COSO Enterprise Risk Management Framework-Integrating Strategy and Performance
Presentation for RBB
Den Bosch, November 2017
www.pwc.com
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
Agenda
1. Introducing COSO – Who is COSO and what is the COSO ERM Framework?
2. What is new? – What are the key changes? What do the components and principles mean?
3. Concluding – What are the key messages and take-aways from ERM@work?
4. More information – How to obtain a copy of the new Framework and obtain more information
“COSO recognises the growing expectation of organisations to manage, in an integrated and cohesive manner, risks emanating from across an enterprise.”
Robert B. Hirth Jr., COSO Chair
Why update the ERM framework now?
• Boards are expecting more from their organization’s ERM practices and capabilities
• Stakeholders are seeking greater transparency and accountability
• Business environments are increasingly complex, technologically driven, and global
• There is a need to incorporate lessons learned from recent events and the bar is rising
• Risk professionals are looking for a more up-to-date resource describing ERM concepts
• The range of ERM practices continues to evolve
Since 2004, the market has continued to evolve and the COSO Framework is evolving with it.
Introducing COSO ERM
What is a company (really!) asking for…
Companies are not looking for (enterprise) risk management in itself; they are looking for the following benefits:
- Reduce surprises and losses
- Reduce performance variability
- Improve resource deployment
- Identify and manage entity wide risks
- Increase the range of opportunities
Since the recent publication of COSO ERM, many clients have already been asking PwC where to begin…
COSO’s history – The Treadway Commission
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed as a joint initiative to combat corporate fraud. COSO is supported by five sponsoring organizations:
Target audience:
1. Directors
2. Supervisors
3. Auditors
4. Specialists: finance, control, risk, compliance, etc.
5. Management
COSO Mission: To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO and PwC have collaborated on frameworks and publications for 25 years
COSO’s 2004 Enterprise Risk Management-Integrated Framework is one of the world’s most widely used risk management frameworks.
Other COSO publications authored by PwC (www.coso.org):
• 1992 Internal Control – Integrated Framework
• 2004 Enterprise Risk Management – Integrated Framework
• 2006 Internal Control over Financial Reporting – Guidance for Smaller Public Companies
• 2012 Understanding and Communicating Risk Appetite
• 2013 Internal Control – Integrated Framework
• 2013 Internal Control – Integrated Framework Executive Summary
• 2017 Enterprise Risk Management – Integrating with Strategy and Performance (the 2017 publication)
Other risk management standards
Standard     Financial services (N=57)   Profit sector (N=251)   Non-profit (N=251)   2014
None         10,5                        49,1                    45,4                 51,3
COSO         64,9                        29,3                    20,3                 26,3
INK/EFQM     10,5                        12,0                    31,5                 20,4
ISO 31000    17,5                        4,4                     12,0                 12,0
6Sigma       5,3                         11,2                    3,6                  8,0
Basel        63,2                        0,1                     1,2                  0,7
M_o_R        3,5                         14,3                    4,4                  4,6
Aus/NZL      1,8                         0,1                     1,2                  0,7
OCEG         1,8                         10,0                    0,4                  0,4
AIRMIC       1,8                         -                       0,4                  0,3
Other        19,3                        5,1                     12,0                 11,7
Standards and/or frameworks may be internally developed or based on external publicly accessible standards / frameworks such as:
• Basel II / III – issued by the Basel Committee on Banking Supervision
• AS/NZS 4360:2004 Risk Management – the Australian standard for RM
• ABIB
• Turnbull
• ISO 73/31000
• Open Compliance & Ethics Group (OCEG)
• M_o_R
• AIRMIC
Written from the perspective of the business
• There is often a ‘siloed’ approach to risk that is separate from the day-to-day management of an organisation.
• Risk management is perceived as an incremental activity performed by those independent of the business.
• The lack of integration can contribute to difficulties engaging with the business and in the ability to gain and offer insight, and ultimately curbs the value that ERM can offer.
• The Framework endeavours to remove risk ‘jargon’ and adopts the language of business to discuss concepts and practices.
• By using the same language, the Framework hopes to promote acceptance and adoption of ERM by the organization.
Note: In practice, ERM often refers to a team, a department or a part of the ‘lines of defense’; in the Framework, however, it is discussed in the context of an organisation’s culture, capabilities and practices used to manage risk.
The Framework was written from the perspective of the business to facilitate the integration of ERM and support acceptance and adoption by the business.
