Risk management’s traditional focus on adversity is changing. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2017 Enterprise Risk Management (ERM)–Integrating With Strategy and Performance framework now refers to risk holistically as “the possibility that events will occur and affect the achievement of strategy and business objectives.” With “adversely” removed from the definition, a risk is no longer something that must be prevented from happening. In addition, the framework no longer speaks of risk management as a separate process, but defines it in terms of “culture, capabilities, and practices.”
The updated COSO ERM framework and the International Organization for Standardization’s ISO 31000: Risk Management standard present great opportunities to replace the term risk management with value management. According to both standards, managing risk is all about creating and protecting value. However, they retain the term risk management.
Business activities always involve uncertainty. To increase success, leadership teams have to take advantage of opportunities and limit threats. Ultimately, they want to increase the certainty that they will achieve their objectives and avoid outcomes they do not want. For that reason, organizations need a pragmatic approach to keep key stakeholders satisfied by realizing value for them.
Changing risk standards pave the way for organizations to bring their experts together to pursue opportunities and cope with threats.
The value management approach offers intriguing opportunities for internal auditors because it focuses on the quality of decision-making within the organization. Internal audit can help the organization by assessing to what extent decision-makers possess the right competence and integrity to reconcile dilemmas caused by the conflicting interests of stakeholders.
* Marinus de Pooter, CIA, CMA, CFM, CRMA, is owner of MdP | Management, Consulting & Training in Deurne, Netherlands.