Alignment of Risk Management Initiatives (COSO, ISO 31000, RIMS, IFAC...)
Slides from the event organized by ISO TC 262 (Risk Management) on the main risk management initiatives being developed around the world.

Published in Business , Economy & Finance
  • 1. Panelists
    – Vincent Tophoff, IFAC (International Federation of Accountants)
    – David Landsittel, COSO (Committee of Sponsoring Organizations)
    – Gigi Dawe, CPA Canada ROGB (Risk Oversight and Governance Board)
    – Carol Fox, RIMS (The Risk Management Society)
    – Julia Graham, FERMA & IFRIMA (Federation of European Risk Management Associations; International Federation of Risk and Insurance Management Associations)
    – Jan Mattingly, ISO 31004 Work Group (International Organization for Standardization)
  • 2. Pursuing Global Alignment of Risk Management Guidelines Vincent Tophoff, International Federation of Accountants (IFAC) COSO, IFAC, ISO, RIMS, and ROGB Panel Discussion and Networking Event Chicago September 24, 2013 Page 3 | Confidential and Proprietary Information
  • 3. International Federation of Accountants. The International Federation of Accountants (IFAC) is:
    – The global organization of the accountancy profession
    – 164 member bodies and associates in 125 countries
    – 2.5 million professional accountants in public practice, commerce, industry, financial services, the public sector, education, and the not-for-profit sector
    – Public interest focused
    (Callout: more than half are in this box. We call them PAIBs, and the PAIB Committee exists to support them.)
  • 4. International Federation of Accountants. What IFAC does:
    – Establishes and promotes adherence to high quality professional standards
    – Furthers adoption and implementation of standards
    – Supports the global development of the accountancy profession
    – Provides a global voice and promotes the value of professional accountants worldwide
    – Helps its members support professional accountants in business and small and medium practices
  • 5. Professional Accountants in Business
    – Supports professional accountants in the following areas: governance and ethics; risk management and internal control; sustainability and corporate responsibility; financial and performance management; business reporting; promoting and contributing to the value of professional accountants
    – All areas of critical importance to professional accountants (and for risk managers too…)
  • 6. Bad vs. Good RM/IC Practices. There has been an overwhelming load of bad practice:
    – RM/IC as objective in itself vs. RM/IC to achieve objectives
    – Auditor / staff driven vs. Board and management driven
    – Rules-based vs. Principles-based
    – Off-the-shelf systems vs. Tailor made
    – Focused on threats only vs. Also focused on opportunities
    – Mainly hard controls vs. Social / human aspects
    – Artificially implemented vs. Organically implemented
    – Stand-alone / “bolt-on” vs. Integrated / “built-in”
    – Static, out-of-date vs. Dynamic, evolving
    – Creates costs vs. Creates results / value
    – Abandoned vs. Supported
  • 7. Global Crisis
    – Global crisis, according to IFAC research, caused by: ethical flaws; governance and RM/IC in name, but not in spirit; regulatory overload, leading to legalistic compliance; risk and control systems too narrowly focused on only financial reporting controls
    – Conclusions from the crisis: organizations should take a broader approach in risk management and internal control; appropriate application of risk management and internal control standards and principles is often the problem
  • 8. Emerging Trends. Respondents to the IFAC Global Survey on Risk Management & Internal Control recommended the following:
    – Emphasize the benefits of (more integrated) risk management and internal control
    – Bring various risk management and internal control standard setting organizations (e.g., COSO, ISO 31000, the Risk Oversight & Governance Board, etc.) and their guidelines closer together
    – Collaborate with experts on developing practical application guidance for (integration of) risk management & internal control
  • 9. COSO ERM vs. ISO 31000. Many entities use both COSO ERM & ISO 31000…
    COSO                        vs.  ISO 31000
    Lengthy                     vs.  Short (too short, however, to really understand)
    Focused on ERM              vs.  General approach to managing risk
    One cube                    vs.  Framework and process
    Skewed to negative          vs.  Risk can be positive or negative
    Risk already exists         vs.  Risk tied to achieving objectives
    Risk & opportunities        vs.  Opportunities also a source of risk
    More sequential process     vs.  More iterative process
    …
    Biggest challenge is that the concepts are not aligned.
