Enterprise Risk Management: Integrated Framework A COSO-Based Approach - PowerPoint PPT Presentation
1
Enterprise Risk Management: Integrated Framework
A COSO-Based Approach
  • presented by Larry Hubbard
  • 14th Annual NYS Leadership Accountability
    Conference

2
  • Controls are OK
  • John C. Egan
  • May 4, 2005

3
Topics/Agenda
  • What is COSO
  • Overview of I/C and ERM
  • Hard and Soft Controls
  • Some of the Evaluation Tools
  • Wrap-up

4
Internal Control and ERM
  • Management owns I/C and ERM
  • Internal auditors, and others, provide
    information
  • Internal Control is broadly defined, and
    includes ISO, TQM, process improvement, Balanced
    Scorecards, Six Sigma, etc.
  • Enterprise Risk Management is broader than, and
    encompasses, I/C
  • One definition

5
One Definition of IC and ERM
  • COSO stands for the Committee Of Sponsoring
    Organizations of the Treadway Commission. The
    sponsoring organizations are:
    • Institute of Internal Auditors (IIA)
    • American Institute of Certified Public
      Accountants (AICPA)
    • American Accounting Association (AAA)
    • Institute of Management Accountants (IMA)
    • Financial Executives Institute (FEI)
  • Later, also endorsed by GAO, Federal agencies and
    SEC

6
COSO Background
  • 1992 - Internal Control (I/C) Integrated
    Framework
    • Framework volume
    • Evaluation Tools volume
  • 2004 - Enterprise Risk Management (ERM)
    Integrated Framework
    • Framework volume
    • Example techniques

7
ERM Definition
  • Enterprise risk management is a process, effected
    by an entity's board of directors, management and
    other personnel, applied in strategy setting and
    across the enterprise, designed to identify
    potential events that may affect the entity, and
    manage risk to be within its risk appetite, to
    provide reasonable assurance regarding the
    achievement of entity objectives.
  • Objective categories:
    • Strategic: high-level goals, aligned with and
      supporting its mission
    • Operations: effective and efficient use of its
      resources
    • Reporting: reliability of reporting
    • Compliance: compliance with applicable laws and
      regulations

8
Definition of Internal Control
  • Internal control is a process, effected by an
    entity's board of directors, management and other
    personnel, designed to provide reasonable
    assurance regarding the achievement of objectives
    in the following categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting (SOX focus)
    • Compliance with applicable laws and
      regulations

9
Components of Internal Control
  • Control Environment: The core of any business is
    its people: their individual attributes,
    including integrity, ethical values and
    competence, and the environment in which they
    operate. They are the engine that drives the
    entity and the foundation on which everything
    rests.
  • Risk Assessment: The entity must be aware of and
    deal with the risks it faces. It must set
    objectives, integrated with the sales,
    production, marketing, financial and other
    activities, so that the organization is operating
    in concert. It also must establish mechanisms to
    identify, analyze and manage the related risks.
  • Control Activities: Control policies and
    procedures must be established and executed to
    help ensure that the actions identified by
    management as necessary to address risks to
    achievement of the entity's objectives are
    effectively carried out.
  • Information and Communication: Surrounding these
    activities are information and communication
    systems. These enable the entity's people to
    capture and exchange the information needed to
    conduct, manage and control its operations.
  • Monitoring: The entire process must be
    monitored, and modifications made as necessary.
    In this way, the system can react dynamically,
    changing as conditions warrant.

10
Key Concepts
  • ... an ongoing process that flows throughout the
    organization
  • ... effected by people. It's not just policy
    manuals and forms, but people at every level of
    an organization
  • ... applied in strategy setting and across the
    organization
  • ... can be expected to provide reasonable
    assurance, not absolute assurance, to an entity's
    management and board
  • ... is geared to the achievement of objectives in
    one or more separate but overlapping categories

11
Focus on Soft Controls
  • Hard controls tend to be:
    • formal
    • objective
    • quantitatively measurable
    • the map
  • Soft controls tend to be:
    • informal
    • subjective
    • intangible
    • the real terrain

12
COSO Internal Control
  • Hard Controls (Activities):
    • Reviews
    • Inspections
    • Policies
    • Reconciliations
    • Structure
    • Limits of Authority
    • Userids and Passwords
    • Physical Counts
  • Soft Controls (People):
    • Openness
    • Shared Values
    • Clarity
    • Commitment to Competence
    • Honesty
    • High Expectations
    • Communications
13
The COSO Cubes: I/C and ERM
14
Effective I/C, or ERM, Means
  • That Management has a flow of reliable
    information about each component of control for
    all the objectives, from all areas of the
    organization.
  • COSO does not specify who should provide what
    information, just that management should be
    receiving and acting on the information.
  • Many different sources, or flows, of information
    exist in an organization.
  • Soft controls relate to the people doing the
    work to meet the objectives of the organization;
    hard controls relate to the processes and
    activities those people do.

