
Enterprise risk management ERMERM v2bis


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 105
Size: 1.01 MB


Contents


Page 1

Enterprise Risk Management (ERM)

Page 2

FUNDAMENTALS & ROLES

• The Fundamentals

• COSO Enterprise Risk Management

• Role of Executive Management

• Role of the Director

• Role of the Chief Risk Officer

• Risk Management Oversight Structure

• Role of Internal Audit

Page 3

• Risk Management Vision and Objectives

• Conducting Risk Assessments

• Getting Started – Set the Foundation

• Building & Enhancing Capabilities

• Building a Compelling Business Case

• Making it Happen

• Relevance to Sarbanes-Oxley Compliance

• Other Questions

Page 4

COSO Enterprise Risk Management

What is COSO? (“Committee of Sponsoring Organizations”, formed in 1985)

• voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance

• sponsored the National Commission on Fraudulent Financial Reporting (the Treadway Commission)

• studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions

Page 5

COSO Enterprise Risk Management

COSO sponsoring organizations?

• American Institute of Certified Public Accountants (AICPA)

• Institute of Internal Auditors (IIA)

• Financial Executives International (FEI)

• Institute of Management Accountants (IMA)

• American Accounting Association (AAA)

Page 6

COSO Enterprise Risk Management

Why was the COSO Enterprise Risk Management – Integrated Framework created?

• “recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.”

• to develop a framework that “would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.”

• as high-profile business failures occurred during the period of the framework’s development, there were “calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards.”

• need for a framework to provide a common language and give clear direction and guidance

Page 7

COSO Enterprise Risk Management

What is the COSO Enterprise Risk Management – Integrated Framework?

“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Page 8

COSO Enterprise Risk Management

COSO ERM – Integrated Framework

• four categories of objectives – strategic, operations, reporting and compliance

• the entity, its divisions, business units & subsidiaries

• eight components of ERM

Page 9

COSO Enterprise Risk Management

Eight components of ERM

• Internal environment - risk management philosophy

• Objective setting - strategic objectives

• Event identification - potential events (SWOT)

• Risk assessment - impact of potential events

• Risk response - response options and effect

• Control activities - policies & procedures

• Information and communication - reporting

• Monitoring - assess performance

Page 10

COSO Enterprise Risk Management

Page 11

COSO Enterprise Risk Management

Internal environment: risk management philosophy

This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.

Page 12

COSO Enterprise Risk Management

Objective-setting: strategic objectives

Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.

Page 13

COSO Enterprise Risk Management

Event identification: potential events (SWOT)

Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.

Page 14

COSO Enterprise Risk Management

Risk assessment: impact of potential events

Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.

Page 15

COSO Enterprise Risk Management

Risk response: response options and effect

Management considers alternative risk response options and their effect on risk likelihood and impact as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.

Page 16

COSO Enterprise Risk Management

Control activities: policies & procedures

Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.

Page 17

COSO Enterprise Risk Management

Information and communication: reporting

The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management and this component delivers it.

Page 18

COSO Enterprise Risk Management

Monitoring: assess performance

Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time.

Page 19

COSO Enterprise Risk Management

How can we obtain the COSO ERM framework?

Page 20

COSO Enterprise Risk Management

How was the COSO ERM framework developed?

• COSO engaged PricewaterhouseCoopers

• input from CEOs, CFOs, CROs, controllers and internal auditors representing public & private companies of varying sizes and from different industries & government agencies

• input from legislators, regulators, external auditors, lawyers and academics

Page 21

COSO Enterprise Risk Management

How do we use the COSO ERM framework?

Page 22

COSO Enterprise Risk Management

How do we use the COSO ERM framework?

• should be used as a benchmarking tool to evaluate the effectiveness of the ERM process in place as well as specific risk management activities at all levels of the organization

• provides the context for defining improvements in risk management capabilities

Page 23

COSO Enterprise Risk Management

Are companies required to use the COSO ERM framework? NO

Does the COSO ERM – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework? NO

Page 24

COSO Enterprise Risk Management

How does the COSO ERM compare to Internal Control?

• broader focus on risk management; encompasses the internal control framework

• adds a new category, strategic objectives, and expands the reporting objective to include internal reporting

• introduces the concepts of risk appetite and risk tolerance

• expands the risk assessment component into four components – objective-setting, event identification, risk assessment and risk response

Page 25

COSO Enterprise Risk Management

Does ERM broaden the focus beyond traditional risk management - insurable risk?

• emphasizes strategic, operational, reporting and compliance objectives

• the eight components of ERM are sufficiently comprehensive and extend beyond the procurement of insurance

Page 26

COSO Enterprise Risk Management

Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO ERM relate to them?

• Internal Control Guidance for Directors on the Combined Code (United Kingdom)

• King Report on Corporate Governance for South Africa

• International Organization for Standardization – ISO/IEC Guide

• Australian/New Zealand Standard 4360: Risk Management

• Risk Management Standard (Institute of Risk Management, Association of Insurance and Risk Management)

• COSO did not publish a reconciliation – but considered them

Page 27

COSO Enterprise Risk Management

What is the point of view of the SEC with respect to ERM?

