COSO, which has provided global thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence for over three decades, recently released a draft update to the original COSO ERM Framework. This framework is widely used by organizations to enhance their ability to manage uncertainty, gauge risk, and increase stakeholder value. However, significant new risks have emerged since the Framework was released, demanding heightened board awareness and oversight of risk management, as well as improved risk reporting. For those organizations exploring ESRM – these themes will be strikingly familiar and the lessons learned, highly relevant. Presentation by: Bob Hirth, Global Chairman of COSO.

2. I am the Chair at COSO.
robert.hirth@protiviti.com

4. Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is
dedicated to providing thought leadership through the development of frameworks and guidance
on enterprise risk management (ERM) internal control and fraud deterrence.

5. COSO’s Mission is “To provide thought leadership through the development of
comprehensive frameworks and guidance on enterprise risk management,
internal control and fraud deterrence designed to improve organizational
performance and governance and to reduce the extent of fraud in
organizations.”
Good risk management and internal control are necessary for the long-term
success of all organizations.

6. 6
National Commission on Fraudulent Financial
Reporting formed with James C. Treadway, Jr.,
former SEC Commissioner and General
Counsel, Paine Webber, as its Chairman.
Became known as the “Treadway
Commission” - a private-sector initiative,
formed in 1985 to inspect, analyze, and make
recommendations on fraudulent corporate
financial reporting.
Source: sechistorical.org

7. All public companies should maintain internal controls that
provide reasonable assurance that fraudulent financial
reporting will be prevented or subject to early detection -
this is a broader concept than internal accounting
controls…
…The Commission also recommends that its sponsoring
organizations cooperate on developing additional,
integrated guidance on internal controls…
- Treadway Commission report

9. … in end user computing (EUC), increasing powerful
microcomputers and even cheaper minicomputers allow
for distributing data and computing power.
Departments and line units do their own processing,
often supported by a stand-alone, low cost local area
network. These are user maintained systems rather
than centrally developed software.”

10. 1985
1990 1995 2000 2005 2010
1987: Treadway
Commission Report
1992: Internal Control –
Integrated Framework
1999: Fraud Study I -
Fraudulent Financial
Reporting: 1987-1997
2004: Enterprise Risk
Management Framework
2006: Guidance
for Smaller
Businesses on
Internal Control
over Financial
Reporting
2009: Guidance on
Monitoring Internal
Control Systems
1996: Internal Control
Issues in Derivatives
2010: Fraud Study II -
Fraudulent Financial
Reporting: 1998-2007
2010-2013:
Recent ERM
thought
papers on
current issues

11. Environmental changes... …have driven Framework updates
• Expectations for governance oversight.
• Globalization of markets and operations.
• Changes and greater complexity in business.
• Demands and complexities in laws, rules,
regulations, and standards.
• Expectations for competencies and
accountabilities.
Use of, and reliance on, evolving technologies
• Expectations relating to preventing and
detecting fraud.
COSO Cube (2013 Edition)

12. • Prioritize resource focus
based on risk.
• Improve performance.
• Address fraud proactively.
• Promote board & executive
engagement.
• ADD & PRESERVE VALUE.
• NO SURPRISES.

14. 1. Demonstrates
commitment to
integrity and ethical
values.
2. Exercises
oversight
responsibility.
3. Establishes
structure, authority
and responsibility.
4. Demonstrates
commitment to
competence.
5. Enforces
accountability.
6. Specifies suitable
objectives.
7. Identifies and
analyzes risk.
8. Assesses fraud
risk.
9. Identifies and
analyzes significant
change.
10. Selects and
develops control
activities.
11. Selects and
develops general
controls over
technology.
12. Deploys
through policies and
procedures.
13. Uses relevant
information.
14. Communicates
internally.
15. Communicates
externally.
16. Conducts
ongoing and/or
separate
evaluations.
17. Evaluates and
communicates
deficiencies.

16. “The beliefs and approach to leadership
that have guided my career are inconsistent with
what I experienced at Uber and I can no longer
continue as president of the ride sharing
business.”
Jeff Jones, March 2017, six months after
arriving at Uber from Target Corporation

19. NEW YORK, October 21, 2014 -- The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) today announced a project to review and update the 2004
Enterprise Risk Management–Integrated Framework (Framework).
The Framework, originally published in 2004, is a widely accepted framework used by
management to enhance an organization’s ability to manage uncertainty and to consider how
much risk to accept as it strives to increase stakeholder value.
This initiative is intended to enhance the Framework’s content and relevance in an increasingly
complex business environment so that organizations worldwide can attain better value from
their enterprise risk management programs. The initiative also will develop tools to assist
management in reporting risk information and in reviewing and assessing the application of
enterprise risk management.

20. ▪ Concepts and practices have evolved.
▪ Lessons learned.
▪ Bar raised with respect to enterprise risk management.
▪ Business and operating environments are more complex,
technologically driven, and global in scale.
▪ Stakeholders are more engaged, seeking greater transparency and
accountability.
▪ Risk discussions increasingly prominent at the board level.

