COSO ERM Synopsis Edit MSD

Upload: arsalan-ahmad-khan

Post on 10-Apr-2018


  • 8/8/2019 COSOERMSynopsis Edit MSD

    1/6

    Abstract

    COSO ERM Framework

    Topical Areas: ERM Frameworks; COSO ERM Framework Core Elements; What is ERM; Key Components to ERM

    Main Analysis: This abstract provides a brief overview of COSO's Enterprise Risk Management - Integrated Framework, issued in September 2004.

    Why has COSO prepared this ERM Framework?

    Several recent high-profile business scandals and failures have caused investors, politicians, and businesses to demand enhanced corporate governance and risk management techniques. This demand is seen most clearly in the Sarbanes-Oxley Act of 2002: public companies are now required to test and certify their internal controls over financial reporting. ERM is a relatively new management technique and differs across companies and industries. The goal of the ERM framework is to provide companies with key principles and concepts, a common language, and clear direction and guidance regarding the management of enterprise risks. Additionally, companies may look to this ERM framework both to satisfy their internal control needs and to move toward a fuller risk management process. This ERM framework incorporates adequate financial internal controls as a component of enterprise risk management.

    Who are the likely readers?

    In the framework, COSO defines the likely readers as follows:

    Board of Directors - This framework conveys the importance and value of enterprise risk management. After reading it, boards will have a better understanding of enterprise risk management, aiding them in their company oversight.

    Senior Management - This framework suggests that chief executives assess the organization's enterprise risk management capabilities. This initial assessment will determine whether there is a need for, and how to proceed with, a more in-depth evaluation.

    Other Entity Personnel - Managers and other personnel need to consider how they are conducting their responsibilities in light of this framework. Internal auditors should consider the breadth of their focus on enterprise risk management.

    Regulators - This framework helps to consolidate the different views of enterprise risk. Regulators may refer to this framework in establishing expectations for the entities they oversee.

    Professional Organizations - Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework.


    Educators - This framework might be the subject of academic research and analysis, to see where future enhancements can be made. ERM concepts and terms should also be incorporated into university curricula.

    What is ERM?

    ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

    ERM is based on the premise that every entity exists to provide value for its stakeholders. Basic business principles suggest that the greater the risk associated with a decision, the greater the potential return that decision will yield. Uncertainty presents both risk and opportunity: risk can decrease value, while an opportunity has the potential to enhance value. All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. ERM enables management to identify, assess, and manage these risks in the face of uncertainty. Under ERM, management is able to assess risk on an enterprise-wide basis. Traditionally, entities have viewed and assessed risk under a silo method, where many different managers would view and monitor their specific risks. However, these risks span different business functions and should not be monitored in isolation. Under ERM, management assesses and monitors risk from a high-level, or portfolio, view. This allows management to first identify risks and then analyze the enterprise-wide effects of these risks.

    Under the COSO framework, ERM is geared to achieving an entity's objectives, set forth in four categories:

    Strategic - These objectives are high level and are aligned with an entity's mission.

    Operations - These objectives refer to the effective and efficient use of resources.

    Reporting - These objectives surround an entity's need for reliable reporting.

    Compliance - These objectives refer to an entity's need to comply with applicable laws and regulations.

    Managing risks in these four categories within an entity's risk appetite will aid in the creation of stakeholder value.

    Why should an entity consider ERM?

    Entities operate in environments where factors such as globalization, technology, restructurings, changing markets, competition, and regulation create uncertainty. This uncertainty creates risks. ERM allows entities to manage risks to within their risk appetite (defined below). As a result, entities are able to provide maximum value to stakeholders with reasonable assurance that risks outside their risk appetite will be identified and managed. ERM can help prevent future business failures and scandals. Also, a company correctly utilizing ERM can satisfy the requirements set forth by the Sarbanes-Oxley Act regarding adequate internal controls over financial reporting.


    Who are the leaders of an ERM effort within an organization?

    Members of top management play a critical role in ERM. Currently, some large companies are creating a Chief Risk Officer position to oversee ERM. Others are having their internal audit function coordinate ERM implementations. Regardless of who exactly is implementing ERM, top management must express a strong desire to implement it. This desire, and the importance of ERM, must then be spread throughout the organization. To some extent every member of an organization plays a role in ERM and can affect the organization's risks.

    Top management must be ethical. Management integrity is a prerequisite for ethical behavior. The effectiveness of ERM cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. Management must appear ethical to company personnel and stress the importance of being ethical. If management appears unethical, company personnel may follow their example and begin to make unethical business decisions.

    How should ERM relate to an entity's strategy?

    ERM should directly influence an entity's strategy. An entity's mission sets the overarching goals of the entity. From this, management sets its strategic objectives. Strategic objectives are high-level goals, and it is important that they are aligned with the entity's mission. They reflect management's choice as to how the entity will attempt to create value for its stakeholders. Management then considers alternate ways to achieve its strategic objectives through different strategy choices. Management uses ERM to evaluate the risks associated with each strategy alternative. Prior to finalizing an entity's strategy, management must determine that the strategy is within the entity's overall risk appetite. Focusing on strategic objectives and strategy allows an entity to develop related objectives at the entity level. Entity-level objectives are linked to and integrated with more specific objectives (i.e., operations, reporting, and compliance). These specific objectives are broken down further into sub-objectives established for various activities, such as sales, production, and infrastructure functions.

    What are the eight key components of the COSO ERM Framework?

    COSO's ERM - Integrated Framework consists of eight components:

    1. Internal Environment - Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity's people. It is critical that upper management express the importance of ERM throughout all levels of an entity.

    2. Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

    3. Event Identification - Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.

    4. Risk Assessment - Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with the objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.

    5. Risk Response - Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align risks with the entity's risk tolerances and risk appetite.

    6. Control Activities - Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.

    7. Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk.

    8. Monitoring - The entirety of ERM is monitored, and modifications are made as necessary. In this way, it can react dynamically, changing as conditions warrant.

    Risk Terms

    - Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

    - Risk Appetite is the amount of risk, on a broad level, an entity is willing to accept as it tries to achieve its goals and provide value to stakeholders. It reflects the enterprise's risk management philosophy, and in turn influences the entity's culture and operating style. Many entities define their risk appetite qualitatively, while others take a more quantitative approach.

    - Risk Tolerance is the acceptable level of variation relative to achievement of a specific objective. This variation is often measured using the same units as its related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Therefore, an entity operating within its risk tolerances is operating within its risk appetite.

    - Risk Culture is the appearance and attitude of management regarding ERM that is conveyed to entity personnel. Are management's actions aligned with the implemented ERM strategies?

    What is meant by assessing risk likelihood and impact?

    Likelihood is the possibility that an event may occur. Likelihood can be described using qualitative terms such as high, medium, and low. Alternately, likelihood can be described using quantitative measures such as a percentage or a frequency.


    Impact represents the effect that a given event will have on an entity. Impact can be described both qualitatively and quantitatively. Entities often describe events based on severity, consequences, or dollar amounts.

    Management is most concerned with events that have a high likelihood and a high potential impact.

    What is meant by inherent risk and residual risk?

    Inherent risk is the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact. These risks may result from an entity's industry, strategy, and environmental factors.

    Residual risk is the risk that remains after management's response to the risk. Management must decide whether this residual risk is within the entity's risk appetite.

    What is a risk map?

    A risk map is a graphic representation of the likelihood and impact of one or more risks. Risk maps may plot quantitative or qualitative estimates of risk likelihood and impact. Often, risk maps are referred to as heat maps since they present risk levels by color, where red represents high risk, yellow moderate risk, and green low risk. [link to Beasley heat map]

    What are event inventories and leading event indicators?

    During the event identification process management identifies events that, if they occur, will affect the entity. Events that have positive effects represent opportunities and those with negative effects represent risks.

    Event inventories are detailed listings of potential events common to companies in a particular industry. Software products can generate a generic list of potential events. Often, entities will use such software as a starting point in the event identification process.

    Leading event indicators are found by monitoring data correlated to events. Entities can create a list of conditions that could give rise to an event and monitor those indicators to help mitigate risks.

    What are the four risk responses?

    Avoidance is a response where the entity exits the activities that cause the risk. Some examples of avoidance are exiting a product line, selling a division, or deciding against expansion.

    Reduction is a response where action is taken to mitigate the risk likelihood and impact.

    Sharing is a response that reduces the risk likelihood and impact by sharing a portion of the risk with another party. An extremely common sharing response is insurance.


    Acceptance is a response where no action is taken to affect the risk likelihood or impact.
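The likelihood-and-impact scoring, the inherent versus residual distinction, the red/yellow/green heat-map bands and the four responses described above can be put together in one small risk register. The Python below is an added example written for this page; it is not code from COSO or from the synopsis authors. The 1-to-5 rating scale, the score thresholds used for the colour bands, the per-category tolerances and the register entries are all assumptions made for illustration, not values taken from the framework.

```python
"""Risk register scoring in the COSO ERM vocabulary (added example).

Each risk gets an inherent score (likelihood x impact before any response),
a residual score (after the selected response), a heat-map band, and a check
of the residual score against the tolerance set for its objective category.
The 1..5 scale, band thresholds, tolerances and sample entries are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

RESPONSES = ("avoid", "reduce", "share", "accept")   # the four COSO responses

# Assumed: risk tolerance per objective category, in score units (max score is 25).
TOLERANCES = {"strategic": 10, "operations": 8, "reporting": 6, "compliance": 6}


@dataclass
class Risk:
    name: str
    objective: str                 # strategic | operations | reporting | compliance
    inherent_likelihood: int       # 1 (low) .. 5 (high), assumed scale
    inherent_impact: int
    response: str                  # one of RESPONSES
    residual_likelihood: Optional[int] = None   # required for reduce / share
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the assumed scale; 0 is allowed for an avoided risk."""
    for v in (likelihood, impact):
        if not 0 <= v <= 5:
            raise ValueError(f"rating {v} is outside the 0..5 scale")
    return likelihood * impact


def heat_band(s: int) -> str:
    """Map a score to the red / yellow / green heat-map bands (thresholds assumed)."""
    if s >= 15:
        return "red"
    if s >= 8:
        return "yellow"
    return "green"


def residual_ratings(risk: Risk) -> tuple:
    """Residual likelihood and impact implied by the selected response."""
    if risk.response == "avoid":          # activity exited: the risk no longer arises
        return 0, 0
    if risk.response == "accept":         # no action taken: residual equals inherent
        return risk.inherent_likelihood, risk.inherent_impact
    if risk.response in ("reduce", "share"):
        if risk.residual_likelihood is None or risk.residual_impact is None:
            raise ValueError(f"{risk.name}: {risk.response} needs residual ratings")
        # A 'reduction' that leaves either rating higher than inherent is a data error.
        if (risk.residual_likelihood > risk.inherent_likelihood
                or risk.residual_impact > risk.inherent_impact):
            raise ValueError(f"{risk.name}: residual rating exceeds inherent rating")
        return risk.residual_likelihood, risk.residual_impact
    raise ValueError(f"{risk.name}: unknown response {risk.response!r}")


def assess(risk: Risk, tolerances=TOLERANCES) -> dict:
    """Inherent and residual scores, their bands, and the tolerance check for one risk."""
    inherent = score(risk.inherent_likelihood, risk.inherent_impact)
    residual = score(*residual_ratings(risk))
    return {
        "name": risk.name,
        "objective": risk.objective,
        "inherent": inherent, "inherent_band": heat_band(inherent),
        "residual": residual, "residual_band": heat_band(residual),
        "within_tolerance": residual <= tolerances[risk.objective],
    }


def register_report(risks, tolerances=TOLERANCES) -> list:
    """Assess every risk, highest residual score first (the high/high corner of the map)."""
    return sorted((assess(r, tolerances) for r in risks),
                  key=lambda row: row["residual"], reverse=True)


def outside_tolerance(report) -> list:
    """Risks whose residual score still exceeds tolerance and need a further response."""
    return [row["name"] for row in report if not row["within_tolerance"]]


# Constructed sample register; the entries are illustrative, not from the framework.
SAMPLE_REGISTER = [
    Risk("Ransomware halts order processing", "operations", 4, 5, "reduce", 2, 4),
    Risk("Spreadsheet error misstates quarterly results", "reporting", 3, 4, "reduce", 1, 4),
    Risk("Flood at primary data centre", "operations", 2, 5, "share", 2, 2),
    Risk("Entry into an unregulated market segment", "strategic", 4, 4, "avoid"),
    Risk("Minor supplier price fluctuation", "operations", 3, 1, "accept"),
    Risk("Late breach notification draws a regulatory fine", "compliance", 3, 5, "reduce", 2, 4),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        flag = "" if row["within_tolerance"] else "  <- outside tolerance"
        print(f"{row['name']:<50} inherent {row['inherent']:>2} ({row['inherent_band']})"
              f"  residual {row['residual']:>2} ({row['residual_band']}){flag}")
```

Two design points follow the text: acceptance leaves the residual equal to the inherent score and avoidance drives it to zero, so only reduction and sharing need explicit residual ratings; and the tolerance is keyed by objective category, so the same residual score of 8 is inside tolerance for an operations risk but outside it for a compliance risk, which is exactly the kind of entry a risk map would push back to management for a further response.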

    How does the ERM Framework reconcile to the COSO Internal Control - Integrated Framework?

    In 1992, COSO issued the Internal Control - Integrated Framework. This framework provides tools to evaluate internal control systems. It is based on five interrelated components. ERM expands on internal controls by focusing on risk from a portfolio perspective. For example, the Internal Control - Integrated Framework specifies three categories of objectives: operations, financial reporting, and compliance. ERM includes these three categories and expands the reporting objective. While the Internal Control - Integrated Framework is concerned with published financial statements, ERM is concerned with reports, both internal and external, generated across the entire entity. Also, ERM adds an additional category of objectives, namely strategic objectives, which are based on an entity's mission. ERM requires that the operations, reporting, and compliance objectives align with the strategic objectives.

    ERM also expands on the Internal Control - Integrated Framework's risk assessment component by dividing it into four components: objective setting, event identification, risk assessment, and risk response. Both frameworks acknowledge that risks are found at all levels of an entity and result from internal and external factors. However, ERM discusses the concept of potential events. It recognizes that events can have positive and negative effects. ERM also further explores what triggers events, to help minimize risk and maximize potential benefits. Risk assessment is a more detailed process under ERM. It looks at risk on an inherent and a residual basis, and describes how one risk can create multiple risks across an entity. Lastly, risk response options are more detailed under ERM.

    ERM also expands on other components of the Internal Control - Integrated Framework. ERM stresses that in some cases control activities themselves serve as a risk response. ERM also expands on the information and communication component by focusing on data derived from past, present, and future events. Combined, these three types of data allow an entity to identify events and respond as necessary to remain within its risk appetite. Overall, COSO has used the Internal Control - Integrated Framework as a foundation in the creation of its Enterprise Risk Management - Integrated Framework.

    Source: COSO's Enterprise Risk Management - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), New York, NY, September 2004 (see www.coso.org)

    Abstract Prepared by: ERM Initiative Faculty and Brian Ziberna

    http://www.coso.org/