SlideShare a Scribd company logo

COSO ERM Framework

Download as PPT, PDF
S
ssuser6ea258

The document discusses COSO's Enterprise Risk Management Integrated Framework. It defines ERM and describes its eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. ERM supports organizations in identifying and managing risks across the enterprise. The framework helps entities achieve objectives and create value for stakeholders. Internal auditors can assist with ERM implementation by evaluating risk management processes and controls, and advising on improvements.

Business
1 of 50
www.theiia.org Applying COSO’s Enterprise Risk Management — Integrated Framework
www.theiia.org Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting)
www.theiia.org ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
www.theiia.org Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
www.theiia.org Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
www.theiia.org Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
www.theiia.org The ERM Framework • Entity objectives can be viewed in the • context of four categories: – Strategic – Operations – Reporting – Compliance
www.theiia.org The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or subsidiary • Business unit processes
www.theiia.org The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk.
www.theiia.org The ERM Framework • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level
www.theiia.org The ERM Framework The eight components of the framework are interrelated …
www.theiia.org Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture.
www.theiia.org Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
www.theiia.org Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
www.theiia.org Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile.
www.theiia.org Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives.
www.theiia.org Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis.
www.theiia.org Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses.
www.theiia.org Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls.
www.theiia.org Information & Communication • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization.
www.theiia.org Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two.
www.theiia.org Internal Control A strong system of internal control is essential to effective enterprise risk management.
www.theiia.org Relationship to Internal Control — Integrated Framework • Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
www.theiia.org ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors
www.theiia.org Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements
www.theiia.org Internal Auditors Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing’s in Enterprise Risk Management.”
www.theiia.org Standards • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
www.theiia.org Key Implementation Factors 1. Organizational design of business 2. Establishing an ERM organization 3. Performing risk assessments 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management
www.theiia.org Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)
www.theiia.org Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under- performing hospitals and negotiate agreements with two this year
www.theiia.org Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities
www.theiia.org Example: ERM Organization ERM Director Vice President and Chief Risk Officer Corporate Credit Risk Manager Insurance Risk Manager ERM Manager ERM Manager Staff Staff Staff FES Commodity Risk Mg. Director
www.theiia.org Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
www.theiia.org Example: Risk Model • Environmental Risks – Capital Availability – Regulatory, Political, and Legal – Financial Markets and Shareholder Relations • Process Risks – Operations Risk – Empowerment Risk – Information Processing / Technology Risk – Integrity Risk – Financial Risk • Information for Decision Making – Operational Risk – Financial Risk – Strategic Risk
www.theiia.org Risk Analysis Control It Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Level Entity Level Risk Monitoring Identification Measurement Prioritization Risk Assessment
www.theiia.org DETERMINE RISK APPETITE • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
www.theiia.org DETERMINE RISK APPETITE Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
www.theiia.org IDENTIFY RISK RESPONSES • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage)
www.theiia.org Impact vs. Probability Control Share Mitigate & Control Accept High Risk Medium Risk Medium Risk Low Risk Low High High I M P A C T PROBABILITY
www.theiia.org Example: Call Center Risk Assessment Low High High I M P A C T PROBABILITY High Risk Medium Risk Medium Risk Low Risk • Loss of phones • Loss of computers • Credit risk • Customer has a long wait • Customer can’t get through • Customer can’t get answers • Entry errors • Equipment obsolescence • Repeat calls for same problem • Fraud • Lost transactions • Employee morale
www.theiia.org Example: Accounts Payable Process Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing
www.theiia.org Communicate Results • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments
www.theiia.org Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks
www.theiia.org Management Oversight & Periodic Review • Accountability for risks • Ownership • Updates - Changes in business objectives - Changes in systems - Changes in processes
www.theiia.org Internal auditors can add value by: • Reviewing critical control systems and risk management processes. • Performing an effectiveness review of management's risk assessments and the internal controls. • Providing advice in the design and improvement of control systems and risk mitigation strategies.
www.theiia.org Internal auditors can add value by: • Implementing a risk-based approach to planning and executing the internal audit process. • Ensuring that internal auditing’s resources are directed at those areas most important to the organization. • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
www.theiia.org Internal auditors can add value by: • Facilitating ERM workshops. • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
www.theiia.org For more information On COSO’s Enterprise Risk Management — Integrated Framework, visit www.coso.org or www.theiia.org
www.theiia.org Applying COSO’s Enterprise Risk Management — Integrated Framework This presentation was produced by
www.theiia.org

