
COSO: Elevating Risk Assessment in Strategic Planning

This September, COSO released its latest updated publication, “Enterprise Risk Management – Integrating with Strategy and Performance.” A primary goal of the full 110-page framework is to elevate risk assessment to a place of full participation in corporate strategic planning.

All too often, the act of assessing the risk of a new corporate venture – say, in opening new markets or starting new product lines – comes well after the strategic plan is complete.

According to Bob Hirth, a senior managing director for Protiviti and the current chair of the industry-governance organization known as COSO, this is a practice that’s growing more dangerous as the world of business, and the world itself, becomes increasingly unpredictable.

Since its formation in 1985, in response to the finance law reforms of the 1970s, the Committee of Sponsoring Organizations of the Treadway Commission has published a series of original and updated frameworks for internal controls and enterprise risk management.

“We want to talk directly to company board members because that’s where strategic planning typically begins,” says Hirth.

“We believe that they have an obligation during strategic planning, to themselves and their stakeholders, to look at the risks as well as the rewards of any new strategy – not just once it’s finished and handed off to execute. Each should inform the other as part of an iterative process.”

It’s in the DNA

The newly updated framework includes 20 main principles grouped into five interrelated components. Hirth says that the components are presented broadly enough to fit almost any organization, regardless of size or industry.

For instance, the second component, Strategy and Objective-Setting, includes these principles: Analyzes Business Context, Defines Risk Appetite, Evaluates Alternative Strategies, and Formulates Business Objectives. The third component, Performance, covers Identifies Risk, Assesses Severity of Risk, Prioritizes Risks, Implements Risk Responses, and Develops Portfolio View.

To reinforce the message that enterprise risk management should be embedded deeply within an organization, the components are illustrated within DNA-like graphics.

Hirth notes that as comprehensive as the framework is, its focus – and its implementation – is anything but complicated.

In reality, he says it boils down to three main recommendations.

“First, at the board and upper-management level, you ask basic questions of the new strategy: Have we modeled customer demand accurately? Will our supply chain deliver on time and on budget? Will new competitors emerge? Things like that.

“Then, as the strategy is formed, you ask: How well does this align with our mission, vision, and core values? In other words, now that we’ve got the strategy in place and it satisfies our appetite for risk, does the new strategy cause us to change who we want to be?

“If we’re a hamburger company now selling hot dogs, that might not be OK. Or it might. But we need to ask.

“Finally, can our organization deliver? Will the strategy be able to drive the organization to set objectives and allocate resources, and still stay within our risk appetite?”

Talking to the Board

This updated framework follows the spirit of the previous ERM framework, released in 2004, fairly closely. That publication also emphasized the value of moving risk assessment into the strategic planning process. But this version puts even greater emphasis on the actions taken by boards of directors. This isn’t just intentional, says Hirth, but necessary.

“Something significant changed after that framework was released. In 2009, the SEC started to require public companies to disclose in writing the roles of boards of directors in overseeing risk management programs at their companies.

“Directors are more tuned than ever before to ERM, and we think they’ll welcome a publication like this.”