  • 10. Next step > Further Global Alignment of Guidelines
    – IFAC facilitates further global alignment of risk management and internal control guidelines
    – Through bringing various risk management and internal control standard setting organizations (and their guidelines!) closer together
    – As per the outcomes of our survey!
    – And now over to you…
  • 11. For further information please contact: Vincent Tophoff at • Visit
  • 12. Recent COSO Internal Control and Risk Management Developments IFAC and ISO Panel Discussion September 24, 2013 David L. Landsittel Former Chair - COSO
  • 13. About COSO • Formed in 1985 to sponsor a group to make recommendations on Fraudulent Financial Reporting • A joint initiative of five private sector organizations: ▫ American Accounting Association (AAA) ▫ American Institute of Certified Public Accountants (AICPA) ▫ Financial Executives International (FEI) ▫ Institute of Management Accountants (IMA) ▫ The Institute of Internal Auditors (IIA)
  • 14. Mission COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.” COSO’s Fundamental Principle Good risk management and internal control are necessary for long term success of all organizations
  • 15. COSO’s Three Areas of Focus 1. Internal Control 2. Enterprise Risk Management 3. Fraud Deterrence
  • 16. Timeline
    – 1987: Treadway Commission Report
    – 1992: Internal Control – Integrated Framework
    – 1996: Internal Control Issues in Derivatives
    – 1999: Fraud Study I – Fraudulent Financial Reporting: 1987-1997
    – 2004: Enterprise Risk Management Framework
    – 2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
    – 2009: Guidance on Monitoring Internal Control Systems
    – 2010: Fraud Study II – Fraudulent Financial Reporting: 1998-2007
    – 2010-2013: Recent ERM thought papers on current issues
  • 17. COSO Internal Control Framework • First published in 1992 • Gained wide acceptance following financial control failures of early 2000’s • Most widely used framework in the US • Also widely used around the world – translated into 7 languages
  • 18. Why Update What Works? ICIF works well today (COSO’s Internal Control–Integrated Framework, 1992 Edition); with enhancements, ICIF will work better tomorrow (COSO’s Internal Control–Integrated Framework, 2013 Edition). Update objectives:
    – Updates context: reflect changes in business & operating environments
    – Clarifies requirements: articulate principles to facilitate effective internal control
    – Broadens application: expand operations and reporting objectives
  • 19. Project Plan & Timetable
    – 2010: Assess & Survey Stakeholders
    – 2011: Design & Build
    – 2012: Public Exposure & Assess
    – 2013: Finalize
  • 20. Project Participants
    – COSO Board of Directors
    – PwC: Author and Project Leader
    – COSO Advisory Council: AICPA, AAA, FEI, IIA, IMA, Public Accounting Firms, Regulatory observers, Others (IFAC, ISACA, others)
    – Stakeholder Input: survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework; public exposures of the updated Framework draft and supporting documents; webcasts, round tables, direct correspondence via et al
  • 21. Summary of Updates
    What is not changing:
    1. Definition of internal control
    2. Five components of internal control
    3. The fundamental criteria used to assess effectiveness of systems of internal control
    4. Use of judgment in designing and implementing controls and in evaluating the effectiveness of systems of internal control
    What is changing:
    1. Updated to reflect the current business environment
    2. Formalized fundamental concepts underlying the five components as principles
    3. Expanded financial reporting objective to address internal and external, financial and nonfinancial reporting objectives
    4. Increased focus on operations and compliance objectives based on user input
  • 22. Summary of Updates. A changing business environment drives updates to the Framework:
    – Expectations for governance oversight
    – Globalization of markets and operations
    – Changes in business models
    – Demands and complexity of rules, regulations and standards
    – Expectations for competencies and accountabilities
    – Use and reliance on evolving technology
    – Expectations for preventing and detecting fraud
  • 23. 17 Principles of the Updated ICIF
    Control Environment:
    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability
    Risk Assessment:
    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant change
    Control Activities:
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures
    Information & Communication:
    13. Uses relevant information
    14. Communicates internally
    15. Communicates externally
    Monitoring Activities:
    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies
  • 24. Update Articulates Principles of Effective Internal Control Control Environment 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  • 25. Project Deliverables: Internal Control–Integrated Framework
    – Consists of three volumes: Executive Summary; Framework and Appendices; Illustrative Tools: Assessing Effectiveness of a System of Internal Control
    – Sets out: definition of internal control; categories of objectives; components of internal control and related principles and points of focus; requirements for effectiveness
  • 26. Project Deliverables: Internal Control over External Financial Reporting: A Compendium
    – Provides approaches and examples illustrating how principles are applied in preparing financial statements for external purposes
    – Is relevant for a variety of entities – public, private, not-for-profit, and government
    – Is consistent with and does not modify the updated Framework
  • 27. The ERM Framework • Published in 2004 • Based upon a framework with similarities to the COSO 92 framework • Widely recognized, but not as widely adopted as COSO 92 • Implementation not as robust as COSO 92
  • 28. Some Current ERM Challenges • Uneven support to adopt any formal risk management process • Less than robust ERM implementation • Difficulty “getting started” with ERM implementation • Difficulty aligning ERM with top management view • Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight • Immature development of risk appetite • Failure to consider low likelihood but high impact risks – overconfidence
  • 29. COSO ERM Response. Our objective – to assist stakeholders in moving up the “maturity curve” of an effective ERM process: publication of a series of thought papers.
  • 30. COSO ERM “Thought Papers”
    – Four papers issued in 2009 surveying ERM practices – and particularly practices and recommendations related to board of director oversight
    – Four papers in 2011 and 2012 focusing on difficult ERM process implementation issues: “Getting Started”; Understanding and Communicating Risk Appetite; Developing Key Risk Indicators; Risk Assessment Practices
    – Two papers in 2012-2013 dealing with applying ERM to current management issues: “Cloud” Computing Risks; Sustainability Risks
    – A behavioral paper in 2012 dealing with Judgment Biases
  • 31. Questions or Comments? Thank You! David Landsittel
  • 32. CPA Canada Risk Oversight and Governance Board: Role in Risk. Gigi Dawe, Principal, Governance, Strategy and Risk
  • 33. Role of CPA Canada’s ROGB in Risk
    – Chartered Professional Accountants of Canada, through its Risk Oversight and Governance Board (ROGB), develops guidance materials for boards of directors and senior officers
    – As such, our focus is on the oversight of enterprise risk, vs. risk management
    – Our goal is to offer unique support specifically for directors that supports the activities of management
  • 34. Role of CPA Canada’s ROGB in Risk
    – Twelve years ago the ROGB began the 20 Questions series for directors – concise, practical guidance
    – The 20 Questions series addresses subjects important to directors by posing questions that directors may ask of management, advisors, or themselves
    – A brief summary of current thinking and some recommended practices are provided for each question
  • 35. Issues • Insufficient time spent on risk oversight – and on risk management • Limited knowledge of the organization and risks associated • Lack of clarity – board / management role • Limited knowledge of finance • Excessive reliance on management / few advisors • No system in place to manage risks or to communicate them to the board
  • 36. Role of CPA Canada’s ROGB in Risk • In 2012 the ROGB published A Framework for Board Oversight of Enterprise Risk – a slightly different, more “prescriptive” approach • Intended to support management use of COSO, ISO-31000 or other • Feedback from directors – very positive – unique, usable, new • Feedback from risk managers – “keep out” – made changes for more support
  • 37. Risk Oversight Framework • Oversight of the risk management systems and processes by the board including continuously reviewing both the planning and outcomes of such processes. • Propose the board needs to play a more active and direct role in the oversight of risk • Boards need to much better understand their role
  • 38. Where are we going? • Like this group we want to support international efforts and provide CPAs a picture of international initiatives • Want to ensure that any director materials are aligned with risk management • We will vary delivery methods
  • 39. © 2013 Risk and Insurance Management Society, Inc. All rights reserved.