Reasons for the implementation of the COSO (ERM) framework
1. COSO is the first worldwide acknowledged framework for IC
2. Industry and geographically independent
3. Voluntary rather than mandatory
4. Comprehensive, including practical implementation techniques
5. Is most referred to
6. Most other frameworks are based on COSO
7. Rapidly becoming the most accepted standard for ERM
What’s new?
Introducing the 10 key changes to the 2017 Framework
1. Greater emphasis on culture – reflecting the changing demands and expectations of today’s markets, helping your organization make responsible risk decisions
2. Coming soon: Compendium of Examples – highlighting the implementation of principles across a variety of industries and entity types
3. Explores management of risk at all altitudes of the organization – from entity-level through to procedural-level risks, making ERM more than just an isolated view of risk in the business
4. Written from the perspective of the business – risk management concepts are discussed in terms of helping an organization create value, enabling you to realize true benefits from ERM
5. A focus on integrating risk management – linking risk with strategy setting and day-to-day activities, helping you to use ERM principles to support the creation, realization, and preservation of value
6. A new framework structure – five components and twenty principles that align to the business lifecycle, making the risk conversation more intuitive for you
7. Addresses the evolving role of technology – in influencing an organization’s strategy, business context and how it manages risk
8. Deeper discussions on challenging topics – such as risk appetite and the portfolio view of risk
9. Explores the different benefits of ERM – from loss mitigation through to strategic advisor, and how they inform the design of a Framework
10. Suite of new graphics highlighting the relationship between risk and performance – demonstrating a new way to identify and assess the relationship between the amount of risk and the level of performance
Focus on integrating risk and strategy
• Strategic blunders account for a majority of the losses in shareholder value compared to operational events, incidents or compliance failures
• Research suggests that organisations are looking to strengthen the integration between strategy and enterprise risk management
The strategy-setting process is a critical area of integration for enterprise risk management.
81% of the greatest losses in shareholder value since 2002 were attributable to ‘strategic blunders’*
*U.S. public companies around the world with at least US$1 billion in enterprise value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle and Pencavel, “The Lesson in Lost Value”, Strategy+Business, November 2012
COSO – From cube to string
[Figure: the 2004 COSO ERM graphic (the cube) beside the updated 2017 COSO ERM graphic (the string)]
The new framework emphasizes the value cycle
• The figure illustrates strategy in the context of mission, vision, and core values, and as a driver of an entity’s overall direction and performance
• Integrating ERM with business activities and processes results in better information that supports improved decision-making and leads to enhanced performance
• The updated Framework enhances the conversation of risk across the whole value cycle of a company
Mission, Vision and Core Values
Describes what you strive to be and how you want to conduct business.
The mission and vision:
• Provide a view from up high about the acceptable types and amount of risk;
• Help establish boundaries;
• Focus on how decisions may affect strategy.
Core Values are considered in the context of the culture the entity wishes to embrace.
“An organization that understands its mission and vision can set strategies that will yield the desired risk profile”
Example: healthcare provider
Strategy, Business objectives & Performance
Three dimensions regarding the relationship between Risk and Strategy:
1. Risk of: Possibility of strategy and business objectives not aligning
2. Risk from: Implications from the strategy chosen
3. Risk to: Risk to strategy and performance
Example HC provider: If the strategy were to focus on being the best specialist services provider, it would probably not succeed in providing a comprehensive range of patient services (mission).
Example HC provider: What is the type and amount of risk the organization is potentially exposed to, having adopted this strategy? What are the assumptions underlying this strategy, and would changes to these assumptions have little or great impact on achieving the strategy?
Example HC provider: Objective is to deliver high quality care, therefore the organization considers risks relating to employee capability, medical care treatment, healthcare legislation reform, access to electronic health records, etc.
Enhanced performance
• There is always risk associated with a target of performance!
• The amount of uncertainty that exists is related to the amount of risk to performance:
o E.g. agriculture producers are uncertain about their ability to produce enough to meet customer demands and profitability targets;
o Airlines are uncertain about their ability to operate all flights on their schedule.
[Figure: the relation between risk and performance, i.e. the risk profile, considering risk appetite and acceptable variation in performance]
