
Enterprise risk management ERM l2a v1


Enterprise Risk Management (ERM)
‘Integrated Framework’
FUNDAMENTALS & ROLES
COSO Enterprise Risk Management


FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit


IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions


COSO Enterprise Risk Management
What is COSO? (“Committee of Sponsoring Organizations”, formed in 1985)
• A voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
• Sponsored the National Commission on Fraudulent Financial Reporting (the Treadway Commission).
• The Treadway Commission studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.


COSO Enterprise Risk Management
Who are the COSO sponsoring organizations?
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• American Accounting Association (AAA)


COSO Enterprise Risk Management
Why was the COSO Enterprise Risk Management – Integrated Framework created?
• “Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.”
• To develop a framework that “would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.”
• High-profile business failures occurred during the period of the framework’s development, and there were “calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards.”
• The need for a framework to provide a common language and give clear direction and guidance.


COSO Enterprise Risk Management
What is the COSO Enterprise Risk Management – Integrated Framework?
“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”


COSO Enterprise Risk Management
COSO ERM – Integrated Framework
• Four categories of objectives – strategic, operations, reporting and compliance
• Levels of the organization – the entity, its divisions, business units & subsidiaries
• Eight components of ERM


COSO Enterprise Risk Management
Eight components of ERM
• Internal environment - risk management philosophy
• Objective setting - strategic objectives
• Event identification - potential events (SWOT)
• Risk assessment - impact of potential events
• Risk response - response options and effect
• Control activities - policies & procedures
• Information and communication - reporting
• Monitoring - assess performance




COSO Enterprise Risk Management
Internal environment: risk management philosophy
This component reflects an entity’s enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the “tone at the top” of the enterprise and influences the organization’s governance process and the risk and control consciousness of its people.


COSO Enterprise Risk Management
Objective-setting: strategic objectives
Management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.


COSO Enterprise Risk Management
Event identification: potential events (SWOT)
Management identifies potential events that may positively or negatively affect an entity’s ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.


COSO Enterprise Risk Management
Risk assessment: impact of potential events
Management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.


COSO Enterprise Risk Management
Risk response: response options and effect
Management considers alternative risk response options and their effect on risk likelihood and impact, as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.


COSO Enterprise Risk Management
Control activities: policies & procedures
Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed.


COSO Enterprise Risk Management
Information and communication: reporting
The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organization. Reporting is vital to risk management, and this component delivers it.


COSO Enterprise Risk Management
Monitoring: assess performance
Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time.


COSO Enterprise Risk Management
How can we obtain the COSO ERM framework?
www.coso.org
The Integrated Framework consists of:
• Executive Summary
• Framework
• Application Techniques
See also: Risk Management in the Electricity Industry (EurElectric)


COSO Enterprise Risk Management
How was the COSO ERM framework developed?
• COSO engaged PricewaterhouseCoopers
• Input from CEOs, CFOs, CROs, controllers and internal auditors representing public & private companies of varying sizes and from different industries & government agencies
• Input from legislators, regulators, external auditors, lawyers and academics




COSO Enterprise Risk Management
How do we use the COSO ERM framework?
• It should be used as a benchmarking tool to evaluate the effectiveness of the ERM process in place, as well as specific risk management activities at all levels of the organization.
• It provides the context for defining improvements in risk management capabilities.


COSO Enterprise Risk Management
Are companies required to use the COSO ERM framework? NO
Does the COSO ERM – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework? NO


COSO Enterprise Risk Management
How does the COSO ERM compare to Internal Control?
• Broader focus on risk management; it encompasses the internal control framework
• Adds a new category, strategic objectives, and expands the reporting objective to include internal reporting
• Introduces the concepts of risk appetite and risk tolerance
• Expands the risk assessment component into four components – objective-setting, event identification, risk assessment and risk response


COSO Enterprise Risk Management
Does ERM broaden the focus beyond traditional risk management (insurable risk)?
• It emphasizes strategic, operational, reporting and compliance objectives
• The eight components of ERM are sufficiently comprehensive and extend beyond the procurement of insurance