  • 40. RIMS Mission: To advance risk management for your organization’s success. As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals located in over 60 countries. For more information on RIMS, visit
  • 41. Involved in Standards Development. RIMS Approved as Accredited Standards Organization by American National Standards Institute, 7/15/2011. NEW YORK (July 15, 2011) — RIMS today announced that it has been approved as an accredited standards development organization by the American National Standards Institute (ANSI) Executive Standards Council. This status will increase RIMS’ profile in the standards and practices arena by enabling it to take a lead role in shaping and developing risk management standards. Collaborating with other associations and SDOs on standards development.
  • 42. RIMS Risk Maturity Model™
    – Attributes: seven core areas of ERM that drive effectiveness; compatible with various specialized frameworks
    – Risk competency measurement: 25 factors and 68 indicators; objective evaluation criteria; key issues that differentiate maturity levels
    – Maturity levels: five maturity levels; detailed descriptions unique for each attribute; measure to help reach goals for improvement
    – Benchmarking with more than 2,000 organizations: standing in peer group; highlights ERM trends and priorities
    – Complements multiple standards and frameworks
  • 43. Research Using RIMS Risk Maturity Model (chart). Attributes: ERM-based approach; ERM process management; Risk appetite management; Root cause discipline; Uncovering risks; Performance management; Resiliency and sustainability. Maturity levels: Non Existent; Ad hoc; Initial; Repeatable; Managed; Leadership.
  • 44. Executive Reports
  • 45. Executive Reports
  • 46. RIMS Strategic Risk Management Framework. Strategic risk management (“SRM”) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution. Also complements multiple standards and frameworks.
  • 47. Webinars on ERM and SRM
  • 48. Surveys
  • 49. Understanding Expectations. Q: What are the top two areas of improvement to help senior management and the board more fully understand the risk landscape of your organization? Source: Marsh/RIMS Excellence in Risk Management 10
  • 50. Risk Appetite and Risk Tolerance. Q: Has your organization developed formal enterprise-level risk appetite and/or risk tolerance statements? Source: Marsh/RIMS Excellence in Risk Management 10
  • 51. Surveys. Q: To what extent has your organization adopted an enterprise risk management (ERM) program? Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.
  • 52. Who Is Primarily Responsible for ERM? Source: RIMS 2013 Benchmark Survey Produced by Advisen
  • 53. Standards or Frameworks Used. Q: Our program is most closely aligned with …
    – ISO 31000: up 5% from 2011
    – COSO: up 2% from 2011
    Source: RIMS 2013 Benchmark Survey Produced by Advisen
  • 54. Carol Fox, ARM Director of Strategic and Enterprise Risk Practice +1 212.655.6004
  • 55. FERMA – The Federation of European Risk Management Associations
  • 56. Mission and Objectives
  • 57. FERMA Alliances
    – Represents 22 national risk management associations; 20 countries who have individual members
    – Partners with other associations where there is mutual interest: European Confederation of Institutes of Internal Auditing (ECIIA); European Confederation of Directors Associations (ecoDA); Insurance intermediaries association (BIPAR); European Insurance Law association (AIDA)
    – FERMA strengthens the voice of risk management in Europe by increasing contacts with their members and through joint representation to the European Commission
    – Promotes the profession of risk manager by encouraging the development of risk management education and qualifications and support for young risk managers
  • 58. FERMA Certification of Risk Managers
    – A European professional certification framework in order to give the Risk Manager’s function more credibility, visibility and recognition
    – The ambition is for the Certification to be recognized by Risk Managers, Insurance Managers and, more broadly, all the functions involved in the 1st and 2nd lines of defence as the European leading reference in Risk Management
    – FERMA aims at balancing expenses in the medium term, not to make a profit on the certification activity
    – Two levels: Passport; Professional
    – Develop a body of knowledge
    – A number of potential global and European partners
  • 59. Leadership in Risk Management
    – C-Suite supervision of risk management is increasing and there is increasingly a role for leadership of risk management
    – The majority of companies have education and review processes in place that keep the C-suite informed about risk exposures
