This document provides comments on the June 2016 COSO draft guidance on enterprise risk management. The author believes the updated guidance represents an improvement over the 2004 version, but still requires major changes. Specifically, the author argues that the guidance should acknowledge weaknesses identified in past ERM implementations and the 2008 financial crisis. It should also clearly position itself as promoting an "objective-centric" rather than "risk-centric" paradigm for ERM by fully linking risk management to strategy and objectives. While the updated guidance emphasizes this objective-centric approach, the author believes it still straddles the competing paradigms which could cause confusion.
Listening and learning: Stephen Sidebottom, IRM’s first independent non executive chair, on opportunities and threats created by the pandemic.
We have been working behind the scenes for the last few months to refresh the look and feel of Enterprise risk. You have the results in your hand now – either online, mobile or in print. And we hope you like the results. Publishing, like all industries today, is beset with rapid change. As risk managers, you know better than most what such change brings – risk and opportunity. Even in the four years since I have been editing this publication, digital innovations have greatly altered the way we all consume media. The challenge is to take advantage of that diversity while maintaining a core, quality product – the magazine.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
Five lines of assurance: a new paradigm in internal audit & ERM (Dr. Zar Rdj)
• Boards are provided with a tangible vehicle to demonstrate they are actively overseeing the company’s “risk appetite framework” (“RAF”)
• The process is designed to fully integrate with strategic planning, new product/service initiatives, and M&A activities.
• The process provides a clear response to emerging expectations like the UK Governance Code, Canadian Securities Administrators, SEC, FSB, credit agencies, institutional investors and TSB.
• The main role of internal audit is to report on the effectiveness of the risk management processes and on the consolidated report on residual risk status that the board receives from the CEO or his/her designate, and to help the company build and maintain robust risk management processes.
Risk Appetite: new challenges to manage an insurance company (Philippe Foulquier)
Based on a survey of European insurance companies, the results call into question some of the risk appetite indicators chosen by insurers. The study shows how risk appetite is applied to all decisions in a fully objective manner, and it signals the need for a profound culture change with regard to risk-return analysis. It is on this point, which lies at the heart of the competition among players in the insurance sector (evaluating the performance of allocated capital by activity, measured against the risks incurred), that a number of structural shifts, innovations and changes will have to be made.
The UK Corporate Governance Code and selected companies' approaches to designing and implementing risk appetite statements, and the lessons for boards and for risk professionals.
IRM is the leading professional body for risk management. We are an independent, not-for-profit organisation that champions excellence in managing risk to improve organisational performance.
We do this by providing internationally recognised qualifications and training, publishing research and guidance and raising professional standards across the world. Our members work in all industries, in all risk disciplines and across the public, private and not-for-profit sectors.
IRM does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
Risk management and the business model (IRM India Affiliate)
This handbook is aimed at assisting those on the governing body of an organisation to:
• gain clarity about the interaction of governance and risk management
• avoid confusion in the responsibilities of those with an oversight role and those with an implementation role
• achieve focus on embedding risk management within the strategic framework.
ISO 31000:2009 Risk Management—Principles and guidelines and the related handbook, HB 436:2004 Risk management guidelines—Companion to AS/NZS ISO 31000:2009, deal with the implementation aspects of a risk management framework, and will assist entities to focus on operational risk management. Governance Institute's publication Enterprise Risk Management also provides a framework for approaching the implementation of risk management. This handbook deals with the link between the deliberations of boards and their oversight of management, and the alignment of risk management practices with strategic objectives throughout the organisation.
This guide is not intended to advise directors on how to create an enterprise risk management system or a technical management-led risk process; these are more suited to development by management. It is intended to assist boards to integrate their governance and risk management frameworks. This in turn will assist organisations to achieve strategic focus, by providing boards with the information they need and ensuring ongoing ownership of risks by all employees in relation to achieving strategic objectives. The questions that conclude each section are included for consideration and to prompt directors' thinking. Directors will need to decide if they are relevant to their circumstances.
One of our primary goals has been to improve risk management in the financial services sector through enterprise risk management (ERM) education and training. To advance this goal, Global Risk Institute is launching a comprehensive ERM Roadmap program to contribute to this important ERM practice area.
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational exposures and the effectiveness of controls. In so doing, RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that operational risk management is a bureaucratic, compliance-focused exercise that does not support the achievement of organisational objectives.
Enterprise Risk Management and Sustainability (Jeff B)
An overview of our endeavors at implementing ISO 31000 enterprise risk management and the importance of establishing good risk culture within the company.
Deloitte's risk management philosophy, Risk Intelligence (RI), focuses on maintaining the right balance between risk and reward. Asking the right questions and finding effective answers to them is critical to developing the right risk management capabilities. Most organizations already have a multitude of Enterprise Risk Management (ERM) practices and processes to address risks, but the lack of a strategic view of the ERM program can expose gaps and redundancies in risk management and prevent sufficient insight into key risk interdependencies.
Enterprise Risk Management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
Enterprise Risk Management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.
In recent years, external factors have fueled a heightened interest by organizations in ERM.
Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk-management policies and procedures.
In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk-management processes in the organizations they administer.
Since they thrive on the business of risk, financial institutions are good examples of companies that can benefit from effective ERM.
Their success depends on striking a balance between enhancing profits and managing risk.
For any enterprise to manage its future growth properly, effectively and prudently, business strategy needs to be sustained by modern Enterprise Risk Management (ERM) principles and practices.
The Enterprise Risk Management discipline is no longer a separate management profession or a niche management fad; rather, it is a core competency that all organizations and executives must have in this global age. It should be a way of life for all.
Julia Graham
Technical Director and Deputy CEO, Airmic
Immediate Past President and Board Member, FERMA
The Fourth Revolution: Managing risk in a changing world. Are you a tenant or an owner?
5th April 2016
Moscow
Virtual camera control in modelling software based on pro... (Mattias Cibien)
Mattias Cibien's degree thesis, presenting a plugin for the DAZ Studio software that generates camera shots based on real photographic properties.
The Information Age, marked by intense change and instability, is bringing in the organic and flexible model of organizational structure, in which multifunctional work teams prevail.
It is the era of managing people and managing with people. In today's world, organizations' concerns turn to globalization, people, customers, products/services, knowledge, results and technology. Changes and transformations in the HR field are intense, and as a result people management has become a strategic area within the organization.
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary (VALUES & SENSE)
This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.
Discussion1Explaining the results of Efficient Frontier Analysis.docx (madlynplamondon)
Discussion1
Explaining the results of Efficient Frontier Analysis to non-technical decision-makers
Implementing Efficient Frontier Analysis in an organization lets the strategic risk management process incorporate an advanced analytical technique whose outcomes can be understood and used by the organization's non-technical decision-makers as well. With proper use of Efficient Frontier Analysis, a decision-maker can identify complex property and casualty risk profiles. The case study considered shows that the most convincing organizational decision-making practices for effective risk management require a thorough understanding of the governance structure, followed by the processes and the variety of tools used within it. These practices are also developed on the basis of the principles and guidance of ISO 31000, together with the implementation guidance of the Australian and New Zealand handbook HB 436 (Fraser, Simkins & Narvaez, 2014). Efficient Frontier Analysis also emphasizes the hierarchical roles within the internal audit function as well as within the organization and its risk management function.
The results of implementing Efficient Frontier Analysis depend on an in-depth assessment of the risk portfolio's volatility, followed by the pricing structure reflected in decision-making. The case study also explains that implementing Efficient Frontier Analysis requires analyzing insurance layering efficiency to determine how the risk portfolio applies, so that catastrophic loss potential is accounted for in the strategic risk management decision-making practices (Rezaeiani & Foroughi, 2018). A business organization implementing it can also analyze and resolve control breakdowns more easily by identifying risk origins, actors, causes and consequences precisely. With proper strategic management, non-technical decision-making can operate through a risk appetite framework that shapes the risk control framework; both of these in turn affect the emergence of dynamic risks, the integrated enterprise risk profile, and scenario and stress testing, opening up untapped opportunities.
Recommendations assuming the risk appetite
The notion of risk appetite is strongly aligned with risk tolerance, and together they shape the scenario and stress testing capabilities used to develop an analytical framework. The fundamental purpose of this framework is to drive multiple sets of discussions grounded in analytical information, helping decision-makers determine the risk profile and leading the organization toward competitive opportunities. Risk appetite, in association with risk tolerance, helps them categorize risks and further reframe them as opportuniti ...
The requirement for presentation(need in 4hrs)slide1ERM at M.docx (kathleen23456789)
The requirement for presentation (need in 4hrs):
slide 1: ERM at Mars and UC
slide 2: ERM in industry and academia
slide 3: Measuring and Selecting an ERM Framework
slide 4: Special Risk Management Topic
slide 5: Conclusion
below is the content for doing a presentation
1. ERM at Mars and UC
Two different organizations can take similar approaches to ERM because of a common benefit or a common purpose. Consider the following two organizations: ERM at Mars, Incorporated and ERM in practice at the University of California (UC) Health System. Both approaches are used to spread and embed the process in business units and other units. As these programs grew, they involved working with professionals to address the needs of the business units.
Ways the two organization’s approaches to ERM differ
Two different organizations can also approach ERM differently, because ERM serves different purposes and offers different advantages that vary from field to field (Warner, Larry, 2015). Of the two organizations considered, ERM at Mars can be migrated to non-family management, i.e. it can be applied to other areas and platforms beyond professional organizations, while ERM at UC focuses on enterprise risk analysis, audits, monitoring and report generation. ERM at Mars uses simple technology for building its framework, such as Word, Excel and a few tools, whereas ERM at UC relies on more complex technologies to build its framework.
One aspect of each ERM implementation from which the other organization would benefit
For any organization, implementing Enterprise Risk Management is key. Initially, an organization has to understand the fundamentals, i.e. the scope and the tools that support the ERM implementation plan. To implement ERM, getting the essentials right means adopting an explicit ERM system that clearly and measurably defines what ERM will mean for the organization, and using that structure to build an ERM execution plan tailored to success in that organization.
Enterprise Risk Management (ERM) mainly involves six fundamentals.
Identify
Analyze
Control
Transfer
Reduce
Assess
Most organizations have faith in large business change initiatives like ERM. In many cases, however, they have been frustrated by execution issues that have caused ERM to fall short of its potential. Before starting ERM, they have to do solid back-end work to implement it.
What advantages can an organization acknowledge through ERM
Organizations that understand their risks have a greater ability to anticipate or respond to events that can affect their goals and objectives. Ultimately, this can translate into less volatility and a competitive edge. A good grasp of risk can also open up an organization's view of opportunities it may want to pursue.
ERM empowers the board and the board to have an increasingly steady perspective of a way .
