COSO - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
COSO's Enterprise Risk Management (ERM) Framework
2
Enterprise Risk Management Overview
Project Background
ERM Defined
Benefits of ERM
8 Components of the ERM Framework
Limitations
Roles & Responsibilities
To Begin
3
Project Background
  • Increased awareness of the importance of Risk
    Management due to events of the past five years
  • High-profile business scandals
  • Economic slowdown caused many business failures
  • World events impose new risks
  • Emphasized the danger of overlooking risk.
  • Need for a common guide for discussing,
    identifying, evaluating and managing risk.

4
Project Background
  • Project was launched by COSO in 2001
  • Engaged PricewaterhouseCoopers to write the COSO
    ERM Framework, which consists of 3 parts
  • Executive Summary
  • Framework
  • Application Guidance
  • Currently in draft form, expected to be issued in
    3Q of 2004.

5
Project Background
  • Enterprise Risk Management is a process for
    identifying, analyzing and managing risk across
    the entire enterprise
  • ERM defines risk and risk management and provides
    key principles and concepts, a common language
    and other elements of a comprehensive risk
    management framework.
  • ERM provides criteria for companies to use in
    determining whether their risk management is
    effective and, if not, what is needed to make it
    so.

6
ERM Defined
  • Defined in the Framework as:
  • "Enterprise Risk Management is a process,
    effected by an entity's board of directors,
    management and other personnel, applied in
    strategy setting and across the enterprise. It
    is designed to identify potential events that may
    affect the entity, and manage risk to be within
    its risk appetite, to provide reasonable
    assurance regarding the achievement of entity
    objectives."

7
ERM Defined
  • The Enterprise Risk Management process includes:
  • Identification of potential events that may
    impact objectives
  • Assessment of risk and a determination of an
    appropriate response
  • Consideration of risk in the formulation of
    strategy
  • Application across the entity, taking a portfolio
    view of risk
  • Risk management within an entity's risk appetite
  • Monitoring the performance of ERM

8
ERM Defined
  • ERM versus the Internal Control - Integrated
    Framework
  • ERM is much broader than the Internal Control -
    Integrated Framework
  • ERM expands on internal control and provides a
    more robust and extensive focus on the broader
    subject of enterprise risk management.
  • ERM does NOT replace the internal control
    framework; rather, it incorporates elements of the
    internal control framework within it.
  • The Internal Control - Integrated Framework
    remains in place as the definition of and
    framework for internal control.

9
Benefits of ERM
  • ERM enables management to:
  • Deal effectively with future events that create
    uncertainty.
  • Respond in a manner that reduces the likelihood
    of downside outcomes and increases the upside.
  • Maximize value by balancing strategy and
    objectives within the entity's risk appetite.

10
Benefits of ERM
  • ERM helps an enterprise to:
  • Align risk appetite and strategy
  • Enhance risk response decisions
  • Reduce operational surprises and losses
  • Identify and manage enterprise-wide risks
  • Seize opportunities
  • Improve deployment of capital

11
ERM Framework
  • The ERM Framework is geared to achieving an
    entity's objectives, set forth in 4 categories:
  • Strategic - related to the high-level goals and
    mission of the entity
  • Operations - related to efficiency, performance
    and profitability
  • Reporting - related to internal and external
    reporting
  • Compliance - related to compliance with laws and
    regulations

12
ERM Framework
  • The ERM Framework has eight components. The cube
    depicts the interrelationship of the 8 components
    with the entity's objectives and with the
    entity's units.

13
Internal Environment
  • The Internal Environment encompasses:
  • Entity's Risk Management Philosophy
  • Risk Appetite
  • Board of Directors
  • Integrity and Ethical Values
  • Commitment to Competence
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Standards
  • Sets the Foundation for how risk and control are
    viewed and addressed by the entity.

14
Internal Environment
  • Risk Management Philosophy
  • The shared beliefs and attitudes toward risk.
  • Reflects the entity's values, culture and
    operating style
  • Formal vs. Informal
  • Conservative vs. Aggressive
  • Affects how risks are identified, the types of
    risks accepted and how they are managed by an
    entity.
  • Management reinforces the entity's risk
    management philosophy with everyday actions.

15
Internal Environment
  • Risk Management Philosophy
  • Risk management philosophy should be consistent
    throughout the enterprise to effectively apply
    ERM.
  • However, risk management philosophy can sometimes
    vary within an enterprise
  • e.g., an aggressive sales dept. may be prepared to
    take more risk than the procurement dept. that is
    responsible for ensuring compliance with company
    policies and internal controls.
  • These 2 depts. complement each other and will
    collectively reflect the entity's risk management
    philosophy.

16
Internal Environment
  • Risk Appetite
  • The amount of risk an entity is willing to accept
    in pursuit of value.
  • Reflects the entity's risk management philosophy
  • Desired return from a strategy should be aligned
    with the entity's risk appetite.
  • Qualitative measures - e.g., high, moderate or
    low risk.
  • Quantitative measures - balance goals with
    growth, and return with risk.

17
Internal Environment
  • Board of Directors
  • An active and involved board of directors is a
    critical part of the internal environment.
  • A board that questions and scrutinizes
    management's activities is an effective control.
  • The majority of board members should be
    independent outside directors.
  • An effective board of directors will ensure that
    management maintains effective risk management
    processes.

18
Internal Environment
  • Integrity and Ethical Values
  • Management's integrity and ethical values
    influence the decision-making process.
  • Lack of integrity and ethical values creates
    risk.
  • Corporate culture influences employee behaviors
    and sets the standard for which rules are followed
    or ignored.

19
Internal Environment
  • Integrity and Ethical Values
  • Promoting integrity and ethics:
  • CEO and top mgmt. set the example and determine
    the corporate culture.
  • Performance targets should be realistic and
    incentives appropriate.
  • Existence of written guidance on what is right
    and wrong, e.g., a Code of Conduct.
  • Written guidance must be accompanied by
    communication and training.
  • Upward communication channels are key.
  • Penalties to employees who violate the code act
    as a deterrent for others.

20
Internal Environment
  • Commitment to Competence
  • Competence reflects the knowledge and skills
    needed to perform assigned tasks.
  • Management must determine the level of competence
    needed for each task.
  • Trade-offs are made between competence and cost.
  • Trade-offs are made between the extent of
    supervision and the competence of the individual.

21
Internal Environment
  • Organizational Structure
  • Entity's organizational structure provides the
    framework to plan, execute, control and monitor
    its activities.
  • Defines key areas of authority, responsibility
    and accountability
  • Organizational structure should enable effective
    risk management by:
  • Promoting the flow of relevant information to top
    management and key decision makers on a timely
    basis.
  • Appropriate assignment of authority to carry out
    business activities

22
Internal Environment
  • Organizational Structure
  • Organizational structure should be suited to the
    entity's needs and corporate culture
  • Centralized versus Decentralized
  • Hierarchical reporting relationships versus Flat
  • Structured by product lines, geography, or
    marketing channels, etc.
  • Organizational structure should depend on size
    and nature of activities.

23
Internal Environment
  • Assignment of Authority and Responsibility
  • Increased delegation of authority empowers
    employees and often encourages creativity,
    initiative, faster response times and greater
    accountability.
  • As authority and responsibility are granted to
    lower levels within an entity, risk is often
    increased.
  • Must ensure that authority and responsibility are
    delegated to competent individuals who understand
    the entity's objectives.

24
Internal Environment
  • Human Resource Standards
  • Human resource practices play a key role in
    promoting integrity, ethical behavior and
    competence:
  • Hiring standards
  • Orientation programs
  • Training programs
  • Performance evaluations
  • Compensation and incentive programs
  • Disciplinary actions

25
Internal Environment
  • The importance of a strong Internal Environment
    must not be underestimated.
  • Internal environment is the foundation of all the
    other ERM components.
  • Management is responsible for setting the tone -
    not just words and policies, but actions must
    permeate the organization.
  • Enron example - flawed internal environment

26
ERM Framework
  • Objective Setting

27
Objective Setting
  • Objectives must exist before management can
    identify and assess risks and take steps to
    manage those risks.
  • Enterprise Risk Management requires that all
    employees understand the entity's objectives as
    they relate to their individual function.
  • Understand what is to be accomplished and how to
    measure accomplishment.

28
Objective Setting
  • Strategic Objectives
  • High-level goals
  • Aligned with entity's mission/vision
  • Related Objectives
  • Activity-level goals - 3 categories
  • Operations objectives
  • Reporting objectives
  • Compliance objectives

29
Objective Setting
  • Operations Objectives
  • Pertain to the effectiveness and efficiency of
    operations.
  • Reflect entity's business, industry and economic
    environment.
  • Basis for allocating an entity's resources
  • Unclear or misunderstood operational objectives
    could lead to the entity's resources being
    misdirected.

30
Objective Setting
  • Reporting Objectives
  • Complete and accurate information
  • Supports management's decision-making process
  • Enables monitoring activities
  • Internal vs. external reporting
  • Financial vs. non-financial data

31
Objective Setting
  • Compliance Objectives
  • Actions taken to comply with applicable laws and
    regulations
  • Examples
  • Taxes, markets, pricing
  • Environmental
  • Employee welfare
  • International trade
  • Failure to meet compliance objectives can be
    costly:
  • Fines, penalties imposed
  • Impact on entity's reputation, loss of market share

32
Objective Setting
  • Overlap of Objectives
  • Activities may support more than one objective
  • Achievement of Objectives
  • Reporting and Compliance objectives are generally
    easier, as they are within an entity's control
  • Operations objectives are more difficult, as they
    may be dependent upon external factors:
  • Competitors' actions
  • Poor weather
  • Changes in government
  • Risk identification and risk management can
    mitigate the impact of external events.

33
Objective Setting
  • Risk Appetite
  • The acceptable balance between growth, risk and
    return
  • Strategy setting must be aligned with the
    entity's risk appetite.
  • ERM, applied in strategy setting, helps
    management select a strategy within its risk
    appetite.
  • Risk Tolerance
  • Amount of variation the entity is willing to
    accept in achieving objectives

34
ERM Framework
  • Event Identification

35
Event Identification
  • Identification of potential events from internal
    or external sources that influence strategy
    and/or the achievement of objectives.
  • Events may be negative or positive - risk or
    opportunity
  • Event Identification Techniques
  • Event Categories

36
Event Identification
  • Examples of Techniques for Identifying Events:
  • Event inventories
  • Internal analysis
  • Escalation or threshold triggers
  • Facilitated workshops and interviews
  • Leading event indicators
  • Loss event data methodologies
  • Process flow analysis
  • Event interdependencies

37
Event Categories
  • Examples

  External Factors                 Internal Factors
  -------------------------------- ----------------
  Economic                         Infrastructure
  Natural Environment              Personnel
  Political                        Process
  Social                           Technology
  Technological
38
ERM Framework
  • Risk Assessment

39
Risk Assessment
  • The extent to which potential events will impact
    an entity's objectives.
  • Inherent and Residual risk
  • Events are evaluated from 2 perspectives:
  • Likelihood - that the event will occur
  • Impact - the effect of the event on the entity
  • Techniques used to assess Likelihood and Impact:
  • Qualitative
  • Quantitative

40
Risk Assessment
  • Qualitative Techniques
  • Used when quantification of risk amounts is not
    feasible due to lack of data, or when collection
    of data is not cost-effective.
  • Not as accurate as quantitative
  • Examples:
  • Self-assessment (low, medium, high)
  • Questionnaires
  • Internal audit reviews

41
Risk Assessment
  • Quantitative Techniques
  • More accurate than qualitative
  • Used when there is enough data to produce
    mathematical or statistical models, performance
    or benchmarking metrics.
  • Examples:
  • Probability-based models
  • Non-probabilistic models - utilize impact
    assumptions only, not likelihood
  • Benchmarking

42
Risk Assessment
  • Event Relationships
  • While the impact of a single event might be
    minimal, a sequence of events can be significant.
  • When a correlation between events exists, the
    events should be assessed together.
  • Risks that impact multiple business units may be
    grouped into common event categories and
    assessed in the aggregate.

43
ERM Framework
  • Risk Response

44
Risk Response
  • 4 categories of Risk Responses:
  • Avoidance - Exit the activities causing the risk
  • Reduction - Take action to reduce the likelihood
    or impact of the risk
  • Sharing - Transfer or share the risk, or a portion
    of the risk, with another party
  • Acceptance - Risk is accepted; no action is taken

45
Risk Response
  • In selecting an appropriate risk response,
    management should consider:
  • Effect of each response on risk likelihood and
    impact
  • Which response best fits with the entity's risk
    appetite and tolerances
  • Cost versus benefits of potential responses
  • Potential opportunities that may result from each
    risk response.
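An added example, not part of the COSO deck: a small Python risk register that scores events on likelihood and impact (slide 39), derives the residual score from the four response types on slide 44, aggregates correlated events by event category as slide 42 suggests, and flags categories whose aggregate residual exceeds a risk tolerance (slide 33). The 1-5 scales, the register entries and the tolerance values are constructed assumptions, not figures from the framework.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Response(Enum):
    """The four COSO risk response categories."""
    AVOID = "avoidance"
    REDUCE = "reduction"
    SHARE = "sharing"
    ACCEPT = "acceptance"


@dataclass
class RiskEvent:
    name: str
    category: str            # event category (e.g. "Technology", "Personnel")
    likelihood: int          # 1 (rare) .. 5 (almost certain) - constructed scale
    impact: int              # 1 (negligible) .. 5 (severe) - constructed scale
    response: Response
    likelihood_after: Optional[int] = None   # expected level once response is in place
    impact_after: Optional[int] = None


def _check_scale(value: int, label: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be on the 1..5 scale, got {value}")
    return value


def inherent_score(ev: RiskEvent) -> int:
    """Inherent risk: likelihood x impact before any response."""
    return _check_scale(ev.likelihood, "likelihood") * _check_scale(ev.impact, "impact")


def residual_score(ev: RiskEvent) -> int:
    """Residual risk after the chosen response is applied."""
    if ev.response is Response.AVOID:
        return 0                       # activity exited: no exposure remains
    if ev.response is Response.ACCEPT:
        return inherent_score(ev)      # no action taken: residual equals inherent
    if ev.response is Response.SHARE:
        # Sharing (e.g. insurance) transfers part of the impact; likelihood is unchanged.
        if ev.likelihood_after is not None or ev.impact_after is None:
            raise ValueError(f"{ev.name}: sharing must specify impact_after only")
        return inherent_score(ev) // ev.impact * _check_scale(ev.impact_after, "impact_after")
    # REDUCE: lower likelihood and/or impact; a response may not raise either.
    like = ev.likelihood if ev.likelihood_after is None else ev.likelihood_after
    imp = ev.impact if ev.impact_after is None else ev.impact_after
    if like > ev.likelihood or imp > ev.impact:
        raise ValueError(f"{ev.name}: reduction cannot raise likelihood or impact")
    return _check_scale(like, "likelihood_after") * _check_scale(imp, "impact_after")


def aggregate_by_category(events: List[RiskEvent]) -> Dict[str, int]:
    """Correlated events are grouped by category and assessed in the aggregate (sum)."""
    totals: Dict[str, int] = {}
    for ev in events:
        totals[ev.category] = totals.get(ev.category, 0) + residual_score(ev)
    return totals


def tolerance_breaches(events: List[RiskEvent], tolerances: Dict[str, int]) -> Dict[str, int]:
    """Categories whose aggregate residual exceeds tolerance; unknown categories default to 0."""
    totals = aggregate_by_category(events)
    return {c: s for c, s in totals.items() if s > tolerances.get(c, 0)}


# Constructed sample register and tolerances (not from the framework).
REGISTER = [
    RiskEvent("Unpatched internet-facing server", "Technology", 4, 4, Response.REDUCE, likelihood_after=2),
    RiskEvent("Ransomware via phishing", "Technology", 4, 5, Response.REDUCE, likelihood_after=2, impact_after=3),
    RiskEvent("Loss of key administrator", "Personnel", 3, 3, Response.ACCEPT),
    RiskEvent("Data centre flood", "Natural Environment", 1, 5, Response.SHARE, impact_after=2),
    RiskEvent("Unsupported legacy product line", "Process", 3, 4, Response.AVOID),
]
TOLERANCES = {"Technology": 10, "Personnel": 10, "Natural Environment": 5, "Process": 8}

if __name__ == "__main__":
    for ev in REGISTER:
        print(f"{ev.name:35} inherent={inherent_score(ev):2} residual={residual_score(ev):2}")
    print("over tolerance:", tolerance_breaches(REGISTER, TOLERANCES))
```

Running it shows that even after reduction, the two Technology events together exceed the Technology tolerance, which a per-event view would miss.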

46
ERM Framework
  • Control Activities

47
Control Activities
  • Control activities are the policies and
    procedures established to ensure that the risk
    responses are carried out.
  • Control activities vary based upon the entity's
    goals, implementation techniques, and internal
    and external environments.

48
Control Activities
  • Examples of Control Activities:
  • Senior management reviews
  • Project management - monitor progress
  • Information processing controls - check
    completeness and accuracy
  • Physical controls - inventories, security
    controls
  • Performance indicators - results analysis
  • Segregation of duties

49
Control Activities
  • Control Activity Examples (cont'd)
  • Information Technology Controls
  • General controls - IT infrastructure and
    management, security management and software.
  • Application controls - ensure completeness,
    accuracy and validity of data.

50
ERM Framework
  • Information and Communication

51
Information and Communication
  • Information is needed at all levels of an
    organization to identify, assess and respond to
    risk.
  • Communicating accurate information, on time, to
    the right people is key to effective ERM.
  • Information sources:
  • Internal and external data
  • Historical and Current data

52
Information and Communication
  • Information Quality Test:
  • Is it at the appropriate level of detail?
  • Is it there when required?
  • Is it the latest information available?
  • Is the data accurate?
  • Is it easy to obtain by those who need it?

53
Information and Communication
  • The design of information systems architecture
    and acquisition of new technology are important
    aspects of entity strategy.
  • IT systems are often fully integrated into most
    aspects of operations.
  • Choices regarding technology can be critical to
    an entity.
  • Reliance on IT systems brings risks, e.g.,
    security breaches and cyber-crimes
  • Risk management techniques can assist in making
    technology decisions.

54
ERM Framework
  • Monitoring

55
Monitoring
  • Monitoring ensures that the components of ERM
    continue to function at all levels even as
    conditions change over time.
  • 2 Types:
  • One-time evaluations
  • Ongoing activities
  • A combination of the 2 may be appropriate.

56
Monitoring
  • Examples of Ongoing Monitoring activities:
  • A review of operating reports may spot
    inaccuracies or inconsistencies with anticipated
    results. Timely and complete reporting and
    resolution of these inconsistencies enhance the
    effectiveness of the process.
  • Communications from external parties may
    corroborate internal data or indicate problems.
  • Internal and external auditors identify and
    monitor weaknesses in control activities, i.e.,
    risk.
  • Training seminars, planning sessions and meetings
    provide insights into employees' competency,
    ethical conduct and risk behaviors.

57
Monitoring
  • One-Time Evaluations
  • Separate, targeted tests can also be effective.
  • Can provide a fresh look at the process - an
    end-to-end test.
  • Scope and frequency depend on the significance
    of the risk and risk response, and on the
    objectives to be achieved.

58
Monitoring
  • Who evaluates?
  • Self-assessment is common.
  • Division head directs the evaluation of ERM
    activities for their unit. Assesses risks
    associated with objectives and strategic choices,
    and assesses the internal environment.
  • Line managers focus on operations and compliance
    objectives.
  • Controller focuses on reporting objectives.
  • Senior management evaluates all assessments
    together.
  • Internal auditors offer an independent view.

59
Monitoring
  • Reporting deficiencies
  • What to Report - all deficiencies should be
    reported to those in a position to take necessary
    action.
  • To Whom to Report - may vary based upon the
    individual's authority to deal with the
    circumstance. Communication must continue
    upstream until appropriate actions are taken.
  • Protocols should be established to identify what
    information is needed at a particular level for
    effective decision making.

60
Limitations
  • No matter how well designed and executed,
    Enterprise Risk Management cannot ensure an
    organization's success or guarantee results.
  • The future will always be uncertain.
  • Some events are outside of management's control.
  • Human factors, such as errors in judgment,
    collusion, and cost/benefit considerations, may
    impede results.

61
Roles and Responsibilities
  • Everyone in the organization has responsibility
    for enterprise risk management.
  • The chief executive officer is ultimately
    responsible.
  • Managers support the risk philosophy, promote
    compliance within the risk appetite and manage
    risks within their functional areas.
  • Other key support persons:
  • Risk Officer
  • Financial Officer
  • Internal Auditor

62
Roles and Responsibilities
  • Board of Directors provides an oversight role:
  • Ensure that an effective risk management program
    is in place
  • Understand the entity's risk appetite
  • Review the entity's portfolio view of risk
  • Understand the most significant risks and
    management's response.

63
To Begin
  • Board Members
  • Discuss with senior management the entity's ERM
    process and provide oversight as needed.
  • Understand the significant risks and management's
    response.
  • Seek input from internal and external auditors and
    other advisors as necessary.

64
To Begin
  • Chief Executive Officer
  • Gather Business Unit heads and key functional
    staff to discuss an initial assessment of ERM
    capabilities and effectiveness.
  • This initial assessment should determine whether
    there is a need for, and how to proceed with, a
    broader, more in-depth evaluation.

65
Enterprise Risk Management
  • Visit the COSO ERM website for more information
    and current developments
  • www.erm.coso.org