English Report AF


Faculty of Business

Accounting School

ACADEMIC REPORT

COSO ERM 2017

COURSE:

Financial Audit

AUTHOR:

Wilman Villalobos, Juan Enrique

TEACHER:

JUAN MARTIN CARRION ANSUINI

Campus - Peru

(2024)
Introduction

The first version of COSO ERM was born out of the need for organizations to have
a scheme that facilitates the effective identification and evaluation of the
risks that affect them, and the precise establishment of proposals for those
risks.
However, in recent years the environment has become extremely volatile and full
of complexity, uncertainty and ambiguity. Constantly advancing demands on
business risk have thus resulted in risks that are more difficult to control,
which is why it is vitally important that the contingency and risk control
methods that management adopts evolve.

Likewise, all stakeholders in the organization will seek to be actively involved
in it, thus achieving greater transparency in accountability.
On the other hand, according to Tam & Cusquisiban (2024), the changes have
caused companies to intelligently embrace the increasing volatility of the
current environment. This is why the Treadway Commission needed to update the
first regulatory framework, ERM 2004, to a more current version, ERM 2017.

The COSO 2017 ERM framework intertwines risk-focused enterprise risk management
practices for all types of organizations with the overall aim of increasing risk
enhancement, increasing performance, refining how resources are managed,
creating better opportunities, increasing the robustness of companies and
eliminating negative surprises.
Finally, it is worth noting that the latest version of COSO ERM (2017) is
compatible with all organizations regardless of sector and size, since this
scheme considers that under no circumstances should risk-based management be a
solitary process; on the contrary, it must be integrated with what the company
is looking for. This new framework gives the opportunity to investigate and
analyze trends and the impact they will have on the company's performance
management.

Main obstacles to implementation

According to Tam & Cusquisiban (2024), the main obstacle in the implementation
of risk-based management is a lack of knowledge on the part of a company's
management. It is important that all those involved, including stakeholders,
participate in risk management to verify the effectiveness and efficiency of
what is proposed. The change to a new organizational culture will lead to a new
way of managing in order to achieve the company's objectives, which will make
all the company's collaborators aware of the existing risks that must be
minimized both economically and socially.

What are the objectives for upgrading to the COSO 2017 ERM version?

With this framework they seek:

● Increased resilience: It will depend exclusively on companies proposing
significant contingencies to avoid the risks that seek to interfere with their
objectives.

● A common language in the risk strategy: Identifying and assessing risks on a
common basis so that everyone in the company can understand them more quickly.

● Improved resource deployment: Obtaining early and accurate risk information
will allow for a clear and accurate assessment of what resources are needed.

● Opportunities for improvement generated around the strategy: Considering the
positive and negative aspects of the risks, opportunities can be generated
within the risks that can be taken advantage of to create value.

Components and principles of COSO ERM 2017.

According to PwC (2018), this framework benefits companies in the development
of a risk-based profile that allows, in a general way, an understanding of the
risks that may in some way get in the way of the development of activities that
aim to achieve them. This is achieved through best practices, including those on
the 5 COSO components and their relationship to the company's vision and
mission.

The framework has 5 main elements and 20 principles, which are as follows:

Governance and culture

The governance and culture component of COSO 2017 emphasizes the importance of
setting the tone of the company and directing the responsibility of the board in
risk management. Within this component are five principles, which refer to the
company's culture through ethics. Risk management practices at the board level
may include:

● Measure and test the best strategy for the company, which has to be on the
same plane as the company's culture, vision and mission, and also the risk
that cannot be reduced in each of the proposed strategies.

● Define the structure and roles in charge of supervising the company.

● Involve management in the proper assessment of risk management, since
management is the closest thing to the company's operations.

● Review the company's linear performance, since this will determine the
entity's risk taking in order to define short, medium and, in most cases,
long-term objectives.

Strategies and objectives

Strategies and objectives work together in planning, since it is important to
define which strategies to implement and which objectives to achieve. These
practices include:

● Have fixed expectations in adapting the risk-based management of the
enterprise.

● Understand risk appetite through talks and discussions, aligning those
agreements with what stakeholders want.

● Have a way to constantly communicate with management as to how these
strategies may affect the business.

● Proactively inform the board of the potential risks inherent in the
strategies proposed.

● The board needs to understand how capable the company is of withstanding
risks in the event of major events or unexpected situations.

On the other hand, understanding the context in which the company is located is
important for deciding how much risk can be taken. To analyze the business
context, both the internal and external factors that are affected by the risk
must be taken into account. After that, management must decide whether the
strategy found is adequate for how much risk the company can bear. For
organizations, risk appetite is shown in different ways, such as:

● With the help of the vision and mission: Risk appetite should be in sync with
the vision, as this makes it easier for management to understand whether
strategy efforts are backfiring in terms of what the company wants to achieve
through its vision and mission.

