COSO’s Enterprise Risk Management (ERM) Framework
PowerPoint Slideshow about 'COSO’s Enterprise Risk Management (ERM) Framework' - Jims

Presentation Transcript
Project Background
  • Increased awareness of the importance of Risk Management due to events of the past five years:
    • High-profile business scandals
    • Economic slowdown caused many business failures
    • World events impose new risks
  • Emphasized the danger of overlooking risk.
  • Need for a common guide for discussing, identifying, evaluating and managing risk.
Project Background
  • Project was launched by COSO in 2001
  • Engaged PricewaterhouseCoopers to write the COSO ERM Framework, which consists of 3 parts:
    • Executive Summary
    • Framework
    • Application Guidance
  • Currently in draft form, expected to be issued in 3Q of 2004.
Project Background
  • “Enterprise Risk Management” is a process for identifying, analyzing and managing risk across the entire enterprise
  • ERM defines risk and risk management and provides key principles and concepts, a common language and other elements of a comprehensive risk management framework.
  • ERM provides criteria for companies’ use in determining whether their risk management is effective, and if not, what is needed to make it so.
ERM Defined

Defined in the Framework as:

Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ERM Defined
  • The Enterprise Risk Management process includes:
    • Identification of potential events that may impact objectives
    • Assessment of Risk and a determination of an appropriate response
    • Consideration of risk in the formulation of strategy
    • Application across the entity – takes a portfolio view of risk.
    • Risk management within an entity’s risk appetite
    • Monitoring the performance of ERM
ERM Defined

ERM versus the Internal Control – Integrated Framework:

  • ERM is much broader than the Internal Control – Integrated Framework
  • ERM expands on internal control and provides a more robust and extensive focus on the broader subject of enterprise risk management.
  • ERM does NOT replace the internal control framework, rather incorporates elements of the internal control framework within it.
  • The Internal Control – Integrated Framework remains in place as the definition of and framework for internal control.
Benefits of ERM
  • ERM enables management to:
    • Deal effectively with future events that create uncertainty.
    • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
    • Maximize value by balancing strategy and objectives within the entity’s risk appetite.
Benefits of ERM

ERM helps an enterprise to:

  • Align risk appetite and strategy
  • Enhance risk response decisions
  • Reduce operational surprises and losses
  • Identify and manage enterprise-wide risks
  • Seize opportunities
  • Improve deployment of capital
ERM Framework

The ERM Framework is geared to achieving an entity’s objectives, set forth in 4 categories:

  • Strategic – related to the high-level goals and mission of the entity
  • Operations – related to efficiency, performance and profitability
  • Reporting – related to internal and external reporting
  • Compliance – related to compliance with laws and regulations
ERM Framework

The ERM Framework has Eight Components. The cube depicts the interrelationship of the 8 components with the entity’s objectives and with the entity’s units:

Internal Environment

The Internal Environment encompasses:

  • Entity’s Risk Management Philosophy
  • Risk Appetite
  • Board of Directors
  • Integrity and Ethical Values
  • Commitment to Competence
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Standards

Sets the Foundation for how risk and control are viewed and addressed by the entity.

Internal Environment

Risk Management Philosophy:

  • The shared beliefs and attitudes toward risk.
  • Reflects the entity’s values, culture and operating style
    • Formal vs. Informal
    • Conservative vs. Aggressive
  • Affects how risks are identified, the types of risks accepted and how they are managed by an entity.
  • Management reinforces the entity’s risk management philosophy with everyday actions.
Internal Environment

Risk Management Philosophy

  • Risk management philosophy should be consistent throughout the enterprise to effectively apply ERM.
  • However, risk management philosophy can sometimes vary within an enterprise:
    • e.g., an aggressive sales dept. may be prepared to take more risk than the procurement dept., which is responsible for ensuring compliance with company policies and internal controls.
    • These 2 depts. complement each other and will collectively reflect the entity’s risk management philosophy.
Internal Environment

Risk Appetite:

  • The amount of risk an entity is willing to accept in pursuit of value.
  • Reflects the entity’s risk management philosophy
  • Desired return from a strategy should be aligned with the entity’s risk appetite.
  • Qualitative measures – e.g., high, moderate or low risk.
  • Quantitative measures – balances goals with growth and return with risk.
Internal Environment

Board of Directors

  • An active and involved board of directors is a critical part of the internal environment.
  • A board that questions and scrutinizes management’s activities is an effective control.
  • The majority of board members should be independent outside directors.
  • An effective board of directors will ensure that management maintains effective risk management processes.
Internal Environment

Integrity and Ethical Values:

  • Management’s integrity and ethical values influence the decision-making process.
  • Lack of integrity and ethical values creates risk.
  • Corporate culture influences employee behaviors; sets the standard for which rules are followed or ignored.
Internal Environment

Integrity and Ethical Values:

  • Promoting integrity and ethics:
    • The CEO and top management set the example and determine the corporate culture.
    • Performance targets should be realistic and incentives appropriate.
    • Existence of written guidance on what is right and wrong – e.g., a Code of Conduct.
    • Written guidance must be accompanied by communication and training.
    • Upward communication channels are key.
    • Penalties to employees who violate the code act as a deterrent for others.
Internal Environment

Commitment to Competence

  • Competence reflects the knowledge and skills needed to perform assigned tasks.
  • Management must determine the level of competence needed for each task.
  • Trade-offs are made between competence and cost.
  • Trade-offs are made between the extent of supervision and the competence of the individual.
Internal Environment

Organizational Structure:

  • Entity’s organizational structure provides the framework to plan, execute, control and monitor its activities.
  • Defines key areas of authority, responsibility and accountability
  • Organizational structure should enable effective risk management by:
    • promoting the flow of relevant information to top management and key decision makers on a timely basis.
    • appropriate assignment of authority to carry out business activities.
Internal Environment

Organizational Structure:

  • Organizational structure should be suited to the entity’s needs and corporate culture
    • Centralized versus Decentralized
    • Hierarchical reporting relationships versus Flat
    • Structured by product lines, geography, marketing channels, etc.
  • Organizational structure should depend on size and nature of activities.
Internal Environment

Assignment of Authority and Responsibility:

  • Increased delegation of authority empowers employees and often encourages creativity, initiative, faster response times and greater accountability.
  • As authority and responsibility are granted to lower levels within an entity, risk is often increased.
  • Must ensure that authority and responsibility are delegated to competent individuals who understand the entity’s objectives.
Internal Environment

Human Resource Standards

  • Human resource practices play a key role in promoting integrity, ethical behavior and competence:
    • Hiring standards
    • Orientation programs
    • Training programs
    • Performance evaluations
    • Compensation and incentive programs
    • Disciplinary actions
Internal Environment
  • The importance of a strong Internal Environment must not be underestimated.
  • Internal environment is the foundation of all the other ERM components
  • Management is responsible for setting the tone - not just words and policies, but actions must permeate the organization
    • Enron example: flawed internal environment
ERM Framework

Objective Setting:

Objective Setting
  • Objectives must exist before management can identify and assess risks and take steps to manage those risks.
  • Enterprise Risk Management requires that all employees understand the entity’s objectives as they relate to their individual function.
    • Understand what is to be accomplished and how to measure accomplishment.
Objective Setting

Strategic Objectives

  • High-level goals
  • Aligned with entity’s mission/vision

Related Objectives

Activity-level goals, in 3 categories:

  • Operations objectives
  • Reporting objectives
  • Compliance objectives
Objective Setting

Operations Objectives:

  • Pertain to the effectiveness and efficiency of operations.
  • Reflect entity’s business, industry and economic environment.
  • Basis for allocating an entity’s resources
    • Unclear or misunderstood operational objectives could lead to the entity’s resources being misdirected.
Objective Setting

Reporting Objectives:

  • Complete and accurate information
  • Supports management’s decision making process
  • Enables monitoring activities
  • Internal vs. external reporting
  • Financial vs. non-financial data
Objective Setting

Compliance Objectives:

  • Actions taken to comply with applicable laws and regulations:
    • Taxes, markets, pricing
    • Environmental
    • Employee welfare
    • International trade
  • Failure to meet compliance objectives can be costly:
    • Fines, penalties imposed
    • Impact entity’s reputation, loss of market share
Objective Setting

Overlap of Objectives

  • Activities may support more than one objective

Achievement of Objectives

  • Reporting and Compliance objectives are generally easier to achieve, as they are within an entity’s control
  • Operations objectives are more difficult, as they may depend on external factors:
    • Competitors’ actions
    • Poor weather
    • Changes in government
  • Risk identification and risk management can mitigate the impact of external events.
Objective Setting

Risk Appetite

  • The acceptable balance between growth, risk and return
  • Strategy setting must be aligned with the entity’s risk appetite.
  • ERM, applied in strategy setting, helps management select a strategy within its risk appetite

Risk Tolerance

  • Amount of variation the entity is willing to accept in achieving objectives
ERM Framework

Event Identification:

Event Identification
  • Identification of potential events from internal or external sources that influence strategy, and/or the achievement of objectives.
  • Events may be negative or positive – risk or opportunity
  • Event Identification Techniques
  • Event Categories
Event Identification

Examples of Techniques for Identifying Events:

  • Event inventories
  • Internal analysis
  • Escalation or threshold triggers
  • Facilitated workshops and interviews
  • Leading event indicators
  • Loss event data methodologies
  • Process flow analysis

Event interdependencies

ERM Framework

Risk Assessment

Risk Assessment
  • The extent to which potential events will impact an entity’s objectives.
  • Inherent and Residual risk
  • Events are evaluated from 2 perspectives:
    • Likelihood that the event will occur
    • Impact - the effect of the event on the entity
  • Techniques used to assess Likelihood and Impact:
    • Qualitative
    • Quantitative
Risk Assessment

Qualitative Techniques:

  • Used when quantification of risk amounts is not feasible due to lack of data or collection of data is not cost effective.
  • Not as accurate as quantitative
  • Examples:
    • Self-assessment (low, medium, high)
    • Questionnaires
    • Internal audit reviews
Risk Assessment

Quantitative Techniques:

  • More accurate than qualitative
  • Used when there is enough data to produce mathematical or statistical models, performance or benchmarking metrics.
  • Examples:
    • Probability based
    • Non-probabilistic models – utilize impact assumptions only, not likelihood
    • Benchmarking
Risk Assessment

Events Relationships

  • While the impact of a single event might be minimal, a sequence of events can be significant.
  • When a correlation between events exists, events should be assessed together
  • Risks that impact multiple business units may be grouped into common event categories, and assessed in the aggregate.
ERM Framework

Risk Response

Risk Response

4 categories of Risk Responses:

  • Avoidance – Exit the activities causing the risk
  • Reduction – Take action to reduce the likelihood or impact of risk
  • Sharing – Transfer or share the risk or portion of the risk with another party
  • Acceptance – The risk is accepted; no action is taken
Risk Response

In selecting an appropriate risk response, management should consider:

  • Impacts of each response on risk likelihood and impact
  • Which response best fits with the entity’s risk appetite and tolerances
  • Cost versus benefits of potential responses
  • Potential opportunities that may result from each risk response.
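The Risk Assessment and Risk Response slides above describe the method only in words: score each event by likelihood and impact, distinguish inherent from residual risk, assess correlated events as a sequence, aggregate risk into a portfolio view, and choose a response by cost versus benefit within the entity’s tolerance. The Python below is an added worked example written for this page; it is not material from the COSO deck, from COSO or from PricewaterhouseCoopers. The events, probabilities, loss figures, response effects, costs and the 30,000 tolerance are all constructed sample data, the function and class names are this example’s own, and expected-loss scoring (probability times impact) is one quantitative technique chosen for illustration, not one the framework prescribes.

```python
# Added illustration: expected-loss scoring of risk events and response selection.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Event:
    name: str
    category: str        # objective category: Strategic / Operations / Reporting / Compliance
    probability: float   # likelihood of occurring in the period (0..1)
    impact: float        # loss if it occurs, in constructed currency units

@dataclass(frozen=True)
class Response:
    kind: str                        # avoidance | reduction | sharing | acceptance
    probability_factor: float = 1.0  # residual likelihood = probability * factor
    impact_factor: float = 1.0       # residual impact = impact * factor
    annual_cost: float = 0.0         # cost of operating the response

ACCEPT = Response("acceptance")  # no action taken, risk kept as is

def inherent_risk(event: Event) -> float:
    """Expected loss before any response is applied."""
    return round(event.probability * event.impact, 2)

def residual_risk(event: Event, response: Response) -> float:
    """Expected loss that remains once the response is in place."""
    if response.kind == "avoidance":
        return 0.0  # the activity is exited, so nothing of the risk remains
    return round(event.probability * response.probability_factor
                 * event.impact * response.impact_factor, 2)

def net_benefit(event: Event, response: Response) -> float:
    """Risk removed by the response minus what the response costs to run."""
    return round(inherent_risk(event) - residual_risk(event, response) - response.annual_cost, 2)

def select_response(event: Event, candidates: Sequence[Response], tolerance: float) -> Optional[Response]:
    """Pick the candidate that keeps residual risk within tolerance with the best cost/benefit.
    None means no candidate suffices: escalate rather than silently accept."""
    acceptable = [r for r in candidates if residual_risk(event, r) <= tolerance]
    return max(acceptable, key=lambda r: net_benefit(event, r)) if acceptable else None

def sequence_risk(chain: Sequence[Tuple[Event, float]]) -> float:
    """Expected loss of a correlated sequence: each tuple is an event and the probability
    that it follows the previous one; the first event's own probability starts the chain
    and the impacts accumulate along it."""
    joint_probability, total_impact = 1.0, 0.0
    for position, (event, conditional) in enumerate(chain):
        joint_probability *= event.probability if position == 0 else conditional
        total_impact += event.impact
    return round(joint_probability * total_impact, 2)

def portfolio_view(register: Sequence[Tuple[Event, Response]]) -> Dict[str, float]:
    """Residual expected loss summed per objective category (the portfolio view)."""
    totals: Dict[str, float] = {}
    for event, response in register:
        totals[event.category] = round(totals.get(event.category, 0.0) + residual_risk(event, response), 2)
    return totals

# Constructed sample events, not taken from the COSO material
CREDENTIAL_THEFT = Event("phishing-led credential theft", "Operations", 0.30, 200_000)
VENDOR_OUTAGE = Event("critical vendor outage", "Operations", 0.10, 50_000)
LATE_FILING = Event("late regulatory filing", "Compliance", 0.05, 100_000)
# Downstream events assessed only as part of the sequence below
DATA_EXFILTRATION = Event("customer data exfiltration", "Compliance", 0.0, 500_000)
REGULATORY_FINE = Event("regulatory fine", "Compliance", 0.0, 1_000_000)

# Constructed candidate responses, one per response category on the slide
CANDIDATES = [
    ACCEPT,
    Response("reduction", probability_factor=0.2, annual_cost=25_000),  # e.g. MFA and training
    Response("sharing", impact_factor=0.4, annual_cost=30_000),         # e.g. insurance
    Response("avoidance", annual_cost=150_000),                         # exit the activity
]
TOLERANCE = 30_000  # constructed: maximum residual expected loss per event
CREDENTIAL_CHAIN = [(CREDENTIAL_THEFT, 1.0), (DATA_EXFILTRATION, 0.5), (REGULATORY_FINE, 0.6)]

def build_register() -> List[Tuple[Event, Response]]:
    """Assess each standalone event and record the selected response."""
    register: List[Tuple[Event, Response]] = []
    for event in (CREDENTIAL_THEFT, VENDOR_OUTAGE, LATE_FILING):
        chosen = select_response(event, CANDIDATES, TOLERANCE)
        if chosen is None:
            raise ValueError(f"{event.name}: no response within tolerance, escalate")
        register.append((event, chosen))
    return register

if __name__ == "__main__":
    register = build_register()
    for event, response in register:
        print(f"{event.name}: inherent {inherent_risk(event):,.0f}, "
              f"{response.kind} -> residual {residual_risk(event, response):,.0f}")
    print("portfolio view:", portfolio_view(register))
    print("credential theft sequence expected loss:", f"{sequence_risk(CREDENTIAL_CHAIN):,.0f}")
```

Two points the slides make show up directly in the numbers: avoidance drives residual risk to zero but its cost makes it the worst choice for the credential-theft event, so reduction wins on cost versus benefit; and the credential theft that looks like a 60,000 expected loss on its own becomes a 153,000 expected loss once it is assessed as the start of a correlated sequence ending in a regulatory fine.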
ERM Framework

Control Activities

Control Activities
  • Control activities are the policies and procedures established to ensure that the risk responses are carried out.
  • Control activities vary based upon the entity’s goals, implementation techniques, and internal and external environments.
Control Activities

Examples of Control Activities:

  • Senior Management reviews
  • Project management – monitor progress
  • Information processing – controls to check completeness and accuracy
  • Physical controls – inventories, security controls
  • Performance indicators – results analysis
  • Segregation of duties
Control Activities

Control Activity Examples (cont’d):

  • Information Technology Controls:
    • General controls: IT infrastructure and management, security management and software.
    • Application controls: ensure completeness, accuracy and validity of data.
ERM Framework

Information and Communication

Information and Communication
  • Information is needed at all levels of an organization to identify, assess and respond to risk.
  • Communicating accurate information, on time, to the right people is key to effective ERM.
  • Information sources:
    • Internal and external data
    • Historical and Current data
Information and Communication

Information Quality Test:

  • Is it at the appropriate level of detail?
  • Is it there when required?
  • Is it the latest information available?
  • Is the data accurate?
  • Is it easy to obtain by those who need it?
Information and Communication
  • The design of information systems architecture and acquisition of new technology are important aspects of entity strategy.
  • IT systems are often fully integrated into most aspects of operations.
  • Choices regarding technology can be critical to an entity.
  • Reliance on IT systems brings risks – e.g., security breaches and cyber-crimes
  • Risk management techniques can assist in making technology decisions.
ERM Framework

Monitoring

  • Monitoring ensures that the components of ERM continue to function at all levels even as conditions change over time.
  • 2 Types:
    • One-time evaluations
    • Ongoing activities

A combination of the 2 may be appropriate.


Examples of Ongoing Monitoring activities:

  • A review of operating reports may spot inaccuracies or inconsistencies with anticipated results. Timely and complete reporting and resolution of these inconsistencies enhance the effectiveness of the process.
  • Communications from external parties may corroborate internal data or indicate problems.
  • Internal and external auditors identify and monitor weaknesses in control activities (i.e., risks).
  • Training seminars, planning sessions and meetings provide insights into employees’ competency, ethical conduct and risk behaviors.

One-Time Evaluations:

  • Separate, targeted tests can also be effective.
  • Can provide a “fresh look” at the process, end-to-end test
  • Scope and frequency depends on the significance of the risk and risk response, objectives to be achieved.

Who evaluates?

Self-assessment is common:

  • Division head directs the evaluation of ERM activities for their unit, assesses risks associated with objectives and strategic choices, and assesses the internal environment.
  • Line managers focus on operations and compliance objectives
  • Controller focuses on reporting objectives
  • Senior management evaluates all assessments together.

Internal Auditors offer independent view.


Reporting deficiencies

  • What to Report – all deficiencies should be reported to those in a position to take necessary action
  • To Whom to Report – may vary based upon the individual’s authority to deal with the circumstance. Communication must continue upstream until appropriate actions are taken.
  • Protocols should be established to identify what information is needed at a particular level for effective decision making.

No matter how well designed and executed, Enterprise Risk Management cannot ensure an organization’s success or guarantee results.

  • The future will always be uncertain
  • Some events are outside of management’s control
  • Human factors, such as errors in judgment, collusion, and cost/benefit considerations may impede results.
Roles and Responsibilities
  • Everyone in the organization has responsibility for enterprise risk management.
  • The chief executive officer is ultimately responsible.
  • Managers support the risk philosophy, promote compliance within the risk appetite and manage risks within their functional areas.
  • Other key support persons:
    • Risk Officer
    • Financial Officer
    • Internal Auditor
Roles and Responsibilities
  • The Board of Directors provides an oversight role:
    • Ensure that an effective risk management program is in place
    • Understand the entity’s risk appetite
    • Review the entity’s portfolio view of risk
    • Understand the most significant risks and management’s response.
To Begin

Board Members:

  • Discuss with senior management the entity’s ERM process and provide oversight as needed.
  • Understand the significant risks and management’s response
  • Seek input from internal & external auditors, other advisors as necessary
To Begin

Chief Executive Officer:

  • Gather Business Unit heads and key functional staff to discuss an initial assessment of ERM capabilities and effectiveness.
  • This initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation.
Enterprise Risk Management

Visit the COSO ERM website for more information and current developments: