COSO

1
COSOsEnterprise Risk Management (ERM) Framework
2
Enterprise Risk ManagementOverview
Project Background
ERM Defined
Benefits of ERM
8 Components of the ERM Framework
Limitations
Roles Responsibilities
To Begin
3
Project Background

• Increased awareness of the importance of Risk
  Management due to events of the past five years
• High-profile business scandals
• Economic slowdown caused many business failures
• World events impose new risks
• Emphasized the danger of overlooking risk.
• Need for a common guide for discussing,
  identifying, evaluating and managing risk.

4
Project Background

• Project was launched by COSO in 2001
• Engaged PricewaterhouseCoopers to write the COSO
  ERM Framework, which consists of 3 parts
• Executive Summary
• Framework
• Application Guidance
• Currently in draft form, expected to be issued in
  3Q of 2004.

5
Project Background

• Enterprise Risk Management is a process for
  identifying, analyzing and managing risk across
  the entire enterprise
• ERM defines risk and risk management and provides
  key principles and concepts, a common language
  and other elements of a comprehensive risk
  management framework.
• ERM provides criteria for companies use in
  determining whether their risk management is
  effective, and if not, what is needed to make it
  so.

6
ERM Defined

• Defined in the Framework as
• Enterprise Risk Management is a process,
  effected by an entitys board of directors,
  management and other personnel, applied in
  strategy setting and across the enterprise. It
  is designed to identify potential events that may
  affect the entity, and manage risk to be within
  its risk appetite, to provide reasonable
  assurance regarding the achievement of entity
  objectives.

7
ERM Defined

• The Enterprise Risk Management process includes
• Identification of potential events that may
  impact objectives
• Assessment of Risk and a determination of an
  appropriate response
• Consideration of risk in the formulation of
  strategy
• Application across the entity takes a portfolio
  view of risk.
• Risk management within an entitys risk appetite
• Monitoring the performance of ERM

8
ERM Defined

• ERM versus the Internal Control Integrated
  Framework
• ERM is much broader than the Internal Control
  Integrated Framework
• ERM expands on internal control and provides a
  more robust and extensive focus on the broader
  subject of enterprise risk management.
• ERM does NOT replace the internal control
  framework, rather incorporates elements of the
  internal control framework within it.
• The Internal Control Integrated Framework
  remains in place as the definition of and
  framework for internal control.

9
Benefits of ERM

• ERM enables management to
• Deal effectively with future events that create
  uncertainty.
• Respond in a manner that reduces the likelihood
  of downside outcomes and increases the upside.
• Maximize value by balancing strategy and
  objectives within the entitys risk appetite.

10
Benefits of ERM

• ERM helps an enterprise to
• Align risk appetite and strategy
• Enhance risk response decisions
• Reduce operational surprises and losses
• Identify and manage enterprise-wide risks
• Seize opportunities
• Improve deployment of capital

11
ERM Framework

• The ERM Framework is geared to achieving an
  entitys objectives, set forth in 4 categories
• Strategic related to the high-level goals and
  mission of the entity,
• Operations related to efficiency, performance
  and profitability
• Reporting related to internal and external
  reporting
• Compliance related to compliance with laws and
  regulations

12
ERM Framework

• The ERM Framework has Eight Components. The cube
  depicts the interrelationship of the 8 components
  with the entitys objectives and with the
  entitys units

13
Internal Environment

• The Internal Environment encompasses
• Entitys Risk Management Philosophy
• Risk Appetite
• Board of Directors
• Integrity and Ethical Values
• Commitment to Competence
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Standards
• Sets the Foundation for how risk and control are
  viewed and addressed by the entity.

14
Internal Environment

• Risk Management Philosophy
• The shared beliefs and attitudes toward risk.
• Reflects the entitys values, culture and
  operating style
• Formal vs. Informal
• Conservative vs. Aggressive
• Affects how risks are identified, the types of
  risks accepted and how they are managed by an
  entity.
• Management reinforces the entitys risk
  management philosophy with everyday actions.

15
Internal Environment

• Risk Management Philosophy
• Risk management philosophy should be consistent
  throughout the enterprise to effectively apply
  ERM.
• However, risk management philosophy can sometimes
  vary within an enterprise
• e.g., an aggressive sales dept may be prepared to
  take more risk than the procurement dept. that is
  responsible for ensuring compliance with company
  policies and internal controls.
• These 2 depts. compliment each other and will
  collectively reflect the entitys risk management
  philosophy.