Discussion 1
From time to time, most organizations make improvements to their ERM framework to keep up with the latest market trends and reduce risk factors, or simply choose the best ERM framework that adds more value and is more powerful than the current one. Before selecting any ERM framework, the organization should understand that no ERM is perfect, and it should choose the best available tool by considering its requirements and future enhancements. In addition to risk analysis and risk management, these days many organizations are choosing the best ERM for the purpose of making financial investment decisions (Will Kenton, 2018).
ISO 31000 is much simpler and superior to the risk scorecard model for mitigating risk. In the current situation, the Edmonton Police Service (EPS) wants to share its ERM with other city departments where new programs and initiatives need to be created. ISO 31000 is one of the best frameworks an organization can use to manage its risk because it increases the likelihood that the organization will improve its identification of threats to its objectives, achieve its aims and objectives, and allocate and use resources effectively in risk treatment. Although ISO 31000 is not used for certification purposes, it provides an organization with the best guidelines for internal and external audit programs. This guideline helps an organization compare its risks with international benchmarks, which ends up providing sound principles for effective corporate governance and effective management. ISO 31000 risk assessment techniques focus mainly on risk assessment, which helps different decision makers understand the risks that may affect the adequacy of the controls in place and the achievement of objectives. Therefore, in a situation where an organization wants to develop a new ERM, the best framework to use is ISO 31000 (John Fraser & Betty Simkins, 2014).
Discussion 2
The organization needed an enterprise-wide common risk framework, an annual assessment cycle, and integration into the strategic planning process. ISO 31000 is intended to provide guidance on the nature of the risk management process and how to implement it. This distinction is a crucial one to understand when comparing the two frameworks and understanding how they can be used. ISO 31000’s focus on risk management as a process devotes more attention to implementation, which broadens its appeal for those looking for insights on that subject.
“Risk management creates value, is an integral part of organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on best available information; is tailored; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement and enhancement of the organization.” Therefore, ISO 31000 is focused on in ...
Due to the current instability in the business world, organizations should be able to anticipate changes and have coherent responses at hand to effectively manage risks, create value, build good relations, increase profit and improve their competitive positioning.
A report titled Exploring Strategic Risk issued in 2013 for Forbes Insights by Deloitte, contains some very important conclusions for the business community. 300 executives from around the world were interviewed for the study, in an attempt to find out their vision of the risk strategy and current changes and analysing how organizations should face these new challenges.
Sometimes it is difficult to link risks to a specific financial impact and not all data are pertinent to the evaluation of emerging risks. That's why companies have to be aware of internal risks and manage them well in order to be able to manage external risks and invest into strategic assets such as human capital, clients and innovation.
This insight describes the case of financial services as the sector that generates the least trust, due to its short-sightedness, lack of values and lack of professional education, which resulted in corruption and bad practices that compromised the financial sector.
The report A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services examines the role of integrity and knowledge in restoring culture in the financial services industry. The conclusions appear in the full version of this document.
The financial industry is just one example in the wider panorama. Lack of values is widespread and creates significant risks. Bad practices trigger problems such as loss of profit, loss of reputation and even loss of shareholders, clients and employees.
The crisis, as well as the arrival of new technologies, urges companies to maintain their good practices and emphasize aspects such as ethics, leadership, commitment, performance, transparency and sustainability.
The digital revolution and social networks encourage companies to be more transparent: companies meet their promises and obligations, deliver a coherent dialogue and improve the relationship with their stakeholders.
Application of values raises the possibility of good results and profits for companies through improvement of their reputation and business as well as optimization of resources. This certainly creates competitive advantages, establishes a strong cultural connection and improves employees’ motivation.
Before taking any decision, an institution should keep in mind the fact that it needs implicit and explicit public approval. Good business management implies risk management, creating a climate of trust, good will, credibility, social commitment and empathy between stakeholders and the company.
FEBRUARY–MARCH 2005 BANK ACCOUNTING & FINANCE 29
David M. Bowling is an Executive, Corporate Governance and Enterprise Risk Management, at Crowe Chizek and Company LLC, Lexington, Kentucky. He can be reached at [email protected]
Lawrence A. Rieger is an Executive, Corporate Governance and Enterprise Risk Management, at Crowe Chizek and Company, LLC, Chicago, Illinois. He can be reached at [email protected]
Making Sense of COSO’s New Framework for Enterprise Risk Management
By David M. Bowling and Lawrence A. Rieger
Enterprise risk management (ERM) has been widely discussed for more than a decade but has taken root in only a few, primarily larger, financial institutions. Interest has built slowly since the mid-1990s, when the Economist Intelligence Unit created an extensive ERM framework. Professional associations—from internal audit groups to business risk managers to chief financial officers—have been discussing the potential of ERM at conferences, in papers and in trade publications for several years. But corporate interest was driven primarily by intellectual curiosity and internal audit experimentation.
ERM can provide a solid foundation upon which companies can enhance corporate governance and deliver greater shareholder value. Very few attempts, however, have come close to fully achieving these objectives. Many financial institutions that launched ERM initiatives began by assessing and then roughly quantifying risks across their enterprises. Most of the attempts did not progress to aggregating risks, creating formal strategies or implementing plans to address the risks, let alone developing frameworks to test for risk or take corrective action.
