Peer Review

ERM & Internal Controls

Using the New COSO Risk-Management Guidance
By Richard M. Steinberg, Compliance Week Columnist


The Committee of Sponsoring Organizations recently issued guidance designed to assist companies with implementing an enterprise risk management (ERM) process. Let's take a closer look at the reports to get a sense of what they're about and the value they bring.

The first report, "Embracing Enterprise Risk Management: Practical Approaches for Getting Started," issued in January, suggests ways in which companies, especially smaller ones, can begin a risk-management initiative with the ultimate objective of moving to an ERM process. The paper describes how an organization can start to move from informal risk management to ERM, with suggested "specific, tangible actions that organizations can use to get started." It has three sections: keys to success; initial action steps; and continuing ERM implementation.

Beginning with the paper's "keys to success," we find seven themes. They are:

1. Gain support from the top of the organization;
2. Build on incremental steps and implement key practices to gain immediate and tangible results;
3. Focus on a small number of top risks;
4. Leverage existing resources by using the capabilities of the chief audit executive, chief financial officer, or other executives as a catalyst to begin the initiative;
5. Build on existing risk-management activities already being performed, for example, by internal audit, insurance, compliance functions, fraud protection and detection units, or credit and treasury functions;
6. Embed risk management into the fabric of the business; and
7. Continue to update and educate senior management and the board on evolving ERM practices.


The paper continues with initial action steps, which are intended to support development of an ERM initiative:

» Seek board and top management leadership, involvement and oversight;
» Select a strong leader for the ERM initiative;
» Establish a risk committee or...