Enterprise Risk Management
Take a Close Look at COSO’s New Internal Control Framework
Eight Components
Three more layers added to the original five COSO components:
• Internal Environment
• Objective Setting
• Event Identification

Four Objectives
Strategic objective added to the original three COSO objectives:
• Operations
• Reporting*
• Compliance

* Reporting is now much more than financial reporting
Internal Environment
The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the foundation for all other components of enterprise risk management, providing discipline and structure.
Internal environment factors include:
• an entity’s risk management philosophy;
• its risk appetite and risk culture;
• oversight by the board of directors;
• the integrity, ethical values and competence of the entity’s people;
• management’s philosophy and operating style; and
• the way management assigns authority and responsibility, and organizes and develops its people.
Objective Setting
Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment and risk response is establishment of objectives, linked at different levels and internally consistent.
Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives.
Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity’s activities.
Event Identification
Management identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives.
Events with a potentially negative impact represent risks, which require management’s assessment and response.
Events with a potentially positive impact may offset negative impacts or represent opportunities. Management channels opportunities back into the strategy and objective-setting processes.
A variety of internal and external factors give rise to events. When identifying potential events, management considers the full scope of the organization. Management considers the context within which the entity operates and its risk tolerances.
Risk Assessment
Risk assessment allows an entity to consider the extent to which potential events might have an impact on achievement of objectives.
Management should assess events from two perspectives – likelihood and impact – and normally uses a combination of qualitative and quantitative methods.
The positive and negative impacts of potential events should be examined, individually or by category, across the entity.
Potentially negative events are assessed on both an inherent and a residual basis.
Risk Response
Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing and acceptance.
In considering its response, management considers costs and benefits, and selects a response that brings expected likelihood and impact within the desired risk tolerances.
Control Activities
Control activities are the policies and procedures that help ensure that management’s risk responses are carried out.
Control activities occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as:
• approvals,
• authorizations,
• verifications,
• reconciliations,
• reviews of operating performance,
• security of assets, and
• segregation of duties.
Information and Communication
Pertinent information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems use internally generated data, and information about external events, activities and conditions, providing information for managing enterprise risks and making informed decisions relative to objectives.
Effective communication also occurs, flowing down, across and up the organization. All personnel receive a clear message from top management that enterprise risk management responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties.
Monitoring
Enterprise risk management is monitored – a process that assesses the presence and functioning of its components over time.
This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the normal course of management activities.
The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.
Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.
Internal Environment

Risk Management Philosophy
• Value
• Communicate in words and actions

Risk Appetite
• Value
• Qualitative
• Quantitative
• Trade-offs
• Linked to strategy

Risk Culture
• Independent
• Active
• Involved
• CEO example

Board of Directors
• Independent
• Active
• Involved

Integrity and Ethical Values
• Standards of behavior
• Prerequisite

Commitment to Competence
• Knowledge
• Skills

Incentives

Management Philosophy and Operating Style
• Formal vs. Informal
• Conservative vs. Aggressive
• Aligned

Organizational Structure
• Reporting lines
• Centralized/Decentralized
• Matrix/Function/Geography

Assignment of Authority and Responsibility
• Empowerment
• Accountability

Human Resource Policies and Practices
• Qualified
• Training
• Compensation
• Incentives and Discipline

Differences in Environment
• Management preferences
• Value judgments
• Management Styles
OBJECTIVE SETTING

Strategic Objectives
• High-level goals
• Support mission/vision
• Strategic choices

Related Objectives
• Operations
• Reporting
• Compliance
• Safeguarding of assets

Selected Objectives
• Align and support
• Management decision process

Risk Appetite
• Growth, risk and return
• Resource allocation
• People, process and infrastructure

Risk Tolerance
• Acceptable variance
• Unit of measure of objective
EVENT IDENTIFICATION

Events
• Incident
• Positive and/or negative impacts

Factors Influencing Strategy and Objectives
• Internal
• External
• Past and future

Methodology and Techniques
• Ongoing
• Periodic
• Supporting tools

Event Interdependencies
• Triggering events
• Interrelate

Event Categories
• Common groupings

Risks and Opportunities
• Negative impact: risks
• Positive impact: opportunity; offsets to risks
RISK ASSESSMENT

Inherent and Residual Risk
• Before management actions
• After management actions

Likelihood and Impact
• Expected, worst-case, distribution
• Time horizons
• Unit of measure
• Observable data
• Expected and unexpected

Qualitative and Quantitative Methodologies and Techniques
• Qualitative
• Quantitative
• Inherent and residual basis

Correlation
• Sequence of events
• Categories
• Stress testing
• Scenarios
CONTROL ACTIVITIES

Integration with Risk Response
• Build directly into management processes
• Interrelate

Types of Control Activities
• Policies
• Procedures
• Preventative
• Detective
• Manual
• Automatic

General Controls
• Information technology (IT) management
• IT infrastructure
• Security management
• Software development & maintenance

Application Controls
• Completeness
• Accuracy
• Authorization
• Validity

Entity-Specific
• Entity specific strategies and objectives
• Operating environment
• Complexity of the entity
INFORMATION & COMMUNICATION

Information Systems
• Internal
• External
• Manual
• Computerized
• Formal
• Informal
• Information systems architecture

Strategic and Integrated
• Strategic
• Operational
• Past and current
• Level of detail
• Timeliness
• Quality

Communication
• Internal
• External
• Entity-wide
• Expectations and responsibilities
• Framing
• Means of transmission