DOCUMENT INFORMATION
Basic information
Format:
Pages: 105
Size: 1.01 MB
Contents
Enterprise Risk Management (ERM) "Integrated Framework"

FUNDAMENTALS & ROLES
COSO Enterprise Risk Management: Roles & Oversight Structure

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit

IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

COSO Enterprise Risk Management
What is COSO? ("Committee of Sponsoring Organizations", formed in 1985)
• A voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance
• Sponsor of the National Commission on Fraudulent Financial Reporting (the Treadway Commission), which examined the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions

COSO Enterprise Risk Management
COSO sponsoring organizations
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• American Accounting Association (AAA)

COSO Enterprise Risk Management
Why was the COSO Enterprise Risk Management – Integrated Framework created?
• "Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk."
• To develop a framework that "would be readily usable by managements to evaluate and improve their organizations' enterprise risk management."
• High-profile business failures occurred during the period of the framework's development, and there were "calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards."
• Need for a framework to provide a common language and give clear direction and guidance

COSO Enterprise Risk Management
What is the COSO Enterprise Risk Management – Integrated Framework?
"A process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

COSO Enterprise Risk Management
COSO ERM – Integrated Framework
• Four categories of objectives: strategic, operations, reporting and compliance
• Applied to the entity, its divisions, business units & subsidiaries
• Eight components of ERM

COSO Enterprise Risk Management
Eight components of ERM
• Internal environment - risk management philosophy
• Objective setting - strategic objectives
• Event identification - potential events (SWOT)
• Risk assessment - impact of potential events
• Risk response - response options and effect
• Control activities - policies & procedures
• Information and communication - reporting
• Monitoring - assess performance

Role of Internal Audit
Core roles for internal audit
• Giving assurance on the risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Role of Internal Audit
Roles that are not appropriate for internal audit
• Setting the risk appetite
• Authorizing and dictating the implementation of risk management processes
• Assuming the role of management in providing assurance on risks and risk management performance
• Making decisions on risk responses
• Implementing risk responses on management's behalf
• Accepting accountability for risk management

Role of Internal Audit
"Legitimate internal audit roles"
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidating reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing a risk management strategy for the BOD

Role of Internal Audit
• Should internal audit lead the ERM effort? No
• Should internal audit integrate the COSO ERM framework into its work? Recommended
• Hasn't internal audit evaluated the application of ERM within the organization? Not necessarily

Role of Internal Audit
• Does the Institute of Internal Auditors (IIA) support the COSO Enterprise Risk Management – Integrated Framework? Yes
• Do the IIA standards require the use of the COSO Enterprise Risk Management – Integrated Framework? Not required – issued guidance

IMPLEMENTATION
• Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

Vision and Objectives
Conducting Risk Assessments
Getting Started – Set the Foundation
Building & Enhancing Capabilities
Building a Compelling Business Case
Making it Happen
Relevance to SOX Compliance
Other Questions

...

Risk Management
COSO Enterprise Risk Management
Internal environment: risk management philosophy
This component reflects an entity's enterprise risk management philosophy, risk appetite, board...

4360: Risk Management
Risk Management Standard (Institute of Risk Management, Association of Insurance and Risk Management)
COSO did not publish a reconciliation – but considered them
COSO Enterprise...

COSO Enterprise Risk Management
• Integration of risk responses within business plans
• Integration of risk management with strategy-setting
• Alignment of organizational behavior with risk appetite
• Risk