COSO II

Uncertainty and risk are inseparable elements of every economic activity. On the one hand, they make it possible to use emerging opportunities to generate profit. On the other hand, they bring unexpected events that result in losses or threaten the continuity of business activities or the existence of the company.

 

 

In light of the rapidly changing external environment of the company and the growing number and frequency of extraordinary events, it is recommended to take actions that establish a certain level of security. How is it possible to establish such a level considering the number, complexity and unpredictability of the factors influencing the operation of a company? How should one act in order to gain certainty about the effectiveness and wisdom of those actions? The integrated framework for Enterprise Risk Management, COSO II, is a solution worth considering.

 



COSO (The Committee of Sponsoring Organizations of the Treadway Commission) is an American organization that works on good practices and education in the field of organizational transparency. In 1992 COSO I, a document on internal control, was published. In 2004 the organization presented COSO II, an integrated framework for Enterprise Risk Management. Using the terminology and structure of actions presented in this work, a company can classify all kinds of risks and organize appropriate mitigating actions.

 



COSO II presents integrated Enterprise Risk Management as a process consisting of eight inseparable elements:

 


  • Internal Environment – covers the character of an organization and sets the basis for how employees perceive and react to risks; it includes the risk management philosophy and the acceptable level of risk, honesty and ethical values, and the work environment.
  • Objective Setting – objectives need to be set before management begins to identify potential events that might affect the ability to reach them. Risk management ensures that procedures exist for setting objectives that reflect the mission and vision and are consistent with the level of risk acceptable to the organization.
  • Event Identification – internal and external events that affect the ability to reach the objectives must be identified and divided into threats and opportunities, which are considered in later stages in the process of objective setting and strategy building.
  • Risk Assessment – analysis and assessment of the probability and consequences of risks.
  • Risk Response – management chooses a response (avoidance, acceptance, mitigation or transfer of risk) in order to create a set of actions that bring risks in line with the acceptable level of risk.
  • Control Activities – policies and procedures that are established and carried out to make the responses to risks effective.
  • Information and Communication – relevant information should be gathered and passed on in a form and time frame that enable employees to perform their duties. Effective communication must also take place more broadly: downwards, across and upwards in the organizational hierarchy.
  • Monitoring – monitoring of individual risks is carried out through ongoing management activities, independent assessments, or a combination of both.

 


All of the above stages should be carried out in the order shown, without omitting any of these elements.

 



What are the benefits of using the COSO II standard?

 


  • it presents an integrated Enterprise Risk Management process in a systematic way. Definitions, rules and terms are clearly specified, and criteria for assessing the efficiency of risk treatment and guidelines for improving the risk management system are presented
  • the board of directors, management or audit committee are supported in decision-making by regular monitoring and assessment of the control actions performed in the company. The occurrence of unforeseen situations is limited to a chosen level
  • the risk management system is adjusted to the company's strategy and its risk appetite. Decisions made in response to risks are rationally justified. What is more, the probability and/or consequences of negative events are significantly reduced, and opportunities are identified and used more often.

 


Offered services:
  • Analysis of the current situation – strategy, structure of responsibilities.
  • Setting a plan of actions.
  • Setting a risk appetite and procedures for creating objectives.
  • Organization of training on the implemented solution in order to raise awareness among managers.
  • Assessment of existing mechanisms that mitigate risks.
  • Identification of critical points and events that influence the company's ability to reach its objectives.
  • Assessment of risk probability and of responses to risks.
  • Creating responses to risks that are unacceptable in accordance with the risk appetite.
  • Creating policies and control procedures.
 