15
Effective Enterprise Risk Management Means
16
Limitations
  • Reasonable, not absolute, assurance
  • Different levels of assurance for different
    objectives
  • The future is uncertain
  • Other limiting factors:
    • Judgment, breakdowns
    • Collusion, management override
    • Cost versus benefits
  • Not part of IC or ERM:
    • The objectives selected to be achieved
    • The responses taken to the risks

17
Other Thoughts on I/C and ERM
  • Controls for reliability of financial reporting
    are mainly in finance areas (Financial)
  • Controls over effective and efficient operations
    (Operational) and compliance with laws and
    regulations (Compliance) are mainly in
    operational areas
  • Discussing objectives, risks and responses is the
    most valuable part of ERM
  • Anyone can put together a list of risks and
    controls, but true ERM can only be done by those
    directly responsible for achieving the objectives
  • The same soft controls in the COSO I/C
    framework also apply to the ERM framework. I/C is
    fully incorporated into ERM.
  • ERM does not replace good management practices,
    does not replace setting the right objectives,
    and does not replace the business experience
    needed to have the right vision of where an
    organization should be heading.

18
SOX Section 404
  • Section 404 requires that annual reports contain:
    • A statement that management is responsible for
      maintaining an adequate internal control
      structure and procedures for financial reporting
    • An assessment, as of the end of the most recent
      fiscal year, of the effectiveness of the internal
      control structure and procedures for financial
      reporting
    • Attestation of this assessment by the external
      audit firm
  • All based on a nationally accepted framework;
    COSO is the one being used

19
OMB Circular A-123
  • Management's Responsibility for Internal Control
  • Annual assessment of internal control over
    financial reporting in Federal agencies,
    effective for FY 2006
  • Based on COSO

20
SOX - COSO Objectives
[Figure: SOX objectives mapped onto the COSO objective categories; only the labels "STRATEGIC" and "SOX" survive from the diagram.]
21
Evaluation Tools - Entity Level
  • Soft Control Questionnaires
  • CSA/RSA Workshops
  • CSA/RSA Questionnaires
  • Structured Interviews

22
Sample Questions (Rate each 1 to 5)
  • Management demonstrates a commitment to integrity
    and ethical behavior by example in their
    day-to-day activities.
  • Employees in your function feel they are adding
    value within the Company's overall strategy.
  • Management addresses and resolves violations of
    behavioral and ethical standards consistently,
    timely, and equitably in accordance with the
    provisions of the Company's Code of Conduct.
  • The process used to analyze risks in your
    function is clearly understood and includes
    estimating the significance of risks, assessing
    the likelihood of their occurring, and
    determining steps to mitigate them.
  • The current organizational structure facilitates
    the flow of information both up and down within
    your function and across to other functions.
  • Control activities described in policy and
    procedure manuals are actually applied the way
    they are intended to be applied and relate
    clearly to identified risks.
  • Control deficiencies are identified by on-going
    monitoring activities of the Company, including
    managerial activities and everyday supervision of
    employees.
  • Taking into consideration my evaluation of the
    components of internal control in previous
    sections of this survey, the internal control
    objective of reliability of financial reporting
    has been met.

23
Evaluation Tools - Activity Level
  • Risk and Control Matrix
  • CSA/RSA Workshops
  • CSA/RSA Questionnaires
  • Structured Interviews

24
Final Thoughts on I/C and ERM
  • Anyone can put together a list of risks and
    controls, but true ERM can only be done by those
    directly responsible for achieving the objectives
  • The same soft controls in the COSO I/C
    framework also apply to the ERM framework. I/C is
    fully incorporated into ERM.
  • ERM does not replace good management practices,
    does not replace setting the right objectives,
    and does not replace the business experience
    needed to have the right vision of where an
    organization should be heading.
  • The discussions about the risks are the
    controls; it's all about readiness for the
    unknown

25
More Information?
  • Larry Hubbard
  • Larry_at_LHubbard.com
  • (301) 529-8118
  • www.LHubbard.com