21. ▪ Done right - creates, preserves and realizes value.
▪ Reduces uncertainty, improves performance.
▪ Unrecognized assumptions are dangerous.
▪ Must be part of decision-making.
▪ Objectives are critical for ERM and performance.
▪ Culture is a key player.

22. ▪ “Enterprise list management”.
▪ Not driven from strategy.
▪ Lack of objectives, value proposition- 5 why’s.
▪ Not part of decision-making.
▪ No “risk aware” culture.
▪ Not tailored, customized or adapted.
▪ No evaluation of performance and value.
▪ A function, not a set of activities and capabilities.

23. ▪ NEW MATERIAL!
▪ Lay out objectives and value
proposition.
▪ Pilot launch and evaluate.
▪ Benchmark with peers.
▪ Educate, then launch.

25. Provide Information About Board Leadership Structure and the Board's
Role in Risk Oversight:
▪ The SEC approved rules relating to board leadership structure and the board's
role in risk oversight. The rules require disclosure about:
▪ A company's board leadership structure, including whether the company has
combined or separated the chief executive officer and chairman position, and why
the company believes its structure is the most appropriate for the company at the
time of the filing.
▪ In certain circumstances, whether and why a company has a lead independent
director and the specific role of such director.
The extent of the board's role in the
risk oversight of the company.

26. Understanding the company’s key
drivers of success.
Assess the risk inherent in the
strategy.
Define the role of the full board
and its standing committees with
regard to risk oversight.
Consider whether the risk
management system is
appropriate and sufficiently
resourced.
Understand and agree with
management of the types and
format of risk information
required.
Encourage dynamic, constructive
risk dialogue between
management and the board.
Closely monitor the potential risks
in the company’s culture and its
incentive structure.
Monitor critical alignments – of
strategy, risk, controls compliance
incentives and people.
Consider emerging and
interrelated risks: What’s around
the next corner?
Periodically assess the risk
oversight process in view of the
board’s oversight objectives.

27. Educate Them
Ask for Input
Tie to Strategy
Demonstrate Value

29. ▪ Retitles the framework as Enterprise
Risk Management—Aligning Risk
with Strategy and Performance.
▪ Recognizes the importance of
strategy and entity performance.
▪ Delineates between internal control
and enterprise risk management.
▪ Integrates enterprise risk
management with decision-making.

30. ▪ Increases the range of opportunities.
▪ Identifies and manages entity-wide risks.
▪ Reduces surprises and losses.
▪ Reduces performance variability.
▪ Improves resource deployment.
▪ Anticipates, identifies, adapts, and responds to change.

31. ▪ Our understanding of the nature of risk, the art and science of
choice lies at the core of our modern market economy.
▪ Every choice we make in the pursuit of objectives has its risks.
From day-to-day operational decisions to the fundamental
trade-offs in the boardroom, dealing with uncertainly in these
choices is a part of our organizational lives.

32. ▪ The Advisory Council is
comprised of senior
executives, academics and
professional risk practitioners.
▪ Observers include
representatives from
regulators and industry
associations.
COSO Board
PwC Project Team
Advisory Council Observers

33. ▪ Executive Summary
▪ FAQ document
▪ Draft Framework
▪ Numerous articles
▪ Accounting/Consulting
▪ Firm publications

34. Updates components and adopts principles.
Simplifies definitions.
Emphasizes value.
Renews the focus on integration.
Examines role of culture.

35. Elevates discussion of strategy.
Enhances alignment with performance.
Links with decision-making.
Delineates enterprise risk management from internal control.
Refines risk appetite and acceptable variation in performance.

38. The possibility that events will occur and
affect the achievement of strategy and
business objectives (or will not occur).
The culture, capabilities, and practices,
integrated with strategy and execution, that
organizations rely on to manage risk in
creating, preserving, and realizing value.

39. ▪ Enhances the focus on value – how entities
create, preserve, and realize value.
▪ Embeds value throughout the framework, as evidenced by its:
-Prominence in the core definition of enterprise risk
management.
-Extensive discussion in principles.
-Linkage to risk appetite.
-Focus on the ability to manage risk to acceptable levels.

40. ▪ Integrates enterprise risk management with other business processes:
▪ Focuses on applying enterprise risk management at various levels of the organization (e.g.
entity level, business unit, division).
Strategy-Setting
Performance
Management
Objectives-Setting
Governance
Processes

41. ▪ Addresses the growing focus, attention and importance of
culture within enterprise risk management.
▪ Influences all aspects of enterprise risk management.
▪ Explores the relationship with culture in the context of:
-Risk governance.
-Oversight of the entity.
-Connection between framework components.
-Depicts the behavior within a risk spectrum from risk averse to risk aggressive.
-Affects the entity’s decision-making.
-Explores the alignment of culture between individual and entity behavior.

42. ▪ Explores enterprise risk management and strategy from three different perspectives:
-The possibility of strategy and business objectives not aligning with mission, vision
and values.
-The implications from the strategy chosen.
-Risk to executing the strategy.