The new Framework adopts a components and principles structure
Component 1: Governance & Culture (1)
• Governance and culture together form the basis for all other components of ERM.
• Governance determines the ‘tone’, indicates the importance of ERM and ensures adequate supervision.
• Culture includes ethical values, desired behaviour, and understanding of risk within the entity.
Component 1 consists of the following principles:
1. Exercises Board Risk Oversight – The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating Structures – The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Culture – The organization defines the desired behaviours that characterize the entity’s desired culture.
4. Demonstrates Commitment to Core Values – The organization demonstrates a commitment to the entity’s core values.
5. Attracts, Develops, and Retains Capable Individuals – The organization is committed to building human capital in alignment with the strategy and business objectives.
Component 1: Governance & Culture (2)
1. Exercises Board Risk Oversight
• Accountability and responsibility of senior management
• Expertise, experience and knowledge of the business
• Independence from senior management
• Good understanding of the value that ERM adds
2. Establishes Operating Structures
• Operating model
• Reporting lines
• ERM structure
• Rights, roles and responsibilities
3. Defines Desired Culture
• Culture characteristics
• Desired behaviour
• Culture spectrum
• Aligning core values, decision-making and behaviour
4. Demonstrates Commitment to Core Values
• Core values
• Creating a risk-aware culture
• Standards of conduct aligned with the culture
• Open communication
• Evaluating and managing deviations
5. Attracts, Develops, and Retains Capable Individuals
• Determining and evaluating the required competencies
• Attracting, training, coaching, evaluating and retaining employees
• Rewards
• Succession planning
Managing culture in organizations
[Figure: culture model. Modes from Constraint (Control, Compliance, Contract, Discipline) to Commit (Support, Trust). Inputs to the Desired Culture: stakeholders and environment; identity, brand promise and strategy; governance, risk and control. Elements of the Actual Culture: symbols and decisions; behavior; systems and structures. Questions between them: Dialogue? Aligned? Walk the talk? Moments that matter? What to improve?]
Sustainably successful organizations are characterized by a strong similarity between the actual and the desired culture. These are organizations that have embedded their core values in their daily actions.
The value of a meaningful risk dialogue
A meaningful risk dialogue indicates:
• The importance of diversity
• The importance of the right attitude and being “competent”
• The importance of out of the box thinking (e.g. beyond organizational boundaries)
• Appreciation of (risk) culture (challenge, chronic unease)
• Awareness of human limitations*
Risk dialogue: continuous dialogue, discussion and debate within organizations, resulting in a better understanding of complexity by decision makers and internal supervisors.
Risk culture and risk appetite
Risk culture is linked to the conversation about management’s attitude towards risk-taking.
[Figure: scale from Risk Averse via Risk Neutral to Risk Aggressive]
Component 2: Strategy & Objective-Setting (1)
• ERM is integrated into the strategic plan.
• The understanding of business context is required to assess internal and external factors (and their impact on risk).
• Determining the risk appetite is part of strategy planning/determination.
Component 2 consists of the following principles:
6. Analyzes Business Context – The organization considers potential effects of business context on risk profile.
7. Defines Risk Appetite – The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies – The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates Business Objectives – The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Component 2: Strategy & Objective-Setting (2)
6. Analyzes Business Context
• Business context = dynamic, complex and unpredictable
• Taking account of internal and external environments and stakeholders
7. Defines Risk Appetite
• Determining the risk appetite
• Articulating the risk appetite
• Setting the target, range, upper and lower bound
• Cascading and applying the risk appetite
8. Evaluates Alternative Strategies
• Understanding the implications of the chosen strategy
• Aligning the strategy with the risk appetite
• Making strategy changes
9. Formulates Business Objectives
• Setting business objectives
• Aligning business objectives with the strategy
• Understanding the implications of the chosen objectives
• Categorizing objectives
• Performance indicators, targets and risk tolerance
The business context defines the risk profile…
Now:
• Foundation / state participation
• Monopolist
• Regulated on several themes
• Sensitive to fraud
• Active in NL only
• Off-line market only
Future:
• Limited/public company
• Market party
• Regulated on several themes
• Sensitive to fraud
• Active in NL and outside NL?
• Off-line and on-line market
…and therefore influences the risk appetite
An example: Risk appetite
Scale: Very Low (1), Low (2), Medium (3), High (4), Very High (5). Each category is scored for Now (until privatization) and for the Future (after privatization).
• Strategic – Impact on realization of strategic goals and competitiveness
• Service – Impact on quality of service (client satisfaction)
• Reputation – Impact on reputation and / or relationship with external stakeholders
• Financial – Impact on profit and loss statement and / or balance
• Compliance – Impact in form of penalties imposed by supervisor or supervisory pressure
[Figure: the marks placing each category’s Now and Future appetite on the scale are not recoverable from the slide text]
Risk appetite ‘translated’ further
• “Risk management criteria”:
o Rating criteria
o A clear threshold for taking (additional) risk management measures (instead of a top 5 or top 10)
o When which risk strategy applies
o Possibly differentiated by risk type
o Risk tolerance (KRIs)
• But also “operational criteria”:
o Signing authority scheme
o Investment criteria
o Tender criteria
o Dashboard criteria (colour codes)
o Ranges around targets
o Etc.
Risk appetite (risicobereidheid):
“The amount of risk (per type), at a high level of abstraction, that an organization is willing to take in the pursuit of value creation.”
42% have determined their risk appetite
Risk appetite characteristics                          Percentage
Determined qualitatively                               77,0
Determined quantitatively                              68,2
Determined specifically for one or more risk groups    48,2
Risk appetite documented                               66,2
Risk appetite communicated                             61,0
Component 3: Performance (1)
• Identification and assessment of risks that threaten the realization of the strategy
• Prioritization of risks based on size / severity and in line with the risk appetite
• Selecting “risk responses” and monitoring performance
• In this manner, the organization develops a “portfolio view” of the total amount of risk to which the organization is exposed.
Component 3 consists of the following principles:
10. Identifies Risk – The organization identifies risk that impact the performance of strategy and business objectives.
11. Assesses Severity of Risk – The organization assesses the severity of risk.
12. Prioritizes Risks – The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses – The organization identifies and selects risk responses.
14. Develops Portfolio View – The organization develops and evaluates a portfolio view of risk.
Component 3: Performance (2)
10. Identifies Risk
• Risk register
• Identifying risks by means of data analysis, interviews, workshops, process analysis, etc.
11. Assesses Severity of Risk
• Measuring the impact of risks
• Assessing risks using a qualitative and/or quantitative approach
• Presenting the risk assessment (graphically)
12. Prioritizes Risks
• Establishing criteria for risk prioritization
• Risk prioritization in line with the risk appetite
13. Implements Risk Responses
• 5 categories: accept, avoid, pursue, reduce and share
• Selecting the risk response based on factors such as business context, costs vs. benefits, risk appetite, etc.
14. Develops Portfolio View
• 4 levels: minimal integration, limited integration, partial integration and full integration
• Analysing the portfolio view using qualitative and/or quantitative techniques
Prioritizing risks
By the use of 5 criteria:
1. Adaptability – The capacity to adapt and respond to risks.
• e.g. responding to changing demographics such as the age of the population.
2. Complexity – The scope and nature of a risk to the entity’s success.
• Interdependency of risks will typically increase complexity.
3. Velocity – The speed at which a risk impacts an entity.
• This may move the entity away from the acceptable variation in performance.
4. Persistence – How long a risk impacts an entity.
• e.g. immediacy of disrupted operations versus long-term reputational impact.
5. Recovery – The capacity of an entity to return to the acceptable variation in performance.
• e.g. continuing to function after a severe natural disaster.
![Page 33: COSO Enterprise Risk Management Framework ... · PwC | COSO Enterprise Risk Management –Integrating with Strategy and Performance Agenda 2 How to obtain a copy of the new Framework](https://reader031.vdocuments.site/reader031/viewer/2022021606/5c5c965709d3f2dc448b8d05/html5/thumbnails/33.jpg)
PwC | COSO Enterprise Risk Management – Integrating with Strategy and PerformancePwC
Risk Responses
34
Doel: resterend risico binnen gewenste risicotolerantie brengen
Vijf risk respons categorieën:• Accepteren (“accept”)
• Vermijden (“avoid”)
• Nastreven (“pursue”)
• Reduceren (“reduce”)
• Overdragen (“share”)
Reduce
Omgaan met risico vereist aanpassing van:
• Organisatie
• Mensen & Relaties
• Richting
• Uitvoering
• Monitoring
Pursue
• Aannemen groeistrategieën
• Uitbreiden activiteiten
• Ontwikkeling nieuwe
producten en diensten
Share
• Verzekeren
• Delen (JV, allianties, partnerships)
• Contracteren (outsource, toewijzen)
• Diversificatie / spreiden
• Hedge
Avoid
• Staken activiteiten
• Uit de markt terugtrekken
• Desinvesteren
• Doelen veranderen
• Schaal verkleinen
Accept
• Opzettelijk najagen
• Totale acceptatie
• Financier de consequentie
• Hou rekening met onzekerheid
Management hanteert een organisatiebrede, of portfolio, kijk op risico om te bepalen of het
restrisico overeenkomt met de gewenste risk appetite van de organisatie.

The key risks

Heat map of Likelihood (Low, Medium, High) against Impact (Low, Med, High), with key risks 1 to 12 plotted on it; the response zones read Avoid (high), Reduce and/or share (medium) and Accept (low).

Practical Considerations
• Objective is to drive action and allocation of resources
• Begin to define – at a high level – the organizational risk response strategy
Note: Risks are evaluated on likelihood and impact here; certain risks may warrant more complex or quantitative risk measurement models
Note: mapping on the strategy map provides an explicit insight into how risks potentially impact the objectives and strategy

Mapping risks onto the strategy map

Example strategy map (May, 2013) with the following risks mapped onto it:
• Retaining qualified staff
• Tight labour market
• Level of innovation
• IT availability
• Unhygienic practices
• Increasing volume standards
• Financing methodology
• Exchange of patient information
• Privacy legislation
• Aggression in healthcare
• Ultimate responsibility for multidisciplinary conditions
• Collective assessment of specialists
• Increasing workload
• …

Component 4: Review & Revision (1)

• Changes in the internal and external environment can mean that the chosen strategy is no longer optimal.
• By evaluating performance, an organization can determine how well the ERM components function over time and under the influence of significant changes.
• By continuously evaluating, organizations can systematically identify and implement improvements in their ERM.

Component 4 consists of the following principles:
15. Assesses Substantial Change: The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews Risk and Performance: The organization reviews entity performance results and considers risk.
17. Pursues Improvement in ERM: The organization pursues improvement of enterprise risk management.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and PerformancePwC
Component 4: Review & Revision (2)
38
15. Assesses Substantial
Change
• Veranderingen in de
interne omgeving
• Veranderingen in de
externe omgeving
17. Pursues Improvement in
ERM
• Nastreven van
verbeteringen
(bruikbaarheid en
efficiëntie) in ERM
• Continue evaluatie
16. Reviews Risk and
Performance
• Prestaties beoordelen
• Beoordelen en
aanpassen van doelen,
strategie, cultuur, risk
appetite, etc. indien
targets niet behaald
worden

Feedback during the process ensures continuous improvement of (dealing with) risks and RM

Risk elements as part of the management cycle:
• Control implementation
• Risk analysis
• Control design
• Control improvement
• Control evaluation
• Control monitoring

RM can be applied at different levels:
• Group level
• Regional level
• Site level
• Project level
• Process level
• IT level
• Department level

To achieve the objectives:
• Strategic
• Operational
• Reporting
• Compliance

Component 5: Information, Communication, & Reporting (1)

• Communication is the continuous process of obtaining and sharing information.
• Management uses relevant, high-quality information from internal and external sources to support ERM.
• The organization uses information systems to capture, process and manage data, turning it into information.

Component 5 consists of the following principles:
18. Leverages Information and Technology: The organization leverages the entity’s information systems to support enterprise risk management.
19. Communicates Risk Information: The organization uses communication channels to support enterprise risk management.
20. Reports on Risk, Culture, and Performance: The organization reports on risk, culture, and performance at multiple levels and across the entity.

Component 5: Information, Communication, & Reporting (2)

18. Leverages Information and Technology
• Using relevant information
• Data analysis
• Monitoring the quality of information
• Categorising information
• Data management
• Using advanced technologies

19. Communicates Risk Information
• Communicating with stakeholders
• Communicating with the Board
• Various forms and methods of communication

20. Reports on Risk, Culture, and Performance
• Identifying users
• Different types of reports
• Reporting to the Board
• KPIs and KRIs
• Frequency: daily, monthly, quarterly, etc.

A common risk language

• Standard risk categories and definitions (risk model) to promote unambiguous risk communication

29. Capacity risk: Insufficient resources threaten the firm’s ability to meet customer demands, or excess capacity threatens the firm’s ability to generate competitive profit margins.
30. Leadership risk: The firm’s people are not being effectively led, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the firm.
31. Management fraud risk: Intentional misstatement of financial statements or misrepresentation of the firm’s capabilities or intentions may adversely affect external stakeholders’ decisions.

