I – Who is COSO?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]).
Regarding enterprise risk management (ERM), in 2004 COSO issued Enterprise Risk Management – Integrated Framework. COSO has also published several thought papers beginning in 2009 relating to ERM.
Regarding internal control, in 1992, COSO published Internal Control – Integrated Framework. This framework was revised and reissued in May 2013.
Finally, in the area of fraud deterrence, COSO has published two research studies. The first study released in 1999 was titled Fraudulent Financial Reporting: 1987-1997. A continuation study called Fraudulent Financial Reporting: 1998-2007 was released in 2010.
II – What has Enterprise Risk Management achieved? Why has there been a need for an update?
COSO published Enterprise Risk Management – Integrated Framework in 2004. Its philosophy was to help entities better protect and enhance stakeholder value: “Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”
The Framework has been used successfully around the world, across industries and in organizations of all types and sizes to identify risks, manage those risks within a defined risk appetite, and support the achievement of objectives. Yet, while many have applied the Framework in practice, it has the potential to be used more extensively. It would benefit from examining certain aspects with more depth and clarity and from providing greater insight into the links between strategy, risk and performance.
Since 2004, the complexity of risk has changed, significant new risks have emerged, and boards have enhanced their awareness and oversight of risk management while asking for improved risk reporting. Updates to the Framework reflect current and evolving concepts and applications of enterprise risk management, so that organizations worldwide can attain better value from enterprise risk management. The updated document is titled Enterprise Risk Management – Aligning Risk with Strategy and Performance.
The COSO board released Enterprise Risk Management – Aligning Risk with Strategy and Performance for public comment on June 15, 2016; the public exposure period ends on September 30, 2016. For more detailed information, please visit www.coso.org
III – What are the differences between the 2004 and 2017 ERM Frameworks?
Differences between definitions
2004 COSO ERM
Enterprise risk management is defined here as: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The definition reflects certain fundamental concepts. Enterprise risk management is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity’s management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories.
2017 COSO ERM
Enterprise risk management is defined here as: “The culture, capabilities and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving and realizing value.”
A more in-depth look at the definition shows that ERM emphasizes its focus on managing risk through:
- Recognizing culture.
- Developing capabilities.
- Applying practices.
- Integrating with strategy-setting and performance.
- Managing risk to strategy and business objectives.
- Linking to value.
Differences between components
2004 COSO ERM
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
- Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
- Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
- Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Achievement of Objectives
Within the context of an entity’s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
- Strategic – high-level goals, aligned with and supporting its mission
- Operations – effective and efficient use of its resources
- Reporting – reliability of reporting
- Compliance – compliance with applicable laws and regulations
Relationship of Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them.
The relationship is depicted in a three-dimensional matrix, in the form of a cube.
Figure 1 : Risk Management Components in COSO ERM 2004
2017 COSO ERM
The Framework consists of five interrelated components and twenty principles. The components are Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting. Figure 2 illustrates these components and their relationship with the entity’s mission, vision and core values. The three ribbons in the diagram for Strategy and Objective-Setting, Performance, and Review and Revision represent the common processes that flow through the entity. The other two ribbons, Governance and Culture, and Information, Communication and Reporting, represent supporting aspects of enterprise risk management.
The figure further illustrates that when enterprise risk management is integrated across strategy development, business objective formulation and implementation and performance, it can enhance value. Enterprise risk management is not static. It is integrated into the development of strategy, formulation of business objectives and the implementation of those objectives through day-to-day decision-making.
Figure 2: Risk Management Components in COSO ERM 2017
Within these five components are a series of principles as illustrated in Figure 3. The principles represent the fundamental concepts associated with each component. These principles are worded as things organizations would do as part of the entity’s ERM practices. While these principles are universal and form part of any effective ERM initiative, management must bring judgement to bear in applying them.
Figure 3 : Risk Management Components Principles
IV – Components and Principles of Enterprise Risk Management Integrated with Strategy and Performance
COSO introduces five interrelated components supported by 20 principles that cover everything from governance to monitoring.
1- Governance and Culture: Governance and culture form a basis for all other components of ERM. Risk governance sets the entity’s tone, reinforces the importance of and establishes oversight responsibilities for ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the organization. Culture is reflected in decision-making. An entity’s board of directors plays an important role in governance and significantly influences enterprise risk management.
There are five principles relating to this component:
Principle 1: Exercises Board Risk Oversight: The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.
The board of directors has the primary responsibility for risk oversight of the entity. For effective risk oversight, the board collectively needs the requisite skills, experience and business knowledge to understand the entity’s strategy and industry, and to be informed on issues affecting the entity.
Principle 2: Establishes Operating Structures: The organization establishes governance and operating structures in the pursuit of strategy and business objectives.