SEC Rule 33-9089, which “mandates disclosure of risk oversight and risk reporting lines, risk assessment by business unit, and assessment of the risk associated with compensation plans”

Page 28

COSO Enterprise Risk Management

What are the deliverables when the COSO ERM framework is implemented?

• Presence on CEO agenda

• Overall risk management policy

• Common risk language

• Enterprise-wide risk assessment process

• Common process view

• Clarity of roles and responsibilities related to risk management

• Focused risk committee(s)

• CRO (or equivalent executive)

Page 29

COSO Enterprise Risk Management

• Integration of risk responses within business plans

• Integration of risk management with strategy-setting

• Alignment of organizational behavior with risk appetite

• Improved capabilities for managing priority risks

• Strategic value proposition

Page 30

COSO Enterprise Risk Management

Can a company “partially” adopt the COSO ERM with success?

• with a centralized view of the business, an enterprise view must of necessity extend to the entire organization

• with a decentralized view of the organization, with different units operating autonomously, an enterprise view would apply at the unit level

Page 31

Role of Executive Management

Who should participate in the ERM process, and how?

• works best when all key managers of the organization contribute (CRO, CFO, Legal & Audit)

• they “support the entity’s risk management philosophy, promote compliance with its risk appetite and manage risks within their spheres of responsibility consistent with risk tolerances.”

Page 32

Role of Executive Management

Must the CEO be fully engaged in the ERM process or system for it to be successful, or can he or she delegate it to someone else?

• the “CEO is ultimately responsible and should assume ownership”

• are there any unknown exposures to events that can abruptly shift the organization’s agenda to “damage control” in a heartbeat should they occur?

• what can be done cost-effectively to prevent the potential future events from happening, and how will the organization respond should the events occur?

Page 33

Role of Executive Management

How will senior management benefit from supporting ERM implementation?

• 6 in 10 senior executives lack high confidence that their organization’s capabilities are identifying and managing all potentially significant business risks

• an enterprise-wide approach to business risk management will help executives meet the challenges they face by improving the linkage of risk and opportunity during the strategy-setting process and positioning risk management as a differentiating skill in managing the business

Page 34

Role of Executive Management

How should executive management evaluate ERM?

• the four categories of objectives

• the extent of application (across the entity and its divisions and business units)

• the eight components of ERM, as defined by the COSO framework, provide the basis for that evaluation

Page 35

Role of Executive Management

What is the role of the CIO in an ERM environment?

• overall governance issues relating to the IT operations

• processes impacting IT

• the various application and data owners

• the need to eliminate gaps and overlaps in the ownership of IT-related risks

Page 36

Role of Executive Management

What is the role of the treasury and insurance in an ERM environment?

• physical and financial assets on the balance sheet

• prospects for expected future cash flows from core business activities

• various contractual obligations of the enterprise, among other things

Page 37

Role of Executive Management

Enterprise-wide view

• those closest to the risks must be directly engaged in the management of the risks

• they assume primary responsibility to decide, design and monitor, or secondary responsibility to build and execute (according to the design)

• treasuries and insurable risk management functions are taking a broader, more strategic view of the business, leading their organizations to a more formal and systematic approach to managing operational and other business risks

Page 38

Role of Executive Management

Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?

• Information and communication – reporting drives transparency about risk and risk management throughout the organization to enable risk assessment, execution of risk responses and control activities, as well as monitoring of performance

• dashboard or scorecard reporting

Page 39

Role of Executive Management

• the enterprise’s risks, broken down by operating unit, geographic location, product group, etc.

• existing gaps in the capabilities for managing the priority risks

• top and worst performing investments and the reasons why

• report of emerging issues or risks that warrant immediate attention

• sensitivity of existing portfolio positions to market rate changes beyond specified limits - exposure of earnings or cash flow to severe losses

• impact of changes in other key variables beyond management’s control (e.g., inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and the business plan

Page 40

Role of Executive Management

• operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e., limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and “near misses.”

• specific events or anticipated concerns that could “stop the show.” For example, what is our Latin American or Asian exposure?

• significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization’s regulators

• status of improvement initiatives. Are planned improvement initiatives on track? If not, why?

Page 41

Role of the Director

How are ERM and governance related?

• Governance is the process by which directors oversee the decisions and actions of executive management in a constructive manner, consistent with applicable laws and regulations, as management formulates and executes strategies to accomplish enterprise objectives

• Top performers will be those that best understand their risks and align their risk taking with what they do best

• Management can use guidance and input from savvy, experienced directors as they work to achieve this objective

Page 42

Role of the Director

Why should directors be concerned about whether their companies implement ERM?

• a shortfall of knowledge about the current and future strategy of their companies

• a certain lack of confidence in management

• a desire to assume a more active overall role

Posted: 18/01/2019, 14:29