COSO Based Enterprise Risk Management: the case of Enron

21 Feb 2017

For a long time, organizations managed the risks they routinely faced in a traditional manner, which in practice meant that most firms followed no structured approach to risk management at all. Each risk facing the business was managed independently of the others, in what has been called the silo-by-silo method (Molle, 2008). This method has since been recognised as ineffective and inefficient, because it fails to capture portfolio effects: the way risks interact across the organization rather than in isolation.

The silo method was deficient in two respects: it did not account for the interdependence of risks, and it did not give risk its proper strategic place in the organization. These failures drove the development of a more comprehensive and inclusive approach to managing risk, an approach that the Enron case illustrates particularly well (Martin, 2004). The new approach is comprehensive in that it manages risk at every level, from the individual product up to the organization as a whole, and has been dubbed enterprise risk management (ERM).

The shift was strongly influenced by the Enron saga, in which the top management of the organization was found to have engaged in fraudulent activities that eventually led to the collapse of the firm (KnowledgeLeader, 2008). The Sarbanes-Oxley Act (SOX) was put in place as a regulatory measure with which corporate bodies were expected to comply, and alongside it the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which predates SOX, came to be relied upon as the standard for internal control. The COSO model is now widely accepted as the benchmark for organizational internal control systems such as ERM (Maltz, 2003).

Enterprise Risk Management (ERM) Process

COSO-based integrated ERM at Enron can be examined from several perspectives. The ERM process is comprehensive: it rests on principles such as the management of risk interdependencies, which is precisely what the traditional silo method lacks. COSO-based ERM also requires defining the scope of the effort and the fundamental ERM practices of the organization. Such practices include an overview of the internal control systems, for example the identification of the IT controls required to address particular risks (KnowledgeLeader, 2008).

Another component of COSO-based ERM at Enron is the analysis of ERM costs and benefits. This entails assessing the risks that pose a challenge to the organization, quantifying them, and weighing the cost of treatment against the benefit that would accrue to the organization if those risks were avoided (Molle, 2008). Doing this requires an organization-wide overview of potential risks so that risk factors can be identified and compared. A further measure in the process is maintaining an ERM risk register.

COSO-based ERM proceeds in several stages. The first is the determination of risk objectives, followed by a mission statement that serves as the overall guide for all subsequent ERM activity. The next step is to develop a plan for responding to risks. This is followed by control and monitoring measures: a series of activities that ensure risks are measured and kept under control. Monitoring involves establishing adequate communication channels among the personnel in charge of risk management and undertaking continuous review and audit of the ERM functions (Molle, 2008).

For the above process to succeed, there must be a clear structure detailing the duties and expectations of everyone involved in COSO-based ERM at Enron. This in turn requires an organizational culture that is aware of risk and of its implications for the overall success of the organization (Sobel & Reding, 2004). Organizational effectiveness is further enhanced by incorporating external stakeholders in the ERM process. ERM is thus an all-inclusive process that requires both internal and external organizational stakeholders.

The ERM framework is therefore made up of the organizational stakeholders, the management (essentially the top level of management, including the board of directors), the risk management process itself, and assurance (Martin, 2004). Top-level management is the foundation on which the whole ERM process is built, and it is top-level management that is charged with the responsibility for managing particular risks.

For instance, the company secretary is charged with managing the legal risks that could affect the organization. The implication is that top-level management and the designated risk managers are the ones directly accountable for ERM (Sobel & Reding, 2004).

By following the COSO recommendations, Enron would have strengthened its enterprise risk management considerably. It would have considered risk avoidance and capital protection, accepted that it too was susceptible to risk, and adopted ways of addressing losses: risk financing, risk transfer, securitization and repackaging of assets, all in order to manage loss control efficiently, even though many senior executives lacked confidence in identifying and managing risk (Molle, 2008). ERM helps identify future risks so that all potential physical and financial risks can be managed. Identifying future events in this way has a positive effect on the alignment of strategy, people, processes and technology, and so ERM creates and preserves enterprise value (KnowledgeLeader, 2008).

Enron would also have established a best-practice ERM function at the different levels of the organization: the project management level, the corporate level and the strategic business unit level. In the same vein of eliminating extreme risk events, Enron would have ensured ERM best practice at the organizational level, following the practice established in financial firms (Molle, 2008).

By introducing policies and a strategy for risk management within the ERM context, Enron would have improved its management practice. It would have done so by managing foreign exchange and interest rate exposure, liquidity and liability management, the balance sheet, credit risk, operational risk and capital management, and by planning which course the company should take to be managed effectively (Molle, 2008). Following the governance guidelines established by Sarbanes-Oxley would have allowed Enron to run a smarter business, since it would have been able to identify its priority risks (Maltz, 2003).