Recommended

Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
Coso erm
Coso ermCoso erm
Coso erm
Humberto Omar Valverde Taborga
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
Aziz Fataliyev, Internal Audit Practitioner
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit Approach
SALIH AHMED ISLAM
 
Coso framework
Coso frameworkCoso framework
Coso framework
Darryl Woolley
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
Corporate Compliance Seminars
 
Internal controls
Internal controlsInternal controls
Internal controls
Geetali Tare
 

Recommended

Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
Irfan Ahmed - ACA, CICA
 
Coso erm
Coso ermCoso erm
Coso erm
Humberto Omar Valverde Taborga
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
Sophia Abigayle
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
Aziz Fataliyev, Internal Audit Practitioner
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit Approach
SALIH AHMED ISLAM
 
Coso framework
Coso frameworkCoso framework
Coso framework
Darryl Woolley
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
Corporate Compliance Seminars
 
Internal controls
Internal controlsInternal controls
Internal controls
Geetali Tare
 
Coso erm
Coso ermCoso erm
Coso erm
luisrobles_cl
 
Control Self Assessment
Control Self AssessmentControl Self Assessment
Control Self Assessment
Manoj Agarwal
 
Risk Management Essentials for Bankers
Risk Management Essentials for BankersRisk Management Essentials for Bankers
Risk Management Essentials for Bankers
David Vu
 
Internal Control
Internal ControlInternal Control
Internal Control
Salih Islam
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrk
Ravinder Kumar Bhan
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentation
alygale
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditing
Frederick Altum Pokoo-Aikins
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Resolver Inc.
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
P Karlin Panggalo.SE.MM.Ak.CA.CFA.CCM
 
Internal Auditor Roles
Internal Auditor RolesInternal Auditor Roles
Internal Auditor Roles
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
The Role of Internal Audit
The Role of Internal AuditThe Role of Internal Audit
The Role of Internal Audit
ArmeniaFED
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
Max Neira Schliemann
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit ppt
Letzconsult.com
 
Recent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsRecent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management Developments
International Federation of Accountants
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
Manoj Agarwal
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management Framework
Treasury Consulting LLP
 
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
VALUES & SENSE
 
Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)
Diane Christina
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO Framework
Jesús Gándara
 
Riskpro - Operational Risk Management
Riskpro - Operational Risk ManagementRiskpro - Operational Risk Management
Riskpro - Operational Risk Management
Manoj Jain
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
Naresh Parandhaman
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
Dina Pramudianti
 

More Related Content

What's hot

Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentation
alygale
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditing
Frederick Altum Pokoo-Aikins
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Resolver Inc.
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management Framework
Treasury Consulting LLP
 

What's hot (20)

Coso erm
Coso ermCoso erm
Coso erm
 
Control Self Assessment
Control Self AssessmentControl Self Assessment
Control Self Assessment
 
Risk Management Essentials for Bankers
Risk Management Essentials for BankersRisk Management Essentials for Bankers
Risk Management Essentials for Bankers
 
Internal Control
Internal ControlInternal Control
Internal Control
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrk
 
Risk Management ERM Presentation
Risk Management ERM PresentationRisk Management ERM Presentation
Risk Management ERM Presentation
 
Risk based internal auditing
Risk based internal auditing Risk based internal auditing
Risk based internal auditing
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and Performance
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
 
Internal Auditor Roles
Internal Auditor RolesInternal Auditor Roles
Internal Auditor Roles
 
The Role of Internal Audit
The Role of Internal AuditThe Role of Internal Audit
The Role of Internal Audit
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit ppt
 