43. ▪ Enables the achievement of business objectives by actively managing risk and
performance.
Focuses on how risk is integral to performance by:
▪ Exploring how enterprise risk management practices support the identification and
assessment of risks that impact performance.
▪ Discussing acceptable variations in performance.
▪ Manages risk in the context of achieving business objectives not as individual risks.
▪ Seeks to enhance the integrated reporting on risk and performance.

44. ▪ Introduces a new depiction referred to
as a risk profile.
Incorporates:
▪ Risk
▪ Performance
▪ Risk appetite
▪ Risk capacity
▪ Offers a dynamic and comprehensive
view of risk and enables more risk-aware
decision-making.
▪ The framework provides a complete
depiction of how to build a risk profile.

45. ▪ Explores how enterprise risk
management drives risk
aware decision-making.
▪ Highlights how risk
awareness optimizes and
aligns decisions impacting
performance.
▪ Explores how risk aware
decisions affect the risk
profile.
Risk Aware
Decision
Making
Assumptions
Risk
Appetite
Culture
Strategy
Business
Context
Risk Profile

46. ▪ The document does not replace the 2013
Internal Control – Integrated Framework.
▪ The two frameworks are distinct and
complementary.
▪ Both use a components and principles
structure.
▪ Aspects of internal control common to
enterprise risk management are not repeated.
▪ Some aspects of internal control are
developed further in this framework.

47. The amount of risk, on a broad level, an
organization is willing to accept in
pursuit of value.
The boundaries of acceptable outcomes
related to achieving business objectives.

48. ▪ Allows for the development of
awareness and acceptance by the
public.
▪ Provides the ability to gain input
across:
- Geography
- Industry
- Risk disciplines
▪ Extends from June 15, 2016 through
September 30, 2016 and includes:
- Executive summary
- Framework
- Appendices

49. ▪ Integral to the COSO framework revision process.
▪ Enhances confidence by regulators.
▪ Leverages other good thinking.
▪ Provides non-US perspective.
▪ Challenges our assumptions.
▪ Provides confirmation.
▪ Creates improvement.

50. ▪ Over 200 survey responses – double that of
the Internal Control-Integrated Framework
update.
▪ Over 70% of responses from individuals,
who are often less inclined to write letters.
▪ Over 50% of participation outside of North
America.
▪ Almost 50% of those responding had
affiliations beyond COSO memberships.
▪ Almost 50% of respondents had 10 or more
years of risk management experience.
▪ Positive ratings outnumbered negative
ratings by 4.5:1.
▪ 48 letters received – many of
which demonstrated
considerable investment.
▪ Comments on concepts (flawed
missing, unnecessary) collectively
represented less than 15% of the
total number of comments
received.
▪ Greatest number of comments
requested clarity of drafted
content versus adding/deleting
content.

51. ▪ Almost 10,000 downloads of the
document during the public
exposure period.
▪ Strong international interest in the
Update, with 46% of the
downloads occurring outside North
America.
▪ Widespread interest across
industries.
▪ Equal interest between private and
public companies.
▪ Survey feedback provided
through the website.
▪ Letters provided by associations,
companies, and individuals.
▪ Meetings, conferences, seminars
attended by the PwC Project
Team, providing direct feedback
on the update.
▪ Social media outreach with over
3 million connections.

52. ▪ Culture
▪ Decision-making
▪ Definitions
▪ Integration of ERM
▪ Risk assessment
▪ Risk information
▪ Strategy

53. Public Exposure
Period
Public Exposure
Comment
Analysis
Framework
Release
Framework
Revisions
PwC Project Team
analyzes surveys and
comment letters.
Draft framework
released for comment
and survey launched.
PwC Project Team
revises framework.
The COSO Board
approves the final
framework and publishes.

54. ▪ # of Principles
▪ Graphics
▪ Linkage to internal control
▪ Definitions
▪ Change “execution”
▪ More integration explanation
▪ “Wordsmithing”

55. ▪ Inclusion in strategy setting.
▪ Board oversight and culture.
▪ Link to performance.
▪ Use in decision-making.
▪ Components and principles structure.
▪ Risk profiles concept.
▪ “DNA” embedded- not a function.
▪ Examples compendium (not in public comment).

56. ▪ Protect the organization, add value.
▪ Be competent.
▪ Help to realize the strategy.
▪ Engage, leverage the organization.
▪ Create efficiencies .
▪ RECOGNIZE, ACT ON CHANGE.
WIN!!!

57. ▪ THERE’S NEW MATERIAL OUT THERE! Adapt it
to your circumstances, use best of breed parts.
▪ Collaborate with others.
▪ Do you have common vocabulary?
▪ IS IT WORKING - WHY, WHY NOT?
▪ ERM is not a function.

58. “
The culture, capabilities, and practices,
integrated with strategy and execution, that
organizations rely on to manage risk in
creating, preserving, and realizing value.

61. “
How would you like to meet
more of your objectives more
often?

63. robert.hirth@protiviti.com