Event: An incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.
Inherent risk: The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.
Risk tolerance: The acceptable variation relative to the achievement of an objective.

• A common understanding of risk management terms to avoid misinterpretation in the execution of risk management processes

KRIs differ from KPIs

Performance indicators (KPIs)
• Focus on results achieved;
• Are used to monitor operational efficiency; alarm bells ring when the indicators exceed a predefined threshold.

Risk indicators (KRIs)
• Focus on risk tracking, are designed to monitor risks continuously and to issue warnings when a risk increases and/or controls are not functioning;
• Are generally more proactive; KRIs focus on the “why” and help identify weaknesses before a problem occurs.

Key Performance Indicators
• Number of transactions per second
• Cost savings in process X
• Revenue growth for business unit Y

Key Risk Indicators
• Transaction volume vs. optimal capacity
• Errors in process X
• Losses due to fraud for business unit Y

23% have included KRIs in their reporting

Risk Reporting: example Key Risk Indicators

The diagram lists key risks with their risk drivers and indicators, distinguishing lagging indicators (shown with the key risks) from leading indicators (shown with the risk drivers).

Key risks:
• Over-supplied
• High cost
• Fraud / Embezzlement
• Unstable supplies

Lagging indicators:
• Avg. days of inventory (material)
• Slow-moving % (3M)
• $ disposal value
• Lead time (imported)
• Material shortage %
• % cost saving on purchasing
• Material cost % (to total cost)

Risk drivers, each with its leading indicator(s):
• Increase of slow-moving items: $ potential slow-moving (1M)
• Excess order: automated order %; excess order % (needed vs. ordered)
• Inaccuracy of BOM: BOM error %
• Delay of new product project: pre-order $ before mass production
• Discontinued items: % of items with sharply dropped value
• Late delivery: % on-time delivery (imported)
• Dependency on specific suppliers: sole-vendor item %; % concentration of suppliers
• Inconsistency of suppliers (bankrupt, pulled out, …): # of halted/suspended
• Frequent changes to production plans: % variability of production plan
• Overload at purchasing: % of new items registered; % of items w/o registered unit price
• Increase of market price of raw material; limited ways for cost saving: unit cost variability; % cost savings by type (negotiating, development of new vendors, sources, etc.); % geographical proportion of sources
• Limited information/negotiation: cost gap among divisions; turnover % at purchasing; % of certified members
• Insufficient supplier management: supplier assessment results
• Preferential purchasing: # of suppliers with sharp increase of order volume/$; changes of pre-defined quotas; abnormal increase in unit price; change of terms of payment
• Fictitious supplier
• Duplicated invoices
• Conflicts of interest
Concluding

Practical ideas for how to get started…

1) Identify the benefits being sought from ERM by your organization
2) Determine the desired integration of enterprise risk management within the organisation
3) Prioritize the initiatives and resources required to implement or enhance existing cultures, capabilities and practices

Aligning Culture
• Secure board and senior management endorsement for implementing or enhancing the Enterprise Risk Management Framework
• Incorporate risk management expectations into training and incentives to enhance consistency in decision-making
• Communicate and clarify roles and responsibilities for risk management

Augmenting Capabilities
• Invest in tools, templates or technology that support risk management activities and decision-making
• Include third party providers and vendors in discussions on risk and performance
• Encourage discussion of the entity’s risk appetite and profile within governance forums and as part of management decision-making

Enhancing Practices
• Evaluate whether current practices align with desired integration and achieve benefits sought from ERM
• Review risk identification, assessment, prioritization and response processes for opportunities for enhancement
• Analyse reporting practices for opportunities to further integrate with performance reporting

Chart: percentage of respondents that stated implementation of effective ERM Frameworks as the most common challenge in deriving its expected benefits

Risk management: how do I make it work

• Existence: is an adequate system/approach available?
• Communication: is it conveyed to relevant people?
• Understanding: do they understand it?
• Support: does management support the implementation?
• Monitoring: is there an effective process for monitoring it?
• Enforcement: does management have a plan in place for enforcing it?

The human dimension counts

A good-quality execution of risk management seems to benefit from, and usually focuses on, a strong instrumental approach!