Had Enron been able to measure its susceptibility to bankruptcy, it would equally have been able to combat it (Molle, 2008). The ways in which risk could have been assessed through ERM include risk mapping using risk indicators, risk-adjusted capital-based performance measures, and asset-based value-at-risk models, among others. Such assessment identifies risks and provides quality input for an effective risk response. The risk management policies cover the competencies, processes and technology required to manage the risks (Molle, 2008). The Sarbanes-Oxley Act, enacted in July 2002, governs the ethics of those in senior positions so that decision making is transparent and efficient, providing a foundation for productivity in every department of an organization (Maltz, 2003).

Under the controls of ERM, the external and internal audit functions and control self-assessment can be used as tools for gathering information about business risks. Likewise, by taking corporate responsibility for its financial reports, control reports and managerial reports, Enron would have put itself in a far better position to eliminate risks (Molle, 2008). This would have restored balance to Enron's management of its financial reporting.

Further, the Sarbanes-Oxley Act requires full and accurate disclosure in the company's filings and the reporting of any violation of the code of ethics. Taking responsibility for compliance with the code of ethics would have given Enron more valuable internal audit reporting and recommendations for addressing risk (Maltz, 2003). Best practice in self-auditing would have committed the managerial level to ethical conduct in carrying out its duties. In other words, Enron's management would have been able to evaluate all areas at risk promptly and act in time (Maltz, 2003).

Risk Management plan

Taking Enron as an example, it is clear that the lapse in corporate governance stemmed from the absence of holistic, consistent, enterprise-wide risk identification, assessment and monitoring. This contributed largely to the failure of Enron's corporate governance. Implementing enterprise risk management as stipulated by COSO addresses this gap. To begin the ERM process, corporate governance should identify the risk concepts outlined in the COSO framework and single out those that might ruin the firm. It should also establish the key risks, determine how they are monitored, and find out how the audit committee and the corporate board are involved in the process (KnowledgeLeader, 2008).

Enron's management can start by aligning the firm's appetite for risk with its corporate strategy. The firm can also link growth, risk and return. Beyond that, the firm could improve its risk response decisions while minimizing operational surprises and losses. This is made possible if the management at Enron identifies potential risk events, analyzes the risks, and establishes responses that have been thought through (KnowledgeLeader, 2008).

Internal auditing should also be integrated into the firm. The internal audit department should formulate a corporate risk checklist that is reviewed and completed every year as part of the department's planning process. This means that Enron's internal audit department needs to cover business, financial, operational and information services risks. This step helps internal audit focus its work on the areas that are most beneficial to the organization. Better still, the questions in the risk checklist can be used to facilitate self-assessment sessions, risk assessment questionnaires and workshops, audit work programmes, and audit interviews (KnowledgeLeader, 2008).

Enron also needs to promote business ethics and manage reputational risk within the ERM framework. This means the firm must define its business ethics and values across the entire organization and operate with an ethically conscious ERM attitude. In stating its values, Enron will need to produce an ERM code of conduct that governs the operations of the firm. On reputational risk, the firm needs to formulate strategies that control, deter and manage any ethical lapses (Molle, 2008).

Furthermore, economic and regulatory risk capital allocation must be implemented in the context of ERM. Enron should set enterprise-wide risk and capital requirements at the ERM level and calculate economic risk and capital allocations firm-wide. The impact on ERM then needs to be evaluated and the regulatory risk capital allocations calculated, all in the context of Basel II and within the ERM framework (Molle, 2008).

Information technology is also important in implementing ERM according to the COSO recommendations. The risk management process should therefore include the identification and assessment of the IT controls that address the specific risks identified. Successful implementation of these controls is made easier if the company adopts a formal control framework, and that framework should apply not only to the internal audit department but to every department in the organization (Molle, 2008).

Among the control frameworks the firm could apply when implementing risk management is the CICA CoCo (Criteria of Control) framework. It aims to improve an organization's performance and decision making by fostering a better understanding of control, risk and governance. CoCo also provides the grounds for judging the effectiveness of control, and it helps an organization focus on the future by encouraging it to take control, to ensure it has the resources needed to complete the job, and to learn from experience (Molle, 2008).


It is therefore evident that implementing enterprise risk management in accordance with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a systematic process, and that risk management is crucial to sustaining any organization's operations. In general, implementing an ERM plan should begin with an exploration of the organization's perspectives and fundamentals, including the risks and opportunities identified from an ERM point of view.

Risks and opportunities need to be categorized and objectives set. The organization should also identify suitable policies and strategies for risk management, bearing in mind that internal audit is central to the organization's risk management. Implementing risk management from an enterprise-wide perspective in this way keeps the organization in line with the best risk management policies and strategies.


