4 Key Enterprise Risk Management Frameworks
Don’t be fearful of risks. Understand them, and manage and minimize them to an acceptable level. – Naved Abdali
Sound decision-making in risk management necessitates the use of enterprise risk management (ERM) frameworks that can sustainably meet business objectives. Reputable, battle-tested frameworks offer effective, sustainable ways to manage complex and unexpected problems.
This means, for those responsible for risk response in today’s volatile business environment (e.g., risk officers, audit committees), if you aren’t employing an ERM framework, you aren’t managing risk. You’re creating it.
That said, not all frameworks are created equal, which is why most enterprises opt to use a framework developed by one of four reputable organizations: the Casualty Actuarial Society (CAS), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the International Organization for Standardization (IOS), or the Risk Management Society (RIMS).
And while these four ERMs are ultimately all designed to help senior management determine their appetite while managing and mitigating operational risks, it’s helpful to understand the nuances that set them apart.
The Casualty Actuarial Society (CAS) ERM Framework
Founded in 1914, the CAS serves over 9,100 members worldwide. It is the world’s only regulatory organization focused exclusively on casualty and property risks. In addition to casualty and property insurance, member expertise includes enterprise risk management, finance, and reinsurance. As defined by the CAS, the ERM is viewed as a conceptual framework, one that can be used to unify different aspects of the actuarial discipline broadly.
ERM frameworks are often guided by foundational principles. For a time, CAS was no exception, publishing its statement of principles in 1988. But the subsequent development of their Actuarial Standards of Practice resulted in an unacceptable amount of overlap between principles and the newer standards. This is why the CAS board of directors opted to rescind their framework principles completely in 2020.
At present, the CAS ERM framework covers four types of risk: financial, strategic, operational, and hazard. And the process of applying the framework itself involves seven process steps:
- Establish Context
- Identify Risks
- Analyze/Quantify Risks
- Integrate Risks
- Access/Prioritize Risks
- Treat/Exploit Risks
- Monitor & Review
What’s more, this process is meant to work as a continuous loop, with outputs and insights from monitoring and reviewing, which inform a new round of establishing context as the framework begins anew. And CAS notes application of this process ERM framework provides additional collateral benefits when implemented. Improvements such as communication and collaboration with the enterprise, enhanced decision-making at all levels, and a cultural shift in perspective where various risks are seen as opportunities to gain competitive advantages, not problems to be avoided.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework
COSO, organized in 1985, has a mission to develop “thought leadership that enhances internal control, risk management, governance and fraud deterrence” in order to help organizations improve performance. First issued in 2004, COSO updated its framework in 2017 to emphasize the importance of risk consideration in the strategy-setting process, in addition to driving business performance.
Unlike the process steps found in the CAS framework, at present, the risk management components of the COSO framework consist of 20 principles broken across five interrelated components:
- Governance and Culture
- Strategy and Objective-Setting
- Review and Revision
- Information, Communication, and Reporting
One of the benefits of the COSO ERM framework is that it fosters greater transparency around risk, benefitting both employees and ERM stakeholders within the enterprise. But it also acts as a lens through which the enterprise itself can evaluate its ability to align risk along with strategy and performance.
The International Organization for Standardization (IOS) ERM Framework
In 1946, 65 delegates from 25 countries gathered at the Institute of Civil Engineers in London. Their collective goal was to form a new organization, one that would create and unify industrial standards. These efforts became what is now known as the ISO in 1947. Now headquartered in Sweden, the ISO is a non-governmental, independent, international organization focused on developing consensus-based, market-relevant standards to support innovation on a global scale.
The ISO ERM framework, ISO 31000, is designed to reassure in a “world of uncertainty” and is marketed to businesses of all sizes who need clear guidance in relation to risk management. The ISO also developed this framework to be used by anyone who manages risk in their role, not just those in risk management. And the framework is guided by its own set of core principles, ensuring its application is:
- Structured and comprehensive
- [informed by the] Best available information
- [encompassing of] Human and cultural factors
- [demonstrating] Continual improvement
Unlike other ERM frameworks, enterprises can’t use the ISO 31000 for certification purposes. However, leadership can provide effective management and corporate governance by comparing their organization’s practices with ISO’s internationally recognized benchmark.
The Risk Management Society (RIMS) ERM Framework
The RIMS is another nonprofit organization focused on supporting risk management internationally. Founded in 1950, the RIMS now represents more than 3,500 charitable, industrial, government, nonprofit, and service entities worldwide. Like COSO’s ERM, RIMS offers an enterprise risk management framework that combines strategic and enterprise risk management. Dubbed the Strategic & Enterprise Risk Management (SERM), the RIMS framework consists of these two subsequent halves.
As one-half of this two-part framework, the RIMS defines its approach to ERM much the same as its contemporaries above. It’s done so, in part, so that the RIMS approach can act as an “umbrella” for other frameworks used to access risk.
As for its other half, strategic risk management (SRM) differentiates itself through its ten guiding principles.
According to the RIMS SRM framework, enterprise risk management processes should be:
Like ISO 31000, the RIMS ERM framework can function as a benchmarking tool for practitioners of risk management or management practices in general. It’s also designed to be applicable to all industries. What’s more, its authors note that the principles of its framework serve well as conversation-starters for leadership teams looking to increase the synergy between their risk management programs, business units, and the overall corporate strategy.
Putting Enterprise Risk Management Frameworks to Work
COVID’s made it abundantly clear that business leaders need to fully embrace ERM programs and the mindset that yesterday’s potential risks, when managed correctly, can become tomorrow’s competitive advantages. But depending on the maturity of a given enterprise, this can be easier said than done.
This is why ERM frameworks are increasingly supported through the use of risk management tools. These tools help organizations to visualize the risk assessment process, making insights more digestible and actionable, improving critical decision-making.
To help provide a sense of how these tools could help those managing risk within your enterprise, take a quick guided tour of our risk management tool here.