● Direction of the companies: To define strategies and objectives, risk
appetite would be a key factor, since the directors will assume strategies
already proposed, which provide important information on the risk and growth
potential.

Performance

According to PwC (2018), risk and performance do not always align. It is not
prudent to assume that risk will increase in proportion as performance
increases. If the company changes its purpose, or faces external or internal
situations that affect its objectives, the perceived risk will vary.
Therefore, this performance results in actions, functions and tasks that are
vital for carrying out the strategies. Performance-based management focuses on
the efficient distribution and measurement of movements and responsibilities
according to the objectives that were determined for the short, medium and long
term, since risk may vary over time. According to COSO (2017), performance has
5 principles:

● Risk identification: The company has to evaluate and identify how much risk
the business has in order to choose the strategy; from this, any risk in the
process can be identified in order to evaluate the execution risk.

● Assessing the severity of risks: Once the risks are defined, the systematic
risks are assessed in 2 classes: one is how likely each risk is, and the other
is how much impact it will have.

● Risk prioritization: Management will be successful if and only if each risk is
prioritized separately and appropriately.

● Implementing responses to risks: These responses have to be chosen by
management according to how much risk the company can bear.

● Develop a risk portfolio: After agreeing on the risks to be taken by the
board, there must be a detailed report of all the risks to be taken and how
likely they are to occur or what impacts they will have, in order to be properly
prepared for any eventuality.

Review

According to COSO (2017), through the review we can monitor how risk management
participants behave in case there are significant changes. In this component,
the board is questioned about any manifestation of risk in business
performance, whether positive or negative. On the other hand, this component
focuses on tracking risk along with management performance. If this is done
correctly, the relationship between performance and risk will be properly
identified and understood. In this component we can mention three principles:

● Evaluates substantial changes: External and internal changes must be
evaluated in order to know what impact they will have on the assessed risks.

● Review risk and performance: It is necessary to verify the controls imposed
by management. Through this mechanism, employees can inform management about
inappropriate behavior or non-compliant controls.

● Pursue improvement in enterprise risk management: By reviewing on a
day-to-day basis, we can identify problems in the company's operations and
thus corrective actions can be taken.

Information, Communication and Reporting

The objective of this component is to provide useful data to make decisions
regarding the performance of risk-based management, since internal reports
improve communication and the image of management. Here it will be
communicated how well they are working and data will be provided to make better
decisions in the entity.

On the other hand, in some jurisdictions it is mandatory for companies to provide
data on their risk management process and disclose which risks are important for
stakeholders.

According to Tam & Cusquisiban (2024), it is the constant reviews that will
decide whether these control components are in place and working. These reviews
will provide timely information, with imperfections found in the reviews
reported to management with the objective of implementing corrective actions.
The reviews allow the company to propose improvement actions to increase the
effectiveness and efficiency of the procedures.

In addition, information and communication are vital so that a company's
employees and outsiders have information on the risk management being carried
out.

Also, internal communication is the way in which information is conveyed
throughout the organization and flows to all levels of the company. Through this
type of communication everyone receives a message from management about their
responsibilities and what the risk-based management system is expected to
achieve. Finally, external communication will inform interested persons and
stakeholders about issues that may affect risk management.

As far as this information, communication and reporting component is concerned,
it has 3 principles:

● Leverages information and technology: Technology will be used to provide
data to the company's management, so that any eventuality detected through
monitoring can be responded to immediately.

● Communicate information about risks: Any type of compliance control must
be known throughout the company and can be communicated in different ways, such
as emails, meetings, or informal messages from management or senior management,
in which employees are informed of their responsibilities in risk-based
management, and it must be ensured that everyone receives a clear
communication.

● Risk, culture and performance reporting: Information must be known about
how the process for assessing risks will work, how risks will be identified, and
what responses there will be to them. Metrics have to be used to measure
performance and report the category of culture within the organization, and
this can be investigated with employee surveys or interviews.

References

PwC. 2018. Resiliencia Organizacional y Gestión de riesgo. Retrieved from:
https://www.pwc.com/cl/es/publicaciones/assets/2018/Resilencia_organizacional_y_gestion_de_riesgo.pdf

Tam, G. & Cusquisiban, F. 2024. COSO ERM 2017: Gestión de riesgos y su impacto
en la gestión empresarial en las empresas importadoras de productos ópticos de
cadena en la ciudad de Lima año 2020. Retrieved from:
https://repositorioacademico.upc.edu.pe/bitstream/handle/10757/657624/Tam_ChG.pdf?sequence=3&isAllowed=y

COSO. 2017. Gestión de riesgo empresarial integrando estrategia y desempeño.
Retrieved from:
https://iaiecuador.org/documentos/Resumen_ejecutivo_cosoERM.pdf