16
Internal Environment

• Risk Appetite
• The amount of risk an entity is willing to accept
  in pursuit of value.
• Reflects the entitys risk management philosophy
• Desired return from a strategy should be aligned
  with the entitys risk appetite.
• Qualitative measures e.g., high, moderate or
  low risk.
• Quantitative measures balances goals with
  growth and return with risk.

17
Internal Environment

• Board of Directors
• An active and involved board of directors is a
  critical part of the internal environment.
• A board that questions and scrutinizes
  managements activities is an effective control.
• The majority of board members should be
  independent outside directors.
• An effective board of directors will ensure that
  management maintains effective risk management
  processes.

18
Internal Environment

• Integrity and Ethical Values
• Managements integrity and ethical values
  influence the decision-making process.
• Lack of integrity and ethical values creates
  risk.
• Corporate culture influences employee behaviors
  sets the standard for which rules are followed or
  ignored.

19
Internal Environment

• Integrity and Ethical Values
• Promoting integrity and ethics
• CEO, top mgmt, sets the example and determines
  the corporate culture.
• Performance targets should be realistic and
  incentives appropriate.
• Existence of written guidance on what is right
  and wrong e..g, a Code of Conduct.
• Written guidance must be accompanied by
  communication and training.
• Upward communication channels are key.
• Penalties to employees who violate the code act
  as a deterrent for others.

20
Internal Environment

• Commitment to Competence
• Competence reflects the knowledge and skills
  needed to perform assigned tasks.
• Management must determine the level of competence
  needed for each task.
• Trade-offs are made between competence and cost.
• Trade-offs are made between the extent of
  supervision and the competence of the individual.

21
Internal Environment

• Organizational Structure
• Entitys organizational structure provides the
  framework to plan, execute, control and monitor
  its activities.
• Defines key areas of authority, responsibility
  and accountability
• Organizational structure should enable effective
  risk management by
• promoting the flow of relevant information to top
  management and key decision makers on a timely
  basis.
• Appropriate assignment of authority to carry out
  business activities

22
Internal Environment

• Organizational Structure
• Organizational structure should be suited to the
  entitys needs and corporate culture
• Centralized versus Decentralized
• Hierarchal reporting relationships versus Flat
• Structured by product lines, geographic, or
  marketing channels, etc
• Organizational structure should depend on size
  and nature of activities.

23
Internal Environment

• Assignment of Authority and Responsibility
• Increased delegation of authority empowers
  employees and often encourages creativity,
  initiative, faster response times and greater
  accountability.
• As authority and responsibility is granted to
  lower levels within an entity, risk is often
  increased.
• Must ensure that authority and responsibility is
  delegated to competent individuals who understand
  the entitys objectives.

24
Internal Environment

• Human Resource Standards
• Human resource practice play a key role in
  promoting integrity, ethical behavior and
  competence
• Hiring standards
• Orientation programs
• Training programs
• Performance evaluations
• Compensation and incentive programs
• Disciplinary actions

25
Internal Environment

• The importance of a strong Internal Environment
  must not be underestimated.
• Internal environment is the foundation of all the
  other ERM components
• Management is responsible for setting the tone -
  not just words and policies, but actions must
  permeate the organization
• Enron example flawed internal environment

26
ERM Framework

• Objective Setting

27
Objective Setting

• Objectives must exist before management can
  identify and assess risks and take steps to
  manage those risks.
• Enterprise Risk Management requires that all
  employees understand the entitys objectives as
  it relates to their individual function.
• Understand what is to be accomplished and how to
  measure accomplishment.

28
Objective Setting

• Strategic Objectives
• High level goals,
• Aligned with entitys mission/vision
• Related Objectives
• Activity level goals - 3 categories
• Operations objectives
• Reporting objectives
• Compliance objectives

29
Objective Setting

• Operations Objectives
• Pertain to the effectiveness and efficiency of
  operations.
• Reflect entitys business, industry and economic
  environment.
• Basis for allocating an entitys resources
• Unclear or misunderstood operational objectives
  could lead to the entitys resources being
  misdirected.

