Talking Shop: Revisiting Enterprise Risk Categories

August 23, 2023

Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].


Context: Ted Howard, peer group leader of NeuGroup for Enterprise Risk Management, offered this context on the subject of enterprise risk categories: “When it comes to ERM, companies frequently use a variety of risk categories and standards to build programs tailored to their needs. The specific standards and categories used by ERM teams are based on the organization’s objectives, industry, regulatory environment and overall operational needs.

  • “The main and perhaps most utilized standard framework is from COSO, or the Committee of Sponsoring Organizations of the Treadway Commission. For many companies, COSO is a holistic risk template they would use to construct the foundation of their risk program.
  • “They would then incorporate other standards into that program to address more specific issues like cybersecurity (NIST), IT governance (COBIT), or quality management (ISO 9000).”

Member question: “I am revisiting our current risk categories—strategic, operational, financial and IT (we mostly follow the COSO framework). What categories do you use? I’m also interested if you adopted from COSO, ISO, Gartner, etc.”

  • In a follow-up with NeuGroup Insights, the member explained the timing of her question. “We are finalizing our risk register (basically the list of all of our risks and the definitions) to upload it into ERM technology and therefore are revisiting our risk categories,” she said. She added that “individual risks roll up to risk categories to help broadly bucket them.”

Peer answer 1: “For enterprise risk (which looks at broad strategic risks) we use four broad categories: strategic (which includes risk areas like business model, employees and policy), technology (a very broad category), finance and compliance, and operational risk (which tends to be less strategic).

  • “We benchmark against COSO and ISO; we also looked at 10-Ks from similarly sized companies in the tech industry to identify gaps. We review annually and do a comprehensive review every three years; however, the broad categories have been stable for the last 5+ years.
  • “Like other companies, there are a substantial number of other risk assessments that are tactical or operational in nature conducted by other parts of the organization.”

Peer answer 2. “We follow the COSO framework in general and use the four COSO categories: operational, strategic, financial and regulatory. The COSO methodology maps to a proven control model that is accepted nearly globally. We have other risk assessments that we use for IT, especially following COBIT and NIST.

  • “Some companies are adding a more descriptive topic related to technology to assist in further clarifying types. It’s hard to argue [with that] in this day and age, but the COSO model has not yet been updated to provide this category addition.
  • “It really does not make much difference unless the company wants to add credibility to their ERM program to be based on an approved ERM model. Nearly all companies have the four vs. other, different ones, regardless of the industry.”

Peer answer 3: “We settled on COSO, but my issue is that the COSO taxonomy doesn’t provide any additional insight or perspective. I would like to hear about risk taxonomies that help provide further insight or patterns on the risk categories or guide the treatment of those risks.”

Peer answer 4: “At a high level, we use COSO as a baseline, but modified for our company. Then also use ISO and NIST frameworks in specific circumstances. If there is an ISO standard available for an area and we are trying to get certified, we’ll use that framework for that area. If it is IT/cyber related, we’ll use NIST.”

Peer answer 5: “We generally use strategic, operational and financial, and used Gartner as a baseline which we have modified to fit our own purposes.”

Member wrap-up. After reviewing the peer responses, the member who posed the question said, “the majority of respondents follow the COSO framework, which was helpful to benchmark against.”

Author Justin Jones