Enterprise Risk Management (ERM)
‘Integrated Framework’
FUNDAMENTALS & ROLES: COSO Enterprise Risk Management

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

COSO Enterprise Risk Management

What is COSO? (“Committee of Sponsoring Organizations”, formed in 1985)
• A voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
• Formed to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission).
• The Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

COSO sponsoring organizations?
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• American Accounting Association (AAA)

Why was the COSO Enterprise Risk Management – Integrated Framework created?
• “Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.”
• COSO set out to develop a framework that “would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.”
• As high-profile business failures occurred during the period of the framework’s development, there were “calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards.”
• There was a need for a framework to provide a common language and give clear direction and guidance.

What is the COSO Enterprise Risk Management – Integrated Framework?
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

COSO ERM – Integrated Framework
• Four categories of objectives – strategic, operations, reporting and compliance
• Organizational levels – the entity, its divisions, business units & subsidiaries
• Eight components of ERM

Eight components of ERM
• Internal environment - risk management philosophy
• Objective setting - strategic objectives
• Event identification - potential events (SWOT)
• Risk assessment - impact of potential events
• Risk response - response options and effect
• Control activities - policies & procedures
• Information and communication - reporting
• Monitoring - assess performance

Internal environment: risk management philosophy
This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.

Objective-setting: strategic objectives
Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.

Event identification: potential events (SWOT)
Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.

Risk assessment: impact of potential events
Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.

Risk response: response options and effect
Management considers alternative risk response options and their effect on risk likelihood and impact, as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.

Control activities: policies & procedures
Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.

Information and communication: reporting
The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management, and this component delivers it.

Monitoring: assess performance
Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time.

How can we obtain the COSO ERM framework?

How was the COSO ERM framework developed?
• COSO engaged PricewaterhouseCoopers.
• Input came from CEOs, CFOs, CROs, controllers and internal auditors representing public & private companies of varying sizes and from different industries & government agencies.
• Input also came from legislators, regulators, external auditors, lawyers and academics.

How do we use the COSO ERM framework?
• It should be used as a benchmarking tool to evaluate the effectiveness of the ERM process in place, as well as specific risk management activities at all levels of the organization.
• It provides the context for defining improvements in risk management capabilities.

Are companies required to use the COSO ERM framework? NO
Does the COSO ERM – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework? NO

How does the COSO ERM compare to Internal Control?
• ERM has a broader focus on risk management and encompasses the internal control framework.
• It adds a new category of objectives, strategic objectives, and expands the reporting objective to include internal reporting.
• It introduces the concepts of risk appetite and risk tolerance.
• It expands the risk assessment component into four components – objective-setting, event identification, risk assessment and risk response.

Does ERM broaden the focus beyond traditional risk management (insurable risk)?
• ERM emphasizes strategic, operational, reporting and compliance objectives.
• The eight components of ERM are sufficiently comprehensive and extend beyond the procurement of insurance.

Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO ERM relate to them?
• Internal Control Guidance for Directors on the Combined Code (United Kingdom)
• King Report on Corporate Governance for South Africa
• International Organization for Standardization – ISO/IEC Guide
• Australian/New Zealand Standard 4360: Risk Management
• Risk Management Standard (Institute of Risk Management, Association of Insurance and Risk Management)
• COSO did not publish a reconciliation – but considered them

What is the point of view of the SEC with respect to ERM?
SEC Rule 33-9089, which “mandates disclosure of risk oversight and risk reporting lines, risk assessment by business unit, and assessment of the risk associated with compensation plans”

What are the deliverables when the COSO ERM framework is implemented?
• Presence on CEO agenda
• Overall risk management policy
• Common risk language
• Enterprisewide risk assessment process
• Common process view
• Clarity of roles and responsibilities related to risk management
• Focused risk committee(s)
• CRO (or equivalent executive)
• Integration of risk responses within business plans
• Integration of risk management with strategy-setting
• Alignment of organizational behavior with risk appetite
• Improved capabilities managing priority risks
• Strategic value proposition

Can a company “partially” adopt the COSO ERM with success?
• In a centralized view of the business, an enterprise view must of necessity extend to the entire organization.
• In a decentralized view of the organization, with different units operating autonomously, an enterprise view would apply at the unit level.