30
Objective Setting

• Reporting Objectives
• Complete and accurate information
• Supports managements decision making process
• Enables monitoring activities
• Internal vs. external reporting
• Financial vs. non-financial data

31
Objective Setting

• Compliance Objectives
• Actions taken to comply with applicable laws and
  regulations
• Examples
• Taxes, markets, pricing
• Environmental
• Employee welfare
• International trade
• Failure to meet compliance objectives can be
  costly
• Fines, penalties imposed
• Impact entitys reputation, loss of market share

32
Objective Setting

• Overlap of Objectives
• Activities may support more than one objective
• Achievement of Objectives
• Reporting and Compliance objectives are generally
  easier as within an entitys control
• Operations objectives more difficult as may be
  dependent upon external factors
• Competitors actions
• Poor weather
• Changes in government
• Risk identification and risk management can
  mitigate the impact of external events.

33
Objective Setting

• Risk Appetite
• The acceptable balance between growth, risk and
  return
• Strategy setting must be aligned with the
  entitys risk appetite.
• ERM, applied in strategy setting, helps
  management select a strategy within its risk
  appetite
• Risk Tolerance
• Amount of variation the entity is willing to
  accept in achieving objectives

34
ERM Framework

• Event Identification

35
Event Identification

• Identification of potential events from internal
  or external sources that influence strategy,
  and/or the achievement of objectives.
• Events may be negative or positive risk or
  opportunity
• Event Identification Techniques
• Event Categories

36
Event Identification

• Examples of Techniques for Identifying Events
• Event inventories
• Internal analysis
• Escalation or threshold triggers
• Facilitated workshops and interviews
• Leading event indicators
• Loss event data methodologies
• Process flow analysis
• Event interdependencies

37
Event Categories

• Examples

External Factors Internal Factors
Economic Natural Environment Political Social Technological Infrastructure Personnel Process Technology
38
ERM Framework

• Risk Assessment

39
Risk Assessment

• The extent to which potential events will impact
  an entitys objectives.
• Inherent and Residual risk
• Events are evaluated from 2 perspectives
• Likelihood that the event will occur
• Impact - the effect of the event on the entity
• Techniques used to assess Likelihood and Impact
• Qualitative
• Quantitative

40
Risk Assessment

• Qualitative Techniques
• Used when quantification of risk amounts is not
  feasible due to lack of data or collection of
  data is not cost effective.
• Not as accurate as quantitative
• Examples
• Self-assessment (low, medium, high)
• Questionnaires
• Internal audit reviews

41
Risk Assessment

• Quantitative Techniques
• More accurate than qualitative
• Used when there is enough data to produce
  mathematical or statistical models, performance
  or benchmarking metrics.
• Examples
• Probability based
• Non-probabilistic models utilize impact
  assumptions only, not likelihood
• Benchmarking

42
Risk Assessment

• Events Relationships
• While the impact of a singe event might be
  minimal, a sequence of events can be significant.
• When a correlation between events exists, events
  should be assessed together
• Risks that impact multiple business units may be
  grouped into common event categories, and
  assessed in the aggregate.

43
ERM Framework

• Risk Response

44
Risk Response

• 4 categories of Risk Responses
• Avoidance Exit the activities causing the risk
• Reduction Take action to reduce the likelihood
  or impact of risk
• Sharing Transfer or share the risk or portion
  of the risk with another party
• Acceptance Risk accepted, No action is taken

45
Risk Response

• In selecting an appropriate risk response,
  management should consider
• Impacts of each response on risk likelihood and
  impact
• Which response best fits with the entitys risk
  appetite and tolerances
• Cost versus benefits of potential responses
• Potential opportunities that may result from each
  risk response.

46
ERM Framework

• Control Activities

47
Control Activities

• Control activities are the policies and
  procedures established to ensure that the risk
  responses are carried out.
• Control activities vary based upon the entitys
  goals, implementation techniques, and internal
  and external environments.

48
Control Activities

• Examples of Control Activities
• Senior Management reviews
• Project management monitor progress
• Information processing controls to check
  completeness and accuracy
• Physical controls inventories, security
  controls
• Performance indicators results analysis
• Segregation of duties

49
Control Activities

• Control Activity Examples (contd)
• Information Technology Controls
• General controls IT infrastructure and
  management, security management and software.
• Application controls ensure completeness,
  accuracy and validity of data.