The time for widespread ERM implementation, however, finally seems to be dawning for at least two reasons:
1. The logical next step after Sarbanes-Oxley. Public financial institutions are coming off an intense period of initial implementation of the Sarbanes-Oxley Act of 2002 (SOA), Section 404 in particular. The resulting increased emphasis on corporate governance and the related mounting compliance costs are motivating company leaders to consider if enterprisewide approaches to risk management will generate greater value from their considerable investments in SOA compliance. They see ERM as the next step in a logical progression for the development of their risk management activities. At its fullest, ERM has the potential to reduce compliance costs, improve operational performance, enhance corporate governance and deliver greater shareholder value.
2. Release of COSO’s new framework. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission¹ in late September released its long-awaited Enterprise Risk Management—Integrated Framework (COSO ERM Framework). Three years in the making, the ERM model describes key components and risk-management principles for organizations regardless of si ...
The underlying premise of enterprise risk management is that the Company exists to provide value for its stakeholders – customers, employees, and shareholders. Like any business, every Company faces some uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables senior management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. These capabilities inherent in enterprise risk management help management achieve the Company’s performance and profitability targets, and minimize loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the Company’s reputation and associated consequences. In sum, enterprise risk management helps the Company get to where it wants to go and avoid pitfalls and surprises along the way. Enterprise risk management encompasses:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
• Leveraging Talent, Structure, Process, and Capital
Discussion 1
1. How does efficient frontier analysis (EFA) differ from other forms of complex risk assessment techniques?
The selection of risk management methods to support investment decision-making is one of the key issues discussed in portfolio management. The factor contributing to the development and dissemination of risk management methods is that, with the development of this theory, the risk of financial institutions’ portfolios began to be measured widely using the Markowitz portfolio selection model. Currently, this problem has been solved, since its determination uses linear programming. The connection between these two facts cannot be missed. Indicating such a relationship, as well as its characteristics, is the main purpose of the publication, which relied not only on a study of the literature. The efficient frontier can be defined as the image of the set of portfolios that provide the maximum return for each level of risk, or the minimum risk for any level of return. In addition, this measure brings important details to the management of portfolios of financial instruments, on the grounds that it considers the possibility of the investor’s bankruptcy and may be regarded as a dynamic measurement of risk (Bali T.G).
2. What limitations might an analyst encounter with EFA?
Efficient frontier models are the financial equivalent of racing cars. They’re one of the most touted, yet most misunderstood and misused, tools in the field of financial planning. It is important to understand the nature of an efficient frontier model and the assumptions on which it relies. As with a sophisticated racing car, a powerful tool in the wrong hands can be a very dangerous thing. For example, it’s logical to believe that stocks will outperform bonds in the future. Efficient frontier models rely on historical data and relationships to generate the "perfect" portfolio. In my experience, many investors who use efficient frontier models are unaware of their pitfalls. These models are being marketed as solutions to the problem of portfolio construction, but they come without instructions.
3. How can efficient frontier analysis results be communicated and utilized with a nonmathematical decision maker?
Communication is not a crank to be turned mindlessly, but a decision problem of its own. As we will see, there are many alternatives to consider. The analyst’s choices constitute the design of a communication plan. In ideal cases, the client is infinitely patient, unshakably invested in the problem, fully committed to finding the highest quality solutions, flexible about the process, and unwavering in confidence in the analyst’s work. In such cases, tight outlines or rambling jumbles may lead to the same outcome. Good quantitative analysis alone does not usually produce good decisions, because rarely does the analyst control all the resources required to decide and act. Decision makers and other players who influence the decision must assimilate the results of th ...
ERM Implementation
ERM is essential for organizations in managing risks and improving on opportunities related to the achievement of organizational objectives. Statoil and United Grain Growers have each established an enterprise risk management program that meets their company goals, based on the challenges each of them is facing.
The primary difference between ERM at Statoil and United Grain Growers is that ERM will affect management at the latter. Additionally, ERM at United Grain Growers seeks to rescue the company from financial constraints, while at Statoil, ERM seeks to improve organizational performance. However, ERM at the two companies shares some similarities. For instance, ERM at United Grain Growers seeks to identify and assess principal risks. The same applies to Statoil, which seeks to identify any potential risks during the exercise. Besides, the two companies have a strategic risk plan. A strategic plan is essential as it outlines the role of the manager, the CEO and everyone involved in the steps of an ERM (Robert and Liebenberg, 2011). United Grain Growers has a strategic plan to improve financial dividends, while Statoil has a risk map and a committee with outlined roles and responsibilities.
The Statoil ERM seems workable and productive, meaning I could implement it if it were up to me. On the contrary, I would not implement the United Grain Growers ERM. In my opinion, the ERM lacks the potential to solve the financial constraints that the company is experiencing. However, some parts of it are productive, but a merger comes with other risks for the struggling company. For instance, a merger will lead to employee layoffs, which might put the company at risk of losing some important skills (Chui, 2011). Additionally, the company’s assets might be miscalculated during financial evaluation, leading to more losses.
Generally, the ERM at Statoil might be successful in future because it is based on company goals and values. On the contrary, UGG ERM might not succeed because there are many risks associated with its strategy for implementation.
References
Chui, B.S. (2011). A Risk Management Model for Merger and Acquisition.
Robert, E.H. and Liebenberg, A.P. (2011). The Value of Enterprise Risk Management. The Journal of Risk and Insurance, 78(4), pp. 795-822. https://doi.org/10.1111/j.15396975.2011.01413.x
According to Brustbauer (2016), enterprise risk management helps the company prepare for the uncertainties and disasters that may occur along the way. Every business must identify the threats it is likely to face and come up with a contingency plan. Different companies face different threats and uncertainties, and therefore, when coming up with a risk management plan, one must consider the uniqueness of the enterprise and the threats likely to occur. These differences mean that companies and businesses have different hierarchies of risks that are likely to occur. This paper is going to compare and contrast the enterprise risk management of the united g ...