Recent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsRecent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management Developments
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management Framework
 
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
 
Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO Framework
 
Riskpro - Operational Risk Management
Riskpro - Operational Risk ManagementRiskpro - Operational Risk Management
Riskpro - Operational Risk Management
 

Similar to COSO ERM Framework

mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
Neeraj Verma
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
deeptica
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution training
veritama
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
Tim Leech
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & erm
Dr. Zar Rdj
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
David Fernandes
 

Similar to COSO ERM Framework (20)

COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
Entetrprise risk management process
Entetrprise risk management processEntetrprise risk management process
Entetrprise risk management process
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
HIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINALHIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINAL
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution training
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmFive Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & erm
 
Risk management
Risk managementRisk management
Risk management
 
Internal auditing
Internal auditingInternal auditing
Internal auditing
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy PresentationSuper Strategies 2014 Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Evolving role of internal auditing function
Evolving role of internal auditing functionEvolving role of internal auditing function
Evolving role of internal auditing function
 

Recently uploaded

Cracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptxCracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptx
Workforce Group
 

Recently uploaded (20)

Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptxUnveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
Unveiling the Dynamic Gemini_ Personality Traits and Sign Dates.pptx
 
The Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdfThe Truth About Dinesh Bafna's Situation.pdf
The Truth About Dinesh Bafna's Situation.pdf
 
USA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdfUSA classified ads posting – best classified sites in usa.pdf
USA classified ads posting – best classified sites in usa.pdf
 
Vendors of country report usefull datass
Vendors of country report usefull datassVendors of country report usefull datass
Vendors of country report usefull datass
 
Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)
 
Hyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings releaseHyundai capital 2024 1quarter Earnings release
Hyundai capital 2024 1quarter Earnings release
 
Cracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptxCracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptx
 
Unlock Your TikTok Potential: Free TikTok Likes with InstBlast
Unlock Your TikTok Potential: Free TikTok Likes with InstBlastUnlock Your TikTok Potential: Free TikTok Likes with InstBlast
Unlock Your TikTok Potential: Free TikTok Likes with InstBlast
 
HR and Employment law update: May 2024.
HR and Employment law update: May 2024.HR and Employment law update: May 2024.
HR and Employment law update: May 2024.
 
Copyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to KnowCopyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to Know
 
April 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products NewsletterApril 2024 Nostalgia Products Newsletter
April 2024 Nostalgia Products Newsletter
 
New Product Development.kjiy7ggbfdsddggo9lo
New Product Development.kjiy7ggbfdsddggo9loNew Product Development.kjiy7ggbfdsddggo9lo
New Product Development.kjiy7ggbfdsddggo9lo
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
sales plan presentation by mckinsey alum
sales plan presentation by mckinsey alumsales plan presentation by mckinsey alum
sales plan presentation by mckinsey alum
 
India’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdfIndia’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdf
 
Event Report - IBM Think 2024 - It is all about AI and hybrid
Event Report - IBM Think 2024 - It is all about AI and hybridEvent Report - IBM Think 2024 - It is all about AI and hybrid
Event Report - IBM Think 2024 - It is all about AI and hybrid
 
Pitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deckPitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deck
 
The Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdfThe Leading Cyber Security Entrepreneur of India in 2024.pdf
The Leading Cyber Security Entrepreneur of India in 2024.pdf
 
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
8 Questions B2B Commercial Teams Can Ask To Help Product Discovery
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 

