Enterprise risk management ERM l2a v1

Enterprise Risk Management (ERM) ‘Integrated Framework’

FUNDAMENTALS & ROLES
  • The Fundamentals
  • COSO Enterprise Risk Management
  • Role of Executive Management
  • Role of the Director
  • Role of the Chief Risk Officer
  • Risk Management Oversight Structure
  • Role of Internal Audit

IMPLEMENTATION
  • Risk Management Vision and Objectives
  • Conducting Risk Assessments
  • Getting Started – Set the Foundation
  • Building & Enhancing Capabilities
  • Building a Compelling Business Case
  • Making it Happen
  • Relevance to Sarbanes-Oxley Compliance
  • Other Questions

COSO Enterprise Risk Management

What is COSO?
  • The “Committee of Sponsoring Organizations”, formed in 1985
  • A voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance
  • Sponsored the National Commission on Fraudulent Financial Reporting (the Treadway Commission), which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions

COSO sponsoring organizations
  • American Institute of Certified Public Accountants (AICPA)
  • Institute of Internal Auditors (IIA)
  • Financial Executives International (FEI)
  • Institute of Management Accountants (IMA)
  • American Accounting Association (AAA)

Why was the COSO Enterprise Risk Management – Integrated Framework created?
  • “Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.”
  • The goal was to develop a framework that “would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.”
  • High-profile business failures occurred during the period of the framework’s development, and there were “calls for enhanced corporate governance and risk management, with new law, regulatory and listing standards.”
  • A framework was needed to provide a common language and give clear direction and guidance

What is the COSO Enterprise Risk Management – Integrated Framework?
  • “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

COSO ERM – Integrated Framework
  • Four categories of objectives: strategic, operations, reporting and compliance
  • Applied across the entity, its divisions, business units and subsidiaries
  • Eight components of ERM

Eight components of ERM
  • Internal environment: risk management philosophy
  • Objective setting: strategic objectives
  • Event identification: potential events (SWOT)
  • Risk assessment: impact of potential events
  • Risk response: response options and their effect
  • Control activities: policies & procedures
  • Information and communication: reporting
  • Monitoring: assess performance

Internal environment: risk management philosophy
  • This component reflects an entity’s enterprise risk management philosophy, risk ...

Control activities: policies & procedures
  • Management implements policies and procedures throughout the organization, at all levels and in all functions, to help ensure that risk responses are properly executed

Information and communication: reporting
  • The organization identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities
  • Effective communication also flows down, across and up the organization
  • Reporting is vital to risk management, and this component delivers it

Monitoring: assess performance
  • Ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time

How can we obtain the COSO ERM framework?
  • www.coso.org – the integrated framework: Executive Summary, Framework, Application Techniques
  • Risk Management in the Electricity Industry (EurElectric): http://www.eurelectric.org/CatPub/Document.aspx?FolderID=1535&DocumentID=21945

How was the COSO ERM framework developed?
  • COSO engaged PricewaterhouseCoopers
  • Input came from CEOs, CFOs, CROs, controllers and internal auditors representing public and private companies of varying sizes, from different industries, and from government agencies
  • Further input came from legislators, regulators, external auditors, lawyers and academics

How do we use the COSO ERM framework?
  • It should be used as a benchmarking tool to evaluate the effectiveness of the ERM process in place, as well as of specific risk management activities at all levels of the organization
  • It provides the context for defining improvements in risk management capabilities

Are companies required to use the COSO ERM framework? NO
Does the COSO ERM – Integrated Framework replace or supersede the COSO Internal Control – Integrated Framework? NO

How does the COSO ERM compare to Internal Control?
  • Broader focus on risk management; it encompasses the internal control framework
  • Adds a new category of objectives, strategic objectives, and expands the reporting objective to include internal reporting
  • Introduces the concepts of risk appetite and risk tolerance
  • Expands the risk assessment component into four components: objective setting, event identification, risk assessment and risk response

Does ERM broaden the focus beyond traditional risk management (insurable risk)?
  • Yes: it emphasizes strategic, operational, reporting and compliance objectives
  • The eight components of ERM are sufficiently comprehensive and extend well beyond the procurement of insurance

Are there other standards and frameworks in existence and, if so, what do they promulgate and how does the COSO ERM relate to them?
  • Internal Control: Guidance for Directors on the Combined Code (United Kingdom)
  • King Report on Corporate Governance for South Africa
  • International Organization for Standardization – ISO/IEC Guide
  • Australian/New Zealand Standard 4360: Risk Management
  • Risk Management Standard (Institute of Risk Management, Association of Insurance and Risk Managers)
  • COSO did not publish a reconciliation, but considered them

What is the point of view of the SEC with respect to ERM?
  • SEC Release 33-9089, which “mandates disclosure of risk oversight and risk reporting lines, risk assessment by business unit, and assessment of the risk associated with compensation plans”

What are the deliverables when the COSO ERM framework is implemented?
  • Presence on the CEO agenda
  • Overall risk management policy
  • Common risk language
  • Enterprisewide risk assessment process
  • Common process view
  • Clarity of roles and responsibilities related to risk management
  • Focused risk committee(s)
  • CRO (or equivalent executive)
  • Integration of risk responses within business plans
  • Integration of risk management with strategy-setting
  • Alignment of organizational behavior with risk appetite
  • Risk reporting
  • Knowledge sharing process for identifying best practices
  • Common training
  • Proprietary tools to portray a portfolio view of risk
  • Supporting technology
  • Value proposition: improved capabilities for managing priority risks (strategic)

Can a company “partially” adopt the COSO ERM with success?
  • With a centralized view of the business, an enterprise view must of necessity extend to the entire organization
  • With a decentralized view of the organization, where different units operate autonomously, an enterprise view would apply at the unit level

Posted: 18/01/2019, 15:49

Table of contents

  • Enterprise Risk Management (ERM) ‘Integrated Framework’

  • FUNDAMENTALS & ROLES

  • IMPLEMENTATION

  • COSO Enterprise Risk Management

  • Slide 5

  • Slide 6

  • Slide 7

  • Slide 8

  • Slide 9

  • Slide 10

  • Slide 11

  • Slide 12

  • Slide 13

  • Slide 14

  • Slide 15

  • Slide 16

  • Slide 17

  • Slide 18

  • Slide 19

  • Slide 20
