Applying COSO’s
Enterprise Risk Management —
Integrated Framework
September 29, 2004
Today’s organizations are
concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)
ERM Defined:
“… a process, effected by an entity's
board of directors, management and
other personnel, applied in strategy
setting and across the enterprise,
designed to identify potential events that
may affect the entity, and manage risks
to be within its risk appetite, to provide
reasonable assurance regarding the
achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit
or not, exists to realize value for
its stakeholders.
• Value is created, preserved, or eroded
by management decisions in all
activities, from setting strategy to
operating the enterprise day-to-day.
Why ERM Is Important
ERM supports value creation by enabling
management to:
• Deal effectively with potential future
events that create uncertainty.
• Respond in a manner that reduces
the likelihood of downside outcomes
and increases the upside.
Enterprise Risk Management —
Integrated Framework
This COSO ERM framework defines
essential components, suggests a
common language, and provides clear
direction and guidance for enterprise risk
management.
The ERM Framework
Entity objectives can be viewed in the
context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
The ERM Framework
ERM considers activities at all levels
of the organization:
• Enterprise-level
• Division or
subsidiary
• Business unit
processes
The ERM Framework
Enterprise risk management
requires an entity to take a
portfolio view of risk.
The ERM Framework
• Management considers how
individual risks interrelate.
• Management develops a portfolio
view from two perspectives:
- Business unit level
- Entity level
The ERM Framework
The eight components
of the framework
are interrelated …
Internal Environment
• Establishes a philosophy regarding risk
management. It recognizes that
unexpected as well as expected events
may occur.
• Establishes the entity’s risk culture.
• Considers all other aspects of how the
organization’s actions may affect its risk
culture.
Risk Culture
• set of encouraged and acceptable behaviors,
discussions, decisions and attitudes toward
taking and managing risk within an
institution
• is the glue that binds all elements of risk
management infrastructure together,
because it reflects the shared values, goals,
practices and reinforcement mechanisms
that embed risk into an organization’s
decision-making processes and risk
management into its operating processes.
• it is a look into the soul of an organization to
ascertain whether risk/reward trade-offs
really matter.
Objective Setting
• Is applied when management considers
risk strategy in the setting of
objectives.
• Forms the risk appetite of the entity — a
high-level view of how much risk
management and the board are willing
to accept.
• Risk tolerance, the acceptable level of
variation around objectives, is aligned
with risk appetite.
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact
represent risks.
• Events that may have a positive impact
represent natural offsets
(opportunities), which management
channels back to strategy setting.
Event Identification
• Involves identifying those incidents,
occurring internally or externally, that
could affect strategy and achievement
of objectives.
• Addresses how internal and external
factors combine and interact to
influence the risk profile.
Risk Assessment
• Allows an entity to understand the
extent to which potential events might
impact objectives.
• Assesses risks from two perspectives:
- Likelihood
- Impact
• Is used to assess risks and is normally
also used to measure the related
objectives.
Risk Assessment
• Employs a combination of both
qualitative and quantitative risk
assessment methodologies.
• Relates time horizons to objective
horizons.
• Assesses risk on both an inherent and a
residual basis.
• Inherent Risk is typically defined as
the level of risk in place in order to
achieve an entity’s objectives and
before actions are taken to alter
the risk’s impact or likelihood.
• Residual Risk is the remaining
level of risk following the
development and implementation
of the entity’s response.
Steps
The steps between the assessment of
inherent risk and the final evaluation of
residual risk:
1. Risk Response – Management
designs risk responses at various
levels based on the analysis of the
risk (impact and likelihood) and on
the defined level of risk tolerance.
The response typically includes the
categories of acceptance,
avoidance, reduction, and sharing.
2. Establishment of Controls –
Controls are typically established in
those operations areas that are
essential, where acceptance is too
risky, and where avoidance and sharing are
not possible or practical.
• A control is any activity which
mitigates or reduces risk, but
typically it involves an additional
activity to ensure that a process
occurs as it should. Cost vs. benefit
is always considered in the
establishment of controls.
3. Testing and Assessment of
Internal Controls –
To ensure that controls are
operating efficiently, testing is
usually necessary, particularly in
automated processes. The testing
provides confidence that controls
have reduced risk to a tolerable
level.
4. Corrective Action – Corrective
action is warranted when a control is
weak, not in place, or not
functioning properly. These actions
are documented and added to the
entity’s risk assessment plan with a
timeline for action.
Testing can be time-consuming and
not always possible, and an
alternative is to combine on-going
monitoring with a regular review of
control design to provide assurance
that activities are being carried out
in a timely and accurate manner.
Risk Response
• Identifies and evaluates possible
responses to risk.
• Evaluates options in relation to entity’s
risk appetite, cost vs. benefit of potential
risk responses, and degree to which a
response will reduce impact and/or
likelihood.
• Selects and executes response based on
evaluation of the portfolio of risks and
responses.
Control Activities
• Policies and procedures that help
ensure that the risk responses, as well
as other entity directives, are carried
out.
• Occur throughout the organization, at
all levels and in all functions.
• Include application and general
information technology controls.
Information & Communication
• Management identifies, captures, and
communicates pertinent information in
a form and timeframe that enables
people to carry out their responsibilities.
• Communication occurs in a broader
sense, flowing down, across, and up
the organization.
Monitoring
Effectiveness of the other ERM
components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.
Internal Control
A strong system of internal
control is essential to effective
enterprise risk management.
Relationship to Internal Control —
Integrated Framework
• Expands and elaborates on elements
of internal control as set out in COSO’s
“control framework.”
• Includes objective setting as a separate
component. Objectives are a “prerequisite” for
internal control.
• Expands the control framework’s “Financial
Reporting” and “Risk Assessment.”
ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors
Internal Auditors
• Play an important role in monitoring
ERM, but do NOT have primary
responsibility for its implementation
or maintenance.
• Assist management and the board or
audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
Internal Auditors
Visit the guidance section of
The IIA’s Web site for The IIA’s
position paper, “Role of Internal
Auditing in Enterprise Risk
Management.”
Standards
• 2010.A1 – The internal audit activity’s plan
of engagements should be based on a risk
assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk
assessment, the internal audit activity
should evaluate the adequacy and
effectiveness of controls encompassing the
organization’s governance, operations, and
information systems.
• 2210.A1 – When planning the engagement,
the internal auditor should identify and
assess risks relevant to the activity under
review. The engagement objectives should
reflect the results of the risk assessment.
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review
by management
Organizational Design
• Strategies of the business
• Key business objectives
• Related objectives that cascade
down the organization from key
business objectives
• Assignment of responsibilities to
organizational elements and leaders
(linkage)
Example: Linkage
• Mission – To provide high-quality
accessible and affordable community-
based health care
• Strategic Objective – To be the first
or second largest, full-service health
care provider in mid-size metropolitan
markets
• Related Objective – To initiate
dialogue with leadership of 10 top under-
performing hospitals and negotiate
agreements with two this year
Establish ERM
• Determine a risk philosophy
• Survey risk culture
• Consider organizational integrity
and ethical values
• Decide roles and responsibilities
Example: ERM Organization (org chart)
Top: Vice President and Chief Risk Officer
Second tier: Insurance Risk Manager; ERM Director;
Corporate Credit Risk Manager
Third tier: FES ERM Manager; ERM Manager;
Commodity Risk Mg. Director
Fourth tier: Staff under each third-tier position
Assess Risk
Risk assessment is the
identification and analysis of
risks to the achievement of
business objectives. It forms a
basis for determining how risks
should be managed.
Example: Risk Model
Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk
Environment Risk
actual or potential threat of adverse
effects on living organisms and the
environment by effluents, emissions,
radiation, wastes, resource depletion,
etc., arising out of an organization’s
activities.
Environmental exposures, whether
physical, chemical, or biological, can
induce a harmful response and may affect
soil, water, air, natural resources or entire
ecosystems, as well as the plants and
animals - including humans - and the
surroundings where they live.
Impact of Environmental Risk
• Damage to brand reputation
• Penalties for violation
• Damages resulting from faulty or defective
construction or materials
• Losses from first- and third party property
and material liability
• Expenses for clean-up of emissions
• Business interruption losses during
contamination removal
• Costs associated with premiums, litigation,
investigation, and compliance
Impact of Environmental Risk
• Expenses for remediation measures
• Historical (pre-existing) coverage for
past events or operations
• Demonstrating financial assurance to
satisfy regulation requirements in a
contamination event: financial security,
complete and complementary
mechanisms (i.e. bonds, surety), closure
and post-closure care of hazardous
waste facilities and landfills, etc.
PROCESS RISK
is a loss in revenue as a result of
ineffective and/or inefficient processes.
Ineffective processes hamper the
achievement of the organization's
objectives, whereas inefficient
processes may succeed in achieving
objectives yet incur high costs.
Types of Process Risk
1. Infrastructure Risk
Infrastructure outages such as failure of basic
communications linkages can trigger process failures.
2. Information Technology Risk
The risk of technology errors or security incidents that
disrupt or invalidate processes.
3. Human Error
Errors or oversights can result in low quality or failed
processes. For example, if a stock trader incorrectly
enters an order the order may execute at the wrong price
or quantity, potentially representing a significant loss.
It is often possible to reduce human error by designing
processes that are human-friendly and error tolerant.
Types of Process Risk
4. Workplace Safety
Potential threats to human health and
safety such as a physical accident or
injury due to repetitive strains.
5. Mechanical Failure
Breakdown of equipment can disrupt
processes such as manufacturing or
supply chain operations.
Types of Process Risk
6. Process Quality
In many cases, it is the quality of a
process itself that leads to failures. A
low quality process may not properly
anticipate real world conditions and
may break down with changes in the
business environment. For example, a
customer service process may work
under normal conditions but may fail
when call volumes spike.
Operational risk
is "the risk of a change in value
caused by the fact that actual
losses, incurred for inadequate or
failed internal processes, people and
systems, or from external events
(including legal risk), differ from the
expected losses".
Employee empowerment
entails giving employees the
authority to make critical business
decisions on their own with little to
no supervision.
Employee empowerment Risk
• Increased Arrogance
– When employees are empowered,
their confidence levels tend to
increase. (Positive)
– confidence is a good thing because
it creates happier workers and
productivity levels soar. (Positive)
– confidence levels can be taken too
far and end up crossing the line
into arrogance. (Negative)
Employee empowerment Risk: Confidentiality and
Security Risks
• Empowerment means sharing important
information with employees. This free
exchange of ideas and information makes
the employees feel appreciated and
important. (Positive)
• When information is freely exchanged
with people throughout the company,
there is an increased risk that
confidential and security-related data
will be disclosed. (Negative)
Employee empowerment Risk: Lack of Experience Risks
• Empowered employees take on more
responsibility within the company. As
they take on more responsibility, they
begin working independently with
little to no supervision. (positive)
• This saves the company money by
decreasing its managerial workforce.
(positive)
• Empowered employees often lack the
experience of managers and supervisors
who are educated and trained in making
sound decisions. (negative)
• This lack of experience leads to an
increase in mistakes and unnecessary
company risks. (negative)
Employee empowerment Risk: Interpersonal
Relations Suffer
• Employees may confuse empowerment,
being able to make their own decisions,
with having the authority to do
whatever they want. (negative)
• As employees take on additional
responsibilities, some may end up
taking things too far. (negative)
• As a result, interpersonal relations
within the company will suffer and
incidents involving conflict will rise.
(negative)
Technology Risk
• The potential for losses due to
technology failures.
– An ecommerce website crashes
resulting in lost revenue.
– A technology project goes over
budget and fails to meet goals set out
in its business case.
– A security incident results in theft of
customer data resulting in legal
liability, reputational damage and
compliance issues.
Integrity Risk
• the probability that integrity is not
achieved
– Operations
• Performance
– Financial reporting
• Reliable, transparent
– Compliance
• Honest
Financial Risk
The possibility that shareholders or
other financial stakeholders will lose
money when they invest in a company
that has debt, if the company's cash
flow proves inadequate to meet its
financial obligations.
When a company uses
debt financing, its creditors are
repaid before shareholders if the
company becomes insolvent.
Types of Financial Risk
• Credit risk, also referred to as default
risk, is the type of risk associated
with people who borrow money and
become unable to pay for the money
they borrowed. Lenders face:
– decreased income from loan payments,
– lost principal and interest, or
– a rise in costs for collection.
• Liquidity risk involves securities
and assets that cannot be
purchased or sold quickly enough
to cut losses in a volatile market.
• Currency risk – interest rate changes and
monetary policy changes can alter
the value of the asset that
investors are holding.
• Investment risk – changes in prices
because of market differences, political
changes, natural calamities,
diplomatic changes or economic
conflicts.
Strategic Risk
• is the risk that failed business decisions,
or lack thereof, may pose to a company.
• is often a major factor in determining a
company's worth, particularly
observable if the company experiences
a sharp decline in a short period of time.
• Due to this and its influence on
compliance risk, it is a leading factor in
modern risk management.
Strategic Risk
• Companies whose cultures do not put a
strong emphasis on integrity have been
found to be 10 times more likely to
commit unethical acts than those that do.
• Customer service strategies – chiefly,
the idea that a customer service worker
should do everything they can to please
the customer, or what many call
"going the extra mile".
Risk Analysis
Risk Assessment   | Risk Management        | Risk Monitoring
Identification    | Control It             | Process Level
Measurement       | Share or Transfer It   | Activity Level
Prioritization    | Diversify or Avoid It  | Entity Level
Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors
Steps in risk assessment
• Identify
– Risk and opportunities
– Who/what are affected
– Scope of impact
• Evaluate – measure
– Who/what are affected
– Scope of impact
• Select and execute
– Prioritize according to impact
Risk Management
• Control
– Setting internal controls
– Reduce/mitigate – lessen the impact
– Accept – low impact
• Transfer
– Share the liability (insurance,
outsourcing)
• Avoid
– High impact (reschedule, stop)
Risk Monitoring
• Risk monitoring is the ongoing
process of managing risk.
– Residual risk
– New risk
• Risk monitoring is the process of
tracking risk management
execution and continuing to
identify and manage new risks.
DETERMINE RISK APPETITE
• Risk appetite is the amount of risk — on
a broad level — an entity is willing to
accept in pursuit of value.
• Use quantitative or qualitative terms
(e.g. earnings at risk vs. reputation
risk), and consider risk tolerance (range
of acceptable variation).
DETERMINE RISK APPETITE
Key questions:
• What risks will the organization not
accept?
(e.g. environmental or quality compromises)
• What risks will the organization take
on new initiatives?
(e.g. new product lines)
• What risks will the organization
accept for competing objectives?
(e.g. gross profit vs. market share?)
IDENTIFY RISK RESPONSES
• Quantification of risk exposure
• Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone
(e.g. insurance)
• Residual risk (unmitigated risk – e.g. shrinkage)
Impact vs. Probability
              | Low probability       | High probability
High impact   | Medium Risk – Share   | High Risk – Mitigate & Control
Low impact    | Low Risk – Accept     | Medium Risk – Control
Example: Call Center Risk
Assessment
High impact, low probability (Medium Risk):
• Loss of phones
• Loss of computers
High impact, high probability (High Risk):
• Credit risk
• Customer has a long wait
• Customer can’t get through
• Customer can’t get answers
Low impact, low probability (Low Risk):
• Fraud
• Lost transactions
• Employee morale
Low impact, high probability (Medium Risk):
• Entry errors
• Equipment obsolescence
• Repeat calls for same problem
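The impact-vs-probability matrix above, worked as an added example that is not part of the original deck: a small Python risk register that places each item in the slide's quadrant, applies the response the slide recommends, and reports which residual risks still exceed a stated tolerance (the corrective-action step). The 1..5 ratings, the "High" threshold and the reduction factors per response are constructed assumptions; the item names come from the call-center slide.

```python
from dataclasses import dataclass

LEVEL_ORDER = {"Low Risk": 0, "Medium Risk": 1, "High Risk": 2}
THRESHOLD = 3  # assumption: a 1..5 rating of 3 or more counts as "High"

# Quadrants from the slide, keyed by (impact high?, probability high?).
MATRIX = {
    (True, False): ("Medium Risk", "Share"),
    (True, True): ("High Risk", "Mitigate & Control"),
    (False, False): ("Low Risk", "Accept"),
    (False, True): ("Medium Risk", "Control"),
}

# Constructed assumption: multipliers each response applies to
# (impact, probability). Sharing transfers part of the impact,
# controls cut probability, acceptance leaves ratings unchanged.
RESPONSE_EFFECT = {
    "Share": (0.5, 1.0),
    "Mitigate & Control": (0.6, 0.4),
    "Accept": (1.0, 1.0),
    "Control": (1.0, 0.5),
}


@dataclass
class Risk:
    name: str
    impact: int       # inherent impact rating, 1..5
    probability: int  # inherent probability rating, 1..5


def classify(impact, probability):
    """Map an (impact, probability) pair to the slide's quadrant and response."""
    return MATRIX[(impact >= THRESHOLD, probability >= THRESHOLD)]


def assess(risk):
    """Pick the response from the matrix, then derive the residual position."""
    level, response = classify(risk.impact, risk.probability)
    f_imp, f_prob = RESPONSE_EFFECT[response]
    res_level, _ = classify(risk.impact * f_imp, risk.probability * f_prob)
    return {"name": risk.name, "inherent": level,
            "response": response, "residual": res_level}


def corrective_actions(register, tolerance):
    """Names of risks whose residual level still exceeds the tolerance."""
    limit = LEVEL_ORDER[tolerance]
    return [a["name"] for a in map(assess, register)
            if LEVEL_ORDER[a["residual"]] > limit]


# Constructed sample register built from items on the call-center slide;
# the ratings are illustrative assumptions, not figures from the deck.
CALL_CENTER = [
    Risk("Loss of phones", impact=5, probability=1),
    Risk("Credit risk", impact=5, probability=5),
    Risk("Customer can't get through", impact=4, probability=4),
    Risk("Entry errors", impact=2, probability=4),
    Risk("Fraud", impact=1, probability=1),
]

if __name__ == "__main__":
    for entry in map(assess, CALL_CENTER):
        print(entry)
    print("Corrective action:", corrective_actions(CALL_CENTER, "Low Risk"))
```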
Example: Accounts Payable
Process
Control Objective: Completeness
Risk: Material transaction not recorded;
invoices accrued after closing
Control Activity: Accrual of open liabilities
Issue: Invoices go to field and AP is not aware of liability.
Communicate Results
• Dashboard of risks and related responses
(visual status of where key risks stand relative
to risk tolerances)
• Flowcharts of processes with key controls
noted
• Narratives of business objectives linked to
operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business
risk responsibility and communication of
assignments
Monitor
• Collect and display information
• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
Management Oversight &
Periodic Review
• Accountability for risks
• Ownership
• Updates
- Changes in business
objectives
- Changes in systems
- Changes in processes
Internal auditors can add value
by:
• Reviewing critical control systems and
risk management processes.
• Performing an effectiveness review of
management's risk assessments and
the internal controls.
• Providing advice in the design and
improvement of control systems and
risk mitigation strategies.
Internal auditors can add value
by:
• Implementing a risk-based approach to
planning and executing the internal
audit process.
• Ensuring that internal auditing’s
resources are directed at those areas
most important to the organization.
• Challenging the basis of management’s
risk assessments and evaluating the
adequacy and effectiveness of risk
treatment strategies.
Internal auditors can add value
by:
• Facilitating ERM workshops.
• Defining risk tolerances where none
have been identified, based on internal
auditing's experience, judgment, and
consultation with management.
For more information
On COSO’s
Enterprise Risk Management
— Integrated Framework,
visit
www.coso.org
or
www.theiia.org
This presentation
was produced
by