50
ERM Framework

• Information and Communication

51
Information and Communication

• Information is needed at all levels of an
  organization to identify, assess and respond to
  risk.
• Communicating accurate information, on time, to
  the right people is key to effective ERM.
• Information sources
• Internal and external data
• Historical and Current data

52
Information and Communication

• Information Quality Test
• Is it at the appropriate level of detail?
• Is it there when required?
• Is it the latest information available?
• Is the data accurate?
• Is is easy to obtain by those who need it?

53
Information and Communication

• The design of information systems architecture
  and acquisition of new technology are important
  aspects of entity strategy.
• IT systems are often fully integrated into most
  aspects of operations.
• Choices regarding technology can be critical to
  an entity.
• Reliance on IT systems bring risks e.g.,
  security breaches and cyber-crimes
• Risk management techniques can assist in making
  technology decisions.

54
ERM Framework

• Monitoring

55
Monitoring

• Monitoring ensures that the components of ERM
  continue to function at all levels even as
  conditions change over time.
• 2 Types
• One-time evaluations
• Ongoing activities
• A combination of the 2 may be appropriate.

56
Monitoring

• Examples of Ongoing Monitoring activities
• A review of operating reports may spot
  inaccuracies or inconsistencies with anticipated
  results. Timely and complete reporting and
  resolution of these inconsistencies enhance the
  effectiveness of the process.
• Communications from external parties may
  corroborate internal data or, indicate problems.
• Internal and external auditors identify and
  monitor weaknesses in control activities, i.e.,
  risk
• Training seminars, planning sessions and meetings
  provide insights to employees competency,
  ethical conduct and risk behaviors.

57
Monitoring

• One-Time Evaluations
• Separate, targeted tests can also be effective.
• Can provide a fresh look at the process,
  end-to-end test
• Scope and frequency depends on the significance
  of the risk and risk response, objectives to be
  achieved.

58
Monitoring

• Who evaluates?
• Self-assessment is common
• Division head directs the evaluation of ERM
  activities for their unit.. Assesses risks
  associated with objectives and strategic choices,
  and assesses the internal environment.
• Line managers focus on operations and compliance
  objectives,
• Controller focuses on reporting objectives
• Senior management evaluates all assessments
  together.
• Internal Auditors offer independent view.

59
Monitoring

• Reporting deficiencies
• What to Report all deficiencies should be
  reported to those in a position to take necessary
  action
• To Whom to Report may vary based upon the
  individuals authority to deal with the
  circumstance. Communication must continue
  upstream until appropriate actions are taken.
• Protocols should be established to identify what
  information is needed at a particular level for
  effective decision making.

60
Limitations

• No matter how well deigned and executed,
  Enterprise Risk Management cannot ensure an
  organizations success or guarantee results.
• The future will always be uncertain
• Some events are outside of managements control
• Human factors, such as errors in judgment,
  collusion, and cost/benefit considerations may
  impede results.

61
Roles and Responsibilities

• Everyone in the organization has responsibility
  for enterprise risk management.
• The chief executive officer is ultimately
  responsible.
• Managers support the risk philosophy, promote
  compliance within the risk appetite and manage
  risks within their functional areas
• Other key support persons
• Risk Officer
• Financial Officer
• Internal Auditor

62
Roles and Responsibilities

• Board of Directors provide oversight role
• Ensure that an effective risk management program
  is in place
• Understand the entitys risk appetite
• Review the entitys portfolio view of risk
• Understand the most significant risks and
  managements response.

63
To Begin

• Board Members
• Discuss with senior management the entitys ERM
  process and provide oversight as needed.
• Understand the significant risks and managements
  response
• Seek input from internal external auditors,
  other advisors as necessary

64
To Begin

• Chief Executive Officer
• Gather Business Unit heads and key functional
  staff to discuss an initial assessment of ERM
  capabilities and effectiveness.
• This initial assessment should determine whether
  there is a need for, and how to proceed with, a
  broader, more in-depth evaluation.

65
Enterprise Risk Management

• Visit the COSO ERM website for more information
  and current developments
• www.erm.coso.org