■ CHAPTER 4 Basics of Risk Management
The introduction to decision-making theories and cases presented above highlights the significant differences among decision makers’ attitudes toward risk. Consequently, businesses need a structure for risk management to mitigate their enterprise’s exposure to loss. Such structures are called “enterprise risk management” or simply ERM.2 The first known complete ERM structure was recommended by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, formed in 1985.3 In 1993, the committee issued a report on internal controls in which the first ERM was formulated. In 2004, COSO issued a report specifically devoted to ERM, Enterprise Risk Management-Integrated Framework, which has become known as “the COSO Report.” COSO revised the report in 2010; many regard the new report (COSO 2) as a slight improvement over the first report. Since then, ERM has become an integral part of the organizational structure of large business entities in the USA and abroad, as well as of subsystems of business entities, such as information technology. In practice, the internal audit function has assumed the responsibility for assurance about the quality of ERM.