    – Most think communication between the C-Suite and the "CRO" could be better
    – Companies aspire to improve the link between risk management and strategic planning
    – Risk management has some way to go to use the risk management function for making more effective strategic decisions
    – Risk-based incentives as part of remuneration: slow
    – Brand and reputation: rising concerns
    – Some executives and "experts" cite lack of risk management talent as an important area, especially in emerging products and markets
    – Processes to define risk appetite now in place at nearly half of the companies
    Source: Leadership in Risk Management – Zurich, Harvard, FERMA and PRIMO 2013
  • 60. FERMA Forum
    – Maastricht, 29 September – 2 October
    – 1500 professionals in risk management and insurance
    – Panels, Workshops and Master Classes
    – Global subject matter leaders
    – Demonstration of tools and techniques
    – Promotion of young professionals and Diversity
    – Affiliation meetings including IFRIMA
  • 62. Julia Graham, Director of Risk Management and Insurance. T +44 20 7796 6428 F +44 207 796 6594 M +44 7968 558 898 E
  • 63. Exploring Common Paths in Risk Management: Risk Management Perspectives in ISO Standardization Experience
  • 64. Overview
    – Risk Management Standards & ISO
    – Development challenges and successes
    – Looking Ahead: exploring shared perspectives
  • 65. ISO Standards Development – An Opinion
    – Governance structures, directives, tools and guidance exist to support standards development
    – There are various types of standards’ products
    – Development process has many checks and balances to ensure country and stakeholder feedback: it ain’t perfect!
    – All work is done by volunteers nominated by their national technical committee and endorsed by each country’s national standards bodies: discussion can be colorful, exciting and heated!
    – Developing products takes time because of the create-feedback-review cycle
  • 66. ISO Standards & Risk Management. The ISO community is very gradually moving towards harmonization in risk management expectations and terminology, but progress is slow and still fragmented:
    ◦ ISO 31010
    ◦ Guide 73
    ◦ ISO 22301
    ◦ Etc.
    Within the ISO context, Technical Committee 262 is seen as a natural home for risk management, but it is only ONE ISO home. ISO is at the early stage of harmonization on risk management activity.
  • 67. Sample Successes
    – Publication of ISO 31000 in 2009 – Risk Management Principles and Guidelines: globally popular; early feedback that it has helped
    – Update of Guide 73 – Risk Management Terminology in 2009
    – Technical Committee established in 2012 by ISO’s Technical Management Board
    – Liaisons established with some other ISO committees to help harmonize risk management expectations, etc.
    – Upcoming publication of ISO 31004 – Guidance for Implementation of ISO 31000: October 2013
  • 68. Challenges
    – Understanding who our primary audience is and is not
    – Communicating the value of the risk management standard
    – Streamlining standards development processes
    – Applying good practices in engaging and monitoring stakeholders throughout development
    – Promoting regional cooperation
    – Varying capacities of standards bodies
    – Risk management as a lever for innovation
  • 69. Looking Ahead – Exploring Shared Perspectives
    1. Coherent expectations: would it be helpful to organizations to have a coherent understanding of what is expected as part of ‘good risk management practice’?
    2. Better practice in risk management: can we share and consolidate our knowledge to help organizations?
    3. Roles/Responsibilities: can we help organizations with a common approach to establishing who does what? (See attached sample)
  • 70. Framework Design: Clarifying Who Does What (based on the Institute of Internal Auditors Position Paper; sample organization). Chart legend: core internal audit roles in regard to ERM; legitimate internal audit roles with safeguards; roles internal audit should not undertake; proposed Planning role; proposed ERM Leadership roles; Audit/evaluation role; proposed Business Unit role; Risk Oversight role; Legal. The adaptation and use of this graphic as a tool for ERM design and implementation is copyrighted to RiskResults Consulting Inc. 2010 ©
  • 71. Conclusion
    – We have similar challenges: the value proposition of our respective auditing and risk management functions
    – We have a major common objective: helping organizations to achieve their objectives
    One Road: how can we pull together, and on what topics, to help organizations worldwide improve performance?
  • 72. Jan Mattingly, RiskResults Consulting Inc. T/M: 613-286-6885 Email: