and
embedded in the human resource management processes.
Management at different levels establishes the structure and
process to:
• Attract: Seek out the necessary number of candidates who fit the
entity’s desired risk-aware culture, desired behaviors, operating
style, and organizational needs, and who have the competence for
the proposed roles.
• Train: Enable individuals to develop and maintain enterprise risk
management competencies appropriate for assigned roles and
responsibilities, reinforce standards of conduct and desired levels
of competence, tailor training to specific needs, and consider a
mix of delivery techniques, including classroom instruction, self-
study, and on-the-job training.
• Mentor: Provide guidance on the individual’s performance
regarding standards of conduct and competence, align the
individual’s skills and expertise with the entity’s strategy and
business objectives, and help the individual to adapt to an
evolving business context.
• Evaluate: Measure the performance of individuals in relation to
achieving business objectives and demonstrating enterprise risk
management competence against agreed-upon standards.
• Retain: Provide incentives to motivate an individual and reinforce
the desired level of performance and conduct. This includes
offering training and credentialing as appropriate.
Throughout this process, any behavior not consistent with
standards of conduct, policies, performance expectations, and
enterprise risk management responsibilities is identified, assessed,
and corrected in a timely manner.
In addition, organizations must continually identify and evaluate
those roles that are essential to achieving strategy and business
objectives. The decision of whether a role is essential is made by
assessing the consequences of having that role temporarily or
permanently unfilled. The question needs to be asked: How will
strategy and business objectives be achieved if the position of, for
example, the chief executive officer is left unfilled?
Rewarding Performance
Performance is greatly influenced by the extent to which individuals
are held accountable and how they are rewarded. It is up to
management and the board of directors to establish incentives and
other rewards appropriate for all levels of the entity, considering the
achievement of both short-term and longer-term business
objectives. Establishing such incentives and rewards requires
appropriately assessing and prioritizing risks and developing
detailed risk responses. Conversely, under a program of incentives,
those individuals who do not adhere to the entity’s standards of
conduct are sanctioned and not promoted or otherwise rewarded.
Salary increases and bonuses are common incentives, but non-
monetary rewards such as being given greater responsibility,
visibility, and recognition are also effective. Management
consistently applies and regularly reviews the entity’s measurement
and reward structures in conjunction with its desired behavior. In
doing so, the performance of individuals and teams is reviewed in
relation to defined measures, which include business performance
factors as well as demonstrated competence (see Example 6.5).
Example 6.5: Performance, Incentives, and Rewards
A family-owned furniture manufacturer is trying to win
customer loyalty with its high-quality furniture. It engages its
workforce to reduce production defect rates, and it aligns its
performance measures, incentives, and rewards with both
the operating units’ production goals and the expectation to
comply with all safety and quality standards, workplace
safety laws, customer loyalty programs, and accurate
product recall reporting. Once it had aligned business
objectives with incentives and rewards, the company noted
in the staff a greater sense of accountability and more
willingness to work together to address challenges, and
ultimately there was a measurable decline in product defects.
Addressing Pressure
Pressure in an organization comes from many sources. The targets
that management establishes for achieving strategy and business
objectives by their nature create pressure. Pressure also may occur
during the regular cycles of specific tasks (e.g., negotiating a sales
contract), and it may sometimes be self-imposed. Unexpected
change in business context, such as a sudden dip in the economy,
can also add pressure.
Pressure can either motivate individuals to meet expectations or
cause them to fear the consequences of not achieving strategy and
business objectives. In the latter case, individuals may circumvent
processes or engage in fraudulent activity. Organizations can
positively influence pressure by rebalancing workloads or increasing
resource levels, as appropriate, and continue to communicate the
importance of ethical behavior.
Excessive pressure is most commonly associated with:
• Unrealistic performance targets, particularly for short-term results.
• Conflicting business objectives of different stakeholders.
• Imbalance between rewards for short-term financial performance
and those for long-term focused stakeholders, such as corporate
sustainability targets (see Example 6.6).
Example 6.6: The Price of Pressure
Possible negative reaction to pressure should be accounted
for when considering compensation and incentives. For
example, investment managers take risks on behalf of their
clients, and the performance of those investment portfolios
may significantly affect the entity’s remuneration. A fee based
on fund performance may result in very different behavior
compared with a fee based on fund value. Aligning an
individual’s compensation can help reinforce the desired
culture. Conversely, incentive structures that fail to
adequately consider the risks associated with creating
pressure can create inappropriate behavior.
Pressure is also created by change: change in strategy, in operating
structure, in acquisition or divestiture activity, and in the business
context, which is often external to the organization, such as market
competitor actions. Management and the board must be prepared
to set and adjust, as appropriate, the pressure when assigning
responsibilities, designing performance measures, and evaluating
performance. It is management’s responsibility to guide those to
whom they have delegated authority to make appropriate decisions
in the course of doing business.
Preparing for Succession
To prepare for succession, the board of directors and management
must develop contingency plans for assigning responsibilities
important to enterprise risk management. In particular, succession
plans for key executives need to be defined, and succession
candidates should be trained, coached, and mentored for assuming
the role. Typically, larger entities identify more than one person who
could fill a critical role.
7. Strategy and Objective-Setting
Principles Relating to Strategy and
Objective-Setting
Introduction
Every entity has a strategy for bringing its mission and vision to
fruition, and to drive value. It can be a challenge to assess whether
the strategy will align with mission, vision, and core values, but it is
a challenge that must be taken on. By integrating enterprise risk
management with strategy-setting, an organization gains insight into
the risk profile associated with strategy and the business objectives.
Doing so guides the organization and helps to sharpen the strategy
and the tasks necessary to carry it out.
Principle 6: Analyzes Business
Context
The organization considers potential
effects of business context on risk profile.
Understanding Business Context
An organization considers business context when developing
strategy to support its mission, vision, and core values. “Business
context” refers to the trends, relationships, and other factors that
influence an organization’s current and future strategy and business
objectives. Business context may be:
• Dynamic, where new risks can emerge at any time disrupting the
status quo (e.g., a new competitor causes product sales to
decrease or even make the product obsolete).
• Complex, with many interconnections and interdependencies
(e.g., an entity has many operating units around the world, each
with its own unique political regimes, regulatory policies, and
taxation laws).
• Unpredictable, where change happens quickly and in
unanticipated ways (e.g., currency fluctuations and political
forces).
Considering External Environment and
Stakeholders
The external environment is part of the business context. It is
anything, including external stakeholders, outside the entity that can
influence the entity’s ability to achieve its strategy and business
objectives.
An example of an external stakeholder is a regulatory body that
grants an entity a license to operate, but also has the authority to
fine the entity or force it to shut down temporarily or permanently.
Another example is an investor who provides the entity with capital
but who can decide to take that investment elsewhere if it does not
agree with the entity’s strategic direction or its level of performance.
An organization that identifies its external environment and
stakeholders and the extent of their influence on the business may
be in a better position to anticipate and adapt to change.
External stakeholders are not directly engaged in the entity’s
operations, but they:
• Are affected by the entity (customers, suppliers, competitors, etc.).
• Directly influence the entity’s business environment (government,
regulators, etc.).
• Influence the entity’s reputation, brand, and trust (communities,
interest groups, etc.).
The external environment comprises several factors that can be
categorized by the acronym PESTLE: political, economic, social,
technological, legal, and environmental (see Figure 7.1). Example
7.1 provides a scenario to illustrate this concept.
Figure 7.1: External Environment Categories and Characteristics16
Example 7.1: External Environment In uences
Two competing global technology companies are both
seeking to increase revenues. The first company is
considering launching an established product in developing
countries, while the other company is developing a new
product that would expand its existing consumer base. As
each company evaluates alternative strategies, they consider
different external environment categories. The first company
is influenced by political, legal, and economic factors as it
navigates country-specific laws, government regulations, and
supply chain considerations. In contrast, the second
company focuses on social and technological factors as it
seeks to understand changing customer needs. Even though
both companies are in the same industry, they have different
external environments that influence their specific risk
profiles and their chosen strategy.
Considering Internal Environment17 and
Stakeholders
An entity’s internal environment is anything inside the entity that can
affect its ability to achieve its strategy and business objectives
(Figure 7.2). Internal stakeholders are those people working within
the entity who directly influence the organization (board directors,
management, and other personnel). As entities vary greatly in size
and structure, internal stakeholders may affect the organization
differently as a whole than at the level of division, operating unit, or
function.
How Business Context Affects Risk Profile
The effect that business context has on an entity’s risk profile may
be viewed in three stages: past, present, and future performance.
Looking back at past performance can provide an organization with
valuable information to use in shaping its risk profiles. Looking at
current performance can show how current trends, relationships,
and other factors are affecting the risk profile. And by thinking what
these factors will look like in the future, the organization can
consider how its risk profile might evolve in relation to where it is
heading or wants to head. Example 7.2 illustrates how an
organization can consider business context within the components
of enterprise risk management.
Example 7.2: Considering Business Context in Each of
the Framework Components
The management of a retail company integrates
understanding of business context with other enterprise risk
management practices as follows:
• Governance and Culture: The organization develops an
understanding of governance and associated regulatory
trends. The board incorporates this understanding of
emerging expectations into its oversight of enterprise risk
management practices.
• Strategy and Objective-Setting: Management conducts a
detailed analysis of social trends, retail trends, and
consumer confidence levels driving behavior of its core
customer base and incorporates findings into its strategy-
setting cycle for long-term value and success.
• Performance: Management incorporates its understanding
of environmental trends and how they may affect the
assessment of risks relating to the objective of reducing
packing by 50% in line with its core values.
• Review and Revision: Management considers how
changes in workforce practices, namely the emergence of
the mobile workforce, may also affect the entity’s culture
and enterprise risk management practices, including
opportunities to enhance current practices.
• Information, Communication, and Reporting:
Management considers that legislation concerning
information privacy may affect the way the entity captures,
communicates, and reports on risk information.
16 External environment categories may also be considered as potential risk categories
when identifying and assessing risks.
17 Internal environment is explored in detail in the Governance and Culture component
(Chapter 6).
Principle 7: Defines Risk
Appetite
The organization defines risk appetite in
the context of creating, preserving, and
realizing value.
Applying Risk Appetite
Decisions made in selecting strategy and developing risk appetite
are not linear, with one decision always preceding the other. Nor is
there a universal risk appetite that applies to all entities.
Many organizations develop strategy and risk appetite in parallel,
refining each throughout strategy-setting. Some boards will provide
input and may challenge management on its choice of risk appetite,
while others will be expected to concur with management and
approve the risk appetite set. Regardless of how the decisions are
made, the organization would have a preliminary understanding of
its risk appetite based on the established mission and vision and
prior strategies. These are important inputs into any risk appetite,
which is refined whenever an organization reviews alternative
strategies and selects a desired strategy.
Some entities consider risk appetite in qualitative terms while others
prefer to use quantitative terms, often focusing on balancing
growth, return, and risk. Whatever the approach for describing risk
appetite, it should reflect the entity’s culture. Moreover, if the
organization wants to change some aspect of the culture, defining a
strong risk appetite can help create and reinforce that desired
culture.
The best approach for an entity is one that aligns with the analysis
used to assess risk in general, whether that is qualitative or
quantitative. Developing the risk appetite statements is an exercise
in seeking the optimal balance between risk and opportunity.
Taken together, these considerations help frame the entity’s risk
appetite and provide greater precision than a single, higher-level
statement. Figure 7.3 depicts the risk profile as a solid area (in blue),
filling the space across the performance axis from the individual risk
profile bars (from the earlier illustration of Figure 3.2). A line showing
risk appetite has also been added.
On any depiction of risk pro le, organizations may also plot risk
capacity (as in Figure 7.3), which is the maximum amount of risk an
entity is able to absorb in the pursuit of strategy and business
objectives. Risk capacity must be considered when setting risk
appetite, as generally an organization strives to hold risk appetite
within its capacity. It is not typical for an organization to set risk
appetite above its risk capacity, but in rare situations an
organization may choose to do so. This could happen, for instance,
in the case of an organization accepting the threat of insolvency,
understanding that success can create considerable value. Where
the organization is managing risks above its risk appetite,
management will typically be expected to either amend its practices
to operate within its risk appetite or formally accept this level of risk
taking. Some organizations will also seek board approval in such
instances. (Additional discussion on risk profiles is presented in
Appendix D in Volume II.)
Determining Risk Appetite
There is no standard or “right” risk appetite that applies to all
entities. Management and the board of directors choose a risk
appetite with an informed understanding of the trade-offs involved.
Risk appetite may encompass a single depiction or several
depictions that align and collectively specify the acceptable types
and amount of risk.
A variety of approaches are available to determine risk appetite,
including facilitating discussions, reviewing past and current
performance targets, and modeling. In determining risk appetite,
organizations may consider stakeholders as noted in the discussion
on business context. It is up to management to communicate the
agreed-upon risk appetite at various levels of detail throughout the
entity. With the support of the board, management also revisits and
reinforces risk appetite over time in light of new and emerging
considerations.
For some entities, using general terms such as “low appetite” or
“high appetite” is sufficient. Others may view such statements as
too vague to effectively communicate and implement, and therefore
they may look for more quantitative measures. Often, as
organizations become more experienced in enterprise risk
management, their description of risk appetite becomes more
precise. In some instances, organizations may develop quantitative
measures that link to the risk appetite statement. Typically these
measures would align with the strategy and related business
objective targets. For instance, an entity that focuses its enterprise
risk management practices on reducing performance variability may
express risk appetite using financial results or the beta of its stock.
Risk appetite should be positioned and perceived as a dynamic
approach for shaping the entity’s risk profile rather than as an
additional constraint on performance. For that reason, some entities
will develop a series of cascading expressions of risk appetite
referencing “targets,” “ranges,” “ceilings,” or “floors” (see Example
7.3). Others will use specific quantitative terms as a way of
increasing precision.
Example 7.3: Risk Appetite Expressions
Target: A credit union with a lower risk appetite for loan
losses cascades this message into the business by setting a
loan loss target of 0.50% of the overall loan portfolio.
Range: A medical supply company operates within a low
overall risk range. Its lowest risk appetite relates to safety
and compliance objectives, including employee health and
safety, with a marginally higher risk appetite for its strategic,
reporting, and operations objectives. This means reducing to
a reasonably practicable amount the risks originating from
various medical systems, products, equipment, and the work
environment, and meeting legal obligations that take priority
over other business objectives.
Ceiling: A university accepts a moderate risk appetite as it
seeks to expand the scope of its offerings where financially
prudent and will explore opportunities to attract new
students. The university will favor new programs where it has
or can readily attain the capabilities to deliver them. However,
the university will not accept programs that present severe
risk to the university mission and vision, forming a ceiling on
acceptable decisions.
Floor: A technology company has aggressive goals for
growth in its sector and recognizes that such growth requires
significant capital investment. While it does not accept
investing capital unwisely, management is of the view that, as
a minimum, 25% (i.e., the floor) of the operating budget
should be allocated to the pursuit of technology innovation.
An organization may consider any number of parameters to help
frame its risk appetite and provide greater precision. For example,
the organization may consider:
• Strategic parameters, such as new products to pursue or avoid,
the investment for capital expenditures, and merger and
acquisition activity.
• Financial parameters, such as the maximum acceptable variation
in financial performance, return on assets or risk-adjusted return
on capital, target debt rating, and target debt/equity ratio.
• Operating parameters, such as environmental requirements, safety
targets, quality targets, and customer concentrations.
Management may also consider the entity’s risk profile, risk
capacity, enterprise risk management capability and maturity,
among other things, when determining risk appetite.
• Risk profile provides information on the entity’s current amount of
risk and how risk is distributed across the entity, as well as on the
different categories of risk for the entity. New organizations will not
have an existing risk pro le to draw from, but they may be able to
get valuable information from their industry and competitors.
• Risk capacity is the maximum amount of risk the entity can absorb
in pursuit of strategy and business objectives. If the entity’s risk
appetite is very high but its risk capacity is not large enough to
withstand the potential impact of the related risks, the entity could
fail. On the other hand, if the entity’s risk capacity significantly exceeds its risk
appetite, the organization may lose opportunities to add value for
its stakeholders.
• Enterprise risk management capability and maturity provide
information on how well enterprise risk management is
functioning. A mature organization is often able to define
enterprise risk management capabilities that provide better insight
into its existing risk appetite and factors influencing risk capacity.
A less mature organization with undefined enterprise risk
management capabilities may not have the same understanding,
which can result in a broader risk appetite statement or one that
will need to be redefined sooner. Enterprise risk management
capability and maturity also influence how the organization
adheres to and operates within its risk appetite.
Articulating Risk Appetite
Some organizations articulate risk appetite as a single point; others
as a continuum (see Example 7.4).
An organization may articulate detailed risk appetite statements in
the context of:
• Strategy and business objectives that align with the mission,
vision, and core values.
• Business objective18 categories.
• Performance targets of the entity.
Some organizations will develop and articulate risk appetite using
other approaches, such as risk categories. These approaches are
sometimes easier to manage and assess. However, they can also
result in organizations managing risk in silos rather than taking an
integrated view of enterprise risk management.
Risk appetite is communicated by management, endorsed by the
board, and disseminated throughout the entity. Disseminating risk
appetite is important, as the goal is for all decision-makers to
understand the risk appetite they must operate within, especially
those who perform tasks to achieve business objectives (e.g., local
sales forces, country managers).
Most organizations will choose to communicate risk appetite
broadly across the entity. Some may choose to focus on senior
roles that have direct responsibility for managing performance. This
may occur, for instance, where there is sensitivity to competitor
activity, access to private or confidential information, or potential for
risk appetite to impede compliance with obligations. In some
instances, organizations may also choose to communicate risk
appetite to external stakeholders, either in its entirety or in an
abbreviated form.
Example 7.5 illustrates how one organization cascades risk appetite
through statements aligned with high-level business objectives that,
in turn, align with the overall entity strategy.
Using Risk Appetite
Risk appetite guides how an organization allocates resources, both
through the entire entity and in individual operating units. The goal is
to align resource allocation with the entity’s mission, vision, and
core values. Therefore, when management allocates resources
across operating units, it considers the entity’s risk appetite and
individual operating units’ plans for creating value. For instance,
management may choose to allocate a greater portion of resources
to those business objectives with a lower risk appetite versus those
business objectives with a higher risk appetite. The organization
seeks to align people, processes, and infrastructure to successfully
implement strategy and business objectives while remaining within
its risk appetite.
Risk appetite is incorporated into decisions on how the organization
operates. Management, with board oversight, continually monitors
risk appetite at all levels and accommodates change when needed.
In this way, management creates a culture that emphasizes the
importance of risk appetite and holds those responsible for
implementing enterprise risk management within the risk appetite
parameters.
But risk appetite is only part of the approach. To fully embed risk
appetite into decision-making at various levels, it does need to
cascade through and align with other practices. Figure 7.4 depicts
this important relationship and the application of risk appetite,
tolerance,19 and indicators and triggers20 as they cascade within an
entity.
18 Formulating business objectives is discussed in Principle 9. They are included here to better illustrate how risk appetite cascades from strategy through business objectives.
19 Tolerance is discussed later in this chapter in Principle 9.
20 Limits and triggers are discussed in the Performance component.
Principle 8: Evaluates Alternative Strategies
The organization evaluates alternative strategies and potential impact on risk profile.
An organization must evaluate alternative strategies as part of
strategy-setting and assess the risk and opportunities of each
option. Alternative strategies are assessed in the context of the
organization’s resources and capabilities to create, preserve, and
realize value. A part of enterprise risk management includes
evaluating strategies from two different perspectives: (1) the
possibility that the strategy does not align with the mission, vision,
and core values of the entity, and (2) the implications from the
chosen strategy.
The Importance of Aligning Strategy
Strategy must support mission and vision and align with the entity’s
core values and risk appetite. If it does not, the entity may not
achieve its mission and vision.
Further, a misaligned strategy increases risk to stakeholders
because the value of the organization and its reputation may be
affected. For example, consider a telecommunications company
that is considering a strategy of limiting the areas in which its
products and services are available in order to improve its financial
performance. But this strategy is at odds with its mission of being a
provider of critical services and a leading corporate citizen in the
local community. While the anticipated improvement in financial
results is intended to appeal to shareholders and investors, it may
be undermined by an adverse effect to its reputation with
community groups and regulators that insist that services be
maintained.
Understanding the Implications from
Chosen Strategy
When evaluating alternative strategies, the organization seeks to
identify and understand the potential risks and opportunities of each
strategy being considered. The identified risks collectively form a
risk profile for each option; that is, different strategies yield different
risk profiles. Management and the board use these risk profiles
when deciding on the best strategy to adopt, given the entity’s risk
appetite. In some instances, this evaluation may need to consider
multiple strategies to understand the potential dependency of one
strategy on another.
Another consideration when evaluating alternative strategies is the
supporting assumptions relating to business context, resources,
and capabilities. These assumptions are an important part of the
strategy. They may relate to any of the internal and external
considerations that form part of the entity’s business context. Where
assumptions are unproven, there is often a higher risk of disruption
than there would be if the organization had greater certainty that
there would not be disruptive events associated with a strategy. The
level of confidence of management and the board associated with
each assumption will affect the risk profile of each of the strategies.
Further, a strategy typically has a higher risk profile when a
significant number of assumptions are made or where the
assumptions are largely unproven.
Once a risk profile has been determined for the chosen strategy,
management is better able to consider the types and amount of risk
it will face in carrying out that strategy. Specifically, knowing the risk
profile allows management to determine what resources will be
required and allocated to support carrying out the strategy while
remaining within the risk appetite. Resource requirements include
infrastructure, technical expertise, and working capital.
The amount of effort expended and the level of precision required to
evaluate alternative strategies will vary by the significance and
complexity of the decision, the resources and capabilities available,
and the number of strategies being evaluated. The more significant
or complex the decision, the more detailed the evaluation will be,
perhaps using several approaches.
Popular approaches to evaluating alternative strategies are SWOT
analysis,21 modeling, valuation, revenue forecast, competitor
analysis, and scenario analysis. The evaluation is typically
performed by management who have an entity-wide view of risk
and understand how strategy affects performance. That is,
management understands at the entity level how a chosen strategy
will support performance across different divisions, functions, and
geographies.
When developing alternative strategies, management makes certain
assumptions. These underlying assumptions can be sensitive to
change, and that propensity to change can greatly affect the risk
profile. Once a strategy has been chosen, and by understanding the
propensity of assumptions to change, the organization is able to
develop requisite oversight mechanisms relating to changing
assumptions.
Example 7.6 illustrates one organization’s approach for evaluating
the possibility of alternative strategies not aligning with mission and
vision and implications from the alternative strategies on the entity’s
risk profile. This example also illustrates the need to understand
competing priorities between customers, employees, and
shareholders.
Aligning Strategy with Risk Appetite
An organization should expect that the strategy it selects can be
carried out within the entity’s risk appetite; that is, strategy must
align with risk appetite. If the risk associated with a specific strategy
is inconsistent with the entity’s risk appetite or risk capacity, it needs
to be revised, an alternative strategy selected, or the risk appetite
revisited.
For instance, a sports equipment manufacturer had this strategy:
“To grow business by expanding global manufacturing locations.”
However, when it became clear that some global locations
presented risk that exceeded the manufacturer’s risk appetite, the
strategy was updated: “To grow business by expanding to global
locations within established infrastructure requirements and
governmental regulations.”
The development of risk appetite should align with the development
of strategy and business plans, otherwise it may appear that goals
and priorities are conflicting, or even creating tensions on the types
and amounts of risk reflected in decision-making.
Making Changes to Strategy
Typically, organizations hold periodic strategy-setting sessions to
outline both short-term and long-term strategies. A change in
strategy is warranted if the organization determines that the current
strategy fails to create, realize, or preserve value; or a change in
business context causes the entity to get too near the boundary of
risk it is willing to accept, or requires resources and capabilities that
are not available to the organization. Finally, developments in
business context may result in the organization no longer having a
reasonable expectation that it can achieve the strategy (see
Example 7.7).
Example 7.7: Making Changes to Strategy
A global camera manufacturer used to sell film cameras, but
as digital cameras became more popular, the company
started to experience lower sales. In response, it has
modified its strategy by adapting to a changing consumer
need and new technology. It now develops digital cameras
and mitigates the risk that its products may become
obsolete. These changes to strategy are supported by
changes to relevant business objectives and performance
targets.
Mitigating Bias
Bias always exists, but an organization should try to be unbiased—
or to mitigate any bias—when it is evaluating alternative strategies.
The first step is to identify any bias that may exist during strategy-setting.
Where such bias exists, the organization should take steps
to mitigate that bias. Bias may prevent an organization from
selecting the best strategy to both support the entity’s mission,
vision, core values, and to reflect the entity’s risk appetite.
21 SWOT is an acronym for strengths, weaknesses, opportunities, and threats. A SWOT analysis is a structured planning method that evaluates those four elements.
Principle 9: Formulates Business Objectives
The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Establishing Business Objectives
The organization develops business objectives that are specific,
measurable or observable, attainable, and relevant. Business
objectives provide the link to practices within the entity to support
the achievement of the strategy. For example, business objectives
may relate to:
• Financial performance: Maintain profitable operations for all
businesses.
• Customer aspirations: Establish customer care centers in
convenient locations for customers to access.
• Operational excellence: Negotiate competitive labor contracts to
attract and retain employees.
• Compliance obligations: Comply with applicable health and safety
laws on all work sites.
• Efficiency gains: Operate in an energy-efficient environment.
• Innovation leadership: Lead innovation in the market with frequent
new product launches.
Business objectives may cascade throughout the entity (divisions,
operating units, functions) or be applied selectively. Cascading
objectives become more detailed as they are applied progressively
from the top of the entity down. For example, financial performance
objectives are cascaded from divisional targets to individual
operating units. Alternatively, many business objectives will be
specific to an operational dimension, geography, product, or
service.
Aligning Business Objectives
Individual objectives are aligned with strategy regardless of how the
objective is structured and where it is applied. The alignment of
business objectives to strategy supports the entity in achieving its
mission and vision.
Business objectives that do not align, or only partially align, to the
strategy will not support the achievement of the mission and vision
and may introduce unnecessary risk to the risk profile of the entity.
That is, the organization may consume resources that would
otherwise be more effectively deployed in carrying out other
business objectives.
Business objectives should also align with the entity’s risk appetite.
If they do not, the organization may be accepting either too much or
too little risk. Therefore, when an organization evaluates a proposed
business objective, it must consider the potential risks that may
occur and determine the effect on the risk profile. A business
objective that results in the organization exceeding the risk appetite
may be modified or, perhaps, discarded.
If an organization finds that it cannot establish business objectives
that support the achievement of strategy while remaining within its
risk appetite or capabilities, a review of either the strategy or the risk
profile is required.
Understanding the Implications from
Chosen Business Objectives
An organization has many options when deciding on business
objectives. Consider, for example, an organization that is presented
with an opportunity to upgrade its core operating systems and
redesign its existing IT infrastructure. One option is to pursue a
business objective of identifying a suitable vendor and enter into a
third-party arrangement to develop a customized IT system.
Another option is for the organization to build its own system
internally by investing significantly in its IT capabilities and
increasing the number of personnel. Both objectives align with the
overall strategy, and therefore management must evaluate both and
determine the appropriate course of action given the potential
implications to the risk profile, resources, and capabilities of the
entity.
As is the case with setting strategy, the organization needs to have
a reasonable expectation that a business objective can be achieved
given the risk appetite or resources available to the entity. The
expectation is informed by the entity’s capabilities and resources.
Where that reasonable expectation does not exist, the organization
must choose to either exceed risk appetite, procure more resources,
or change the business objective. Depending on the significance of
the business objective to the strategy, revising the strategy may also
be warranted (see Example 7.8).
Example 7.8: Determining the Implications of a Chosen
Business Objective
As part of its five-year strategy, an agricultural producer is
looking to cultivate organic produce as a competitive
differentiator. The company analyzes the cost of transitioning
to an organic environment and determines that significant
investment will be required, which may threaten the financial
performance objectives. Given the importance of maintaining
financial performance, the organization chooses to abandon
the selected business objectives.
Categorizing Business Objectives
Many organizations will group common business objectives into
common categories. Some organizations will categorize or group
business objectives to align with specific aspects of the strategy,
such as market share, customer focus, or corporate responsibility.
Organizations may also align business objectives with various
business groups of the entity, such as operations, human resources,
or other defined functional areas. Regardless of how they are
categorized, they must align with business practices, products,
geographies, or other organizational dimensions. How an
organization categorizes its business objectives is decided by
management.
In some cases, organizations must adhere to external requirements
that set out the manner in which business objectives are
categorized for reporting purposes. For example, if an organization
is required to report on its environmental risk assessment as part of
its operating license, it will specifically include those requirements
within its business objectives and in its reporting.
Organizations need to be careful not to confuse business objectives
categories with risk categories. Risk categories relate to the shared
or common groupings of risks that potentially impact those
business objectives.
Setting Performance Measures and Targets
The organization sets targets to monitor the performance of the
entity and support the achievement of the business objectives. For
instance:
• An asset management company seeks to achieve a return on
investment (ROI) of 5% annually on its portfolio.
• A restaurant targets on-line home delivery orders to be delivered
within forty minutes.
• A call center endeavors to minimize missed calls to 2% of overall
calls received.
By setting targets, the organization is able to influence the risk
profile of the entity. An aggressive target may result in greater risk
for that business objective. For example, an organization may set
aggressive growth targets that heighten the risks in pursuing added
growth. Conversely, an organization may set a more conservative
growth target that will lower the risk of not achieving the target, but
may also result in the target no longer aligning with the achievement
of the business objective.
As another example, consider again the asset management
company from the list above that understands that an ROI of 5%
will enable the entity to achieve its financial objectives. If it strives
for a return of 7%, it would incur greater risk in performance. If it
strives for 3%, which allows for a less aggressive risk profile, it will
not achieve its broader financial objectives. (Identifying and
assessing the risks to the achievement of the business objective
and reviewing the appropriateness of the performance measures
and targets are discussed in Chapter 8.)
Example 7.9 provides a more thorough example of business
objectives considered at the entity, division, operating unit, and
function levels, along with supporting targets. The example
illustrates how business objectives increase in specificity as they
cascade throughout the entity and at all levels.
Understanding Tolerance
Closely linked to risk appetite is tolerance—the acceptable variation
in performance. It describes the range of acceptable outcomes
related to achieving a business objective within the risk appetite. It
also provides an approach for measuring whether risks to the
achievement of strategy and business objectives are acceptable or
unacceptable.
Having an understanding of the tolerance for variation in
performance enables management to enhance value to the entity.
For instance, the right boundary of acceptable variation should
generally not exceed the point where the risk profile intersects risk
appetite. But where the right boundary is below risk appetite,
management may be able to shift its targets and still be within its
overall risk appetite. The maximum point where the performance
target could be set is where the right boundary of tolerance
intersects with risk appetite (“A” in Figure 7.5).
Unlike risk appetite, which is broad, tolerance is tactical and
focused. That is, it should be expressed in measurable units
(preferably in the same units as the business objectives), be applied
to all business objectives, and be implemented throughout the
entity. In setting tolerance, the organization considers the relative
importance of each business objective and strategy. For instance,
for those objectives viewed as being highly important to achieving
the entity’s strategy, or where a strategy is highly important to the
entity’s mission and vision, the organization may wish to set a lower
range of tolerance. Tolerance focuses on objectives and
performance, not specific risks.
Operating within defined tolerance provides management with
greater confidence that the entity remains within its risk appetite
and provides a higher degree of comfort that the entity will achieve
its business objectives.
Performance Measures and Established
Tolerances
Performance measures related to a business objective help confirm
that actual performance is within an established tolerance (see
Example 7.10). Performance measures can be either quantitative or
qualitative. Tolerance also considers both exceeding and trailing
variation, sometimes referred to as positive or negative variation.
Note that exceeding and trailing variation is not always set at equal
distances from the target.
Example 7.10 Trailing Target Variation
A large beverage bottler sets a target of having no more than
five lost-time incidents in a year and sets the tolerance as
zero to seven incidents. The exceeding variation between five
and seven represents greater incidents and potential for lost
time and an increase in health and safety claims, which is a
negative result for the entity. In contrast, the trailing variation
up to five represents a benefit: fewer incidents of lost time
and fewer health and safety claims. The organization also
needs to consider the cost of striving for zero lost-time
incidents.
The amount of exceeding and trailing variation depends on several
factors. An established organization, for example, with a great deal
of experience, may move exceeding and trailing variation closer to
the target as it gains experience at managing to a lower level of
variation. The entity’s risk appetite is another factor: an entity with a
lower risk appetite may prefer to have less performance variation
compared to an entity with a greater risk appetite.
It is common for organizations to assume that exceeding variation in
performance is a benefit, and trailing variation in performance is a
risk. Exceeding a target does usually indicate efficiency or good
performance, not simply that an opportunity is being exploited. But
trailing a target does not necessarily mean failure: it depends on the
organization’s target and how variation is defined (see Example
7.11).
Organizations should also understand the relationship between cost
and tolerance so they can deal effectively with associated risk.
Typically, the narrower the tolerance, the greater amount of
resources required to operate within that level of performance.
Consider airlines, for example, which track on-time arrivals and
departures. An airline may decide to stop serving several routes
because its on-time performance does not fit within the airline’s
revised (decreased) tolerance. The airline would then need to weigh
the cost implications of forgoing service revenue to realize a
decreased variation in its performance target.
8. Performance
Principles Relating to Performance
Introduction
Creating, preserving, realizing, and minimizing the erosion of an
entity’s value is further enabled by identifying, assessing, and
responding to risk that may impact the achievement of the entity’s
strategy and business objectives. Risks originating at a
transactional level may prove to be as disruptive as those identified
at an entity level. Risks may impact one operating unit or the entity
as a whole. They may be highly correlated with factors within the
business context or with other risks. Further, risk responses may
require significant investments in infrastructure or may be accepted
as part of doing business. Because risk emanates from a variety of
sources, a range of responses is required from across the entity and
at all levels.
This component of the Framework focuses on practices that
support the organization in making decisions and achieving strategy
and business objectives. To that end, organizations use their
operating structure to develop a practice that:
• Identifies new and emerging risks so that management can deploy
risk responses in a timely manner.
• Assesses the severity of risk, with an understanding of how the
risk may change depending on the level of the entity.
• Prioritizes risks, allowing management to optimize the allocation
of resources in response to those risks.
• Identifies and selects responses to risk.
• Develops a portfolio view to enhance the ability for the
organization to articulate the amount of risk assumed in the
pursuit of strategy and entity-level business objectives.
Figure 8.1 illustrates that these practices are iterative, with the
inputs in one step of the process typically being the outputs of the
previous step. The practices are performed across all levels and
with responsibilities and accountabilities for appropriate enterprise
risk management aligned with severity of the risk.
Principle 10: Identifies Risk
The organization identifies risk that impacts the performance of strategy and business objectives.
Identifying Risk
The organization identifies new, emerging, and changing risks to the
achievement of the entity’s strategy and business objectives. It
undertakes risk identification activities to first establish an inventory
of risks, and then to confirm existing risks as being still applicable
and relevant. As enterprise risk management practices are
progressively integrated, the knowledge and awareness of risks is
kept up-to-date through normal day-to-day operations. Some
entities will supplement those activities from time to time in order to
confirm the completeness of the risk inventory. How often an
organization does this will depend on how quickly risks change or
new risks emerge. Where risks are likely to take months or years to
materialize, the frequency at which risk identification occurs will be
less than where risks are less predictable or will occur at a greater
speed.
New, emerging, and changing risks include those that:
• Arise from a change in business objectives (e.g., the entity adopts
a new strategy supported by business objectives or amends an
existing business objective).
• Arise from a change in business context (e.g., changes in
consumer preferences for environmentally friendly or organic
products that have potentially adverse impacts on the sales of the
company’s products).
• Pertain to a change in business context that may not have applied
to the entity previously (e.g., a change in regulations that results in
new obligations to the entity).
• Were previously unknown (e.g., the discovery of a susceptibility for
corrosion in raw materials used in the company’s manufacturing
operations).
• Were previously identified but have since been altered due to a
change in the business context, risk appetite, or supporting
assumptions (e.g., a positive increase in the expected sales
forecasts affecting production capacity).
Emerging risks arise when business context changes, and they may
alter the entity’s risk profile in the future. Note that emerging risks
may not be understood well enough to identify and initially assess
accurately, and may warrant re-identification more frequently.
Additionally, organizations should communicate evolving
information about emerging risks.
Identifying new and emerging risks, or changes in existing risks,
allows the organization to look to the future and gives it time to
assess the potential severity of the risks as well as to take
advantage of these changes. In turn, having time to assess the risk
allows the organization to anticipate the risk response, or to review
the entity’s strategy and business objectives as necessary.
Some risks may remain unknown—risks for which there was no
reasonable expectation that the organization would consider during
risk identi cation. These typically relate to changes in the business
context. For example, the future actions or intentions of competitors
are often unknown, but they may represent new risks to the
performance of the entity.
Organizations want to identify those risks that are likely to disrupt
operations and affect the reasonable expectation of achieving
strategy and business objectives. Such risks represent significant
change in the risk profile and may be either specific events or
evolving circumstances. The following are some examples:
• Emerging technology: Advances in technology that may affect the
relevance and longevity of existing products and services.
• Expanding role of big data and data analytics: How organizations
can effectively and efficiently access, transform, and analyze large
volumes of structured and unstructured data sources.
• Depleting natural resources: The diminishing availability and
increasing cost of natural resources that affect the supply,
demand, and location for products and services.
• Rise of virtual entities: The growing prominence of virtual entities
that influence the supply, demand, and distribution channels of
traditional market structures.
• Mobility of workforces: Mobile and remote workforces that
introduce new activities to the day-to-day operations of an entity.
• Labor shortages: The challenges of securing labor with the skills
and levels of education required by entities to support
performance.
• Shifts in lifestyle, healthcare, and demographics: The changing
habits and needs of current and future customers as populations
change.
• Political environment: Actions by a government that alter
operations of an industry in a country.
Embedded in identifying risk is identifying opportunities.22 That is,
sometimes opportunities emerge from risk. For example, changes in
demographics and aging populations may be considered as both a
risk to the current strategy of an entity and an opportunity to renew
the workforce to better pursue growth. Similarly, advances in
technology may represent a risk to distribution and service models
for retailers as well as an opportunity to change how retail
customers obtain goods (e.g., through online service). Where
opportunities are identified, they are communicated through the
organization to be considered as part of setting strategy and
business objectives.
Using a Risk Inventory
A risk inventory is simply a listing of the risks the entity faces.
Depending on the number of individual risks identified,
organizations may structure the risk inventory by category to
provide standard definitions for different risks. This allows similar
risks to be grouped together, such as financial risks, customer risks,
or compliance (or more broadly, obligation) risks. Within each
category, organizations may choose to further define risks into more
detailed sub-categories. The risk inventory can be updated to reflect
changes identi ed by management.
Figure 8.2 illustrates how risks that impact different levels of the
entity form part of the risk inventory:
• Risk 1 potentially impacts the strategy directly.
• Risk 2 impacts the entity business objectives.
• Risk 3 impacts multiple business objectives that then aggregate
and impact entity business objectives.
• Risk 4 impacts a single business objective and that also impacts
entity business objectives.
Because the impact of risks cannot be limited to specific levels or
functions, identification activities should capture all risks, and
regardless of where they are identified, all risks form part of the
entity’s risk inventory. For example, an entity that identifies risks at
the strategy level relating to board governance and achieving
diversity targets must also consider these risks at a business
objective level. Or an organization that identifies the risk of missing
a customer billing deadline at a business objective level should
consider the impact of that risk at the entity level.
To demonstrate that a comprehensive risk identification has been
carried out, management will identify risks and opportunities across
all functions and levels—those risks that are common across more
than one function, as well as those that are unique to a particular
product, service offering, jurisdiction, or other function.
Approaches to Identifying Risk
A variety of approaches are available for identifying risks. The
organization can identify risks as part of day-to-day activities such
as budgeting, business planning, performance reviews, and
meetings as considerations in the approval processes for new
products and designs and in response to customer complaints,
incidents, or financial losses. Identification activities integrated
through the entity can be supplemented by additional targeted
activities such as simple questionnaires, facilitated workshops, and
interviews. Some approaches may be enabled by technology, such
as data tracking and complex analytics.
Depending on the size, geographic footprint, and complexity of an
entity, management may use more than one technique. For
example, an entity may collect internal data on historical incidents
and losses and analyze it to identify new, emerging, and changing
risks. Additionally, the nature and type of the risk may determine the
appropriate technique. For example, management may use more
sophisticated approaches to identify risks associated with an
acquisition. Some organizations may draw on information from other
organizations in the same industry or region to inform them of
potential risks. Figure 8.3 and the list below provide information on
useful approaches for identifying different types of risks.
• Cognitive computing allows organizations to collect and analyze
large volumes of data to detect future trends and meaningful
insights in new and emerging risks as well as changes in existing
risks more efficiently than a human.
• Data tracking from past events can help predict future
occurrences. While historical data typically is used in risk
assessment—based on actual experience with severity—it can
also be used to understand interdependencies and develop
predictive and causal models. Databases developed and
maintained by third-party service providers that collect information
on incidents and losses incurred by industry or region may inform
the organization of potential risks. These are often available on a
subscription basis. In some industries, consortiums have formed
to share internal data.
• Interviews solicit the individual’s knowledge of past and potential
events. For canvassing large groups of people, questionnaires or
surveys may be used.
• Key indicators are qualitative or quantitative measures that help to
identify changes to existing risks. Risk indicators should not be
confused with performance measures, which are typically
retrospective in nature.
• Process analysis involves developing a diagram of a process to
better understand the interrelationships of its inputs, tasks,
outputs, and responsibilities. Once mapped, risks can be
identified and considered against relevant business objectives.
• Workshops bring together individuals from different functions and
levels to draw on the group’s collective knowledge and develop a
list of risks as they relate to the entity’s strategy or business
objectives.
Whatever approaches are selected, an organization considers how
changes in assumptions underpinning the strategy and business
objectives may create new or emerging risks. For example, in one
case management assumed an exchange rate on par with the local
currency for importing raw materials. The actual exchange rate,
however, declined by more than 10%, which created a new risk to
meeting overall profitability targets. Additionally, management
considered the business context—the expected economic outlook
for the entity, changing customer preferences, and anticipated
growth rates when conducting risk identification.
When identifying risks, the organization should aim to precisely
describe the risk itself, rather than other considerations of that risk,
such as the root causes of the risk, the potential impacts of the risk,
or the effect of the risk being poorly implemented. Figure 8.4
compares descriptions of these other considerations, which are less
helpful, to precise risk descriptions, which are preferred.
Precise risk identification:
• Allows the organization to more effectively manage the risk
inventory and understand its relationship to the business strategy,
objectives, and performance.
• Allows the organization to more accurately assess the severity of
the risk in the context of business objectives.
• Helps the organization identify the typical root causes and
impacts, and therefore select and deploy the most appropriate risk
responses.
• Allows the organization to understand interdependencies between
risks and across business objectives.
• Supports the aggregation of risks to produce the portfolio view.
Accordingly, organizations are encouraged to describe risks by
using a standard sentence structure. Here are two possible
approaches:
• The possibility of [describe potential occurrence or circumstance]
and the associated impacts on [describe specific business
objectives set by the organization].
− Example: The possibility of a change in foreign exchange rates
and the associated impacts on revenue.
• The risk to [describe the category set by the organization] relating
to [describe the possible occurrence or circumstance] and
[describe the related impact].
− Example: The risk to financial performance relating to a possible
change in foreign exchange rates and the impact on revenue.
Framing Risk
Prospect theory, which explores human decision-making, says that
individuals are not risk neutral; rather, a response to loss tends to be
more extreme than a response to gain. And with this comes a
tendency to misinterpret probabilities and best solution reactions.
As well, how a risk is framed—focusing on the upside (a potential
gain) or downside (a potential loss)—often will influence the
response. With that in mind, consider the importance of describing
risk with a consistent sentence structure to reduce framing bias.
Example 8.1 presents an illustration of framing.
Example 8.1: Framing
An individual is confronted with two sets of choices:
1. A sure gain of $240, or a 25% chance to gain $1,000 and a 75% chance to gain nothing.
2. A sure loss of $750, or a 75% chance to lose $1,000 and a 25% chance to lose nothing.
In the first set, most people select “a sure gain of $240,”
because that is framed in the positive. In the second set,
most people select a “75% chance to lose $1,000,” because
in this case it is the loss that is more certain. Prospect theory
holds that people do not want to put at risk what they already
have or think they can have, but they will have higher risk
tolerance when they think they can minimize losses.
22 This Framework distinguishes between positive events and opportunities. Positive events are those instances where performance exceeds the original target. Opportunities are actions or potential actions that create or alter goals or approaches for creating, preserving, and realizing value.
Principle 11: Assesses Severity of Risk
The organization assesses the severity of risk.
Assessing Risk
Risks identified and included in an entity’s risk inventory are
assessed in order to understand the severity of each to the
achievement of an entity’s strategy and business objectives. Risk
assessments inform the selection of risk responses. Given the
severity of risks identified, management decides on the resources
and capabilities to deploy in order for the risk to remain within the
entity’s risk appetite.
Assessing Severity at Different Levels of the Entity
The severity of a risk is assessed at multiple levels (across divisions,
functions, and operating units) in line with the business objectives it
may impact. It may be that risks assessed as important at the
operating unit level, for example, may be less important at a division
or entity level. At higher levels of the entity, risks are likely to have a
greater impact on reputation, brand, and trustworthiness.
Using standardized risk terminology and categories helps in the
assessment of risks at all levels of the organization. Common risks
across business units, divisions, and functions can also be grouped.
For example, the risk of technology disruptions identified by multiple
divisions may be grouped and assessed collectively. Similarly, the
risks measured at escalating levels within an entity may also be
grouped. When common risks are grouped, the severity rating may
change. Risks that are of low severity individually may become more
or less severe when considered collectively across business units or
divisions.
Figure 8.5 illustrates the risk inventory mapped to strategy and
business objectives. In a “top-down” entity-level risk assessment,
risk 4 may be assessed to have a low level of severity. In a business
unit–level assessment, risk 4 may be considered more significant
and therefore have a greater severity.
In order for risk assessment practices to be complete, a top-down
assessment considers those risks identified and assessed at lower
levels. For example, an entity-level assessment would assess entity-
level risks, but should also consider those severe risks identified at
the entity business objective level, such as risk 2, to determine if,
given their severity, they are an entity-level concern.
Figure 8.6 illustrates four common scenarios.
• In scenario 1, the organization recognizes that the risk could
impact the business objective as well as the entity-level business
objective. For example, a safety error in a manufacturing process
can, given its magnitude, impact the entity as a whole.
• In scenario 2, a risk diminishes in severity at higher levels of the
entity, indicating that it does not pose the same potential impact
to the entity as a whole. For example, a backlog in transactions
may pose a risk to the operating unit managing processing but
may not have a significant impact on the business objective
overall, and at the entity level may have little to no impact.
However, if the backlog grows, this risk could elevate to scenario
3 or even scenario 1.
• In scenario 3, two risks individually have moderate severity
assessments, but together they impact the business objectives
and entity more significantly, and therefore they are assessed as
more severe. For example, the inability to recruit employees for
common support functions such as legal expertise represents a
low risk to each operating unit but starts to impact the entity more
significantly at a business objective level as the trend could have a
detrimental impact on the ability to achieve a business objective
heavily dependent on legal expertise. Yet, at an entity level, that
risk may not be as significant given the importance of the
business objective to the strategy.
• In scenario 4, certain risks impact the entire entity. For example,
the risk of a takeover bid by competitors impacts the strategy of
the entity as a whole, but may not impact business-level
objectives individually.
Selecting Severity Measures
Management selects measures to assess the severity of risk.
Generally, these measures align to the size, nature, and complexity
of the entity and its risk appetite. Different thresholds may also be
used at varying levels of an entity for which a risk is being assessed.
The thresholds used to assess the severity of a risk are tailored to
the level of assessment—by entity or operational unit. Acceptable
amounts of risk to financial performance, for example, may be
greater at an entity level than an operating unit level.
Management determines the relative severity of various risks in
order to select an appropriate risk response, allocate resources, and
support management decision-making and performance. Measures
may include:23
• Impact: Result or effect of a risk. There may be a range of possible
impacts associated with a risk. The impact of a risk may be
positive or negative relative to the strategy or business objectives.
• Likelihood: The possibility of a risk occurring. This may be
expressed in terms of a probability or a frequency of occurrence.
Likelihood may be expressed in a variety of ways, as the following
examples show:
− Qualitative: “The possibility of a risk relating to a potential
occurrence or circumstance and the associated impacts on a
specific business objective [within the time horizon
contemplated by the business objective, e.g., twelve months] is
remote.”
− Quantitative: “The possibility of a risk relating to a potential
occurrence or circumstance and the associated impacts on a
specific business objective [within the time horizon
contemplated by the business objective, e.g., twelve months] is
80%.”
− Frequency: “The possibility of the risk relating to a potential
occurrence or circumstance and the associated impacts on a
specific business objective [within the time horizon
contemplated by the business objective, e.g., twelve months] is
once every twelve months.”
As part of the assessment process, management considers
potential combinations of likelihood and impact. For example, there
may be a low risk of operational incidents resulting in losses greater
than 20% of the entity’s revenue. At the same time, there may be a
higher likelihood of operational incidents resulting in losses of less
than 1% of the entity’s revenue. Wherever management identifies the
point at which a risk would become disruptive or would necessitate a
change in risk response, that risk is accounted for in the assessment
activities.
The time horizon used to assess risks should be the same as that
used for the related strategy and business objectives. For instance,
if the business objectives focus on a three-year time horizon,
management would consider risks within that time frame. Because
the strategy and business objectives of many entities focus on
short- to medium-term time horizons, management often focuses
on risks associated with those time frames. However, when
assessing risks of the mission, vision, or strategy, the time frame
may be longer. Management needs to be cognizant of the longer
time frames and not ignore risks that might emerge or occur further
out.
Additionally, risk emanates from multiple sources and results in
different impacts. Root causes can have a positive or negative
impact on assessment of a risk. Figure 8.7 illustrates the variety of
results that may occur from a variety of sources.
Severity measures should align with the strategy and business
objectives. Example 8.2 illustrates how an organization identifies the
risks to its business objectives and applies appropriate measures.
When different impacts are identified for a business objective,
management provides guidance on how to assess the severity of
the impact. Where multiple impacts result in different assessments
of severity or require a different risk response, management
determines if additional risks need to be identified and assessed
separately.
Assessment Approaches
Risk assessment approaches may be qualitative, quantitative, or a
combination of both.
• Qualitative assessment approaches, such as interviews,
workshops, surveys, and benchmarking, are often used when it is
neither practicable nor cost-effective to obtain sufficient data for
quantification. Qualitative assessments are more efficient to
complete; however, there are limitations in the ability to identify
correlations or perform a cost-benefit analysis.
• Quantitative assessment approaches, such as modeling, decision
trees, Monte Carlo simulations, etc., allow for increased
granularity and precision, and support a cost-benefit analysis.
Consequently, quantitative approaches are typically used in more
complex and sophisticated activities to supplement qualitative
techniques. Quantitative approaches include:
− Probabilistic models (e.g., value at risk, cash flow at risk,
operational loss distributions) that associate a range of events
and the resulting impact with the likelihood of those events
based on certain assumptions. Understanding how each risk
factor could vary and impact cash flow, for example, allows
management to better measure and manage the risk.
− Non-probabilistic models (e.g., sensitivity analysis, scenario
analysis) use subjective assumptions to estimate the impact of
events without quantifying an associated likelihood on a
business objective. For example, scenario analysis allows
management to understand the impact on a business objective of
increasing profitability under different scenarios, such as a
competitor releasing a new product, a disruption in the supply
chain, or an increase in product costs.
Depending on how complex and mature the entity is, management
may rely on a degree of judgment and expertise when conducting
the modeling. Regardless of the approach used, any assumptions
should be clearly stated.
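The combinations of likelihood and impact discussed above (a low likelihood of losses above 20% of revenue, a higher likelihood of losses below 1%) and the probabilistic models listed under quantitative approaches can both be shown with one small compound frequency/severity Monte Carlo model. The block below is an added illustration written for this page, not code or figures from the Framework: the risk statement follows the Framework's sentence structure, incident frequency is assumed to be Poisson, per-incident loss is assumed to be lognormal, and the revenue, frequency, loss size, and appetite figures are constructed assumptions stated in the code, as the text asks.

```python
import math
import random
from statistics import median

# Constructed illustration (not the Framework's own code or figures): a risk
# stated in the Framework's sentence structure, assessed with a compound
# frequency/severity Monte Carlo model. Every number below is an assumption.
RISK = ("The possibility of an operational incident and the associated "
        "impacts on annual revenue.")
ANNUAL_REVENUE = 10_000_000      # assumed revenue, used to express impacts as a fraction
INCIDENTS_PER_YEAR = 4.0         # assumed mean incident frequency (Poisson)
MEDIAN_INCIDENT_LOSS = 50_000    # assumed median loss per incident (lognormal)
LOSS_SIGMA = 1.0                 # assumed lognormal spread (gives a heavy right tail)


def poisson_count(rng, rate):
    """Draw an incident count for one year (Knuth's method; adequate for small rates)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_losses(trials, rate, median_loss, sigma, seed=2017):
    """Return one simulated annual loss per trial: the sum of that year's incident losses."""
    rng = random.Random(seed)       # fixed seed so the assessment is reproducible
    mu = math.log(median_loss)      # lognormal parameter such that exp(mu) is the median
    losses = []
    for _ in range(trials):
        n = poisson_count(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile (q in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses, revenue):
    """Severity measures: loss at confidence levels, and likelihood of impact bands."""
    n = len(losses)
    return {
        "expected_loss": sum(losses) / n,
        "median_loss": median(losses),
        "loss_at_95": percentile(losses, 95),       # value-at-risk-style measure
        "loss_at_99": percentile(losses, 99),
        # Likelihood, expressed as a probability, of the impact bands used in the text
        "p_loss_over_1pct_revenue": sum(1 for x in losses if x > 0.01 * revenue) / n,
        "p_loss_over_20pct_revenue": sum(1 for x in losses if x > 0.20 * revenue) / n,
    }


def exceeds_appetite(summary, revenue, appetite_fraction, measure="loss_at_99"):
    """True when the chosen severity measure is above the stated appetite (a fraction of revenue)."""
    return summary[measure] > appetite_fraction * revenue


if __name__ == "__main__":
    losses = simulate_annual_losses(10_000, INCIDENTS_PER_YEAR, MEDIAN_INCIDENT_LOSS, LOSS_SIGMA)
    s = summarize(losses, ANNUAL_REVENUE)
    print(RISK)
    for key, value in s.items():
        print(f"  {key:28s} {value:,.2f}")
    # Assumed appetite: the 99th-percentile annual loss must stay under 2% of revenue.
    print("  exceeds appetite (2% of revenue at 99%):",
          exceeds_appetite(s, ANNUAL_REVENUE, 0.02))
```

Run as a script it prints the expected loss, the median, the 95th- and 99th-percentile annual losses, and the two likelihood figures, then compares the 99th-percentile loss against the assumed appetite; changing the frequency or spread assumptions and re-running shows how the same risk moves between the low-likelihood/high-impact and high-likelihood/low-impact combinations the text describes.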
The anticipated severity of a risk may influence the type of approach
used. In assessing risks that could have extreme impacts,
management may use scenario analysis, but when assessing the
effects of multiple events, management might find simulations more
useful (e.g., stress testing). Conversely, high-frequency, low-impact
risks may be more suited to data tracking and cognitive computing.
To reach consensus on the severity of risk, organizations may
employ the same approach they used as part of the risk
identification.
Assessments may also be performed across the entity by different
teams. In this case, the organization establishes an approach to
review any differences in the assessment results. For example, if
one team rates particular risks as “low,” but another team rates
them as “medium,” management reviews the results to determine if
there are inconsistencies in approach, assumptions, and
perspectives of business objectives or risks.
Finally, part of risk assessment is seeking to understand the
interdependencies that may exist between risks. Interdependencies
can occur where multiple risks impact one business objective or
where one risk triggers another. Risks can occur concurrently or
sequentially. For example, for a technology innovator the delay in
launching new products results in a concurrent loss of market share
and dilution of the entity’s brand value. How management
understands interdependencies will be reflected in the assessment
of severity.
Inherent, Target, and Residual Risk
As part of the risk assessment, management considers inherent
risk, target residual risk, and actual residual risk.
• Inherent risk is the risk to an entity in the absence of any direct or
focused actions by management to alter its severity.
• Target residual risk is the amount of risk that an entity prefers to
assume in the pursuit of its strategy and business objectives,
knowing that management will implement, or has implemented,
direct or focused actions to alter the severity of the risk.
• Actual residual risk is the risk remaining after management has
taken action to alter its severity. Actual residual risk should be
equal to or less than the target residual risk. Where actual residual
risk exceeds target risk, additional actions should be identified
that allow management to alter risk severity further.
Management may identify risks for which unnecessary responses
have been deployed. Redundant risk responses are those that do
not result in a measurable change to the severity of the risk.
Removing such responses may allow management to allocate
resources put toward that response elsewhere.
Depicting Assessment Results
Assessment results are often depicted using a “heat map” or other
graphical representation to highlight the relative severity of each of
the risks to the achievement of a given strategy or business
objective. Each risk plotted on the heat map assumes a given level
of performance for that strategy or business objective.
Assessed risks for a given business objective are plotted on the
heat map using the severity measures selected by the entity for a
given level of performance. The various combinations of likelihood
and impact (severity measures), given the risk appetite, are color
coded to reflect a particular level of severity. In Figure 8.8, the entity
has four risk severity ratings ranging from red to green. The color
coding aligns to a particular severity outcome and reflects the risk
appetite of the entity. Risk-averse entities may code more squares
in red compared to risk-aggressive entities.
Figure 8.9 illustrates the risk profile for a single business objective
and a given level of performance. Should the level of performance
change, the corresponding changes in each of the risks are
captured. This may result in new risks, risks shifting in severity, or
risks being removed.
It is the risk inventory that forms the basis from which an
organization is able to construct a risk profile (as shown in Figure
8.9). Each data point on the risk curve represents the combination
and severity of risks for that business objective (as illustrated in a
disaggregated manner using the heat map in Figure 8.8).
Management may use the risk profile in its assessment to:
• Confirm that performance is within the tolerance.
• Confirm that risk is within risk appetite.
• Compare the severity of a risk at various points of the curve.
• Assess the disruption point in the curve, at which the amount of
risk greatly exceeds the appetite of the entity and may impact its
performance or the achievement of its strategy and business
objectives.
In addition, management considers how different risks may present
different impacts to the same business objective. For example, a
hardware store franchise identifies the risk of poor sales due to not
stocking a diverse product range that will appeal to a broad group
of customers. Management is also aware that changes in marketing
and advertising efforts can significantly affect sales. Focusing on the
business objective of sales, management is able to better
understand the risks that have an impact on sales. Understanding
the severity of different risks to the same business objective,
management can make risk-aware decisions about the diversity of
products in stock and the desired budget to spend on marketing
and advertising costs in order to manage the risk of low sales.
Identifying Triggers for Reassessment
The organization strives to identify triggers that will prompt a
reassessment of severity when required. Triggers are typically
changes in the business context, but may also be changes in the
risk appetite, and they serve as early-warning indicators of changes
to assumptions underpinning the severity assessment. A trigger
may be an increase in the number of customer complaints, an
adverse change in an economic index, a drop in sales, or a spike in
employee turnover. Triggers may also come from a competitor (e.g.,
competitor’s product recalled for defects).
The severity of the risks and the frequency at which severity may
change will inform how often the assessment may be triggered. For
example, risks associated with changing commodity prices may
need to be assessed daily, but risks associated with changing
demographics or market tastes for new products may need to be
assessed only annually.
Bias in Assessment
Management should identify and mitigate the effect of bias in
carrying out risk assessment practices. For example, confidence
bias may support a pre-existing perception of a known risk.
Additionally, how a risk is framed can also affect how risks are
interpreted and assessed. For example, for a given risk, there may
be a range of potential impacts, each with a separate likelihood.
Thus, a risk with a low likelihood but high impact could have the
same outcome as a high likelihood, low impact; however, one risk
may be acceptable to the organization while the other is not. As
such, the manner in which the risk is presented and framed to
management is critical to mitigate any bias.
Bias may result in the severity of a risk being under- or
overestimated, and limit how effective the selected risk response
will be. Underestimating the severity may result in an inadequate
response, leaving the entity exposed and potentially outside of the
entity’s risk appetite. Overestimating the severity of a risk may result
in resources being unnecessarily deployed in response, creating
inefficiencies in the entity. Additionally, it may hamper the
performance of the entity or affect its ability to identify new
opportunities.
23 Additional measures, including persistence, velocity, and complexity, are discussed in Principle 14.
Principle 12: Prioritizes Risks
The organization prioritizes risks as a basis
for selecting responses to risks.
Establishing the Criteria
Organizations prioritize risks in order to inform decision-making on
risk responses and optimize the allocation of resources. Given the
resources available to an entity, management must evaluate the
trade-offs between allocating resources to mitigate one risk
compared to another. The prioritization of risks, given their severity,
the importance of the corresponding business objective, and the
entity’s risk appetite helps management in its decision-making.
Priorities are determined by applying agreed-upon criteria.24
Examples of these criteria include:
• Adaptability: The capacity of an entity to adapt and respond to
risks (e.g., responding to changing demographics such as the age
of the population and the impact on business objectives relating
to product innovation).
• Complexity: The scope and nature of a risk to the entity’s success.
The interdependency of risks will typically increase their
complexity (e.g., risks of product obsolescence and low sales to a
company’s objective of being market leader in technology and
customer satisfaction).
• Velocity: The speed at which a risk impacts an entity. The velocity
may move the entity away from the acceptable variation in
performance. (e.g., the risk of disruptions due to strikes by port
and customs officers affecting the objective relating to efficient
supply chain management).
• Persistence: How long a risk impacts an entity (e.g., the
persistence of adverse media coverage and impact on sales
objectives following the identification of potential brake failures
and subsequent global car recalls).
• Recovery: The capacity of an entity to return to tolerance (e.g.,
continuing to function after a severe flood or other natural
disaster). Recovery excludes the time taken to return to tolerance,
which is considered part of persistence, not recovery.
Prioritization takes into account the severity of the risk compared to
risk appetite. Greater priority may be given to those risks likely to
approach or exceed risk appetite.
Prioritizing Risk
Risks with similar assessments of severity may be prioritized
differently. That is, two risks may both be assessed as “medium,”
but management may give one more priority because it has greater
velocity and persistence (see Example 8.3), or because the risk
response for one risk provides a higher risk-adjusted return than for
other risks of similar severity.
Example 8.3: Prioritizing Risk
For a large restaurant chain, responding to the risk that
customer complaints remain unresolved and attract adverse
attention in social media is considered a greater priority than
responding to the risk of protracted contract negotiations
with vendors and suppliers. Both risks are severe, but the
speed and scope of on-line scrutiny may have a greater
impact on the performance and reputation of the restaurant
chain, necessitating a quicker response to negative
feedback.
How a risk is prioritized typically informs the risk responses that
management considers. The most effective responses address both
severity (impact and likelihood) and prioritization of a risk (velocity,
complexity, etc.).
Risks of greater priority are more likely to be those that affect the
entity as a whole or arise at the entity level. For example, the risk
that new competitors will introduce new products and services to
the market may require greater adaptability and a review of the
entity’s strategy and business objectives in order for the entity to
remain viable and relevant.
Using Risk Appetite to Prioritize Risks
Management should also compare risk appetite when prioritizing
risks. Risks that result in the entity approaching the risk appetite for
a specific business objective are typically given higher priority (see
Example 8.4). Additionally, performance levels that approach the
outer bounds of tolerance may be given priority.
Example 8.4: Relationship of Risk Profile to Risk Appetite
A utility company’s mission is to be the most reliable
electricity provider in its region. A recent increase in the
frequency and persistence of power outages indicates that
the company is approaching its risk appetite and is less likely
to achieve its business objectives of providing reliable
service. This situation triggers a heightened priority for the
risk. A change in the priority may result in reviewing the risk
response, implementing additional responses, and allocating
more resources to reduce the likelihood of the risk breaching
the organization’s risk appetite.
Through prioritizing risks, management also recognizes that there
are risks the entity chooses to accept; that is, some are already
considered to be managed to an acceptable amount for the entity
and for which no additional risk response will be contemplated.
Prioritization at All Levels
Risk prioritization occurs at all levels of an entity, and different risks
may be assigned different priorities at different levels. For example,
high-priority risks at the operating level may be evaluated as low-
priority risks at the entity level. The organization assigns a priority at
the level at which the risk is owned and with those who are
accountable for managing it.
Organizations prioritize risks on an aggregate basis where a single
risk owner is identified or a common risk response is likely to be
applied. This allows risks to be clearly identified and described
using a standard risk category, which enables common risks to be
prioritized consistently across the entity. The result is a more
consistent and efficient risk response than would have occurred if
each risk had been prioritized separately.
Risk owners are responsible for using the assigned priority to select
and apply appropriate risk responses in the context of business
objectives and performance targets. In many cases, the risk
response owner and risk owner may be two different people, or may
be at different levels within the entity. Risk owners must have
sufficient authority to prioritize risks based on their responsibilities
and accountability for managing the risk effectively.
Bias in Prioritization
Management must strive to prioritize risks and manage competing
business objectives relating to the allocation of resources free from
bias. Competing business objectives may include securing
additional resources, achieving specific performance measures,
qualifying for personal incentives and rewards, or obtaining other
specific outcomes.
24 The criteria may also be used as a consideration when assessing the severity of a risk as discussed in Principle 11.
Principle 13: Implements Risk Responses
The organization identifies and selects risk responses.
Choosing Risk Responses
For all risks identified, management selects and deploys a risk
response. Management considers the severity and prioritization of
the risk as well as the business context and associated business
objectives. Finally, the risk response also accounts for the
performance targets of the organization. Risk responses fall within
the following categories:
• Accept: No action is taken to change the severity of the risk. This
response is appropriate when the risk to strategy and business
objectives is already within risk appetite. Risk that is outside the
entity’s risk appetite and that management seeks to accept will
generally require approval from the board or other oversight
bodies.
• Avoid: Action is taken to remove the risk, which may mean
ceasing a product line, declining to expand to a new geographical
market, or selling a division. Choosing avoidance suggests that
the organization was not able to identify a response that would
reduce the risk to an acceptable level of severity.
• Pursue: Action is taken that accepts increased risk to achieve
improved performance. This may involve adopting more
aggressive growth strategies, expanding operations, or developing
new products and services. When choosing to pursue risk,
management understands the nature and extent of any changes
required to achieve desired performance while not exceeding the
boundaries of acceptable tolerance.
• Reduce: Action is taken to reduce the severity of the risk. This
involves any of myriad everyday business decisions that reduce
risk to an amount of severity aligned with the target residual risk
profile and risk appetite.
• Share: Action is taken to reduce the severity of the risk by
transferring or otherwise sharing a portion of the risk. Common
techniques include outsourcing to specialist service providers,
purchasing insurance products, and engaging in hedging
transactions. As with the reduce response, sharing risk lowers
residual risk in alignment with risk appetite.
These categories of risk responses require that the risk be managed
within the business context, business objectives, performance
targets, and organization’s risk appetite. In some instances,
management may need to consider another course of action,
including the following:
• Review business objective: The organization chooses to review
and potentially revise the business objective given the severity of
identified risks and tolerance. This may occur when the other
categories of risk responses do not represent desired courses of
action for the entity.
• Review strategy: The organization chooses to review and
potentially revise the strategy given the severity of identified risks
and risk appetite of the entity. As with a review of business
objectives, this may occur when other categories of risk
responses do not represent desired courses of action for the
entity.
Organizations may also choose to exceed the risk appetite if the
effect of staying within the appetite is perceived to be greater than
the potential exposure from exceeding it. For example, management
may accept the risk associated with the expedited approval of a
new product in favor of the opportunity and competitive advantage
of bringing those products to market more quickly. Where an entity
repeatedly accepts risks that approach or exceed appetite as part
of its usual operations, a review and recalibration of the risk appetite
may be warranted.
Selecting and Deploying Risk Responses
Management selects and deploys risk responses while considering
the following factors:
• Business context: Risk responses are selected or tailored to the
industry, geographic footprint, regulatory environment, operating
structure, or other factors.
• Costs and benefits: Anticipated costs and benefits are generally
commensurate with the severity and prioritization of the risk.
• Obligations and expectations: Risk response addresses generally
accepted industry standards, stakeholder expectations, and
alignment with the mission and vision of the entity.
• Prioritization of risk: The priority assigned to the risk informs the
allocation of resources. Risk responses that have large
implementation costs (e.g., system upgrades, increases in
personnel) for lower-priority risks need to be carefully considered
and may not be appropriate given the assessed priority.
• Risk appetite: Risk response either brings risk within risk appetite
of the entity or maintains its current status. Management identifies
the response that brings residual risk to within the appetite. This
may be, for example, a combination of purchasing insurance and
implementing internal responses to reduce the risk to a range of
tolerance.
• Risk severity: Risk response should reflect the size, scope, and
nature of the risk and its impact on the entity. For example, in a
transaction or production environment, where risks are driven by
changes in volume, the proposed response is scaled to
accommodate increased activity.
Often, any one of several risk responses will bring the residual risk in
line with the tolerance, and sometimes a combination of responses
provides the optimum result. Conversely, sometimes one response
will affect multiple risks, in which case management may decide
that additional actions to address a particular risk are not needed.
The risk response may change the risk profile (see Example 8.5).
Once management selects a risk response, control activities²⁵ are
necessary to ensure that those risk responses are carried out as
intended. Management must recognize that risk is managed but not
eliminated. Some residual risk will always exist, not only because
resources are limited, but because of future uncertainty and
limitations inherent in all tasks.
Example 8.5: Changing Risk Profiles
A midsized fruit farmer considers purchasing weather-related
insurance for floods or storms that would offset any decline
in production below a certain minimum volume. The resulting
risk profile for production levels would account for the
potential performance outcomes covered by insurance.
Considering Costs and Benefits of Risk Responses
Management must consider the potential costs and benefits of
different risk responses. Generally, anticipated costs and benefits
are commensurate with the severity and prioritization of the risk. For
example, a high-priority risk with a greater severity may warrant
increased resource costs, given the anticipated benefits of the
response.
Cost and benefit measurements for selecting and deploying risk
responses are made with varying levels of precision. Costs
comprise direct costs, indirect costs (where practicably
measurable), and for some entities, opportunity costs associated
with the use of resources. Measuring benefits may be more
subjective, as they are usually difficult to quantify. In many cases,
however, the benefit of a risk response can be evaluated in the
context of the achievement of strategy and business objectives. In
some instances, given the importance of a strategy or business
objective, there may not be an optimal risk response from the
perspective of costs and benefits. In such instances, the
organization can either select a response or choose to revisit the
entity’s strategy and business objectives.
Management is also responsible for risk responses that address any
regulatory obligations, which again may not be optimal from the
perspective of costs and benefits, but comply with legal or other
obligations (see Example 8.6). In selecting the appropriate response,
management must consider the expectations of stakeholders such
as shareholders, regulators, and customers.
Example 8.6: Relationship of Risk Profile to Risk Appetite
An insurance company implements risk responses to address
new regulatory requirements across the insurance industry.
These responses will require the company to make additional
investments in its technology infrastructure, changes to its
current processes, and additions to its staff to assist with the
implementation to achieve its objectives relating to regulatory
compliance.
Additional Considerations
Selecting one risk response may introduce new risks that have not
been previously identified or may have unintended consequences.
For example, for the fruit farmer in Example 8.5, the risk of floods
damaging the crops was reduced by purchasing insurance;
however, the farmer may now be at risk of low cash flow.
For newly identified risks, management should assess the severity
and related priority, and determine the effectiveness of the proposed
risk response. On the other hand, selecting a risk response may
present new opportunities not previously considered. Management
may identify innovative responses, which, while fitting with the
response categories described earlier, may be entirely new to the
entity or even an industry. Such opportunities may surface when
existing risk response options reach the limit of effectiveness, and
when further refinements will likely provide only marginal changes to
the severity of a risk. Management channels any new opportunities
back to strategy-setting.
²⁵ Control activities are discussed in Internal Control—Integrated Framework.
Principle 14: Develops Portfolio View
The organization develops and evaluates a portfolio view of risk.
Understanding a Portfolio View
Enterprise risk management allows the organization to consider
potential implications to the risk profile from an entity-wide, or
portfolio, perspective. Management first considers risk as it relates
to each division, operating unit, or function. Each manager develops
a composite assessment of risks that reflects the unit’s residual risk
profile relative to its business objectives and tolerance.
A portfolio view allows management and the board to consider the
type, severity, and interdependencies of risks and how they may
affect performance. Using the portfolio view, the organization
identifies risks that are severe at the entity level. These may include
risks that arise at the entity level as well as transactional,
processing-type risks that could disrupt the entity as a whole.
With a portfolio view, management is well positioned to determine
whether the entity’s residual risk profile aligns with the overall risk
appetite. The same risk across different units may be acceptable for
the operating units, but taken together may give a different picture.
Collectively, the risk may exceed the risk appetite of the entity as a
whole, in which case additional or different risk responses are
needed. Conversely, a risk may not be acceptable in one unit, but
be well within the range in another. For example, some operating
units have higher risk than others, yet the overall risk remains within
the entity’s risk appetite. And in cases where the portfolio view
shows that risks are significantly less than the entity’s risk appetite,
management may decide to motivate individual operating unit
managers to accept greater risk in targeted areas, striving to
enhance the entity’s value.
Developing a Portfolio View
A portfolio view of risk can be developed in a variety of ways. One
method is to focus on major risk categories across operating units,
or on risk for the entity as a whole, using metrics such as
risk-adjusted capital or capital at risk. This method is particularly useful
when assessing risk against business objectives stated in terms of
earnings, growth, and other performance measures, sometimes
relative to allocated or available capital. The information derived can
prove useful in reallocating capital across operating units and
modifying strategic direction (other qualitative methods can also be
used to develop this portfolio view).
A portfolio view also may be depicted graphically indicating the
types and amount of risk assumed compared to the risk appetite of
the entity for each organizational function, strategy, and business
objective. The portfolio view in Figure 8.10 illustrates the alignment
of risks to business objectives and the relationship between
different objectives.
In developing a view of risk, there are four levels in order of
ascending level of integration (from minimal to maximum):
• Minimal Integration—Risk View: At the risk-centric view, the entity
identifies and assesses discrete risks. The predominant focus is
on the underlying risk event rather than the objective; for example,
the risk of a breach impacting compliance of the entity with local
regulations.
• Limited Integration—Risk Category View: This view uses
information captured in the risk inventory view and organizes risks
using categories or another classification scheme. Risk categories
often reflect the entity’s operating structure and inform roles and
responsibilities. A compliance department, for example, will have
responsibilities for helping the organization manage its
compliance-related risks.
• Partial Integration—Risk Profile View: Adopting a more integrated
view, an organization focuses on business objectives and the risks
that align with those objectives (e.g., all objectives potentially
impacted by compliance-related risks). Further, dependencies that
may exist between business objectives are identified and
considered. For example, an objective of enhancing operational
excellence may be a prerequisite for strengthening the balance
sheet and growing market share. This view relies on information
used to create the risk-centric or risk-category view.
• Full Integration—Portfolio View: At this level, the focus shifts to the
overall entity strategy and business objectives. Greater integration
supports identifying, assessing, responding to, and reviewing risk
at the appropriate levels for decision-making. Boards and
management focus greater attention on the achievement of
strategy while responsibility and management of business
objectives and individual risks within the risk inventory cascade
throughout the entity. Using the same example, the board reviews
and challenges management on how the entity is enhancing its
operational excellence including the management of compliance-
related risks.
In developing the portfolio view, organizations may observe risks
that:
• Increase in severity as they are progressively consolidated to
higher levels within the entity.
• Decrease in severity as they are progressively consolidated.
• Offset other risks by acting as natural hedges.
• Demonstrate a positive or negative correlation to changes
occurring in the severity of other risks.
Using Figure 8.10 as an example, an organization develops its
portfolio view and observes the following characteristics:
• Severity of technology disruptions increases as risks are
progressively aggregated, recognizing the reliance that multiple
businesses have on common operating systems and technology.
• Risk of counterparty defaults decreases in severity as the entity
does not have a single creditor considered large enough to impact
the entity as a whole.
• Risk of low sales from multiple operating units may act as a natural
hedge where low sales in one operating unit are offset by strong
sales in another.
• Risk of currency fluctuations may also act as a natural hedge
where currency changes in one country offset changes in another.
• Strong positive correlation between risk of product recalls and the
risk of compliance breaches increases the priority of risk
responses to both risks.
• Strong positive correlation between the business objectives
requires investing in best-in-class technology solutions and
minimizes losses and inefficiencies that are taken into account
when selecting associated risk responses.
Developing a portfolio view of the risks to the entity enables
risk-based decision-making and helps set performance targets and
manage changes in either the performance or the risk profile.
Important considerations in setting targets and responding to
change include understanding which risks are likely to increase or
decrease, whether new risks are introduced, and whether existing
ones become less relevant. By using a portfolio view to understand
the relationship between risk and performance, the organization can
assess the results of the strategy and business objectives in
accordance with the entity’s risk appetite.
Analyzing the Portfolio View
To evaluate the portfolio view of risk, the organization will want to
use both qualitative and quantitative techniques. Quantitative
techniques include regression modeling and other means of
statistical analysis to understand the sensitivity of the portfolio to
changes and shocks. Qualitative techniques include scenario
analysis and benchmarking.
By stressing the portfolio, management can review:
• Assumptions underpinning the assessment of the severity of risk.
• Behaviors of individual risks under stressed conditions.
• Interdependencies of risks within the portfolio view.
• Effectiveness of existing risk responses.
Undertaking stress testing, scenario analysis, or other analytical
exercises helps an organization to avoid or better respond to big
surprises and losses. The organization uses different techniques to
assess the effect of changes in the business context or other
variables on a business objective or strategy. For example, an
organization may choose to analyze the effect of a change in
interest rates on the portfolio view. Alternatively, the organization
may seek to understand the impact of multiple variables occurring
concurrently, such as changing interest rates combined with a spike
in commodity prices that affect the entity’s profitability. Finally, the
organization may choose to evaluate the impact of a large-scale
event, such as an operational incident or third-party failure. By
analyzing the effect of hypothetical changes on the portfolio view,
the organization identifies potential new, emerging, or changing
risks and evaluates the adequacy of existing risk responses.
Stress testing helps an organization understand how the shape or
height of the risk curve may respond to potential changes. For
example:
• Validation of events that could become disruptive and cause the
risk curve to exceed risk appetite (e.g., the magnitude of a
potential funding gap that impacts the viability of the business,
which would be represented by the intersection of the risk curve
with the risk appetite of the entity).
• The extent to which the risk curve may shift up or down in
response to a change (e.g., confirming to what extent changing
economic health indicators such as unemployment levels and
gross domestic product represent a sufficient deterioration in the
business context to cause the risk curve to shift up).
• Risk responses that can cause sections of the curve to become
flatter (e.g., diversifying products, entering into new financial
hedging strategies, or purchasing additional insurance).
• The ease with which the organization can move along the curve:
the speed and agility of the organization in making decisions and
travelling along the risk curve to a new desired intersection of risk
and performance (e.g., the ability and speed of adjusting
production volumes in response to changes in sales).
These practices help to assess the adaptive capacity of the entity.
They also invite management to challenge the assumptions
underpinning the selection of the entity’s strategy and assessment
of the risk pro le. As such, analysis of the portfolio view can also
form part of an organization’s evaluation in selecting a strategy or
establishing business objectives. Figure 8.11 illustrates a portfolio
view of risk.
9. Review and Revision
Principles Relating to Review and Revision
Introduction
An entity’s strategy or business objectives and enterprise risk
management practices and capabilities may change over time as
the entity adapts to shifting business context. In addition, the
business context in which the entity operates can also change,
resulting in current practices no longer applying or being sufficient to
support the achievement of current or updated business objectives.
As necessary, the organization revises its practices or supplements
its capabilities.
Principle 15: Assesses Substantial Change
The organization identifies and assesses changes that may
substantially affect strategy and business objectives.
Integrating Reviews into Business Practices
Organizations typically anticipate many changes when setting
strategy and business objectives and in performance, but they need to
also be aware of the potential for larger, substantial changes that
may occur and have a more pronounced effect. Substantial change
may lead to new or changed risks, and affect key assumptions
underpinning strategy. Practices for identifying such changes should
be built into business activities and performed continually. Many
management practices can identify substantial changes in the
ordinary course of running the business. For example, reviewing the
plan for integrating a newly acquired joint business venture may
identify the need for future enhancements of information technology.
Substantial changes such as acquiring an entity or implementing a
new system could potentially change the entity’s portfolio view of
risk or affect how enterprise risk management functions. In the case
of an acquisition, integrating the acquired company’s operations
could affect the existing culture and risk ownership. Implementing a
new system could present new exposures related to information
security, which could influence how data is captured and managed.
Organizations consider how change can affect enterprise risk
management and the achievement of strategy and business
objectives. This requires identifying internal and external
environmental changes related to the business context as well as
changes in culture. Some examples of substantial change in both
the internal and external environment are highlighted below.
Internal Environment
• Rapid growth: When operations expand quickly, existing
structures, business activities, information systems, or resources
may be affected. Information systems may not be able to
effectively meet risk information requirements because of the
increased volume of transactions. Risk oversight roles and
responsibilities may need to be redefined in light of organizational
and geographical changes due to an acquisition. Resources may
be strained to the point where existing risk responses and actions
break down. For instance, supervisors may not successfully adapt
to higher activity levels that require adding manufacturing shifts or
increasing personnel.
• Innovation: Whenever innovation is introduced, risk responses and
management actions will likely need to be modified. For instance,
introducing sales capabilities through mobile devices may require
access controls specific to that technology. Training may be
needed for users. Innovation technology may also enhance
enterprise risk management. For example, a new system of using
mobile devices that captures previously unavailable sales
information gives management the ability to monitor performance,
forecast potential sales, and make real-time inventory decisions.
• Substantial changes in leadership and personnel: A change in
management may affect enterprise risk management. A newcomer
to management may not understand the entity’s culture and may
have a different philosophy, or may focus solely on performance to
the exclusion of risk appetite or tolerance.
External Environment
• Changing regulatory or economic environment: Changes to
regulations or in the economy can result in increased competitive
pressures, changes in operating requirements, and different risks.
If a large-scale failure in operations, reporting, and compliance
occurs in one entity, regulators may introduce broad regulations
that affect all entities within an industry. For instance, if toxic
material is released in a populated or environmentally sensitive
area, new industry-wide transportation restrictions may be
introduced that affect an entity’s shipping logistics. If a publicly
traded company is seen to have poor transparency, enhanced
regulatory reporting requirements may be introduced for all public
companies. The revelation of patients being treated poorly in one
care facility may prompt additional requirements for all care
facilities. And a more competitive environment may drive
individuals to make decisions that are not aligned with the entity’s
risk appetite and increase the risk exposures to the entity. Each of
these changes may require an organization to closely examine the
design and application of its enterprise risk management.
Identifying substantial changes, evaluating their effects, and
responding to the changes are iterative processes that can affect
several components of enterprise risk management. It can be useful
to conduct a “post mortem” after a risk event to review how well the
organization responded and to consider what lessons learned could
be applied to future events.
Principle 16: Reviews Risk and Performance
The organization reviews entity performance and considers risk.
Integrating Reviews into Business Practices
Much of the focus on enterprise risk management is on managing
risk—either reducing the type and amount of risk to acceptable
levels or appropriately pursuing new opportunities as they emerge.
Over time, an entity may not conduct its practices as efficiently as
intended, thereby causing risk to manifest and affect performance.
From time to time, the organization may wish to consider its
enterprise risk management capabilities and practices.
Observations may relate to incorrect assumptions, implemented
practices, entity capabilities, or cultural factors. Sometimes,
however, performance is affected because of the inherent nature of
risk, which an organization cannot predict with complete accuracy.
By reviewing performance, organizations seek answers to questions
such as:
• Has the entity performed as expected and achieved its target?
The organization identifies variances that have occurred and
considers what may have contributed to them. This may involve
using measures relating to objectives or other key metrics. For
example, consider an entity that has committed to opening five
new office locations every year to support its longer-term growth
strategy to build a presence across the country. The organization
has determined that it could continue to achieve its strategy with
only three offices opening, and would be taking on more risk than
desired if it opened seven or more offices. The organization
therefore monitors performance and determines whether the entity
has opened the expected number of offices, and how those new
offices are performing. If the growth is below plan, the
organization may need to revisit the strategy.
• What risks are occurring that may be affecting performance?
Reviewing performance confirms whether risks were previously
identified, or whether new, emerging risks have occurred. The
organization also reviews whether the actual risk levels are within
the boundaries established for tolerance. For example, reviewing
performance helps confirm that the risk of delays due to additional
permit requirements for construction did occur and affected the
number of new offices opened, and whether the number of offices
to be opened is still within the range of acceptable performance.
• Was the entity taking enough risk to attain its target? Where an
entity has failed to meet its target, the organization needs to
determine if the failure is due to risks that are impacting the
achievement of the target or insufficient risk being taken to
support the achievement of the target. Using the same example,
suppose the entity opens only three offices. In this case,
management observes that the planning and logistics teams are
operating below capacity and that other resources set aside to
support the opening of new offices have remained unused.
Insufficient risk was taken by the entity despite having allocated
resources.
• Was the estimate of the amount of risk accurate? When risk
has not been assessed accurately, the organization asks why. To
answer that question, the organization must challenge the
understanding of the business context and the assumptions
underpinning the initial assessment. It must also determine
whether new information has become available that would help
refine the assessment. For example, suppose the example entity
opens five offices and observes that the estimated amount of risk
was too low compared to the types and amount of risk that have
occurred (e.g., more problems, delays, and unexpected events
than initially assessed).
If an organization determines that performance does not fall within
its acceptable variation, or that the target performance results in a
different risk profile than what was expected, it may need to:
• Review business objectives: An organization may choose to
change or abandon a business objective if the performance of the
entity is not achieved within acceptable variation.
• Review strategy: Should the performance of the entity result in a
substantial deviation from the expected risk profile, the
organization may choose to revise its strategy. In this case, it may
choose to reconsider alternative strategies that were previously
evaluated, or identify new strategies.
• Review culture: An organization may wish to review its culture and
determine whether it is embracing the actions in a risk-aware
manner. Is the organization comfortable taking enough risk to
succeed, or is it prone to taking too much risk and incurring
adverse outcomes?
• Revise target performance: An organization may choose to revise
the target performance level to reflect a better understanding of
the reasonableness of potential performance outcomes and the
corresponding severity of risks to the business objective.
• Reassess severity of risk results: An organization may re-do the
risk assessment for relevant risks, and results may alter based on
changes in the business context, the availability of new data or
information that enables a more accurate assessment, or
challenges to the assumptions underpinning the initial
assessment.
• Review how risks are prioritized: An organization may decide to
either raise or lower the priority of identified risks to support
reallocating resources. The change reflects a revised assessment
of the prioritization criteria previously applied.
• Revise risk responses: An organization may consider altering or
adding responses to bring risk in line with the target performance
and risk profile. For risks that are reduced in severity, an
organization may redeploy resources to other risks or business
objectives. For risks that increase in severity, the organization may
bolster responses with additional processes, people,
infrastructure, or other resources. As part of reviewing risk
responses, the organization may also consider monitoring
activities developed and implemented as part of internal control.²⁶
• Revise risk appetite: Corrective actions are typically undertaken to
maintain or restore the alignment of the risk profile with the entity’s
risk appetite, but can extend to revising it. However, this action
requires review and approval by the board or other risk oversight
body.
The extent of any corrective actions must align with the magnitude
of the deviation in performance, the importance of the business
objective, and the costs and benefits associated with altering risk
responses. Consider, for example, a small retailer that stocks a
significant portion of its inventory from local producers. The retailer
monitors the financial results of its shop on a weekly basis and
realizes locally produced goods are not sufficiently profitable to
meet its financial goals. It therefore decides to revise its business
objective of sourcing locally and begins to import less expensive
goods to improve its financial performance. The retailer also
recognizes that this change may affect other risks, such as logistics,
currency fluctuations, and time to market.
Where reviewing performance repeatedly identifies new risks that
were not identified through the organization’s risk identification
practices, or where the actual risk is inconsistent with severity
ratings, management determines whether a review of enterprise risk
management practices is warranted. A more detailed discussion on
reviewing the risk assessment practices can be found in Principle
17.
Considering Entity Capabilities
Part of reviewing performance is considering the organization’s
capabilities and their effect on performance. If performance targets
are not being met, is it because there are insufficient capabilities? If
targets are being exceeded, is it because corrective action is
required? The organization must answer these questions.
Corrective action may include reallocating resources, revising
business objectives, or exploring alternative strategies (see Example
9.1).
Example 9.1: Considering Entity Capabilities
For a local government, the economy is largely supported by
tourism. City officials understand the minimum, targeted, and
maximum levels of tourism required to support their financial
objectives. Specifically, they have determined how much
income can be generated through tourism based on metrics
such as hotel reservations and occupancy rates. They found
that an occupancy rate of 50% (its target) provides the city
with enough revenue to support its annual operating budget
and fund other programs. However, an occupancy rate
greater than 85% increases risks relating to the usage of the
public transportation system, demands for peace officer
presence, and stresses on natural resources. The city tracks
patterns in its tourism industry to make more risk-aware
decisions on the aggressiveness of its future marketing
campaigns and to actively manage risk influenced by tourism.
The entity’s capacity for resources also informs decisions for
corrective actions. For business objectives that affect the entity as a
whole, the organization may choose to revise the objective instead
of incurring the costs of deploying additional risk responses.
Whenever significant deviations from the tolerance occur, or where
performance represents a disruption to the achievement of the
entity’s strategy, the organization may revise its strategy.
²⁶ Additional information on monitoring activities is discussed in Internal Control—Integrated Framework.
Principle 17: Pursues Improvement in Enterprise Risk Management
The organization pursues improvement of enterprise risk management.
Pursuing Improvement
Even those entities with suitable enterprise risk management can
become more efficient. By embedding continual evaluations into
business practices, organizations can systematically identify
potential improvements to their enterprise risk management
practices. Separate evaluations may also be helpful.²⁷ Pursuing
improved enterprise risk management should occur throughout the
entity (see Example 9.2).
Example 9.2: Continual Improvement
A government agency learns that it has stronger practices in
place for establishing and implementing governance
capabilities and for instilling the desired culture. Conversely,
the organization’s practices for establishing and
implementing information and communications capabilities
present opportunities for improvement. While management
monitors improvement opportunities for all enterprise risk
management components, it concentrates on developing its
information and communications practices.
Management pursues continual improvement throughout the entity
(functions, operating units, divisions) to improve the efficiency and
usefulness of enterprise risk management at all levels. Opportunities
to revisit and improve efficiency and usefulness may occur in any of
the following areas:
• New technology: New technology may offer an opportunity to
improve efficiency. For example, an entity that uses customer
satisfaction data finds it voluminous to process. To improve
efficiency it implements a new data-mining technology that
pinpoints key data points quickly and accurately.
• Historical shortcomings: Reviewing performance can identify
historical shortcomings or the causes of past failures, and that
information can be used to improve enterprise risk management.
For example, management in an entity observes that there have
been shortcomings noted over time related to risk assessment.
Although management compensates for these, the organization
decides to improve its risk assessment practices to reduce the
number of shortcomings and enhance enterprise risk
management.
• Organizational change: By pursuing continual improvement, an
organization can identify the need for organizational changes such
as a change in the governance structure. For example, an
enterprise risk management function reports to the chief financial
officer, but when the entity redevelops its strategy group, it
decides to realign the responsibility for enterprise risk
management to that reorganized group.
• Risk appetite: Reviewing performance provides clarity on factors
that affect the entity’s risk appetite. It also gives management an
opportunity to refine its risk appetite. For example, management
may monitor the performance of a new product over a year and
assess the volatility of the market. If management determines that
the market is performing well and is less volatile than originally
thought, the organization can respond by increasing its risk
appetite for similar future initiatives.
• Risk categories: An organization that continually pursues
improvement can identify patterns as the business changes,
which can lead the entity to revise its risk categories. For example,
one entity’s risk categories do not include cyber risk, but now
that the entity has decided to offer several on-line products and
services, it is revising the categories to include cyber risk so it can
accurately map its strategy.
• Communications: Reviewing performance can identify outdated or
poorly functioning communication processes. For example, in
reviewing performance an organization discovers that emails are
not successfully communicating its initiatives. In response, the
organization decides to highlight initiatives through a blog and
instant message feed to appeal to its changing workforce.
• Peer comparison: Reviewing industry peers can help an
organization determine if it is operating outside of industry
performance boundaries. For example, a global package delivery
provider discovered during a peer review that its operations in
Asia were performing significantly below its major competitor.
Consequently, it is planning to review and, if necessary, revise its
strategy to increase its competitiveness and, hence, its
performance in Asia.
• Rate of change: Management considers the rate that the business
context evolves or changes. For example, an entity in an industry
where technology is quickly changing or where organizational
change happens often may have more frequent opportunities to
improve the efficiency and usefulness of enterprise risk
management, but an entity operating in an industry with a slower
rate of change in technology will likely have fewer opportunities.
27 Readers may also wish to review the discussion on monitoring activities in Internal Control–Integrated Framework.
Principle 18: Leverages Information and Technology
The organization leverages the entity’s information and technology systems to support enterprise risk management.
Putting Relevant Information to Use
Organizations leverage relevant information when they apply
enterprise risk management practices. “Relevant information” is
simply information that helps organizations be more agile in their
decision-making, giving them a competitive advantage.
Organizations use information to anticipate situations that may get
in the way of achieving strategy and business objectives. Risk
information is more than a repository of historical risk data. It needs
to support an understanding and development of a complete
current and evolving risk profile.
Organizations consider what information is available to
management, what information systems and technology are in use
for capturing that information (which may be more than is needed),
and what the costs are of obtaining that information. Management
and other personnel can then identify how information supports the
enterprise risk management practices, which may include any of the
following:
• For governance and culture-related practices, the organization
may need information on the standards of conduct and individual
performance in relation to those standards. For instance,
professional service firms have specific standards of conduct to
help maintain independent relationships with clients. Annual staff
training reinforces those standards, and management gathers
information by testing the staff’s knowledge to determine whether
they understand what is expected of them.
• For strategy and objective-setting related practices, the
organization may need information on stakeholder expectations of
risk appetite. Stakeholders such as investors and customers may
express their expectations through analyst calls, blog postings,
contract terms and conditions, etc. All of these provide relevant
information on the types and amount of risk an entity may be
willing to accept and strategy it pursues.
• For performance-related practices, organizations may need
information on their competitors to assess changes in the amount
of risk. For example, a large residential real estate company may
assess the risk of losing market share to smaller boutique firms.
The information they need is their competitors’ commission
pricing models and on-line marketing plans. If their competitors’
commission rates are low and aggressive, and their on-line
presence is widespread, the large company may review its ability
to achieve its sales targets.
• For review and revision-related practices, organizations may need
information on emerging trends in enterprise risk management.
Organizations can collect such information from attending
enterprise risk management conferences and following industry-specific blogs.
Today data is generated so fast that it is often a challenge for
management to process and refine it into usable information.
Information systems can help entities meet this challenge. However,
the focus should not be on creating a new and separate information
system or even separate streams for enterprise risk management. It
is usually more efficient for an organization to leverage its existing
information systems to capture what it needs to understand risk, to
make risk-aware decisions, and to fulfill reporting requirements.
To be useful, information must be available to decision-makers
when it is needed. It is also essential that the information be of high
quality. If the underlying data is inaccurate or incomplete,
management may not be able to make sound judgments, estimates,
or decisions.28 To maintain high-quality information, organizations
implement data management systems and establish information
management policies with clear lines of responsibility and
accountability.
Evolving Information
Data transformed into information may come from both structured
and unstructured sources. Structured data generally refers to
information that is highly organized and readily searchable (e.g.,
database files, public indexes, or spreadsheets). In contrast,
unstructured data does not follow a predefined data pattern, nor is it
organized (e.g., email messages, photos, videos, word processing
documents). Several research studies have estimated that today
unstructured data outweighs structured data by more than 80%.
Data analytics have historically relied on predefined patterns when
converting data to information. Now, advances in cognitive
computing, such as artificial intelligence,29 data mining, and
machine learning can collect, convert, and analyze large volumes of
unstructured data into information that helps organizations to make
better business decisions. These advances, combined with human
analysis, allow management greater insight. Example 10.1 illustrates
the application of unstructured information.
Example 10.1: Using Unstructured Information in
Decision-making
A consumer retailer uses artificial intelligence to attain better
information on improving the customer experience. In this
way, management is able to gather insights about consumers
through social media, such as purchasing behavior, including
historical patterns and preferences. The insights can be used
to reduce the risk of over- or understocking inventory, as they
provide management with a better view of the right inventory
levels. This improved inventory management reduces
operational and resource costs and enhances the customer
experience.
In short, advances in data analytics can help organizations avoid
“information overload” and use the huge amount of data now
available to their advantage. They may be able to detect correlations
in business performance that are not readily apparent with a more
traditional approach to data analysis. Or they may be able to identify
likely trends in performance earlier. They may even be able to more
thoroughly evaluate key assumptions embedded into a strategy,
which in turn provides added insight in decisions on alternative
strategies, business objectives, and setting of performance targets.
Having more information pertinent to decision-making also reduces
reliance on individual experience and judgment in making those
decisions.
Data Sources
Data that is transformed into information becomes knowledge (e.g.,
analysis of comments posted on social media identifies potential
risks to the entity’s brand). Therefore, data requirements should be
based on information requirements. Example 10.2 illustrates how a
company determines that it requires data in order to provide
compliance information to an external stakeholder.
Example 10.2: Determining Information Requirements
A pharmaceutical company’s strategy is to expand its market
share by developing a new drug targeted to a specific
population. To receive approval for its new product, the
organization must provide the regulators with information that
meets specific compliance requirements, such as
conclusions regarding the safety of the drug. These
conclusions rely on various data such as demographics of
the testing population, number of side effects, duration of
studies, and type of application. Data is captured from
internal patient feedback and through monitoring social
media conversations.
Data can be collected from a variety of sources and in a variety of
forms. Figure 10.1 lists examples of structured and unstructured
data.
Categorizing Risk Information
Organizations can classify the information they capture by using
common risk categories.30 These categories may be organized by
functional areas, such as internal audit, information management, or
operational risk management. They may also be based on the size,
scale, and complexity of the entity.
Using a common set of categories helps organizations aggregate
risk information to determine if there are any potential impacts from
concentrations of risk across the entity. Such a structure of
categories also helps them assess risks that could affect the entity’s
strategy and business objectives. It also serves as the basis for
developing consistent enterprise risk responses and reporting.
Managing Data
Data must be well managed to provide the right information to
support risk-aware decisions. That requires capturing and
preserving the quality of the data while allowing different
technologies to exchange and use it. Effective data management
considers three key elements: data and information governance,
processes and controls, and architecture.
• Data and information governance help to deliver standardized,
high-quality data to end users in a timely, verifiable, and secure
manner. They also help to standardize data architecture, authorize
standards, assign accountability, and maintain quality. As well,
they define clear roles and responsibilities for data owners and
risk information owners.
• Processes and controls help an entity reinforce the reliability of
data and allow for corrections to be made as needed. For
example, organizations may have a process to identify instances
and patterns of both low- and high-quality data, and whether that
data is relevant to meeting requirements. Or they may be able to
identify data consistency, redundancy, availability, and accuracy.
But managing data requires more than using processes and
controls to ensure its quality. It also involves preventing issues of
quality from occurring in the first place.
• Data management architecture refers to the fundamental design of
the technology. It is composed of models, policies, rules, or
standards that dictate which data is collected and how it is stored,
arranged, integrated, and put to use in systems and in the
organization. Organizations implement standards and provide
rules for structuring information so that the data can be reliably
read, sorted, indexed, retrieved, and shared with both internal and
external stakeholders, ultimately protecting its long-term value.
Using Technology to Support Information
Technology is often associated with information systems. Yet,
technology often involves more than processing and reporting of
data; it also can help the organization to carry out activities.
Robotics used in manufacturing, smart appliances that manage
energy use in residential and commercial buildings, and wearable
technology are all examples of how technology can help an
organization manage specific risks. Example 10.3 illustrates how
technology is helping to both manage the risk and capture
information that aids in decision-making.
Example 10.3: Information Systems
A healthcare organization has been challenged to find ways
to reduce the incidents of seniors missing doses of
prescription medicines. Missing prescribed dosages can
reduce the benefits of the drugs and increase health risks to
the patient. In response, the company has distributed
wearable technology to patients that identifies cases of them
missing a dose and tracks the general health of each patient.
This information is reported to the healthcare provider.
However, technology can also introduce new risks to an entity,
which can be critical to achieving strategy and business objectives.
The decision on what technology to implement depends on many
factors, including organizational goals, marketplace needs,
competitive requirements, and the associated costs and benefits.
An organization uses these factors to balance the benefits of
obtaining and managing information against the costs of selecting
or developing supporting technologies.
Changing Requirements
Management leverages and designs its technology to meet a broad
range of requirements, including those due to internal and external
changes. As entities respond to changes in the business context in
which they operate and adapt their strategy and business
objectives, they must also review their technologies. For instance,
shifting customer expectations may require organizations to change
their technology to allow for more timely information gathering and
more active reviewing of comments on social media.
28 Further discussion on information quality is available in Internal Control–Integrated Framework, specifically Principle 13.
29 Artificial intelligence can be defined as the theory and development of computer systems that perform tasks normally requiring human intelligence, such as speech recognition, decision-making, and visual perception.
30 Some organizations refer to these common risk categories as a “risk taxonomy.”
Principle 19: Communicates Risk Information
The organization uses communication channels to support enterprise risk management.
Communicating with Stakeholders
Various channels are available to the organization for
communicating risk data and information to internal and external
stakeholders. These channels enable organizations to provide
relevant information for use in decision-making.
Internally, management communicates the entity’s strategy and
business objectives clearly throughout the organization so that all
personnel at all levels understand their individual roles. Specifically,
communication channels enable management to convey:
• The importance, relevance, and value of enterprise risk
management.
• The characteristics, desired behaviors, and core values that define
the culture of the entity.
• The strategy and business objectives of the entity.
• The risk appetite and tolerance.
• The overarching expectations of management and personnel in
relation to enterprise risk and performance management.
• The expectations of the organization on any important matters
relating to enterprise risk management, including instances of
weakness, deterioration, or non-adherence.
Management also communicates information about the entity’s
strategy and business objectives to shareholders and other external
parties. Enterprise risk management is a key topic in these
communications so that external stakeholders not only understand
the performance against strategy but the actions consciously taken
to achieve it. External communication may include holding quarterly
analyst meetings to discuss performance.
An entity with open communication channels can also be on the
receiving end of information from external stakeholders. For
example, customers and suppliers can provide input on the design
or quality of products or services, enabling the organization to
address evolving customer demands or preferences. Or inquiries
from environmental groups about sustainability approaches could
provide an organization with insight into leading approaches or
identify potential risks to its reputation. This information may come
through email communications, public forums, blogs, hotlines, or
other channels.
Communicating with the Board
Effective communication between the board of directors and
management is critical for organizations to achieve the strategy and
business objectives and to seize opportunities within the business
environment. Communicating about risk starts by de ning risk
responsibilities clearly: who needs to know what and when they
need to act. Organizations should examine their governance
structure to ensure that responsibilities are clearly allocated and
de ned at the board and management levels and that the structure
supports the desired risk dialogue. The board’s responsibility is to
provide oversight and ensure the appropriate measures are in place
so that management can identify, assess, prioritize, and respond to
risk (see Example 10.4).
Example 10.4: Communicating with the Board
A company aiming to improve risk communication chose to
revise its governance structure by elevating its chief risk
officer position to ensure risk was integrated into all
discussions of business strategy. Risk issues are now
discussed by the full board. The company found that bringing
risk out of a board committee and embedding enterprise risk
management responsibilities into the management team
better integrated risk and strategy discussions and increased
clarity about risk.
To communicate effectively, the board of directors and management
must have a shared understanding of risk and its relationship to
strategy and business objectives. In addition, directors need to
develop a deep understanding of the business, value drivers, cost
drivers, and strategy and associated risks. Many board members
use on-site visits as a communication channel to engage with
management and personnel to understand operations and
management.
Board and management continually discuss risk appetite. As part of
its oversight role, the board ensures that communications regarding
risk appetite remain open. It may do this by holding formal quarterly
board meetings, and by calling extraordinary meetings to address
specific events, such as cyber terrorism, CEO succession, or
mergers. The board and management can use the risk appetite
statement as a touchstone, allowing them to identify those risks that
are on or off strategy, monitor the entity’s risk pro le, and track the
effectiveness of enterprise risk management programs. Given the
strong link to strategy, the risk appetite statement should be
reviewed as strategy and business objectives evolve.
Management provides any information that helps the board fulfill its
oversight responsibilities concerning risk. There is no single correct
method for communicating with the board, but the following list
offers some common approaches:
• Address risks as determined by the entity’s strategy and business
objectives.
• Capture and align information at a level that is consistent with
directors’ risk oversight responsibilities and with the level of
information determined necessary by the board.
• Ensure reports present the entity’s risk pro le as aligned with its
risk appetite statement, and link reported risk information to
policies for exposure and tolerances.
• Capture instances where current performance levels are
approaching the tolerance of acceptable variation in performance
and the plans in place to manage performance.
• Provide a longitudinal perspective of risk exposures including
historical data, explanations of trends, and forward-looking
information explained in relation to current positions.
• Update at a frequency consistent with the pace of risk evolution
and severity of risk.
• Use standardized templates to support consistent presentation
and structure of risk information over time.
Management should not underplay the importance of qualitative
open communications with the board. A dynamic and constructive
risk dialogue must exist between management and the board,
including a willingness to challenge any assumptions underlying the
strategy and business objectives. Boards can foster an environment
in which management feels comfortable bringing risk information to
the board even if they do not yet have a defined response for that
risk either planned or in place. Management may be uncomfortable
discussing emerging risks with the board at a time when the severity
of these risks is often unclear. By being open to conversations
where there is not yet a final resolution, the board can encourage
management to provide more timely and insightful dialogue, rather
than waiting for these risks to evolve within the entity.
Methods of Communicating
For information to be received as intended, it must be
communicated clearly. To be sure communication methods are
working, organizations should periodically evaluate them. This can
be done through existing processes such as stating expectations for
enterprise risk management in employee performance goals and
subsequent periodic performance evaluations.
Communication methods vary widely, from holding face-to-face
meetings, to posting messages on the entity’s intranet, to
announcing a new product at an industry convention, to
broadcasting to shareholders globally through social media and
newswires.
Communication methods can take the form of:
• Electronic messages (e.g., emails, social media, text messages,
instant messaging).
• External/third-party materials (e.g., industry, trade, and
professional journals, media reports, peer company websites, key
internal and external indexes).
• Informal/verbal communications (e.g., one-on-one discussions,
meetings).
• Public events (e.g., roadshows, town hall meetings,
industry/technical conferences).
• Training and seminars (e.g., live or on-line training, webcast and
other video forms, workshops).
• Written internal documents (e.g., briefing documents, dashboards,
performance evaluations, presentations, questionnaires and
surveys, policies and procedures, FAQs).
In addition to the list above, separate lines of communication are
needed when normal channels are inoperative or insufficient for
communicating matters requiring heightened attention. Many
organizations provide a means to communicate anonymously to the
board of directors or a board delegate—such as a whistle-blower
hotline. Many organizations also establish escalation protocols and
policies to facilitate communication when there are exceptions to the
standards of conduct or when inappropriate behaviors occur.
Principle 20: Reports on Risk, Culture, and Performance
The organization reports on risk, culture, and performance at multiple levels and across the entity.
Identifying Report Users and Their Roles
Reporting helps personnel at all levels understand the
relationships between risk, culture, and performance and improve
decision-making in strategy- and objective-setting, governance, and
day-to-day operations. Reporting requirements depend on the
needs of the report user. Report users may include:
• Management and the board of directors with responsibility for
governance and oversight of the entity.
• Risk owners accountable for the effective management of
identified risks.
• Assurance providers who seek insight into performance of the
entity and effectiveness of risk responses.
• External stakeholders (regulators, rating agencies, community
groups, and others).
• Other parties that require reporting of risk in order to fulfill their
roles and responsibilities.
It is also important to understand the governance and operating
structures of respective report users. Each report user will require
different levels of detail of risk and performance information in order
to fulfill their responsibilities in the entity. Reporting must also make
clear the interrelationships between users, and the related effect
across the entity.
Risk information presented at different levels cascades down into
the entity and flows up to support higher levels of reporting. For
example, reports to the board support decisions on risk appetite
and company strategy. Reports to senior management present a
more granular level and support decisions on strategy-setting and
budgeting, as well as decisions at the divisional and/or functional
level. The next layer of reporting is even more granular and supports
divisional and functional leaders in planning, budgeting, and day-to-
day operations. This level of reporting should align with senior
management reporting and board reporting. At higher levels, risk
reporting encapsulates the portfolio view.
Risk reporting may be done by any team within the operating
structure. Teams prepare reports, disclosing information in
accordance with their risk management responsibilities. For
example, teams may prepare risk information as part of financial
and budget planning submissions to support requests for
additional resources to maintain the risk profile or prevent it from
deteriorating.
Reporting Attributes
Reporting combines quantitative and qualitative risk information,
and the presentation can range from being fairly simple to more
complex depending on the size, type, and complexity of the entity.
Risk information supports management in decision-making, but
management must still exercise judgment in light of the business
objectives and the business context.
In reporting, history can relay meaningful, useful information, but an
emphasis on being forward-looking is of more benefit. Knowing the
end-to-end processes taken to fulfill an entity’s mission and vision,
as well as the business environment in which the entity operates,
can help management connect historical information to potential
early-warning information. Early-warning analytics of key trends,
emerging risks, and shifts in performance may require both internal
and external information.
Types of Reporting
Risk reporting may include any or all of the following:
• Portfolio view of risk outlines the severity of the risks at the entity
level that may impact the achievement of strategy and business
objectives. The reporting of the portfolio view highlights the
greatest risks to the entity, interdependencies between specific
risks, and opportunities. The portfolio view of risk is typically
found in management and board reporting.
• Profile view of risk, similar to the portfolio view, outlines the
severity of risks, but focuses on different levels within the entity.
For example, the risk pro le of a division or operating unit may
feature in designated risk reporting for management or those
areas of the entity.
• Analysis of root causes enables users to understand assumptions
and changes underpinning the portfolio and profile views of risk.
• Sensitivity analysis measures the sensitivity of changes in key
assumptions embedded in strategy and the potential effect on
strategy and business objectives.
• Analysis of new, emerging, and changing risks provides the
forward-looking view to anticipate changes to the risk inventory,
effects on resource requirements and allocation, and the
anticipated performance of the entity.
• Key performance indicators and measures outline the tolerance of
the entity and potential risk to a strategy or business objective.
• Trend analysis demonstrates movements and changes in the
portfolio view of risk, risk profile, and performance of the entity.
• Disclosure of incidents, breaches, and losses provides insight into
effectiveness of risk responses.
• Tracking enterprise risk management plans and initiatives provides
a summary of the plan and initiatives in establishing or maintaining
enterprise risk management practices. Investment in resources,
and the urgency by which initiatives are completed, may also
reflect the commitment to enterprise risk management and culture
by organizational leaders in responding to risks.
Risk reporting is supplemented by commentary and analysis by
subject matter experts. For example, compliance, legal, and
technology experts often provide commentary and analysis on the
severity of risk, effectiveness of risk responses, drivers for changes
in trend analysis, and industry developments and opportunities the
entity may have.
Reporting Risk to the Board
At the board level, there is likely to be both formal reporting and
informal information sharing. For example, the board may have
informal discussions about the possibility of strategy and
implications of alternative strategies while using risk profiles and
other analyses to support the discussions. Formal reporting plays a
more integral role when the board exercises other responsibilities
including considering the risks to executing strategy, reviewing risk
appetite, or overseeing enterprise risk management practices
deployed by management.
There are a number of ways management may report to a board,
but it is critical that the focus of reporting be the link between
strategy, business objectives, risk, and performance. Reporting to
the board is the highest level of reporting and will include the
portfolio view. Reporting to the board should foster discussions of
the performance of the entity in meeting its strategy and business
objectives and impact of potential risk in meeting those objectives.
Reporting on Culture
An entity’s culture is grounded in behavior and attitudes, and
measuring it is often a very complex task. Reporting on culture may
be embodied in:
• Analytics of cultural trends.
• Benchmarking to other entities or standards.
• Compensation schemes and the potential influence on decision-making.
• “Lessons learned” analyses.
• Reviews of behavioral trends.
• Surveys of risk attitudes and risk awareness.
Key Indicators
Key indicators are used to predict a risk manifesting. They are
usually quantitative, but can be qualitative. Key indicators are
reported to the levels of the entity that are in the best position to
manage the onset of a risk where necessary. They should be
reported in tandem with key performance indicators to demonstrate
the interrelationship between risk and performance. Key indicators
support a proactive approach to performance management (see
Example 10.5).
Example 10.5: Using Key Indicators
A government agency wants to retain competent individuals.
The business objective that supports retaining competent
individuals has as a target maintaining turnover rates at less
than 5% per year. A key indicator would be the percentage of
personnel eligible to retire within five years; anything higher
than 5% indicates that the risk to the target is potentially
manifesting. A key performance indicator is the actual
turnover rate. Key performance indicators are based on
historical performance, and while understanding historical
performance can establish baselines, the turnover rate trending
upwards would not necessarily identify a risk manifesting until
the target has already been affected.
Key indicators and key performance indicators can be reflected in a
single measure. For example, in a manufacturing company,
production volumes and the thresholds around them can be viewed
through a risk lens. Production volumes above the target can be
seen as potential risks to quality, and production volumes below the
target can suggest potential risk such as supplier delays, labor
shortages, or equipment downtime.
Key indicators are reported along with corresponding targets and
acceptable variations. Knowing where an entity lies on the culture
spectrum, whether risk averse or risk aggressive, will help determine
the key indicators and key performance indicators that are tracked
as well as the acceptable variation in performance.
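The following is an added worked example and not material from the Framework. It models a key indicator and a key performance indicator, each with a target and an acceptable variation (tolerance), checks readings against the band on the side that represents risk, and reports the pair in tandem. The step the text does not spell out is how a key indicator earns the label "predictive": here the last few readings are extrapolated to estimate how many reporting periods remain before the limit is crossed, so the indicator can be acted on while the KPI is still inside its band. The indicator names, targets, tolerances and reading histories are constructed for illustration and are not values from the Framework.

```python
# Added illustration of key indicators vs KPIs checked against a target and
# an acceptable variation.  All names and numbers below are constructed.
from dataclasses import dataclass
from enum import Enum
from math import ceil
from typing import Dict, List, Optional, Sequence


class Direction(Enum):
    """Which side of the target represents risk for an indicator."""
    ABOVE_IS_RISK = "above"
    BELOW_IS_RISK = "below"
    TWO_SIDED = "two_sided"   # e.g. production volume: too high or too low


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str            # "key_indicator" (predictive) or "kpi" (historical)
    target: float
    tolerance: float     # acceptable variation from the target, same units
    direction: Direction

    @property
    def upper(self) -> float:
        return self.target + self.tolerance

    @property
    def lower(self) -> float:
        return self.target - self.tolerance


@dataclass(frozen=True)
class Assessment:
    name: str
    kind: str
    value: float
    deviation: float                  # value minus target
    within_tolerance: bool
    periods_to_breach: Optional[int]  # None: not trending toward a limit


def within_tolerance(ind: Indicator, value: float) -> bool:
    """True when the reading is inside the acceptable variation on the
    side(s) that count as risk for this indicator."""
    dev = value - ind.target
    if ind.direction is Direction.ABOVE_IS_RISK:
        return dev <= ind.tolerance
    if ind.direction is Direction.BELOW_IS_RISK:
        return dev >= -ind.tolerance
    return abs(dev) <= ind.tolerance


def periods_to_breach(ind: Indicator, history: Sequence[float],
                      window: int = 3) -> Optional[int]:
    """Extrapolate the average change over the last `window` readings and
    return how many future periods remain until the relevant limit is
    crossed. 0 = already outside tolerance; None = not trending toward it."""
    pts = list(history[-window:])
    if len(pts) < 2:
        return None
    if not within_tolerance(ind, pts[-1]):
        return 0
    slope = (pts[-1] - pts[0]) / (len(pts) - 1)
    last = pts[-1]
    rising_matters = ind.direction in (Direction.ABOVE_IS_RISK, Direction.TWO_SIDED)
    falling_matters = ind.direction in (Direction.BELOW_IS_RISK, Direction.TWO_SIDED)
    if slope > 0 and rising_matters:
        return max(1, ceil((ind.upper - last) / slope))
    if slope < 0 and falling_matters:
        return max(1, ceil((ind.lower - last) / slope))
    return None


def assess(ind: Indicator, history: Sequence[float]) -> Assessment:
    value = history[-1]
    return Assessment(ind.name, ind.kind, value, value - ind.target,
                      within_tolerance(ind, value), periods_to_breach(ind, history))


def report(pairs) -> List[Dict[str, Assessment]]:
    """One entry per (key indicator, KPI) pair so the two are read together."""
    return [{"key_indicator": assess(ki, ki_hist), "kpi": assess(kpi, kpi_hist)}
            for ki, ki_hist, kpi, kpi_hist in pairs]


# Constructed sample data (illustrative thresholds, not the Framework's numbers).
# Agency example: key indicator limit is 5% of staff eligible to retire within
# five years (target 3% plus 2% tolerance); the KPI is annual turnover, also
# capped at 5%.  Manufacturing example: volume above or below target is a risk.
RETIRE_ELIGIBLE = Indicator("personnel_eligible_to_retire_pct", "key_indicator",
                            target=3.0, tolerance=2.0, direction=Direction.ABOVE_IS_RISK)
TURNOVER = Indicator("annual_turnover_pct", "kpi",
                     target=3.0, tolerance=2.0, direction=Direction.ABOVE_IS_RISK)
PRODUCTION = Indicator("production_volume_units", "key_indicator",
                       target=1000.0, tolerance=50.0, direction=Direction.TWO_SIDED)
RETIRE_HISTORY = [3.5, 4.2, 4.8]             # inside the band but rising fast
TURNOVER_HISTORY = [2.1, 2.4, 2.6]           # lagging measure, inside the band
PRODUCTION_HISTORY = [1010.0, 990.0, 940.0]  # already below the lower limit

if __name__ == "__main__":
    for row in report([(RETIRE_ELIGIBLE, RETIRE_HISTORY, TURNOVER, TURNOVER_HISTORY)]):
        for a in row.values():
            print(f"{a.kind:14} {a.name:34} value={a.value:7.1f} "
                  f"within={a.within_tolerance} periods_to_breach={a.periods_to_breach}")
    print(assess(PRODUCTION, PRODUCTION_HISTORY))
```

Run as a script, the agency pair shows both indicators inside their bands while the key indicator is one period from its limit and the KPI is ten, which is the distinction the text draws between a predictive indicator and a historical one. The two-sided production indicator is flagged on either side of its target, as in the manufacturing example above; a one-sided indicator is only flagged on the side that represents risk.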
Reporting Frequency and Quality
Management works closely with those who will use reports to
identify what information is required, how often they need the
reports, and their preferences in how reports are presented.
Management is responsible for implementing appropriate controls
so that reporting is accurate, clear, and complete.
The frequency of reporting should be commensurate with the
severity and priority of the risk. Reporting should enable
management to determine the types and amount of risk assumed
by the organization, its ongoing appropriateness, and the suitability
of existing risk responses. For example, changes in stock prices, or
competitor pricing in the hospitality or airline industries, may be
reported on daily, commensurate with the potential changes in risk.
In contrast, reporting on the risks emanating from an organization’s
progress toward long-term strategic projects and initiatives may be
monthly or quarterly.
Glossary of Key Terms
• Business Context: The trends, events, relationships and other
factors that may influence, clarify, or change an entity’s current
and future strategy and business objectives.
• Business Objectives: Those measurable steps the organization
takes to achieve its strategy.
• Core Values: The entity’s beliefs and ideals about what is good or
bad, acceptable or unacceptable, which influence the behavior of
the organization.
• Culture: The attitudes, behaviors, and understanding about risk,
both positive and negative, that influence the decisions of
management and personnel and reflect the mission, vision, and
core values of the organization.
• Data: Raw facts that can be collected together to be analyzed,
used, or referenced.
• Enterprise Risk Management: The culture, capabilities, and
practices, integrated with strategy-setting and its performance,
that organizations rely on to manage risk in creating, preserving,
and realizing value.
• Entity: Any form of for-profit, not-for-profit, or governmental body.
An entity may be publicly listed, privately owned, owned through a
cooperative structure, or any other legal structure.
• External Environment: Anything outside of the entity that
influences the ability to achieve strategy and business objectives.
• External Stakeholders: Any parties not directly engaged in the
entity’s operations but who are affected by the entity, directly
influence the entity’s business environment, or influence the
entity’s reputation, brand, and trust.
• Event: An occurrence or set of occurrences.
• Framework: The five components consisting of (1) Governance
and Culture; (2) Strategy and Objective-Setting; (3) Performance;
(4) Review and Revision; and (5) Information, Communication, and
Reporting.
• Impact: The result or effect of a risk. There may be a range of
possible impacts associated with a risk. The impact of a risk may
be positive or negative relative to the entity’s strategy or business
objectives.
• Information: Processed, organized, and structured data
concerning a particular fact or circumstance.
• Internal Control: A process, effected by an entity’s board of
directors, management, and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance. (For more
discussion, see Internal Control—Integrated Framework.)
• Internal Environment: Anything inside of the entity that influences
the ability to achieve strategy and business objectives.
• Internal Stakeholders: Parties working within the entity such as
employees, management, and the board.
• Likelihood: The possibility that a given event will occur.
• Mission: The entity’s core purpose, which establishes what it
wants to accomplish and why it exists.
• Operating Structure: The way the entity organizes and carries out
its day-to-day operations.
• Opportunity: An action or potential action that creates or alters
goals or approaches for creating, preserving, and realizing value.
• Organization: The term used to collectively describe the board of
directors, management, and other personnel of an entity.
• Organizational Sustainability: The ability of an entity to
withstand the impact of large-scale events.
• Performance Management: The measurement of efforts to
achieve or exceed the strategy and business objectives.
• Portfolio View: A composite view of risk the entity faces, which
positions management and the board to consider the types,
severity, and interdependencies of risks and how they may affect
the entity’s performance relative to its strategy and business
objectives.
• Practices: The methods and approaches deployed within an
entity relating to managing risk.
• Reasonable Expectation: The amount of risk of achieving
strategy and business objectives that is appropriate for an entity,
recognizing that no one can predict risk with precision.
• Risk: The possibility that events will occur and affect the
achievement of strategy and business objectives. NOTE: “Risks”
(plural) refers to one or more potential events that may affect the
achievement of objectives. “Risk” (singular) refers to all potential
events collectively that may affect the achievement of objectives.
• Risk Appetite: The types and amount of risk, on a broad level, an
organization is willing to accept in pursuit of value.
• Risk Capacity: The maximum amount of risk that an entity is able
to absorb in the pursuit of strategy and business objectives.
• Risk Inventory: All risks that could impact an entity.
• Risk Profile: A composite view of the risk assumed at a particular
level of the entity, or aspect of the business that positions
management to consider the types, severity, and
interdependencies of risks, and how they may affect performance
relative to the strategy and business objectives.
• Severity: A measurement of considerations such as the likelihood
and impact of events or the time it takes to recover from events.
• Stakeholders: Parties that have a genuine or vested interest in
the entity.
• Strategy: The organization’s plan to achieve its mission and vision
and apply its core values.
• Tolerance: The boundaries of acceptable variation in performance
related to achieving business objectives.
• Uncertainty: The state of not knowing how or if potential events
may manifest.
• Vision: The entity’s aspirations for its future state or what the
organization aims to achieve over time.
Appendices
Committee of Sponsoring Organizations of the Treadway Commission
Board Members
• Robert B. Hirth Jr., COSO Chair
• Richard F. Chambers, The Institute of Internal Auditors
• Mitchell A. Danaher, Financial Executives International
• Charles E. Landes, American Institute of Certified Public Accountants
• Douglas F. Prawitt, American Accounting Association
• Sandra Richtermeyer, Institute of Management Accountants
PwC—Author
Principal Contributors
• Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
• Dennis L. Chesley, Project Lead Partner, Global and APA Risk and Regulatory Leader, Washington DC, USA
• Frank J. Martens, Project Lead Director, Global Risk Framework and Methodology Leader, British Columbia, Canada
• Matthew Bagin, Director, Washington DC, USA
• Hélène Katz, Director, New York, USA
• Katie T. Sylvis, Director, Washington DC, USA
• Sallie Jo Perraglia, Manager, New York, USA
• Kathleen Crader Zelnik, Manager, Washington DC, USA
• Maria Grimshaw, Senior Associate, New York, USA
break
Acknowledgments
The COSO Board and PwC gratefully acknowledge the many
individuals who gave their time and energy by participating in and
contributing to various aspects of the project. The COSO Board and
PwC also recognize the considerable efforts of the COSO
organizations and their members who responded to surveys,
participated in workshops and meetings, and provided comments
and feedback throughout the development of this framework.
Advisory Council
• Douglas J. Anderson, The Institute of Internal Auditors, Managing Director of CAE Solutions
• Mark Beasley, North Carolina State University, Deloitte Professor of Enterprise Risk Management and Director, ERM Initiative
• Margaret Boissoneau, United Technologies Corporation, PMO Liaison
• Anthony J. Carmello, Ernst & Young, Partner, Advisory Services
• Suzanne Christensen, Invesco Ltd., Head of Enterprise Risk
• James Davenport, Zurich Insurance Company, Global Head of Risk and Control
• James DeLoach, Protiviti Inc., Managing Director
• Karen Hardy, US Department of Commerce, Deputy Director for Risk Management
• David J. Heller, Edison International, VP Enterprise Risk Management & General Auditor
• Bailey Jordan, Grant Thornton LLP, Partner, Advisory Services
• Jane Karli, Athene USA, Director of Investment Operations
• James Lam, James Lam & Associates, President
• David Landsittel, Former COSO Chair
• Lee Marks, First Data Corporation, Enterprise Risk Management
• Deon Minnaar, KPMG LLP, Americas Lead Partner for ERM/GRC
• Jeff Pratt, Microsoft, General Manager, ERM
• Henry Ristuccia, Deloitte & Touche LLP, Partner, Global Leader - GRC
• Paul Sobel, Georgia-Pacific LLC, Vice President/Chief Audit Executive
• Patrick Stroh, Mercury Business Advisors Inc., President
• Paul Walker, St. John’s University, Tobin College of Business, James J. Schiro / Zurich Chair in Enterprise Risk Management
• William Watts, Crowe Horwath LLP, Partner in Charge, Business Risk Services
Observers
• Jennifer Bayuk, Citi, Managing Director, Representing International Systems Audit & Controls Association, ISACA
• James Dalkin, Government Accountability Office, Director in the Financial Management and Assurance Team
• Carol Fox, RIMS, the Risk Management Society, Director, Strategic and Enterprise Risk
• Harrison Greene, Federal Deposit Insurance Corporation, Assistant Chief Accountant
• Horst Kreisel, Institut der Wirtschaftsprüfer, Director of Project Management
• Jeff Thompson, Institute of Management Accountants, President and CEO
• Vincent Tophoff, International Federation of Accountants, Senior Technical Manager
Additional PwC Partners, Principals, and Staff
• Julie Bogas, Partner, USA
• Lillian Borsa, Principal, USA
• Angela Calapa, Director, USA
• Juan Carlos Simon, Partner, Mexico
• Rick Crethar, Partner, Australia
• Symon Dawson, Partner, UK
• David Fisher, Principal, USA
• Tobias Flath, Senior Manager, Germany
• Peter Frank, Principal, USA
• Dimitriy Goloborodskiy, Partner, USA
• Rob Gormly, Principal, USA
• Carmen Le Grange, Partner, South Africa
• Christof Menzies, Partner, Germany
• Gonzalo Nunez, Partner, Mexico
• Jason Pett, Partner, USA
• Marcel Prinsenberg, Managing Director, Netherlands
• Jerri Ribeiro, Partner, Brazil
• Jonathan Riva, Partner, Canada
• Nicole Salimbeni, Partner, Australia
• David Sapin, Principal, USA
• Manuel Seiferth, Manager, Germany
• Dietmar Serbee, Principal, USA
• Laurie Schive, Director, USA
• Stephen Soske, Partner, USA
• Christina Stecker, Partner, Germany
• Olivier Sueur, Director, Netherlands
• Kuntal Sur, Partner, India
• Alywin Teh, Partner, Singapore
• Steven van Agt, Director, Netherlands
• Kosta Weber, Managing Director, Netherlands
• Andrew Wilson, Partner, Australia
• Stephen Zawoyski, Partner, USA
Additional Contributors
PwC also wishes to thank Geoffrey Albutt, Catherine Jordan, Mark Tan, Armando
Urunuela, and Karen Vitale for their contributions to the development of the
Framework.
Table of Contents
A. Project Background and Approach for Revising the Framework
B. Summary of Public Comment
C. Roles and Responsibilities for Enterprise Risk Management
D. Risk Profile Illustrations
A. Project Background and
Approach for Revising the
Framework
Project Background
In October 2014, the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) announced that it would be
reviewing and updating the 2004 Enterprise Risk Management–
Integrated Framework (original Framework). The original Framework
is widely accepted and used by management and boards to
enhance an organization’s ability to manage uncertainty and to
consider how much risk to accept as they strive to increase
stakeholder value.
Since 2004, the complexity of risk has changed, significant new
risks have emerged, and boards have enhanced their awareness
and oversight of risk management while asking for improved risk
reporting. Updates to the Framework reflect current and evolving
concepts and applications so that organizations worldwide can
attain better value from enterprise risk management. Specifically, it
now provides greater insight into strategy and the role of enterprise
risk management in the setting and execution of strategy, enhances
the alignment between organizational performance and enterprise
risk management, and accommodates expectations for governance
and oversight.
PwC served as the author and project leader for updating the
publication, preparing related documents and reporting to the
COSO Board of Directors. The PwC Project Team includes senior
resource people, many who were involved in previous COSO
projects and who bring in-depth understanding of the original
Framework, and others who provide current market perspectives to
this revision. To capture views of a broad range of professionals in
the marketplace, the COSO Board formed an Advisory Council
representing industry, academia, government agencies, and not-for-profit
organizations and invited Observers to attend Advisory
Council meetings.
Approach for Revising the Framework
The PwC Project Team carefully considered the merits of feedback
and opinions received throughout the project. They reviewed and
embraced input that helped in the development of a relevant,
logical, and internally consistent document in all phases of the
project. These phases include:
• Assess and Envision: Through literature reviews, global surveys,
and public round tables and forums, this phase identified current
challenges for organizations implementing enterprise risk
management. The PwC Project Team analyzed information,
reviewed various sources of input, and identified critical issues
and concerns. COSO launched a global survey, available to the
general public, for providing input on the original Framework,
soliciting almost 900 responses.
• Build and Design: The PwC Project Team drafted Enterprise Risk
Management–Aligning Risk with Strategy and Performance,1
which was reviewed by the COSO Advisory Council and
Observers as well as other key users to gather reactions and
suggestions. The PwC Project Team conducted numerous one-
on-one and group meetings to capture feedback on the alternative
directions being considered in drafting the Framework. These
meetings, conducted across North America, Europe, Asia, and
Australia, included board members, chief risk officers, chief
financial officers, chief audit executives, and other senior
members of management.
• Public Exposure: With the assistance and oversight of the COSO
Board, PwC prepared exposure drafts and an on-line
questionnaire to facilitate a review by the general public. The PwC
Project Team conducted a variety of meetings and presented at
conferences to capture added input. Appendix B presents a
summary of the public comments and the Project Team’s
response.
• Finalization: The PwC Project Team reviewed and analyzed all
comments received and refined the various documents with
needed modifications. The COSO Board considered whether
Enterprise Risk Management–Integrating with Strategy and
Performance was sound, logical, and useful to management of
entities of all types and sizes, and the PwC Project Team finalized
the document for the COSO Board for acceptance.
1 This working title was used throughout the public exposure phase, and then the
document was retitled Enterprise Risk Management–Integrating with Strategy and
Performance.
B. Summary of Public
Comments
As noted in Appendix A, a draft of the Framework was issued for
public comment from June 15 through September 30, 2016. There
was significant interest in the exposure draft, indicated by almost
10,000 downloads2 of the Framework across industries and from
entities of all types. Much of the interest was international: 46% of
downloads occurred from outside North America.
There were forty-eight public comment letters received and more
than 200 responses to the on-line survey to the exposure draft. The
public comment letters generated more than 1,600 comments and
the on-line survey resulted in over 400 free-form responses on many
aspects of the updated document. All comments were considered in
further revisions to the Framework.
In addition to the feedback generated from COSO, the PwC Project
Team solicited feedback from the public through over forty
meetings, conferences, and seminars during the public exposure
period. In addition, they developed a series of videos, articles on
key topics (e.g., managing risk and performance to support
strategy), and social media posts, which generated over 2.8 million
impressions and over 3,000 direct interactions from the public.
This appendix summarizes the more significant comments and
resulting modifications to the Framework arising from the public
exposure period. Many respondents supported COSO’s efforts to
update the Framework to emphasize the importance of considering
risk in both strategic planning and overall performance, add five
components of enterprise risk management, and stress how
integrating enterprise risk management into the business can
improve decision-making.
However, there were divergent views on certain updates to the
Framework, including the definitions of risk and enterprise risk
management, the link to decision-making, the practicality of risk
profiles, and the relationship of internal control to enterprise risk
management.
Some respondents sought fundamental changes to the Framework,
whereas others recognized that the Framework remains relevant
and useful today for boards and management of entities regardless
of type or size, and requested that only specific areas be updated,
as discussed in more detail below.
Structuring the Document: Components
and Principles
Overall, respondents supported updating the original title of the
Framework to the exposure draft’s working title, Enterprise Risk
Management–Aligning Risk with Strategy and Performance. They
acknowledged the benefits of a components and principles structure
to provide clarity to integrating enterprise risk management into
strategic planning and day-to-day decision-making. Some suggested
the five components of the
Framework could be better aligned with a common business model
of develop, implement, review, and revise. Further, some noted that
the use of the word “execution” in the Risk in Execution component
did not translate well across geographies. A few respondents
expressed concern about the number of principles, saying twenty-
three was not practical for managing an entity, and suggested
having fewer. Lastly, others suggested changes to align or reconcile
the Framework principles to other frameworks and standards.
Given the overall support of integrating enterprise risk management
with strategy-setting through performance, the title was revised to
Enterprise Risk Management–Integrating with Strategy and
Performance. The Framework retains the five components but
renames and reorders them to better align to a typical business
model: Governance and Culture; Strategy and Objective-Setting;
Performance; Review and Revision; and Information,
Communication, and Reporting.
As for the principles, some have been consolidated. Specifically,
two principles within the Governance and Culture component were
combined into one to focus on core values. As well, within the
Strategy and Objective-Setting component, the principles Considers
Risk while Establishing Business Objectives and Defines Acceptable
Variation in Performance were merged into one, Formulates
Business Objectives, which focuses on establishing objectives and
using tolerance to understand how risk impacts the achievement of
those objectives. Lastly, within the Information, Communication, and
Reporting component, the principles Use Relevant Information and
Leverages Information Systems were merged into one to focus on
information and technology supporting enterprise risk management
practices.
Some respondents also expressed concern about the length of the
document and complexity of the language. Specifically, they
requested greater use of plain language to make certain technical
terms accessible to a wider audience.
These concerns were addressed by consolidating principles as
discussed above. Additionally, the Framework was revised to
reduce sentence length to improve readability. Specifically, the
Flesch–Kincaid readability tool was used to identify areas for
improvement as well as to confirm the readability for similar
standards and frameworks. Given the complexity of certain topics,
the overall Framework remains a comprehensive document in length
to sufficiently develop and clarify concepts.
Defining Enterprise Risk Management and
Risk
Respondents provided various suggestions to amend the definitions
of risk and enterprise risk management, including aligning the
definitions with other frameworks and standards. Suggestions for
defining risk varied from including impact only, separating risk into
adverse events (threats) and opportunities, and focusing on
uncertainty.
Some respondents expressed preference for the 2004 de nition of
enterprise risk management, in particular the use of risk appetite,
roles and responsibilities, and a focus on processes, as opposed to
practices. Others preferred the exposure draft de nition and
requested incorporating decision-making into it. There were also
requests to condense the definition by removing “creating,
preserving, realizing value” and providing a clear separation
between risk management and enterprise risk management.
After careful review and analysis of definitions from other standards
and frameworks, it was decided the exposure draft’s definitions
would be kept. The COSO Board believes those definitions best
reflect COSO’s present view of risk and enterprise risk management
and align with other COSO frameworks and thought leadership.
Integrating Enterprise Risk Management
and Impact on Decision-Making
A number of respondents expressed support for integrating
enterprise risk management with core business activities, as
opposed to having a more process-based approach. Some viewed
enterprise risk management as more of a function (e.g., second line
of defense), as opposed to a capability. As part of integrating
enterprise risk management, respondents requested an expanded
discussion on decision-making throughout the Framework,
including the role of bias and risk appetite, and a stronger
connection to culture.
Given the focus on capabilities and practices as opposed to a
specific function, the Framework contains limited discussion on the
lines-of-defense model. Further discussion on roles and
responsibilities is included in Appendix C.
The Framework now includes a new chapter, “Integrating Enterprise
Risk Management,” which focuses on how enterprise risk
management is integrated with strategy-setting through
performance, and the value of integration for the entity, such as
improved decision-making. The new chapter and each principle in
the Framework enhance the discussion of decision-making and the
impact of management bias.
The Relationship of Enterprise Risk
Management to Internal Control
There was diverse feedback on the relationship between enterprise
risk management and internal control. Some respondents requested
clarification of the structural aspects of the two frameworks (e.g.,
where there is overlap) and the conceptual linkages of these two
topics. Some suggested COSO merge the two frameworks into one,
while others preferred two separate and distinct frameworks. Still
others suggested including the entirety of the internal control
conversation in the Framework rather than referencing Internal
Control–Integrated Framework.
The new Framework now clarifies the relationship between
enterprise risk management and internal control and identifies those
instances where it relies on concepts established in Internal
Control–Integrated Framework. Since Internal Control–Integrated
Framework is used as a regulatory standard, and to avoid
inadvertently expanding the scope of that framework for regulatory
application, the COSO Board decided to maintain two separate and
distinct frameworks. Therefore, the COSO Board did not include
components in this update that are common to both frameworks
(e.g., control activities) to avoid redundancy and to encourage users
to become familiar with both. However, some concepts introduced
in Internal Control–Integrated Framework, such as governance of
enterprise risk management, are further developed in this
Framework. These additions limited the ability to shorten the
document.
Discussion on Strategy
Respondents expressed overall support for the emphasis on
strategy throughout the Framework. Some requested clarity on the
transition from strategy planning to implementation and when to
revisit strategy. A few held the view that objectives precede strategy,
and others requested replacing strategy with strategic objectives.
There were varying opinions about including the setting of mission,
vision, and core values within the scope of enterprise risk
management.
The Framework retains the current focus on the “possibility of
strategy not aligning, implications from the strategy chosen, and
risks to performing the strategy” as these provide a more detailed
analysis of the importance of integrating enterprise risk
management with strategy-setting. The Framework now clari es
how enterprise risk management is applied across strategy and
performance. It retains the link to mission, vision, and core values as
that provides the foundation of the acceptable type and amount of
risk. Additionally, the Framework retains the hierarchy relationship
between strategy and business objectives, and the terminology of
strategy versus strategic objectives, as both are consistent with
commonly used strategy and business frameworks.
Role of Culture
Overall, there was positive support for the inclusion and prominence
of culture in the exposure draft. Some respondents suggested
further expanding the discussion on the culture spectrum and
emphasizing links to performance management, conduct, and
incentives. A few suggested that culture is not part of the definition
of enterprise risk management, while others suggested that entities
do have a culture and risk is a part of it. Some wanted a discussion
on fraud risk as it relates to culture.
The Framework has been revised to consolidate Principles 4, 5, and
6 into the new Principle 4, Demonstrates Commitment to Core
Values. This principle emphasizes the relationship between
enterprise risk management and the core values established by the
board and management for the entity. Additionally, the revised
Framework is enhanced with examples of how culture influences
enterprise risk management practices and decision-making,
including the influence of management bias. It does not include
discussions of fraud risk, as this is addressed in Internal Control–
Integrated Framework.
Risk Appetite and Tolerance
Several respondents took a risk-centric view to risk appetite, as
opposed to an objective-centric view. Related comments focused
on setting boundaries for specific risks or groups of common risks
(e.g., credit risk) and reinforced a view of managing risk through
discrete groups. Further, several respondents requested that the
discussion on risk appetite be revised to make it measurable for
specific risks instead of focused on decision-making. Others
requested a visual diagram, demonstrating the hierarchy of risk
appetite and tolerance.
The Framework retains the use of risk appetite in the development
of strategy and business objectives, and the emphasis on how it is
used in decision-making. A diagram has been added to clarify the
relationship between risk appetite, tolerance, and limits and triggers,
and how those elements apply to strategy, objectives, and specific
risks.
Respondents also questioned the use of acceptable variation in
performance in lieu of risk tolerance. In particular, some strongly
expressed a desire to revert to using risk tolerance from the 2004
Framework, while others noted the use of acceptable variation in
performance as an improvement. The final Framework has revised
the use of acceptable variation in performance to tolerance and
enhanced the discussion on how tolerance is tied to an entity’s
objectives, taking an objective-centric view.
Risk Assessment and Risk Profiles
Some feedback targeted the technical risk assessment practices,
including the use of risk profiles. Specifically, several respondents
requested a more detailed discussion of quantitative risk
assessment methods (e.g., modeling, simulations, decision trees)
and other practical tools. Some expressed concern about the value
of heat maps, arguing that they are typically risk-centric and do not
accurately reflect the relationship of risk with performance. Several
noted the absence of discussion on the distribution of outcomes,
while many questioned the inclusion of inherent risk assessments.
The final Framework has revised Principle 11, Assess Severity of
Risk, to focus more explicitly on the impact to the achievement of
business objectives and strategy. It also clarifies how heat maps
can be used to depict risk in the context of objectives. Additionally,
a discussion on quantitative approaches to risk assessments was
added.
Some respondents questioned the practical application of risk
profiles, whereas others noted limiting the risk profile to one graphic
may be too prescriptive. Those supportive of the risk profiles noted
that they provide an effective explanation of the relationship
between risk, performance targets, risk capacity, and risk appetite.
The final Framework retains the use of risk profiles as they provide
management with a view of how risk impacts performance and how
risk appetite can be used for decisions. Enhancements have been
made to clarify the risk profile graphics across different types of
business objectives, and how risk profiles can be used with both
qualitative and quantitative data.
Information and Technology
Some respondents requested a detailed discussion on information
and technology; others questioned whether data management and
technology were within the scope of enterprise risk management.
Several focused on reporting information from a risk-centric
perspective as opposed to a business viewpoint.
The Framework now has a revised Information, Communication, and Reporting component to reduce the focus on information systems and put more emphasis on the greater role of data and evolving technology as part of enterprise risk management. Specifically, information has been added on how an entity manages and analyzes data, and the use of evolving technology to manage data more efficiently and effectively. The Framework also now highlights objective-based reporting to support management in decision-making.
Guidance
Some respondents requested guidance on how a company could apply the concepts discussed in the Framework. Specifically, they asked for more examples, including mini or full case studies, tools to assist in evaluating enterprise risk management (e.g., maturity models), and general implementation guidance (e.g., risk reports). In response, the COSO Board and the PwC Project Team agreed to develop a separate document containing examples on applying the Framework, Enterprise Risk Management–Integrating with Strategy and Performance: Compendium of Examples. This document illustrates the application of all the principles in the Framework across different industries, entity sizes, and types, and actual and expected company practices.
C. Roles and Responsibilities for Enterprise Risk Management
In any entity, everyone shares responsibility for enterprise risk management. The leader of the entity (i.e., chief executive officer or president) is ultimately responsible and should assume ownership for the achievement of the entity’s strategy and business objectives. That person should also have a deep understanding of those factors that may impede the achievement of strategy. It is up to other managers to “live and breathe” the behaviors that align with the culture, oversee enterprise risk management, leverage information systems tools, and monitor performance. Other personnel are responsible for understanding and aligning to the cultural norms and behaviors, business objectives in their area, and related enterprise risk management practices. The board of directors provides risk oversight to the achievement of strategy.
This appendix looks at approaches an organization can take for assigning roles and responsibilities for enterprise risk management, and provides guidance on the roles and responsibilities of the board of directors, chief executive officer, chief risk officer, management, and internal auditor. The information is presented in a “lines of accountability model.”
The lines of accountability model offers an organization a balanced approach to managing risk and seizing opportunities, all while enabling risk-based decision-making that is free of bias. However, there is no one-size-fits-all approach to using this model and no prescriptive details on the number of lines of accountability necessary. Some industries offer specific guidance for implementing an accountability model, but organizations must consider factors such as their size, strategy and business objectives, organizational culture, and external stakeholders. Individual organizations may establish roles across any number of different lines of accountability with specific regulatory guidance and oversight. Regardless of the number of lines of accountability, the roles, responsibilities, and accountabilities are defined to allow for clear “ownership” of strategy and risk that fits within the governance structure, and culture of the entity.
Board of Directors and Dedicated Committees
Different entities will establish different governance structures, such as a board of directors, a supervisory board, trustees and/or general partners, and dedicated committees. In the Framework (Chapters 5 through 9), these governance structures are referred to generally as “the board of directors.”
The board of directors is responsible for providing risk oversight of enterprise risk management culture, capabilities, and practices. Therefore, board members must be objective, capable, and inquisitive. They should have technical knowledge and expertise that is relevant to the entity’s operations and environment, and they must commit to the time necessary to fulfill their day-to-day risk oversight responsibilities and accountabilities. In some jurisdictions, the board has legal responsibility for carrying out its oversight role. Figure C.1 lists typical board oversight practices of enterprise risk management.
The board of directors may choose to manage its risk oversight
responsibilities at the full board level or may assign speci c tasks to
dedicated committees with a risk focus. Where a particular
committee has not been established for risk oversight, the
responsibilities are carried out by the board itself.
Board-level committees can include the following:
• Audit committee: Establishes the importance of risk oversight. Regulatory and professional standard-setting bodies often require the use of an audit committee, sometimes named the audit and risk committee. The role and scope of authority of an audit committee can vary depending on the entity’s regulatory jurisdiction, industry norm, or other variables. While management is responsible for ensuring financial statements are reliable, an effective audit committee plays a critical risk oversight role. The board of directors, often through its audit committee, has the authority and responsibility to question senior management on how it is carrying out its enterprise risk management responsibilities.
• Risk committee: Establishes the direct oversight of enterprise risk management. The focus of the risk committee is entity-wide risk in non-financial areas that go beyond the authority of the audit committee and its available resources (e.g., operational, obligations, credit, market, technology).
• Compensation committee: Establishes and oversees the compensation arrangements for the chief executive officer and other executives, as appropriate, to motivate without providing incentives for undue risk taking. It also oversees that management balances performance measures, incentives, and rewards with the pressures created by the entity’s strategy and business objectives, and helps structure compensation models without unduly emphasizing short-term results over long-term performance.
• Nomination/governance committee: Provides input to and oversight of the selection of candidates for directors and management. It regularly assesses and nominates members of the board of directors; makes recommendations regarding the board’s composition, operations, and performance; oversees the succession-planning process for the chief executive officer and other key executives; and develops oversight processes and structures. It also promotes director orientation and training, and evaluates oversight processes and structures (e.g., board/committee evaluations).
Management and the Three Lines of Accountability
Management is responsible for all aspects of an entity, including
enterprise risk management. Responsibilities assigned to the
various levels of management are outlined here.
Chief Executive Officer
The chief executive officer (CEO) is accountable to the board of directors and is responsible for overall enterprise risk management culture, capabilities, and practices required to achieve the entity’s strategy and business objectives. (In privately owned and not-for-profit entities, this position may have a different title, but generally the responsibilities are the same.) More than any other individual, the CEO sets the tone at the top along with the explicit and implicit values, behaviors, and norms that define the culture of the entity. The CEO’s responsibilities relating to enterprise risk management include:
• Providing leadership and direction to senior members of
management, and shaping the entity’s core values, standards,
expectations of competence, organizational structure, and
accountability.
• Evaluating alternative strategies, choosing a strategy, and setting
business objectives that consider supporting assumptions relating
to business context, resources, and capabilities within the risk
appetite of the entity.
• Maintaining oversight of the risks facing the entity (e.g., directing
all management and other personnel to proactively identify,
assess, prioritize, respond to, and report risks that may impede
the ability to achieve the strategy and business objectives).
• Guiding the development and performance of the enterprise risk
management process across the entity, and delegating to various
levels of management at different levels of the entity.
• Communicating expectations (e.g., integrity, competence, key
policies) and information requirements (e.g., the type of planning
and reporting systems the entity will use).
Chief Risk Officer
One of the more prominent roles in enterprise risk management is that of chief risk officer (CRO). This position is tasked with overseeing enterprise risk management as a second line of accountability. This role should normally have reasonably direct access to the CEO, or the authority to have access for specific issues or types of risk. An alternative to having a chief risk officer is to assign the underlying responsibilities to another member of management, typically in the second line of accountability.
Organizations develop the CRO role and responsibilities in a way that best meets their needs for effective enterprise risk management. Some entities choose to align the role of chief risk officer with the chief strategy officer so that strategy and risk are managed together under the CEO. Other entities delegate responsibility for enterprise risk management to first-line functions, including operating unit and functional unit leaders, leaving second-line responsibility to the CRO. These entities often align staff within divisions, operating units, and functions with the CRO to support enterprise risk management efforts across the entity.
The CRO is typically responsible for:
• Assisting the board of directors and management in fulfilling their respective risk oversight responsibilities.
• Establishing ongoing enterprise risk management practices
suitable for the entity’s needs.
• Building and maintaining relationships with those responsible for
managing risks throughout the entity.
• Overseeing enterprise risk management ownership within the
respective lines of accountability.
• Reviewing the operation of enterprise risk management in each
operating unit.
• Communicating with management through a forum, such as the
enterprise risk management committee, about the status of
enterprise risk management, which includes discussing severe
risks and emerging risks.
• Promoting enterprise risk management to the CEO and operating
unit leaders and assisting in integrating practices into their
business plans and reporting.
• Evolving organizational capabilities in line with the maturity and
suitability of enterprise risk management.
• Escalating identified or emerging risk exposures to executive management and the board.
Management
Management comprises the CEO and senior members leading the key operating units and business-enabling functions. Each of these management roles may have different responsibilities and accountabilities within the lines of accountability model, depending on the entity. For example, a chief technology officer may play a second-line role in a financial services company, but in a technology company that same position would play a first-line role. Some smaller entities may combine roles, with one person holding responsibility for more than one of them. Examples of management for a larger public or private entity, a smaller business entity, and a government entity are noted in Figure C.2.
In some entities, the CEO establishes an enterprise risk management committee of senior members of management including functional managers, such as the chief financial officer, chief audit executive, chief information officer, and others. Examples of the functions and responsibilities of such a committee include:
• Assuming overall responsibility for enterprise risk management,
including the processes used to identify, assess, prioritize,
respond to, and report on risk.
• Communicating the enterprise risk management process to the
CEO and the board.
• Considering and discussing emerging risks.
• Defining roles, responsibilities, and accountabilities at the different levels of management.
• Providing policies, methodologies, and tools to operating units to
identify, assess, and manage risks.
• Reviewing the entity’s risk profile.
• Reviewing acceptable variation in performance and taking action
where appropriate.
Management also guides the development and implementation of enterprise risk management practices within their respective functional or operating unit and verifies that these practices are applied consistently.
Depending on how many layers of management exist within an
entity, subunit managers or lower-level supervisory personnel are
directly involved in executing policies and procedures at a detailed
level. It is their responsibility to carry out the enterprise risk
management process that senior management has designed and
implemented. Each manager is accountable to the next higher level
for his or her portion of enterprise risk management, with the CEO
being ultimately accountable to the board of directors, and the
board being accountable to external stakeholders such as
shareholders or other owners of the entity.
First Line: Core Business
Management is responsible for identifying and managing the performance and risks resulting from practices and systems for which it is accountable. The first line is also responsible for the risks inherent to the strategy and business objectives. As the principal owners of risk, management sets business objectives, establishes acceptable variation in performance, trains personnel, and reinforces risk responses. In short, the first line implements and carries out the day-to-day tasks to manage performance and risks taken to achieve strategy and business objectives.
Second Line: Support Functions
Support functions (also referred to as business-enabling functions) include management and personnel responsible for overseeing performance and enterprise risk management. They provide guidance on performance and enterprise risk management requirements, and evaluate adherence to defined standards. Each of these functions has some degree of independence from the first line of accountability, and they challenge the first line to manage performance and take prudent risks to achieve strategy and business objectives. In some entities, independent teams without separate and distinct reporting lines may provide some degree of challenge. These organizational functions or operating units support the entity through specialized skills, such as technical risk management expertise, finance, product/service quality management, technology, compliance, legal, human resources, and others. As management functions they may intervene directly in modifying and supporting the first line in appropriate risk response.
Second-line responsibilities often include:
• Supporting management policies, defining roles and responsibilities, and setting targets for implementation.
• Providing enterprise risk management guidance.
• Supporting management to identify trends and emerging risks.
• Assisting management in developing processes and risk
responses to manage risks and issues.
• Providing guidance and training on enterprise risk management
processes.
• Monitoring the adequacy and effectiveness of risk responses, accuracy, and completeness of reporting, and timely remediation of deficiencies.
• Escalating identified or emerging risk exposures to management and the board for awareness and potential action.
There are various methods of achieving objectivity across these two lines of accountability. For example, one company may have enterprise risk management teams embedded in the first line but with a separate second-line risk function. Another company may spread its risk management teams across the two lines depending on the complexity and nature of the business. These and other approaches can work as long as unbiased oversight is not constrained.
Third Line: Assurance Functions
Assurance functions, most commonly internal audit, often provide
the last line of accountability by performing audits or reviews of
enterprise risk management practices, identifying issues and
improvement opportunities, making recommendations, and keeping
the board and executive management up-to-date on matters
requiring resolution. Two factors distinguish the last line of
accountability from the others: the high level of independence and
objectivity (enabled by direct reporting to the board), and the
authority to evaluate and make recommendations to management
on the design and operating effectiveness of the entity overall.
External Auditors
External auditors provide management and the board of directors
with a unique, independent, and objective view that can contribute
to an entity’s achievement of its strategy and business objectives.
In an external audit, the auditor expresses an opinion on the fairness of the financial statements in conformity with applicable accounting standards, thereby contributing to the entity’s external financial reporting objectives. The auditor conducting a financial statement audit may contribute further to those objectives by providing information useful to management in carrying out its enterprise risk management responsibilities. Such information includes:
• Audit findings, analytical information, and recommendations for actions necessary to achieve established business objectives.
• Findings regarding deficiencies in enterprise risk management and internal control that come to the auditor’s attention, and recommendations for improvement.
This information frequently relates not only to reporting but to strategy, operations, and compliance practices as well, and can be important to an entity’s achievement of its business objectives. The information is reported to management and, depending on its significance, to the board of directors or audit committee.
It is important to recognize that a financial statement audit, by itself, normally does not include a significant focus on enterprise risk management. Nor does it result in the auditor forming an opinion on the entity’s enterprise risk management. Where, however, law or regulation requires the auditor to evaluate a company’s assertions related to internal control over financial reporting and the supporting basis for those assertions, the scope of the work directed at those areas will be extensive, and additional information and assurance will be gained.
D. Risk Profile Illustrations
Introduction to Risk Profiles
A risk profile provides the composite view of risks related to a specific strategy or business objective at a particular level of the entity (e.g., overall entity level, business unit level, functional level) or aspect of the business model (e.g., product, service, geography). These risk profiles bring together several important considerations in enterprise risk management, namely performance targets, the assessment of the overall amount of risk for varying levels of performance, risk appetite, and tolerance. Risk profiles are used to help organizations evaluate alternative strategies and support the process of identifying and assessing risks.
This relationship between risk and performance is rarely constant.
Changes in performance do not always result in corresponding
changes in risk, and therefore a single-point illustration used in
many typical enterprise risk management approaches is not always
helpful. A more complete illustration shows the aggregate amount of
risk associated with different levels of performance, where risk is
shown as a continuum of potential outcomes. The organization
balances the amount of risk with desired performance along this
continuum.
This appendix offers examples of how risk profiles may be developed and applied to support the organization in applying the principles of the Framework.
Developing Risk Profiles
When developing a risk profile, the organization must understand the:
• Strategy or relevant business objective.
• Performance target and acceptable variances in performance.
• Risk capacity and appetite for the entity.
• Severity of the risk to the achievement of the strategy and
business objective.
The risk profile, as depicted in this appendix, enables the organization to evaluate:
• The relationship between risk and performance, noting that the
amount of risk for a given strategy or business objective is
typically not static and will change for different levels of
performance.
• Assumptions underlying the risk assessment for a given strategy
or business objective.
• The level of confidence with which the assessment has been performed and the potential for unknown risks.
• Where corrective actions may be required in setting strategy,
business objectives, performance targets, or risk responses.
To develop a risk profile, the organization determines the relationship between the level of performance for a strategy or business objective and the expected amount of risk. On a risk graph, performance is plotted along the x-axis and risk is along the y-axis (Figure D.1). The resulting line is often referred to as a “risk curve” or “risk profile.”
Each data point is plotted by considering the perceived amount of risk that corresponds to the achievement of a business objective or strategy. As performance changes, the organization identifies how the amount of risk may change. Risk may change due to the changes in execution and business context.
Both quantitative and qualitative approaches can be used to plot points. If the organization has sufficient data on a strategy or business objective, it may use a quantitative approach, such as probabilistic modeling or regression analysis. Where data is not available or where business objectives are less important, the organization may prefer to use a qualitative approach, such as performing interviews, facilitating workshops, or benchmarking. Example D.1 describes how one entity plotted its risk profile.
Risk, Strategy, and Objective-Setting
Incorporating Risk Appetite
Using a risk profile, the organization can outline its risk appetite in relation to a proposed strategy or business objective. In Figure D.2, the risk appetite is plotted as a horizontal line parallel to the x-axis (performance). The gradient of the line indicates that the risk appetite remains constant for all levels of performance at a given point in time. The y-axis (risk) uses the same metric or expression of risk appetite as is referred to in an entity’s risk appetite statement. For example, the y-axis may be earnings at risk, value at risk, or other metric.
The section of the curve from the point of intersection (Point A)
where it continues above the risk appetite line indicates a level of
performance that exceeds the entity’s appetite and where risk
becomes disruptive to the entity.
Organizations may also want to incorporate an additional parallel
line above risk appetite to indicate risk capacity, shown in Figure
D.3.
Using Risk Profiles to Consider Alternative Strategies
Organizations can develop profiles of potential risks as part of considering alternative strategies. For each strategy, an organization may prepare a risk profile that reflects the expected types and amount of risks. These risk profiles support the strategy selection process by highlighting differences in the expected risk for different strategies.
Figure D.4 illustrates how profiles can be compared. Alternative A shows a flatter curve, indicating that the entity faces less incremental risk as performance increases. That is, the intersection of the risk curve and risk appetite is farther to the right, indicating greater opportunity for performance before the entity exceeds appetite. Established entities operating in mature, stable markets or with stakeholders who expect lower risk profiles may seek strategies that resemble Alternative A.
Conversely, risk-taking entities such as start-ups or venture
capitalists may explore strategies that are more typical of Alternative
B. In this case, an entity would seek more aggressive performance
in return for assuming greater risk.
Quantitative and qualitative techniques are used to develop the profile of potential risks and may be the same tools that are then used to support risk identification and assessment processes. This includes quantitative analysis and modeling where there is sufficient data. Where data is not available, more qualitative techniques may be employed.
Considering Risk in Establishing Business Objectives and Setting Performance Targets
Once an organization selects a strategy, it carries out a similar
analysis to establish business objectives. Organizations that are
faced with alternative objectives seek to understand the shape and
height of a curve for a potential business objective.
First, the organization sets a performance target for its business objectives. The performance target is determined in relation to the risk appetite and selected strategy. On a risk profile, the target demonstrates the desired performance and corresponding amount of risk (see Figure D.5).
Further, it illustrates the distance between the accepted amount of
risk and risk appetite. The more aggressive the entity, the less will
be the distance between the intersection of the performance target
and the risk curve (Point A), and the intersection of performance
target and risk appetite (Point B).
Using Risk Profiles to Demonstrate Acceptable Variation in Performance
The organization next determines the acceptable variation in performance on both sides of the target. This is illustrated in the figures by the dotted lines that run parallel to the performance target. The trailing and exceeding variances are set to reflect the risk appetite of the entity. There is no requirement that they be equidistant from the performance target. The closer the variances are set to the performance target, the less appetite for risk. However, by setting variations close to performance, management considers the trade-offs in the additional resources required to manage variability.
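As an added, constructed example (not a tool from the Framework or from COSO), the Python below models the elements of Figures D.1 to D.5 on one risk graph: a risk curve plotted from performance/risk data points, the horizontal risk appetite and risk capacity lines, Point A (where the curve crosses appetite), a performance target with its trailing and exceeding variances, and the vertical distance from the curve to the appetite line at the target. It also compares two alternative strategies as in Figure D.4. The curve data, alternative names, and the appetite, capacity, target and variance values are all assumptions.

```python
"""Risk profile evaluator modelled on Appendix D (constructed example, not COSO's)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Tuple[float, float]  # (performance on the x-axis, risk on the y-axis)


@dataclass
class RiskProfile:
    """A risk curve given as plotted points, joined piecewise-linearly between them."""
    name: str
    points: List[Point]

    def __post_init__(self) -> None:
        self.points = sorted(self.points)
        if len(self.points) < 2:
            raise ValueError("a risk curve needs at least two plotted points")

    def risk_at(self, performance: float) -> float:
        """Interpolate the amount of risk at a given level of performance."""
        pts = self.points
        if performance <= pts[0][0]:
            return pts[0][1]
        if performance >= pts[-1][0]:
            return pts[-1][1]
        for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
            if x0 <= performance <= x1:
                return y0 + (y1 - y0) * (performance - x0) / (x1 - x0)
        raise AssertionError("unreachable: points are sorted and cover performance")

    def crossing(self, level: float) -> Optional[float]:
        """Lowest performance at which the curve first reaches `level` (Point A for appetite)."""
        pts = self.points
        if pts[0][1] >= level:
            return pts[0][0]
        for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
            if y0 < level <= y1:
                return x0 + (x1 - x0) * (level - y0) / (y1 - y0)
        return None  # the curve never reaches this level within the plotted range

    def max_risk_between(self, lo: float, hi: float) -> float:
        """Highest risk on [lo, hi]; a piecewise-linear curve peaks at an end or a breakpoint."""
        xs = [lo, hi] + [x for x, _ in self.points if lo < x < hi]
        return max(self.risk_at(x) for x in xs)


def evaluate_target(profile: RiskProfile, appetite: float, capacity: float,
                    target: float, trailing: float, exceeding: float) -> dict:
    """Place a performance target and its acceptable variation on the profile."""
    risk_at_target = profile.risk_at(target)       # where the target line meets the curve
    band_lo, band_hi = target - trailing, target + exceeding   # the dotted variance lines
    band_max = profile.max_risk_between(band_lo, band_hi)
    return {
        "risk_at_target": risk_at_target,
        "headroom_to_appetite": appetite - risk_at_target,  # distance between Points A and B
        "within_appetite": risk_at_target <= appetite,
        "band": (band_lo, band_hi),
        "band_within_appetite": band_max <= appetite,
        "band_within_capacity": band_max <= capacity,
        "appetite_crossing": profile.crossing(appetite),
        "capacity_crossing": profile.crossing(capacity),
    }


def less_risky_alternative(a: RiskProfile, b: RiskProfile, appetite: float) -> str:
    """Name the alternative whose appetite crossing lies farther right (flatter curve)."""
    ca, cb = a.crossing(appetite), b.crossing(appetite)
    ca = math.inf if ca is None else ca
    cb = math.inf if cb is None else cb
    return a.name if ca >= cb else b.name


# Constructed curves: A is flatter (mature market), B is steeper (aggressive strategy).
ALT_A = RiskProfile("Alternative A", [(0, 2), (50, 4), (100, 7), (150, 12), (200, 20)])
ALT_B = RiskProfile("Alternative B", [(0, 2), (50, 6), (100, 11), (150, 18), (200, 26)])
APPETITE, CAPACITY = 10.0, 15.0   # assumed risk appetite and risk capacity levels

if __name__ == "__main__":
    print("less incremental risk:", less_risky_alternative(ALT_A, ALT_B, APPETITE))
    for alt in (ALT_A, ALT_B):
        result = evaluate_target(alt, APPETITE, CAPACITY, target=110, trailing=10, exceeding=15)
        print(alt.name, result)
```

For the constructed data, Alternative A crosses appetite at a performance of 130 and Alternative B at 90, and a target of 110 sits two units below appetite on curve A but above appetite on curve B.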
Identifying Risks in Performance
Organizations identify and assess the risks to business objectives and chosen strategy. Any potential risks that have been identified as part of the selection process provide a starting point for identifying and assessing risks in execution. This process yields a risk profile of actual risks for each business objective and overall strategy—one that either confirms the expected risks or one that indicates additional risks.
Additional risks may be identified for a number of reasons. The organization may have completed a more rigorous analysis after selecting a business objective, may have gained access to more information that gives it more confidence in its understanding of the risk profile, or may have determined that it needs to update the list of expected risks because the business context has changed.
The outputs of the risk identification process, the risk universe, form the basis on which an organization is able to construct a more reliable risk profile.
Using Risk Profiles when Assessing Risk
Risks identified and included in a risk profile are assessed in order to understand their severity to the achievement of an entity’s strategy or business objectives. Management’s assessment of risk severity can focus on different points of the risk profile for different purposes:
• To confirm that performance is within the acceptable variation in performance.
• To confirm that risk is within risk appetite.
• To compare the severity of a risk at various points of the curve.
• To assess the disruption point in the curve at which the amount of
risk has greatly exceeded the appetite of the entity and impacts its
performance or the achievement of its strategy or business
objectives.
The risk profile in Figure D.6 depicts the amount of risk within an assumed time horizon. To incorporate time into the risk profile, management must define the performance target with reference to a time period.
In assessing the distance of the curve from the x-axis, management considers the aggregate amount of known (existing, emerging, and new risks) and unknown risks. The amount of unknown risk may be estimated with varying levels of confidence depending on the type of business objective, experience and knowledge of the organization, and available data. Where the number and amount of unknown risks is potentially large (e.g., developing new technology), the distance between the risk curve and the x-axis will typically be greater to indicate greater risk. For business objectives in more mature environments with significant performance data, knowledge, and experience, the amount of unknown risk may be considered much less significant, and the distance between the risk curve and the x-axis will therefore be smaller. The distance of the curve from the x-axis also demonstrates how multiple risks impact the same business objective.
The organization may choose to use different assessment methods
for different points of the risk curve. When focused on the
acceptable variation in performance, analysis of risk data may be a
suitable approach. When looking at the extreme sections of the
curve, scenario analysis workshops may prove more effective in
determining the height and shape of the curve.
As with considering alternative strategies and identifying risks, management uses quantitative and qualitative approaches, or a combination of both, to assess risks and develop a risk profile. Qualitative assessment is useful when risks do not lend themselves to quantification or when it is neither practicable nor cost effective to obtain sufficient data for quantification. For example, consider a reputable technology company that is contemplating launching a new product that is currently not commercially available. In developing a risk profile of the risk of launching the R&D of the new product, management relies on its own business knowledge and its engineers’ expertise to determine the height and shape of the curve.
For risks that are more easily quantifiable, or where greater granularity or precision is required, a probability modeling approach is appropriate (e.g., calculating value at risk or cash flows at risk). For example, when the same technology company assesses the risk of maintaining operations in a foreign country, it employs modeling when plotting the curve to identify sufficient points outlining the severity of its foreign exchange exposure.
Using Risk Profiles when Prioritizing Risks
How organizations prioritize risks can affect the risk profile for a strategy or business objective. The following are examples of how the prioritization criteria (see Principle 14) are incorporated into the risk profile:
• Adaptability influences the height and shape of the risk curve reflecting the relative ease with which the organization can change and move along the curve.
• Complexity of a risk will typically shift the risk curve upwards to reflect greater risk.
• Velocity may affect the distance at which acceptable variation in performance is set from the target. (Note that the velocity of the risk also reflects the third dimension of time, and therefore is not reflected in the risk curve.)
• Persistence, not shown on the risk curve as it relates to a third dimension, may be reflected in a narrowing of the acceptable variation in performance as the entity acknowledges the sustained effect on performance.
• Recovery, the time taken to return to acceptable variation in
performance, is considered part of persistence. How the entity
recovers will shape the risk curve outside of the acceptable
variation in performance and the relative ease with which the
entity can move along the curve.
Many organizations choose to use severity as a prioritization
criterion. For example, consider the risk profiles in Figure D.7. If an
organization were asked to prioritize the risks in Risk Profile A
compared to those in Risk Profile B, it may well select Risk #3 in
Profile A as the most important because of its absolute severity (a
risk-centric perspective). But if the organization were to view Risk
Profile A from a business objective perspective, it would see that the
entity is still well within its risk appetite for the particular
performance target. In fact, Risk Profiles A and B have the same
severity of risk relative to their respective performance targets.
Consequently, the severity of one risk (e.g., Risk #3 in Risk Profile A)
should not be the sole basis for prioritization relative to other risks.
Using Risk Profiles when Considering Risk Responses
Once the organization develops a risk profile, it can determine if
additional risk responses are required. The height and shape of the
risk curve can be affected by the risk response chosen
(see Principle 15):
• Accept: No further action is taken to affect the severity of the risk,
and the risk profile remains the same. This response is appropriate
when the performance of the entity and the corresponding risk are
below the risk appetite line and within the lines indicating
acceptable variation in performance.
• Avoid: Action is taken to remove the risk, which may mean
ceasing a product line, declining to expand into a new geographical
market, or selling a division. Choosing avoidance suggests that
the organization is not able to identify a response that would
reduce the impact of the risk to an acceptable severity. Removing
a risk will typically shift the curve downwards and/or to the left,
with the intent of placing the target performance to the left of the
intersection of the risk curve and the risk appetite line.
• Pursue: Action is taken that accepts increased risk to achieve
increased performance. This may involve adopting more
aggressive growth strategies, expanding operations, or developing
new products and services. When choosing to pursue risk,
management understands the nature and extent of any changes
required to achieve the desired performance while not exceeding
the target residual risk. Here the risk curve may not change, but the
target may be set higher, placing the target at a different point
along the risk curve.
• Reduce: Action is taken to reduce the severity of the risk. This
involves any of the myriad everyday business decisions that reduce
residual risk to the target residual risk profile and risk appetite. The
intent of the risk response is to change the height and shape of
the curve, or applicable sections of the curve, to remain within the
risk appetite set for the entity. Alternatively, for risks that are
already within the risk appetite, the reduce response may pertain
to the reduction in variability of performance through the
deployment of additional resources. The effective reduction of a
risk would be seen as a flattening of the risk curve for the sections
affected by the risk response.
• Share: Action is taken to reduce the severity of a risk by
transferring or otherwise sharing a portion of the risk. Common
techniques include outsourcing to specialist service providers,
purchasing insurance products, and engaging in hedging
transactions. As with the reduce response, sharing risk lowers
residual risk in alignment with risk appetite. A section of the risk
curve may change, although the entire risk curve likely remains
similar to one where risk has not been shared.
• Review business objective: The organization chooses to review
and potentially revise the business objective given the severity of
identified risks and acceptable variation in performance. This may
occur when the other categories of risk response do not
represent desired courses of action for the entity.
• Review strategy: The organization chooses to review and
potentially revise the strategy given the severity of identified risks
and the risk appetite of the entity. Similar to reviewing business
objectives, this may occur when other categories of risk
response do not represent desired courses of action for the
entity. Revisions to a strategy, or adoption of a new strategy, also
require that a new risk profile be developed.
Figure D.8 shows how a risk profile changed after carrying out a risk
response, such as entering into an insurance arrangement. For
example, fruit farmers may purchase weather-related insurance for
floods or storms that would cause their production levels to drop
below a certain minimum. The risk curve for production levels
flattens for the outcomes covered by insurance.
Developing a Portfolio View
After selecting risk responses, management develops a composite
view of residual risk (i.e., the risk remaining after assessment and
the implementation of risk responses). This composite view forms an
entity-wide portfolio view of the risk that the entity faces.
While the portfolio view represents the view of risk at the entity level,
management may choose to depict that view through a variety of
lenses. Figures D.9 and D.10 illustrate two alternatives for viewing
the risk profile. The first, Figure D.9, illustrates a risk profile linked to
strategy and entity objectives. The second, Figure D.10, illustrates
the risk profile relating to the portfolio view of entity-level
objectives.
An organization may choose how to depict the portfolio depending
on how performance is articulated and who is concerned. For
instance, a chief financial officer may focus on a view that depicts
the severity of risk in relation to financial performance. A chief
operating officer may focus on a view that depicts the severity of
risk in relation to operational performance. And the chief human
resources officer may focus on a view that depicts the severity of
risk in relation to culture and resource allocation. Yet each of these
views is based on one shared understanding of risk to business
objectives.
Through the portfolio view, the organization identifies severe entity-
level risks. Figure D.9 illustrates the portfolio view.
When preparing a portfolio view, the organization may also choose
to develop a risk profile that provides added context on the portfolio
view. Figure D.10 illustrates the risk profile of two entity-level
objectives. The first graph illustrates how risk to the achievement of
entity objective 1 (at the current level of performance) is within
both the risk appetite and the risk capacity (shown as green in Figure
D.9). The second graph illustrates how risk to the achievement of
entity objective 2 is above the risk appetite, although still within risk
capacity (red in Figure D.9). These two perspectives are reflected
in Figure D.9.
An organization will typically use both qualitative and quantitative
techniques in developing this view. Qualitative techniques include
scenario analysis and benchmarking. Quantitative techniques
include regression modeling and other means of statistical analysis
to determine the sensitivity of the portfolio to sudden or large
changes. These changes may be represented as shifts in the risk
curve or gradient.
Analysis may also identify the point on the curve where change
becomes a disruption to the performance of the entity. For example,
using entity objective 1, an organization identifies that a drop of
more than 25% in a specific index represents a disruptive change
at which the entity exceeds its risk appetite and which affects the
achievement of the strategy. This is represented at the point where
the gradient of the curve steepens significantly (Point A). Further, the
organization determines that a 50% drop would affect performance
to the extent that the entity exceeds its risk capacity and threatens
the viability of the entity. This is represented where the risk curve
intersects the risk capacity line (Point B).
By using stress testing, scenario analysis, or other analytical
exercises, an organization can avoid or more effectively respond to
big surprises and losses. By analyzing the effect of hypothetical
changes on the portfolio view, the organization identifies potential
new, emerging, or changing risks and evaluates the adequacy of
existing risk responses. The purpose of these exercises is for
management to be able to assess the adaptive capacity of the
entity. They also help management challenge the assumptions
underpinning the selection of the entity’s strategy and assessment
of the risk profile.
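The following is an added example, not part of the COSO text, that puts the risk-curve arithmetic described in this appendix into code: a risk profile modeled as a piecewise-linear curve of severity against the size of an adverse change (the index drop of the entity objective 1 illustration), the risk appetite and risk capacity lines, Point A (where the gradient steepens sharply) and Point B (where the curve meets the capacity line), the effect of a share response (the insurance cap of Figure D.8) and a reduce response on a section of the curve, and a stress scenario that shifts the whole curve upward. Every curve point, the appetite and capacity values, the trigger and cap figures, and all function names are hypothetical values and names constructed for illustration.

```python
"""Risk-curve arithmetic for a COSO-style risk profile (added example).

A profile is a piecewise-linear curve of severity against the size of an
adverse change (here, a percentage drop in an index, as in the entity
objective 1 illustration).  Risk appetite and risk capacity are horizontal
lines.  Point A is where the gradient first steepens sharply; Point B is
where the curve meets the capacity line.  Every number below is a
constructed, hypothetical value.
"""
from bisect import bisect_right
from typing import Optional

Profile = list[tuple[float, float]]  # (x, severity) pairs, sorted by x

# Hypothetical curve for entity objective 1: severity of an index drop (x = % drop).
BASE_PROFILE: Profile = [(0, 0.0), (10, 1.0), (20, 2.0), (25, 2.5),
                         (30, 5.0), (40, 8.0), (50, 12.0)]
RISK_APPETITE = 2.5    # assumed severity the board is willing to accept
RISK_CAPACITY = 12.0   # assumed severity beyond which viability is threatened


def severity_at(profile: Profile, x: float) -> float:
    """Severity at x by linear interpolation; flat outside the curve's range."""
    xs = [px for px, _ in profile]
    if x <= xs[0]:
        return profile[0][1]
    if x >= xs[-1]:
        return profile[-1][1]
    i = bisect_right(xs, x)
    (x0, y0), (x1, y1) = profile[i - 1], profile[i]
    return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def crossing(profile: Profile, line: float) -> Optional[float]:
    """Smallest x at which the curve reaches a horizontal line (appetite or
    capacity), or None if the curve never gets there."""
    if profile[0][1] >= line:
        return profile[0][0]
    for (x0, y0), (x1, y1) in zip(profile, profile[1:]):
        if y0 < line <= y1:
            return x0 + (x1 - x0) * (line - y0) / (y1 - y0)
    return None


def disruption_point(profile: Profile, factor: float = 2.0) -> Optional[float]:
    """Point A: the x at which a segment's gradient is at least `factor` times
    the gradient of the previous segment."""
    slopes = [(y1 - y0) / (x1 - x0)
              for (x0, y0), (x1, y1) in zip(profile, profile[1:])]
    for i in range(1, len(slopes)):
        if slopes[i - 1] > 0 and slopes[i] >= factor * slopes[i - 1]:
            return profile[i][0]
    return None


def share_response(profile: Profile, trigger_x: float, cap: float) -> Profile:
    """Share (insurance/hedge): beyond trigger_x the retained severity is capped
    at `cap`, so the curve flattens for the covered outcomes (Figure D.8)."""
    return [(x, min(y, cap) if x >= trigger_x else y) for x, y in profile]


def reduce_response(profile: Profile, factor: float, lo: float, hi: float) -> Profile:
    """Reduce: a control scales severity by `factor` on the section lo..hi."""
    return [(x, y * factor if lo <= x <= hi else y) for x, y in profile]


def stress_shift(profile: Profile, delta: float) -> Profile:
    """Stress scenario (or added complexity): move the whole curve up by delta."""
    return [(x, y + delta) for x, y in profile]


def assess(profile: Profile, target_x: float) -> dict:
    """Where the current target sits relative to appetite, Point A and Point B."""
    sev = severity_at(profile, target_x)
    return {
        "severity_at_target": sev,
        "within_appetite": sev <= RISK_APPETITE,
        "point_a": disruption_point(profile),
        "appetite_crossing": crossing(profile, RISK_APPETITE),
        "point_b": crossing(profile, RISK_CAPACITY),
    }


if __name__ == "__main__":
    scenarios = {
        "base": BASE_PROFILE,
        "insured beyond a 30% drop": share_response(BASE_PROFILE, 30, 8.0),
        "controls halve the 30-50% section": reduce_response(BASE_PROFILE, 0.5, 30, 50),
        "stress: whole curve +1": stress_shift(BASE_PROFILE, 1.0),
    }
    for name, prof in scenarios.items():
        print(f"{name}: {assess(prof, target_x=20)}")
```

On the constructed base curve the appetite line is first reached at a 25% drop, which is also where the gradient jumps (Point A), and the capacity line at a 50% drop (Point B). Capping retained severity beyond a 30% drop, or halving severity on the 30-50% section, leaves the curve short of the capacity line, so Point B disappears; shifting the whole curve up by one unit moves the appetite crossing to a 15% drop and Point B to 47.5%, and the current target is no longer within appetite.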
Monitoring Risk Management Performance
Organizations can use graphical representations to understand how
risk is impacting performance. As shown in Figure D.11,
management analyzes the risk profile to determine whether the
current level of performance risk is greater than, less than, or as
expected compared to the risk assessment results. Additionally,
management considers whether a change in performance has
created new factors that influence the shape of the curve. Based on
this analysis, management can take corrective action.
• Has the organization performed as expected and achieved its
target? Using a risk profile, the organization reviews the
performance targets set and determines whether they were
achieved or whether variances occurred. Point B on the figure shows
an organization that has not met its planned performance (Point A)
but remains within acceptable variation.
• What risks are occurring that may be impacting performance? In
reviewing performance, the organization observes which risks
have occurred or are presently occurring. Monitoring also confirms
whether those risks were previously identified or whether new,
emerging risks have occurred. That is, are the risks that were
identified and assessed, and that inform the shape and height of the
risk curve, consistent with what is being observed in practice?
• Was the entity taking enough risk to attain its target? Where an
entity has failed to meet its target, the organization seeks to
understand whether risks have occurred that are impacting the
achievement of the target or whether insufficient risk was taken to
support the achievement of the target. Given the actual
performance of the entity in the figure, Point B also indicates that
more risk could have been taken to attain the target.
• Was the estimate of risk accurate? In those instances where the
risk was not assessed accurately, the organization seeks to
understand why. In reviewing the assessment of severity, the
organization challenges its understanding of the business
context, the assumptions underpinning the initial assessment, and
whether new information has become available that may help
refine the assessment results. Point C on the figure indicates
where an entity has experienced more risk than anticipated for a
given level of performance.
Given the results of the monitoring activities, the organization can
determine the most appropriate course of action.