The GARP Buy Side Risk Managers Forum published Risk Principles for Asset Managers, a statement of best-practices guidelines prepared by senior risk management executives of leading investment firms. The Risk Principles document is updated and enhanced from a previous version published in 2008.
1. www.riskoversightsolutions.com
216 CARLINI COURT, SUITE 201, OAKVILLE, ONTARIO, CANADA, L6K 3Y8 (T) 416.720.0392 (F) 905.337.3627
Comments on the June 2016 COSO draft “Enterprise Risk Management: Aligning Risk with Strategy and Performance”
Thank you for the invitation to provide comments on the June 2016 COSO exposure draft “Enterprise Risk Management: Aligning Risk with Strategy and Performance” (“ED”). Based on my detailed review of the three COSO documents that comprise the ED, I believe that this update represents a major improvement over COSO ERM 2004. The development and advisory teams have made significant improvements and positive direction changes. Having said that, I still believe major changes and clarifications are required if the rapidly escalating needs of key stakeholders, including boards, senior management, risk and internal audit specialists, regulators, shareholders, the general public, and others are to be better served.
My comments are drafted from the perspective of a consultant, ERM software designer, trainer, and author that has worked globally over the last 30 years with hundreds of public and private sector organizations interested in implementing ERM. I have expert level knowledge related to the 1992 and 2013 COSO integrated control frameworks, COSO ERM 2004, the ISO 31000 2009 global risk management standard, the extensive work done by the Financial Stability Board and global senior supervisors to study root causes of the 2008 financial crisis and develop risk governance guidance for regulators globally, and governance and risk regulatory frameworks in Canada, the U.S., and the UK. My work in the space has been recognized with Outstanding Contributor awards from the Ontario CPA/CA institute in Canada, IIA Canada, IIA Global, and the ACFE. My articles on board oversight of risk and the need for radical changes in status quo ERM and internal audit methods have been published in The Handbook of Board Governance, Conference Board Director Notes, Ethical Boardroom, Harvard and Columbia Law Governance Blogs, Internal Auditor magazine, Governance Institute of Australia, the National Post, and many others.
My remarks have been drafted at a macro level with the sincere hope they will significantly influence the direction the COSO ERM development team takes in the final guidance. I would be happy to meet in person to provide more details and support for my observations and recommendations if there is interest.
Sincerely,
Tim Leech FCPA CIA CRMA CCSA CFE
Managing Director
Concern #1 – LACK OF RESEARCH ON CAUSES OF ERM FAILURES – the FAQ release of the updated June 2016 COSO ERM documents indicates on page 4/10 that some effort has been made to analyze ERM implementation “challenges”, “critical issues”, and “concerns”.
Assess and Envision – Through literature reviews, global surveys, and public roundtables and forums, this phase identified current challenges for organizations implementing enterprise risk management. During this phase, PwC analyzed information, reviewed various sources of input, and identified critical issues and concerns. COSO launched a global survey, available to the general public, for providing input on the original Framework, soliciting almost 900 responses.
A new guide, a very good one that could compete with the COSO ERM guidance if it had elevated authoritative stature, has been issued by Southampton University Center for Risk Research titled “Directing risk management in organizations”. What is noteworthy about this new and radical risk management guidance is it explicitly recognizes that little empirical research has been done to assess the true effectiveness of different ERM methods. The harsh truth is that over the past 20 years tens of thousands of expensive ERM efforts, including those using COSO ERM 2004, have failed badly resulting in trillions of dollars of damage to stakeholders that could have been prevented. An excerpt from page 4 of the Southampton guidance is included below:
Those overseeing risk management often receive advice from risk management specialists and are expected to be appropriately sceptical and challenging while still supportive of the goal of managing risk well. In doing this, they should understand that risk management is a difficult and controversial area. Experts do not yet agree on many important points such as the meaning of the word “risk”, the scope of risk management, and the value of commonly used and recommended techniques. Very few initiatives to improve risk management are evaluated scientifically and general guidance and regulations on risk management by organizations are not yet evidence based. The evidence that does exist shows that some familiar methods have serious logical flaws, are confusing to users, and produce poor results. Proposals for developing risk management within an organization may not lead to initiatives that are effective and worthwhile, even if they have been designed by experts and are consistent with leading guidance and applicable regulations.
Recommendation: the full COSO ERM guidance document should have a short section, perhaps in the Appendix, that candidly discusses the extent of real implementation of the COSO ERM 2004 guidance between 2004 and 2016; identifies areas where efforts to implement the COSO ERM 2004 guidance and ERM generally have been identified by various expert 2008 financial crisis post-mortem inquiries as sub-optimal; and outlines what has been done in this draft release to address the areas of ERM implementation now seen by regulators and other experts as needing improvement. In particular, it would be very helpful if the ED summarized specific areas/elements of status quo approaches to ERM identified by groups like the Financial Stability Board, Senior Supervisors Group, and Group of Thirty as major weaknesses that significantly contributed to the 2008 global financial crisis and outline how the new guidance addresses them.
Concern #2 – STRADDLING TWO CONFLICTING ERM PARADIGMS – the June ED is to be complimented on its heavy and consistent focus on the need to link ERM directly to strategy and objectives. Unfortunately, it appears to me that the exposure draft is attempting to straddle and maintain two competing ERM paradigms – the existing “risk centric” ERM paradigm on the one hand; and promoting the need for a new and better “objective centric” ERM paradigm on the other. A small sample of the ED’s emphasis on the premise that risk management should be fundamentally about managing uncertainty linked to the achievement of strategic and business objectives is included below.
An “uncertainty” is generally understood to be something not completely known, or the condition of not being sure of something. Risk involves uncertainty and affects an organization’s ability to achieve its strategy and business objectives. Therefore, one challenge for management is determining how much uncertainty—and therefore how much risk—the organization is prepared and able to accept. Effective enterprise risk management allows management to balance exposure against opportunity, with the goal of enhancing capabilities to create, preserve, and ultimately realize value. (p. 9/132)
“Strategy” refers to an organization’s plan to achieve its mission and vision, and to apply its core values. A well-defined strategy drives the efficient allocation of resources and effective decision-making. It also provides a road map for establishing business objectives. (p. 10/132)
In business uncertainty exists whenever an entity sets out to achieve future strategies and business objectives. In this context, risk is defined as: The possibility that events will occur and affect the achievement of strategy and business objectives. (p. 14/132)
Enterprise risk management is integral to achieving strategy and business objectives. Well-designed enterprise risk management practices provide management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives of the entity. Having a reasonable expectation means that the amount of uncertainty of achieving strategy and business objectives is appropriate for that entity, recognizing that no one can predict risk with precision. (p. 16/132)
In assessing risk to executing the strategy, management specifies business objectives—such as financial performance, customer satisfaction, learning and growth, and compliance—and assigns these to different parts of the entity. An organization should have a means to reliably provide to the entity’s stakeholders a reasonable expectation that it is able to manage risk associated with the strategy and business objectives to an acceptable level. (p. 30/132)
207. The organization develops business objectives that are measurable or observable, attainable, and relevant. Business objectives provide the link to practices within the entity to support the achievement of the strategy. For example, business objectives may relate to:
• Financial performance: Maintain profitable operations for all businesses.
• Customer aspirations: Establish customer care centers in convenient locations for customers to access.
• Operational excellence: Negotiate competitive labor contracts to attract and retain employees.
• Compliance obligations: Comply with applicable health and safety laws on all work sites.
• Efficiency gains: Operate in an energy-efficient environment.
• Innovation leadership: Lead innovation in the market with frequent new product launches.
208. Business objectives may cascade throughout the entity (divisions, operating units, functions) or be applied selectively. Cascading objectives become more detailed as they are applied progressively from the top of the entity down. For example, financial performance objectives are cascaded from divisional targets to individual operating units. Alternatively, many business objectives will be specific to an operational dimension, geography, product, or service. (p. 60/132)
234. Creating, preserving, and realizing an entity’s value is further enabled by identifying, assessing, and responding to risk that may impact the achievement of the entity’s strategy and business objectives (p. 68/132)
Unfortunately, large sections of the June 2016 ED still promote methods that use risk registers as a foundation for ERM; promote the use of heat maps that separate risks from the strategy/objectives they relate to; promote the development and reporting of risk profiles that separate risks from the strategy/objectives they relate to; and promote risk analysis that looks at risks to strategy/objectives in isolation from other linked risks, not collectively in terms of their composite impact on the achievement of objectives. I can find no indication in the ED that suggests that the authors/COSO believe that an organized attempt should be made to ensure that key value creation and value preservation objectives are documented, and decisions made on which of those strategic and business objectives warrant the cost of formal risk management methods. Nor can I find any guidance on how organizations should decide the level of risk assessment rigour warranted on specific and key strategic value creation and value preservation objectives. As an outside observer, it almost appears that the ED authors are divided into two competing groups – one camp that supports a new and better objective-centric/performance-linked approach to ERM; and another camp that is still strongly wed to the risk-centric approach that is the dominant and sub-optimal ERM paradigm in the world today – a paradigm that uses risk registers as a foundation for ERM supplemented by risk heat maps, risk profiles, and other risk-centric tools.
Recommendation: The ED should recognize that the current dominant ERM paradigm in use in the world today is risk centric; generally uses risk registers as a foundation; focuses on risks in isolation from objectives; does not link performance being achieved on specific objectives to the risks and risk treatments in place; and most importantly, does not relentlessly emphasize that the primary purpose of formal risk management should be to manage uncertainty linked to the achievement of strategy and objectives. It should describe to readers the key elements of a true objective-centric ERM approach, an approach that starts with the simple step of documenting an organization’s top strategic objectives and the value preservation objectives key to long term value creation and value preservation, and then makes conscious decisions on which of those objectives warrant the cost of formal risk management. Once the strategic and value creation/value preservation objectives that warrant the cost of formal risk assessment are agreed by senior management and the board and documented in an “OBJECTIVES REGISTER”, decisions should be made on who will be responsible for assessing and reporting upwards to senior management and the board on the state of residual/retained risk; the level of risk assessment rigour senior management and the board think is appropriate in light of cost/benefit considerations; and which group/person, if any, will provide independent assurance that the risk assessment process and representations on status to the board are reliable. The OBJECTIVES REGISTER should be regularly revisited and objectives added and deleted as priorities and risk governance resources change. Pro-forma objectives being considered for new strategies can be included in the REGISTER.