The organization establishes an operating model and designs reporting lines to execute the strategy and business objectives. Different operating models may result in different perspectives of a risk profile, which may affect ERM practices. Organizations consider all relevant factors when deciding what operating model to adopt.
Principle 3: Defines Desired Organizational Behaviors: The organization defines the desired behaviors that characterize the entity’s desired culture.
An entity’s culture influences how the organization applies this Framework: how it identifies risk, what types of risk it accepts, and how it manages risk. A risk-aware culture can be established within the organization by maintaining strong leadership, employing a participative management style, enforcing accountability for all actions, embedding risk in decision-making, and having open communication and reporting about risk.
Principle 4: Demonstrates Commitment to Core Values: The organization demonstrates a commitment to the entity’s core values.
A strong and supportive tone that is communicated from the top of the organization is fundamental to ERM. Having a consistent tone helps an organization establish a common understanding of the core values, business drivers, and desired behavior of personnel and business partners. To communicate the organization’s expectations of ethics and desired behaviors, including behaviors relating to ERM and decision-making, a code of conduct is established.
Principle 5: Attracts, Develops and Retains Capable Individuals: The organization is committed to building human capital in alignment with the strategy and business objectives.
Management, with board oversight, defines the human capital needed to carry out strategy and business objectives. Management considers knowledge, skills and experience requirements, and establishes the structure and process to attract, train, evaluate and retain people, as well as succession planning.
2- Strategy and Objective-Setting: Enterprise risk management is integrated into the entity’s strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organization can gain insight into internal and external factors and their effect on risk. Risk appetite is established and aligned with strategy. The business objectives allow strategy to be put into practice and shape the entity’s day-to-day operations and priorities.
Four principles have been set relating to this component:
Principle 6: Analyzes Business Context: The organization considers potential effects of business context on risk profile.
“Business context” refers to the trends, relationships and other factors that influence, clarify, or drive change to an organization’s current and future strategy and business objectives. Therefore, an organization considers business context when developing strategy to support its mission, vision and core values. Both external and internal environments and stakeholders must be taken into account as components of the business context. All the factors included in business context have effects on an entity’s risk profile that may be viewed in three stages as past, current and future performance.
Principle 7: Defines Risk Appetite: The organization defines risk appetite in the context of creating, preserving, and realizing value.
“Risk appetite” is the types and amount of risk, on a broad level, an entity is willing to accept in the pursuit of value. It sets the range of appropriate practices rather than specifying a limit. There is no standard or “right” risk appetite that applies to all entities. Management and the board of directors choose a risk appetite with full understanding of the trade-offs involved. A variety of approaches are available to determine it, such as facilitated discussions, reviewing past and current performance targets, and modeling. Also, an organization may consider strategic, financial and operating parameters, as well as its risk profile, risk capacity and ERM capability and maturity, when determining risk appetite. Risk appetite is communicated by management, endorsed by the board, and disseminated throughout the entity, since the goal is for all decision makers to understand and apply it in all operations.
Principle 8: Evaluates Alternative Strategies: The organization evaluates alternative strategies and impact on risk profile.
An organization must evaluate alternative strategies as part of its strategy-setting process and assess the risks and opportunities of each option. Alternative strategies are assessed in the context of the organization’s resources and capabilities to create, preserve and realize value. Alternative strategies are evaluated from two different perspectives of risk: 1) the possibility that the strategy does not align with the mission, vision and core values of the entity, as well as its culture and risk appetite, and 2) understanding the implications of the chosen strategy.
Principle 9: Formulates Business Objectives: The organization considers risk while establishing the business objectives at various levels that align and support strategy.
The organization develops business objectives that are measurable or observable, attainable, and relevant. They may relate to financial performance, customer aspirations, operational excellence, compliance obligations, efficiency gains, innovation leadership and so on. Individual objectives are aligned with strategy and risk appetite and support the achievement of the mission and vision of the entity. An organization must understand the potential implications of chosen business objectives to its risk profile, resources and capabilities.
3 – Performance
An organization identifies and assesses risks that may affect the entity’s ability to achieve its strategy and business objectives. Risks are prioritized according to their severity and considering the entity’s risk appetite. The organization then selects risk responses and monitors performance for change. The organization determines a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and business objectives.
There are five principles relating to the third component:
Principle 10: Identifies Risk: The organization identifies risk that impacts the performance of strategy and business objectives.
The organization identifies new, emerging and changing risks to the achievement of its strategy and business objectives. Those risks may arise from a change in business objectives or business context and may alter the risk profile in the future. Identifying risks allows management to look to the future and gives them time to assess the potential severity of those risks, to anticipate the risk response, or to review the entity’s strategies and business objectives as necessary. The risks captured by the risk identification process are commonly referred to as a “risk universe”, a qualitative listing of the risks the entity faces.
