The Fundamentals of Enterprise Risk Management: What You Need to Know to Prepare for the BEC Section

by Michael Kraten, PhD, CPA

Nervous about the BEC section of the exam? Your concern is perfectly understandable; after all, BEC addresses conceptual material that isn’t emphasized on any of the other sections of the CPA exam, and that tends to be under-emphasized in traditional collegiate accounting programs as well.

For instance, consider the discipline of Enterprise Risk Management (ERM). Although the Auditing section of the exam does address the COSO version of the Internal Controls cube, it does not focus on COSO’s far more broadly defined Enterprise Risk Management (ERM) cube.1 Neither do the other two sections of the exam, for that matter. It is only addressed in the BEC section.

Furthermore, the COSO Internal Controls cube is addressed (at least in part) by a single step on the front face of the ERM cube entitled Control Activities. But there are seven other steps on its front face, as well as four across its top side and four on its right side. And the Integrated Framework text that is published by COSO, containing the material that fully explains the discipline, extends across 246 pages!

So how deeply should you focus on the ERM material? Should you focus primarily on that single “Control Activities” step? Or must you memorize every step on the ERM cube, as well as every word on those 246 pages? The answers to those questions will not only help you prepare for the ERM questions; they will also help you develop a review strategy for all of the material on the BEC section of the exam.

First, Focus On the General Concepts

A “brief skim” of the guidelines makes it evident that some of the steps on the ERM cube are more important than others. In fact, the middle four steps on the front face of the cube represent the conceptual core of the material, and thus your primary review activity should focus on those very four steps.

What are those four steps? They are: (1) event identification, (2) risk assessment, (3) risk response, and (4) control activities. The first two of the steps are designed to be addressed sequentially, whereas the final two are designed to be addressed concurrently.

What are the primary concepts that are addressed by the first two steps? Any organization that intends to manage its risks on an enterprise-wide level must first identify all of the possible “things that might go wrong,” which are called “events” by COSO. Then it must identify the highest priority events by focusing on those that: (a) are most likely to go wrong, and (b) would do the most damage (or inflict the highest “cost”) if they occur. The identification process is called “event identification” by COSO, and the prioritization process is called “risk assessment.”

And what of the final two steps? Events that are highly prioritized because of their potential damage levels should be addressed by implementing “risk response” (i.e. crisis response) activities that can reduce these costs. And events that are prioritized because of their likelihoods should be addressed by implementing new “control activities,” such as preventive controls that reduce probabilities of occurrence.

Second, Apply To the Case Particulars

It is important to remember that you can earn significant exam credit on any topic by

demonstrating conceptual knowledge, even if you have no idea how to apply it to the details of a case question! In other words, by simply communicating your understanding of the four core steps of ERM, you can help yourself progress towards a passing grade.

If possible, though, it would certainly be helpful to add some applied information if a case question requires you to do so. In particular, the 246 page COSO text emphasizes two key techniques that should be applied to such questions.

First, you should remember to note that it is important to establish tolerance levels during the risk assessment process, thus creating risk objectives and threshold targets for your risk response and control activities. And you should also list a set of leading performance indicators that would warn management whenever an impending event is looming on the horizon.

These detailed facts supplement the conceptual structure of the ERM plan, but do not replace it. So please remember to address “concepts first and particulars second” when you address your question!

A Strategy for All BEC Topics

This two-step process represents more than simply a strategy for understanding the ERM cube. It also serves as a valid approach for addressing all of the topics within the BEC section.

Whether your question focuses on Economics, Management Accounting, or any of the other topics, you must first identify the key concepts of extremely broad sets of material. And then you must apply those key concepts to the particular “given assumptions” of the question.

For questions regarding the ERM cube, you should remember to address the four core steps of event identification, risk assessment, risk response, and control activities. And then you should remember to cite the two application techniques of tolerance levels and leading performance indicators. By focusing on these critical points, you can optimize your chances of success.