COSO ERM: Integrating with Strategy and Performance
Michael Parkinson
Content
• The COSO Frameworks
• Risk
• (Enterprise) Risk Management
• The COSO risk management framework
• A few highlights
• Questions for management
• Issues for the internal auditor
The COSO Frameworks
• Internal Control Integrated Framework: 1992 -> 2013
• Enterprise Risk Management: 2004 -> 2017
• Updates because:
  • Concepts and practices have changed
  • The business environment has changed
  • We have learned
  • Boards & management are better engaged
These frameworks are compatible
Other Frameworks
• Especially ISO:
  • Management Systems frameworks
  • Risk Management Framework
  • Will work together with COSO
BUT
• They use different definitions
Enterprise Risk Management
• Is not the same as “Internal Control”
• Control is one way an organisation can respond to risk
• It is not the only way…
Risk
• Risk exists because:
  • We have objectives
  • We operate in an uncertain environment
• Risk is the way we describe the relationship between uncertainty and our objectives
• Our organisation is successful if it can manage risk
• Our ability to manage risk is our competitive advantage
Risk
• Our understanding of the nature of risk and its application to choices lies at the heart of our economy
• Every choice made in the pursuit of objectives has risk and changes risk
• Dealing with uncertainty in decision-making is part of our organisational lives.
Management IS Risk Management. There is no way they can be separated from each other.
COSO ERM
• The possibility that events will occur and affect the achievement of strategy and business objectives
ISO 31000
• Effect of uncertainty on objectives
Different definitions
Usually considers possible events but does not require them.
An event can be something expected not happening.
ERM Definition
Enterprise Risk Management is:
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
COSO 2017
• New structure:
  • Has fewer components (5 rather than 8)
  • Has 20 Principles
• Integrates to the business model
• Emphasises that risk management is part of business management
• Emphasis on integration
• Emphasis on value
• Links to strategy
• Links to performance
• Recognises the importance of culture
• Focuses on decision-making
COSO ERM - Components
[Figure: the five COSO ERM components, each with its diagram labels]
• Governance & Culture: Tone, Leadership, Oversight
• Strategy & Objective Setting: Integrated, Internal/external factors, Risk Appetite
• Performance: Identify, assess, prioritise, respond, monitor
• Review & Revision: Targets, Context
• Information, Communication & Reporting: Sharing, external & internal sources
COSO ERM - Principles: Governance & Culture
• Exercises Board Risk Oversight
• Establishes Operating Structures
• Defines Desired Culture
• Demonstrates Commitment to Core Values
• Attracts, Develops, and Retains Capable Individuals
COSO ERM - Principles: Strategy & Objective Setting
• Analyses business context
• Defines Risk Appetite
• Evaluates Alternative Strategies
• Formulates Business Objectives
COSO ERM - Principles: Performance
• Identifies risks
• Assesses Severity of Risks
• Prioritizes Risks
• Implements Risk Responses
• Develops Portfolio View
COSO ERM - Principles: Review & Revision
• Assesses Substantial Change
• Reviews Risk and Performance
• Pursues Improvement in Enterprise Risk Management
COSO ERM - Principles: Information, Communication & Reporting
• Leverages Information & Technology
• Communicates Risk Information
• Reports on Risk, Culture and Performance
Emphasis on Integration
• Risk management cannot be separated from management
• Getting risk management right improves decision-making and leads to enhanced performance
• Good risk management helps:
  • Identify risks earlier and/or more explicitly, giving more options for response
  • Identify and pursue opportunities
  • Better respond to deviations in performance
  • Develop a better portfolio understanding of risk
  • Improve collaboration, trust and information sharing
Emphasis on value
• Good risk management creates, preserves and enhances value
• This framework:
  • Places value at the core of its definition
  • Discusses value extensively in the principles
  • Links value to risk appetite
  • Considers value in the discussion of managing risk to acceptable levels
Links to Strategy
• Considers the possibility that strategy may not align with mission, vision and values
• Considers the implications of risk for overall strategy
• Considers the risk in executing strategy
Links to Performance
• Achieve strategy/objectives by actively managing performance
• ERM supports identification and assessment of risks related to performance
• ERM actively considers the tolerance for variations in performance
• Manages risk in the context of strategy and business objectives – does not treat risks in isolation
Links to Performance
• Develops the concept of risk profile, which brings together:
  • Risk
  • Performance
  • Appetite
  • Capacity
Risk/Performance Curve
[Figure: risk/performance curve, labelled with Risk Appetite, Target Performance, Risk Capacity and the Acceptable range of performance]
The Importance of Culture
• Culture is critical to Governance, Risk Management and Internal Control
• Influences all aspects of enterprise risk management
• Is specifically addressed in the principles
• Explores the possible effects of culture on decision-making
• Considers the alignment of culture between the individual and the organisation.
Focus on Decision-making
• Explores how ERM drives risk-aware decision-making
• Highlights how risk awareness optimises and aligns decisions that impact performance
• Explores how risk aware decisions affect the risk profile.
Risk-aware Decision Making
[Figure: inputs to risk-aware decision making: Assumptions, Risk Appetite, Culture, Strategy, Business Context, Risk Profile]
Questions for Management
Managers should be asking themselves:
• Does our approach help us identify the weaknesses in our strategy?
• Are we able to recognise changes in the environment in time to respond?
• Are we looking for and analysing uncertainty?
• Are our decisions based on rigorous analysis or on wishful thinking?
• Do we really know how much contingency we need?
Issues for the Internal Auditor
"The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals." (Standard 2010 - Planning)
The ERM Framework will help you:
• Understand the organisation’s business objectives and strategies
• Understand the risks to business objectives and the way the risks are managed
• Identify which risks are most important
• Understand the risk culture and risk appetite
• Identify existing assurance mechanisms
• Determine priorities for internal audit review
"Internal auditors must develop and document a plan for each engagement… The plan must consider the … strategies, objectives, and risks relevant to the engagement." (Standard 2200 - Engagement Planning)
The ERM Framework will help you:
• Understand which business risks relate to an engagement
• Align the engagement risk assessment to the organisation’s risk assessment
• Design scope and testing based on the organisation’s tolerance for risk
• Make observations in the context of the organisation’s objectives and risk profile
"The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes." (Standard 2120 - Risk Management)
Internal Audit’s role in ERM
• Educate and facilitate understanding of ERM components and principles
• Advise and participate in the risk assessment process
• Assess the effectiveness of information, communication and reporting
• Evaluate the effectiveness of the ERM process and framework
Every contribution by internal audit to governance, risk management or control is a contribution to ERM.
Risk management IS management
Using a sound & consistent framework will produce better results
Sound ERM will
• Increase the range of opportunities
• Identify and manage the range of threats
• Reduce surprises and losses
• Reduce performance variability
• Improve resource deployment
• Anticipate, identify, adapt and respond to change
In short, it will:
• Increase the likelihood of achieving objectives and
• Improve performance