Applying COSO's Enterprise Risk Management—Integrated Framework
September 29, 2004

Today's organizations are concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)

ERM Defined
"…a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Enterprise Risk Management—Integrated Framework

The ERM Framework
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance

The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
Enterprise risk management requires an entity to take a portfolio view of risk.

The ERM Framework
• Management considers how individual risks interrelate.
• Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework
The eight components of the framework are interrelated…

The ERM Framework
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity's risk culture.
• Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
• Is applied when management considers risk strategy in the setting of objectives.
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
  - Likelihood
  - Impact
• Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.

Risk Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
• Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.

Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control—Integrated Framework
• Expands and elaborates on elements of internal control as set out in COSO's "control framework."
• Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
• Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors

Internal Auditors
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements
Visit the guidance section of The IIA's Web site for The IIA's position paper, "The Role of Internal Auditing in Enterprise Risk Management."

Internal Auditors
• 2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effe