In an objective-centric ERM approach internal audit should be tasked with reporting on the reliability of the overall ERM framework and the reliability of the consolidated report on risk status linked to key value creation and value preservation objectives the board receives from senior management. More details on objective-centric ERM approaches that use an OBJECTIVES REGISTER as a foundation can be found in the list of supplemental readings at the end of this response. An illustration of an objective-centric/ISO 31000 compliant risk assessment approach that encompasses many of the risk assessment elements covered in the June 2016 ED is shown below. This assessment approach is consistent with a large percentage of the guidance in the exposure draft. The words “risk treatment” in the diagram can be replaced with “risk response” without any change in meaning. The concept of painting a picture of “residual risk status” for decision makers to decide if it is within an entity’s risk appetite/tolerance and the focus on risk treatment “optimization” are unique to this approach.
Concern #3 – CONFLICTING GUIDANCE ON ERM AND INTERNAL CONTROL – the
ED makes references in a few places to the linkages between the June 2016 ERM ED and the
COSO 2013 Integrated Control Framework. As someone who has expert knowledge of the
evolution of internal control models and the evolution of ERM, I am not persuaded that the current
attempt in the ED to distinguish what are, in essence, two very different ways to accomplish the
same goal is useful or successful. Page 10 of 132 of the main ED states:
Internal Control
11. “Internal control” is best described as a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance that objectives
relating to operations, compliance, and reporting will be achieved. Internal control helps the
organization to understand the risks to achieving those objectives and how to manage risks to an
acceptable level. Having a system of internal control allows management to stay focused on the
entity’s operations and the pursuit of its performance targets while operating within the
parameters of relevant laws and regulations.
12. COSO’s publication Internal Control—Integrated Framework is intended to help management
better manage the risks associated with achieving their objectives, and to enable a board of
directors to oversee internal control. To avoid redundancy, some aspects of internal control that
are common to both this publication and Internal Control—Integrated Framework have not been
repeated here (e.g., assessment of fraud risk relating to financial reporting objectives, control
activities relating to compliance objectives, the need to conduct ongoing and separate evaluations
relating to operations objectives). However, other aspects of internal control are further
developed in the Framework section (e.g., governance aspects of enterprise risk management).
Please review Internal Control—Integrated Framework as part of applying the Framework in
this publication.
The ED communicates repeatedly that the purpose of formal risk management is to manage
uncertainty related to the achievement of objectives, including, presumably, core value
preservation objectives like publishing reliable financial statements, complying with the law,
cyber security, and others to a level of retained risk acceptable to senior management and boards.
Unfortunately, initiatives like SOX 404 in the U.S. ask that senior management (CEOs and CFOs)
and external auditors form binary opinions on whether they think “internal controls” are
“effective”. In risk speak, this is akin to asking an auditor if they like the level of residual risk
being accepted by management. The term “internal control” is not covered in the ED as a way of
responding/treating specific risks to objectives, but the term “Risk responses” is introduced and
explained. Internal controls are only one form of risk response. They are primarily intended to
work on reducing likelihood and/or consequences of one or more risks. There are four other
primary risk treatment/response methods.
I have difficulty understanding why the authors of this guidance and COSO are reluctant to
recommend that the risk identification and assessment methods being described in this draft
guidance should be applied to all objectives, including reliable financial statements; safeguarding
confidential information against theft, alteration, loss; complying with laws, and other areas
currently seen as being in the “internal control” domain, but not the ERM domain. That decision
condemns the world to continued maintenance of two parallel and expensive frameworks – an
ERM framework as well as a conflicting “internal control” framework.
Recommendation: This ED should do a better job explaining why COSO supports maintaining
two competing and conflicting paradigms – one that says that an effective ERM framework can
manage uncertainty to the full range of objectives; and another that says auditors, both internal
and external, should still focus on doing direct report audits and opining on the “effectiveness of
internal controls” without requiring that a documented risk assessment be made by management on
the relevant objectives that auditors review and opine on. National regulators, particularly the SEC in
the U.S., are perpetuating the problem caused by this disjoint by requiring, via current SOX 404
implementation rules, binary opinions on “control effectiveness” from management and external
auditors, while at the same time indicating publicly listed companies should all implement
effective risk management frameworks that focus on developing frameworks that assess the
acceptability of residual risk. Why should companies be required by law to maintain two different
taxonomies and approaches and provide boards and regulators with assurance on both – one being
an ERM paradigm focused on ensuring management and the board are aware of the true state of
retained risk linked to key objectives, and the other, arguably obsolete, internal control
effectiveness paradigm that is usually applied to a small subset of the risk universe? It is both
hugely expensive and counterproductive. More details on the solution we propose to the massive
global burden caused by the current regulatory/COSO drive to maintain two parallel and
competing assurance approaches can be found in my April 2015 article, Reinventing Internal
Audit, and our 2011 article Preventing the Next Wave of Unreliable Financial Reporting: Why
U.S. Congress Should Amend Section 404 of the Sarbanes-Oxley Act. The article Reinventing
Internal Audit was recently awarded the 2016 Outstanding Contributor award from the global
Institute of Internal Auditors.
Concern #4 – LACK OF RECOGNITION AND INTEGRATION WITH ISO 31000 RISK
MANAGEMENT STANDARD
I completed a word search on the primary 132-page COSO ED document for the words “ISO
31000”. ISO 31000 2009 is the global risk management standard. The search indicated no
matches were found. I found this surprising, since this COSO ERM guidance will, almost certainly,
compete against ISO 31000 for global dominance as the global risk management standard, and
surveys have consistently indicated that ISO 31000 has, at least to date, been more globally accepted as
ERM guidance. For those who want to better understand the evolution and differences of the two
main ERM frameworks, a very good presentation from PwC South Africa that describes the global
dominance of ISO 31000 can be found at
http://g31000.org/wp-content/uploads/2014/08/G31000-PwC-presentation-on-COSO-ISO-at-the-IIA-SA-conference-11-Aug-2014.pdf.