Principle 11: Assesses Severity of Risk: The organization assesses the severity of risk.
Identified risks are assessed to understand the severity of each risk to the achievement of an entity’s strategy and business objectives. Risk assessment approaches may be qualitative, quantitative, or both. Types of approaches include scenario analysis, simulation, data analysis, and interviews. Management considers inherent risk, target residual risk and actual residual risk as part of the risk assessment. The severity of the risk is determined by management to select an appropriate risk response, allocate resources, and support management decision-making and performance.
Principle 12: Prioritizes Risk: The organization prioritizes risks as a basis for selecting responses to risks.
Organizations prioritize risks in order to identify and select appropriate risk responses. The priorities are determined by applying such agreed-upon criteria as adaptability, complexity, velocity, persistence and recovery. Risk prioritization occurs at all levels of the entity, and different risks may be assigned different priorities at different levels.
Principle 13: Implements Risk Responses: The organization identifies and selects risk responses.
For all identified risks, management selects and deploys an appropriate risk response. Responses are categorized as to “accept, avoid, pursue, reduce, and share” risk. Management considers business context, costs and benefits, obligations and expectations, risk priority, risk severity, and risk appetite while selecting and deploying risk responses.
Principle 14: Develops Portfolio View: The organization develops and evaluates a portfolio view of risk.
ERM requires the organization to consider potential implications to the risk profile from an entity-wide, or portfolio, perspective. This view allows management and the board to consider the type, severity, and interdependencies of risks, and how they may affect performance. With a portfolio view, management is able to determine whether the entity’s residual risk profile aligns with the overall risk appetite.
4 – Review and Revision
An entity’s strategy or business objectives and ERM practices and capabilities may change over time as the entity adapts to a shifting business context. In addition, the business context in which the entity operates can also change, resulting in current practices no longer applying or no longer being sufficient to support the achievement of current or updated business objectives. As necessary, the organization revises its practices or supplements its capabilities.
The fourth component has three principles:
Principle 15: Assesses Substantial Change: The organization identifies and assesses changes that may substantially affect strategy and business objectives.
Monitoring substantial change, which may lead to new or changed risks, should be built into business processes and performed continually. Substantial changes in internal and external environment, such as rapid growth, new technology, changing regulatory environment, mergers and acquisitions, could potentially change the entity’s portfolio view of risk or impact how ERM functions.
Principle 16: Reviews Risk and Performance: The organization reviews entity performance and considers risk.
From time to time, the organization may wish to consider its ERM capabilities and practices. Observations may relate to incorrect assumptions, implemented practices, entity capabilities, or cultural factors. Sometimes, however, performance is affected because of the inherent nature of risk, which an organization cannot predict with complete accuracy. By reviewing performance, organizations seek answers to questions such as:
- Has the entity performed as expected and achieved its target?
- What risks are occurring that may be affecting performance?
- Was the entity taking enough risk to attain its target?
- Was the estimate of the amount of risk accurate?
Principle 17: Pursues Improvement in Enterprise Risk Management: The organization pursues improvement of enterprise risk management.
Management pursues continual improvement throughout the entity (functions, operating units, divisions) to improve efficiency and usefulness of enterprise risk management at all levels.
5 – Information, Communication and Reporting
Communication is the continual, iterative process of providing, sharing and obtaining information, which flows throughout the entity. Management uses relevant information from both internal and external sources to support enterprise risk management. The organization reports on risk, culture, and performance at multiple levels of the entity.
There are three principles regarding this component:
Principle 18: Leverages Information and Technology: The organization leverages the entity’s information and technology systems to support enterprise risk management.
Information systems provide organizations with the data and information they need to support ERM. Information systems can be as simple as spreadsheets or as complex as fully integrated systems and tools. The decision on what technology to implement depends on many factors, including organizational goals, marketplace needs, competitive requirements, and the costs and benefits.
Principle 19: Communicates Risk Information: The organization uses communication channels to support enterprise risk management.
Organizations use various channels to communicate risk data and information effectively to internal and external stakeholders, as well as to the board of directors and shareholders. Effective communication between the board of directors and management is also critical to achieving the strategy and business objectives. Risk responsibilities should be clearly defined at the board and management levels; the board and management should continually discuss risk appetite; and management provides any information that helps the board fulfill its oversight responsibilities concerning risk.
Principle 20: Reports on Risk, Culture, and Performance: The organization reports on risk, culture and performance at multiple levels of and across the entity.
Reporting supports personnel at all levels in understanding the relationships between risk, culture, and performance, and in improving decision-making in strategy and objective-setting, governance, and day-to-day operations. Reporting can include quantitative and qualitative risk information, and the presentation can range from fairly simple to more complex depending on the size, scope, scale, and complexity of the entity.