
Recently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated enterprise risk management (ERM) framework for public exposure and comment. COSO’s exposure draft, Enterprise Risk Management: Aligning Risk with Strategy and Performance, addresses important lessons from the financial crisis of 2008. As we look back, it’s still hard to believe that an entire industry was culpable in creating a credit crunch so severe that it triggered an ugly global recession and the need for massive government bailouts.

The crisis taught valuable lessons regarding the potential for the unexpected, with such terms as “black swan” entering the business lexicon. These lessons demonstrated the vital importance of several key elements of effective risk management—a fully engaged board, a bought-in chief executive officer (CEO), an open and transparent culture, a compensation structure that balances short- and long-term goals and interests, an understanding of the risk implications of the strategy, and a recognition that critical strategic assumptions can be invalidated by changes in the environment.

COSO emphasizes these elements in its updated framework. Based on these elements, we summarize a number of important insights for boards of directors and management from the COSO exposure draft.

Identifying risks to the strategy is not enough.
Many organizations focus on identifying risks to the execution of the strategy. That’s a good thing. However, COSO asserts that “risks to the strategy” is only one dimension of strategic risk. There are two additional dimensions to applying ERM in strategy-setting that can significantly affect an enterprise’s risk profile.

A second dimension is the “possibility of strategy not aligning” with an organization’s mission, vision, and core values, which define what it is trying to achieve and how it intends to conduct business. Board members and executives should ensure the company does not put into play a misaligned strategy: even if such a strategy is executed successfully, it increases the likelihood that the organization drifts from its mission and vision.

The third dimension to consider is the “implications from the strategy.” When overseeing strategy-setting, boards need to consider how the strategy works in tandem with the organization’s risk appetite and how it will drive behavior across the organization in setting objectives, allocating resources, and making key decisions.

The updated COSO framework asserts that all three of these dimensions need to be considered as part of the strategy-setting process. As we learned in the financial crisis, failure to address all three could result in unintended consequences that lead to missed opportunities or loss of enterprise value.


Strengthening risk governance and culture sets the right tone.
Risk governance sets the organization’s tone and reinforces the importance of, and establishes oversight responsibilities for, ERM. Culture pertains to ethical values and responsible business behaviors, particularly those reflected in decision-making. COSO asserts that several principles drive the risk governance and culture needed to lay a strong foundation for effective ERM. These include fostering effective board risk oversight; recognizing the risk profile of the operating model; encouraging risk awareness; demonstrating a commitment to integrity and ethics; establishing accountability for ERM; and attracting, developing, and retaining talented individuals.

Advancing the risk appetite dialogue adds value to strategy-setting.
The institution’s risk appetite statement is considered during the strategy-setting process, communicated by management, embraced by the board of directors, and integrated across the organization. Risk appetite is shaped by the enterprise’s mission, vision, and core values, and it takes into account the enterprise’s risk profile, risk capacity, risk management capability and maturity, culture, and business context.

To be useful, risk appetite must be driven down into the organization. To that end, COSO defines the “acceptable variation in performance” (sometimes referred to as risk tolerance) as the range of acceptable outcomes related to achieving a specific business objective. Acceptable variation in performance relates risk appetite to specific business objectives and provides measures that can identify when risks to the achievement of those objectives emerge.

Monitoring what really matters is essential to effective ERM.
The organization monitors risk management performance and how well the components of ERM function over time, in view of any substantial changes in the external or internal environment. If not considered on a timely basis, change can either create significant performance gaps vis-à-vis competitors or invalidate the critical assumptions underlying the strategy.

COSO’s updated ERM framework offers a principles-based approach that every organization can use to identify opportunities to improve its risk management. In this era of disruptive change, boards of directors and executive management would be well-advised to ensure that these insights are addressed within the organizations they oversee and manage. The reality is clear: to stay ahead of the disruption curve, business leaders must quickly discern the vital signs of change and all related implications for their markets and business models.

Jim DeLoach is a Managing Director with Protiviti, a global consulting firm. Contact him by visiting or follow him on Twitter @DeLoachJim.