Customizing Enterprise Risk Management
May 1, 2006
When the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its enterprise risk management integrated framework in 2004, the document received a warm welcome from companies looking for better ways to identify and manage the myriad risks they face. And because the framework integrates internal controls and enterprise risk management (ERM), it seemed a perfect fit for organizations looking to leverage the work they were doing to comply with the Sarbanes-Oxley Act of 2002.
At the very least, the framework has raised awareness at the senior executive and board levels about the need for companies to understand the key risks they face, measure their tolerance for those exposures, develop a process to manage them and ensure that their risk profile is regularly updated.
"The COSO framework has been a lever that has pushed those efforts further along," says Michael Chagares, a director with Mercer Oliver Wyman, a financial services strategy and risk management consulting firm headquartered in New York City. "It has gotten companies to think about risk in a more strategic way. And if they understand risks better and how those risks align with objectives, they can manage those risks better and close gaps in order to achieve objectives with more predictability and less volatility."
But while most observers agree that the framework has had a positive impact on the prevalence and effectiveness of ERM, some experts point out that risk management executives might be tempted to treat the COSO framework as just another compliance requirement or as a shrink-wrapped solution to risk management issues that are complex and unique to each organization. It's neither of those, and companies need to carefully calibrate this risk management tool to get the best results.






