COSO ERM Framework

  • 2. www.theiia.org Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting)
  • 3. www.theiia.org ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
  • 4. www.theiia.org Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
  • 5. www.theiia.org Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
  • 6. www.theiia.org Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
  • 7. www.theiia.org The ERM Framework • Entity objectives can be viewed in the • context of four categories: – Strategic – Operations – Reporting – Compliance
  • 8. www.theiia.org The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or subsidiary • Business unit processes
  • 9. www.theiia.org The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk.
  • 10. www.theiia.org The ERM Framework • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level
  • 11. www.theiia.org The ERM Framework The eight components of the framework are interrelated …
  • 12. www.theiia.org Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture.
  • 13. www.theiia.org Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
  • 14. www.theiia.org Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
  • 15. www.theiia.org Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile.
  • 16. www.theiia.org Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives.
  • 17. www.theiia.org Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis.
  • 18. www.theiia.org Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses.
  • 19. www.theiia.org Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls.
  • 20. www.theiia.org Information & Communication • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization.
  • 21. www.theiia.org Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two.
  • 22. www.theiia.org Internal Control A strong system of internal control is essential to effective enterprise risk management.
  • 23. www.theiia.org Relationship to Internal Control — Integrated Framework • Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
  • 24. www.theiia.org ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors
  • 25. www.theiia.org Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements
  • 26. www.theiia.org Internal Auditors Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing’s in Enterprise Risk Management.”
  • 27. www.theiia.org Standards • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
  • 28. www.theiia.org Key Implementation Factors 1. Organizational design of business 2. Establishing an ERM organization 3. Performing risk assessments 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management
  • 29. www.theiia.org Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)
  • 30. www.theiia.org Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under- performing hospitals and negotiate agreements with two this year
  • 31. www.theiia.org Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities
  • 32. www.theiia.org Example: ERM Organization ERM Director Vice President and Chief Risk Officer Corporate Credit Risk Manager Insurance Risk Manager ERM Manager ERM Manager Staff Staff Staff FES Commodity Risk Mg. Director
  • 33. www.theiia.org Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
  • 34. www.theiia.org Example: Risk Model • Environmental Risks – Capital Availability – Regulatory, Political, and Legal – Financial Markets and Shareholder Relations • Process Risks – Operations Risk – Empowerment Risk – Information Processing / Technology Risk – Integrity Risk – Financial Risk • Information for Decision Making – Operational Risk – Financial Risk – Strategic Risk
  • 35. www.theiia.org Risk Analysis Control It Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Level Entity Level Risk Monitoring Identification Measurement Prioritization Risk Assessment
  • 36. www.theiia.org DETERMINE RISK APPETITE • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
  • 37. www.theiia.org DETERMINE RISK APPETITE Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
  • 38. www.theiia.org IDENTIFY RISK RESPONSES • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage)
  • 39. www.theiia.org Impact vs. Probability Control Share Mitigate & Control Accept High Risk Medium Risk Medium Risk Low Risk Low High High I M P A C T PROBABILITY
  • 40. www.theiia.org Example: Call Center Risk Assessment Low High High I M P A C T PROBABILITY High Risk Medium Risk Medium Risk Low Risk • Loss of phones • Loss of computers • Credit risk • Customer has a long wait • Customer can’t get through • Customer can’t get answers • Entry errors • Equipment obsolescence • Repeat calls for same problem • Fraud • Lost transactions • Employee morale
  • 41. www.theiia.org Example: Accounts Payable Process Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing
  • 42. www.theiia.org Communicate Results • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments
  • 43. www.theiia.org Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks
  • 44. www.theiia.org Management Oversight & Periodic Review • Accountability for risks • Ownership • Updates - Changes in business objectives - Changes in systems - Changes in processes
  • 45. www.theiia.org Internal auditors can add value by: • Reviewing critical control systems and risk management processes. • Performing an effectiveness review of management's risk assessments and the internal controls. • Providing advice in the design and improvement of control systems and risk mitigation strategies.
  • 46. www.theiia.org Internal auditors can add value by: • Implementing a risk-based approach to planning and executing the internal audit process. • Ensuring that internal auditing’s resources are directed at those areas most important to the organization. • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
  • 47. www.theiia.org Internal auditors can add value by: • Facilitating ERM workshops. • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
  • 48. www.theiia.org For more information On COSO’s Enterprise Risk Management — Integrated Framework, visit www.coso.org or www.theiia.org
  • 49. www.theiia.org Applying COSO’s Enterprise Risk Management — Integrated Framework This presentation was produced by