CFO Blog

Enterprise Risk Management

Friday, February 13, 2009

A common misconception is that the Enterprise Risk Management-Integrated Framework (ERM), published by COSO in 2004, was intended to replace the Internal Control-Integrated Framework (ICIF). This could not be further from the truth: ERM and ICIF are more similar than they are different. ERM is not meant to replace ICIF; rather, it is intended to expand upon the internal control guidelines COSO published in 1992.

The basic difference between ICIF and ERM is that ICIF is intended to provide reasonable assurance that management's objectives are being carried out as they relate to (i) the effectiveness and efficiency of operations, (ii) the reliability of financial reporting, and (iii) compliance with applicable laws and regulations. ICIF accomplishes this through five components: (i) creating a control environment, (ii) assessing risk, (iii) creating control activities, (iv) facilitating the flow of information and communication, and (v) monitoring the processes. (Tanki, 1993) The Enterprise Risk Management-Integrated Framework uses the same five components but expands on them, since it focuses on risk management and on how to better identify and assess enterprise risk so that the company can actively manage its risk exposure while creating value. In doing so, ERM adds three more components: (i) objective setting, (ii) event identification, and (iii) risk response, bringing the total to eight.


In practical terms, both frameworks affect the bottom line; however, the Internal Control-Integrated Framework focuses more on the mechanics of the business. In other words, ICIF ensures that the proper steps are in place to eliminate errors in reporting that could result in a material weakness in the financial statements. Enterprise Risk Management takes a more macro view of the company and encompasses the various risks it may face from angles such as competition, computer hacking, economic crisis, and technology advances that may make it difficult to compete. After management identifies these events it assesses the related risks, which then allows it to manage each risk in the best possible way. That could mean buying insurance, investing in research and development to mitigate the risk of losing its competitive edge, and/or investing in additional IT security. Management has a certain appetite for risk, and by identifying and assessing the risks to the enterprise it can make educated cost/benefit decisions about how to manage them.

Risk can be managed in four different ways: (i) risk avoidance, meaning that if an activity is risky it is simply not undertaken; (ii) risk reduction, meaning that once the risk is identified the firm looks for ways to limit it, for example by changing its procedures or adding controls; (iii) risk sharing, meaning the firm pushes part of the risk onto another party such as an insurer; and (iv) risk acceptance, meaning the firm accepts the risk in its entirety and chooses to do nothing beyond absorbing the consequences if the event occurs. A firm would most likely accept a risk when eliminating it is very costly and the event, if it took place, would cause a relatively small monetary disturbance.

Ultimately ERM (i) aligns the Company's risk appetite and strategy, (ii) improves management's ability to make better decisions regarding risk, (iii) reduces operational surprises and losses, (iv) helps the firm identify and manage multiple and cross-enterprise risks, and (v) improves the deployment of capital. (COSO, 2004)

Written By: The Company Pulse (analyst@thecompanypulse.com)

Works Cited:

Dunn, C. L., Cherrington, J. O., & Hollander, A. S. (2005). Enterprise Information Systems: A Pattern Based Approach, 3rd Edition. McGraw-Hill/Irwin.

Tanki, F. J. (1993, June). Internal Control-Integrated Framework: A Landmark Study. The CPA Journal.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2004, September). Enterprise Risk Management-Integrated Framework: Executive Summary.
