Developing a Portfolio View

Last time, I talked about the 4th point under the COSO guiding principle of Performance, which was Implements Risk Responses. This week, I'll move on to the 5th point under Performance, which is Develops a Portfolio View.

Performance has 5 points:

  1. Identifies Risk

  2. Assesses Severity of Risk

  3. Prioritizes Risk

  4. Implements Risk Responses

  5. Develops Portfolio View

A portfolio view allows management and the board to consider the type, severity, and interdependencies of risks and how they may affect performance. Using the portfolio view, the organization identifies severe risks at the organizational and business unit level. Business unit risk registers need to be aggregated so that they can be evaluated and prioritized across business units into an enterprise risk profile. Assessing cyber risks alongside other types of risks and overall business objectives enables proactive and effective risk decisions by company leadership.

I’ve broken how this is done into a 4 step process:

  • Step 1, ERM Guidance: In step 1, risk direction is received from the top of the organization and your ERM team. Corporate boards and executive leadership teams use external and internal factors alongside their strategy to determine risk acceptance levels and balance resource allocations for risk treatment across the organization. Operational leaders pass down the resulting resource and financial guidance to the business unit level.

  • Step 2, Cyber Risk Assessments: In step 2, cyber risk assessments are conducted at the business unit level. Understanding the guidance from step 1 allows cybersecurity teams to work with operational managers to frame, assess, manage, respond to, and report cyber risks within the business unit and in alignment with organizational strategy.

  • Step 3, Risk Treatment and Monitoring: In step 3, risk treatment and monitoring results are reported to organizational stakeholders. The risk determinations, decisions, and status are conveyed through the enterprise risk register and adjusted as necessary.

  • Step 4, Risk Aggregation and Normalization: In step 4, the ERM team collects, aggregates, and normalizes risk register information. This process allows the ERM team to:

    • Report its understanding of actual and potential risks to enterprise information and technology arising from threats and system failures.

    • Create a risk taxonomy and normalize risk management across the organization.

    • Inform risk mitigation activities at the business unit level and relate these to organizational strategy and budgetary guidance to prioritize and implement risk responses.

    • Produce enterprise-level risk disclosures for required reporting, public filings, and even congressional hearings.

Adjustments made to risk priorities, risk appetites and budgets are iterated as inputs back into Step 1 as updated ERM guidance.

Congrats! You have made it through the 3rd COSO guiding principle of Performance! Next time, we’ll start on the 4th COSO guiding principle of Review and Revision.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Thank you and have a great week.