Another useful reference to gain insight on global acceptance of COSO ERM 2004 is a post from
Norman Marks available at
https://normanmarks.wordpress.com/2012/05/11/final-results-of-coso-vs-iso-risk-management-survey/.
My analysis of the June 2016 COSO ERM draft is that it has moved closer to the
philosophies in ISO 31000 2009 in a number of important ways, but continues to have some
significant differences in terms of taxonomy and emphasis.
Recommendation: Instead of ignoring the global dominance of ISO 31000 as the leading risk
management standard and the practical need to help organizations decide which of the two
approaches best meet their needs, I recommend that the COSO team add an appendix which
describes the key differences between COSO ERM 2016/17 and ISO 31000 2009 and explains
why the COSO development team and advisors chose the approach they selected in the final
COSO ERM guidance. This should include identifying all major differences in specific definitions
and overall guidance approach between ISO 31000 and COSO ERM, including the definition of
the word “risk”, the use of the term “severity” vs “consequences”, the use of “risk responses” vs
“risk treatments” and many others. The increased focus in the ED on the importance of
understanding internal and external context brings COSO ERM closer to ISO 31000. I believe the
heavy emphasis in the ED on the need to link ERM to strategy and business objectives has the
potential to make COSO ERM 2016/2017 the more effective framework relative to ISO 31000
2009.
Concern #5 – THE ROLE OF INTERNAL AUDIT – the ED describes a vague role for internal
audit that is captured below. Internal audit can play a key role in effective ERM, but needs to
fundamentally change its current role and methods in the majority of organizations around the
world if effective risk governance and healthy risk cultures are primary goals.
Third Line: Assurance Functions
419. Assurance functions, most commonly internal audit, often provide the last line of
accountability by performing audits or reviews of enterprise risk management practices,
identifying issues and improvement opportunities, making recommendations, and keeping the
board and executive management up-to-date on matters requiring resolution. Two factors
distinguish the last line of accountability from the others: the high level of independence and
objectivity (enabled by direct reporting to the board), and the authority to evaluate and make
recommendations to management on the design and operating effectiveness of the entity overall.
Currently, the vast majority of internal audit departments complete direct report audits
(audits where the primary assessor is internal audit, not management) on a small percentage of the
risk universe each year, with a focus on opining on the “effectiveness” of internal control. These
opinions are often subjective views that are, in essence, whether the auditors think the current
retained/residual risk is, or is not, within what they think is senior management and the board’s
risk appetite. Research surveys confirm that only a small percentage of internal auditors focus on
their organization’s top strategic and value creation objectives. Most do not complete assessments
that identify and assess all key risks to an objective or objectives being assessed or identify and
consider the full range of risk responses/treatments. Very few internal audit departments provide
boards with a composite picture of the retained/residual risks linked to the organization’s top value
creation and value preservation objectives. The approach used by many internal auditors is often
not the type of structured risk assessment approach described in the COSO ERM exposure draft.
The current internal audit paradigm impedes rather than supports effective risk management
practices and healthy risk culture. More details on the problems caused by the current status quo
approach to internal audit are available in my April 2015 article “Reinventing Internal Audit”.
Recommendation: Include a full section headed “IMPLICATIONS FOR INTERNAL AUDIT,
SAFETY, ENVIRONMENT, INSURANCE AND OTHER ASSURANCE SPECIALISTS”.
This should describe how the role of these groups should/would change in organizations that
implement the objective-centric and management-driven ERM approach being recommended in
this new guidance. I believe that the role of internal audit should be to focus on quality assuring
the risk assessment and management framework maintained by management; providing
feedback and coaching to management groups; and providing an overall report on the reliability
and effectiveness of the organization’s risk management processes, including the reliability of
the consolidated retained risk status reports prepared for the board. Insurance departments need
to significantly increase their reliance on the organization’s ERM framework to analyze the need
for insurance and other risk sharing/transfer responses. Risk assessments done should include
relevant details on insurance and other vehicles to finance/share risks. Safety and Environment
groups should use the same risk assessment methodology the rest of the company uses for its
ERM framework.
SUPPLEMENTAL REFERENCES/SUPPORT:
1. Paradigm Paralysis in ERM and Internal Audit, Tim Leech and Lauren Hanlon, Ethical
Boardroom, Summer 2016
2. Reinventing Internal Audit, Tim Leech, Internal Auditor, April 2015, 2016 IIA
Outstanding Contributor Award
3. The Next Frontier for Boards: Oversight of Risk Culture, Parveen Gupta and Tim Leech,
Conference Board Director Notes, June 2015
4. Three Lines of Defense versus Five Lines of Assurance: Elevating the Role of the CEO
and Board, Tim Leech and Lauren Hanlon, The Handbook of Board Governance, Richard
Leblanc, Wiley, June 2016
5. Preventing the Next Wave of Unreliable Financial Reporting: Why US Congress Should
Amend Section 404 of the Sarbanes-Oxley Act, Tim Leech and Lauren Hanlon,
International Journal of Disclosure and Governance, 2011
NOTE: These articles are readily available on the internet via a simple Google search.