However, the human dimension is decisive for successfully applying risk management. The main points of attention are:
• Group processes are the key to a good-quality risk profile; dialogue and action orientation underpin it;
• Communicate about risks and how they are dealt with;
• Ensure responsibility, accountability and ownership of risks;
• Risk management can be experienced as threatening; the transparency leads to vulnerability and gives visibility of performance;
• Ensure a common RM language.

In conclusion

• COSO ERM is a means, not an end in itself
• COSO ERM is not exhaustive
• COSO ERM should be seen as an improvement cycle, not as instant perfection
• COSO ERM does not provide a ‘one-size-fits-all’ solution
• COSO ERM is not mandatory; you can do it your own way
More information

Staying involved

Access the Framework at the COSO ERM Spark!-website (internal use only)
View videos, blogs and articles at www.pwc.com/coso-erm

Marcel Prinsenberg, Senior Director Risk Consulting
Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands
T: +31 (0)88 792 7665 M: +31 (0)6 51 22 52 [email protected]

Roy van der Sluis, Manager Risk Consulting
Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands
T: +31 (0)88 792 46 18 M: +31 (0)6 22 93 91 [email protected]

Compendium of Examples

A compendium of examples is also being developed. The proposed compendium will illustrate:
• All principles
• A variety of entity sizes from global through to national, regional, and local entities
• A variety of industry types
• Actual company practices, augmented with expected practices in select areas as needed
• Written from the perspective of the business
Examples:
• Governance in a higher education institution
• Culture in a government entity
• Culture in a financial services company
• Strategy and objective-setting in an energy company
• Strategy and objective-setting in a not-for-profit entity
• Performance in a consumer products company
• Performance in a technology company
• Review and revision in an industrial products company
• Risk information in a healthcare company
Coming soon…
Appendices

Explores the benefits of ERM

• Increasing the range of opportunities: by considering all possibilities, both positive and negative aspects of risk, management can identify new opportunities and associated challenges.
• Identify and manage risks entity-wide: management identifies and manages these entity-wide risks to sustain and improve performance.
• Increasing positive outcomes: improve management’s ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses.
• Reducing performance variability: management can anticipate the risks that would affect performance and put in place the actions needed to minimize disruption and maximize opportunity.
• Improving resource deployment: risk information enables management, in the face of finite resources, to prioritize resource deployment and enhance resource allocation.
• Enhancing enterprise resilience: enhance management’s ability to anticipate and respond to change, not only to survive but also to evolve and thrive.

• Enterprise risk management frameworks are as varied as the organizations they support.
• In their infancy, many frameworks focus on increasing positive outcomes and identifying entity-wide risks.
• Boards, senior management and stakeholders are increasingly expecting ERM to reduce performance variability, improve resource deployment and enhance enterprise resilience.
• This will often require the capabilities and practices of an organization to evolve in line with increasing expectations.
• The effectiveness of an enterprise risk management Framework is founded on fostering, designing and implementing the culture, capabilities and practices that align to intended benefits.
• A more detailed discussion of the benefits of ERM can be found in the COSO Executive Summary.

Explores managing risk at all altitudes of the organization

The Framework highlights that risks emanate and must be managed at all levels of the organization. The Framework explores how risks can manifest at multiple levels within an organization, with some risks directly impacting the entity strategy while others impact business objectives.
The Framework also addresses how risks can change in severity and prioritization at different levels of the organization and how the impacts of correlation and diversification are considered when analyzing the risk profile or portfolio view of risk.
• Risk frameworks should ensure existing risk identification and assessment practices account for risks occurring at different levels of the organization
• Risk capabilities should account for how risk ratings and responses may exist and change at different altitudes within an organization
• Management should designate appropriate roles and responsibilities for the management of risk and execution of risk responses

Diagram: Entity Strategy at the top, with Entity Level Business Objectives 1 and 2 beneath it, broken down into Business Objectives 1 to 3, and Risks 1 to 4 attached at the different levels.

Where to next?

Encourage your risk professionals to:
• Sync with the language of business in your organisation
• Understand how the organisation creates, realises and preserves value and the supporting assumptions
• Develop a clear understanding of where ERM is integrated

Challenge your organisation to not:
• View ERM simply as a function, team or department
• Consider ERM to be a stand-alone, periodic risk assessment or heat map
• View GRC technology as the entire approach for implementing ERM