COSO: Current ERM Challenges and Our Responses

Post on 11-Feb-2016


RIMS 2012 Annual Conference

April 17, 2012

by David Landsittel, COSO Chairman

About COSO

• Formed in 1985 to sponsor a Commission to examine fraudulent financial reporting
• A joint initiative of five private sector organizations
• Sponsors:
– American Accounting Association (AAA)
– American Institute of Certified Public Accountants (AICPA)
– Financial Executives International (FEI)
– Institute of Management Accountants (IMA)
– The Institute of Internal Auditors (IIA)

Mission

COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

COSO’s Fundamental Principle

Good risk management and internal control are necessary for the long-term success of all organizations

COSO’s Three Areas of Focus

1. Enterprise Risk Management
2. Internal Control
3. Fraud Deterrence

Timeline

1987: Treadway Commission Report
1992: Internal Control – Integrated Framework
1996: Internal Control Issues in Derivatives
1999: Fraud Study I – Fraudulent Financial Reporting: 1987-1997
2004: Enterprise Risk Management Framework
2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
2009: Guidance on Monitoring Internal Control Systems
2010: Fraud Study II – Fraudulent Financial Reporting: 1998-2007
2010-2012: Recent ERM thought papers on current issues

COSO ERM Framework

• Issued in 2004
• Fundamental characteristics:
– A portfolio view of risks at the entity level
– Risk identification, prioritization, and response
– Managing risk within the entity’s risk appetite
– Consideration of risks in the formulation of strategy
• Widely but not universally used
• Implementation not as robust as it should be

Some Current ERM Challenges that Impact COSO

• Uneven support to adopt any formal risk management process
• Less than robust ERM implementation
• Difficulty “getting started” with ERM implementation
• Failure to consider low-likelihood but high-impact risks – overconfidence
• Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight
• Immature development of risk appetite

COSO ERM Response

Our objective – to assist stakeholders in moving up the “maturity curve” of an effective ERM process

COSO ERM “Thought Papers”

1. “Effective Enterprise Risk Oversight: The Role of Board of Directors” – 09/2009
2. “Strengthening Enterprise Risk Management for Strategic Advantage” – 10/2009
3. “Board Risk Oversight – A Progress Report” – 12/2010
4. “COSO’s 2010 Report on ERM” – 12/2010
5. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started” – 01/2011
6. “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” – 01/2011
7. “Understanding and Communicating Risk Appetite” – 01/2012
8. “Enhancing Board Oversight: Avoiding Judgment Traps and Biases” – 03/2012

Coming Soon:
– “COSO Enterprise Risk Management for Cloud Computing”

1. “Effective Enterprise Risk Oversight: The Role of Board of Directors”

• Outlines four areas contributing to effective ERM board oversight:
1. Understanding risk appetite
2. Understanding how an entity’s portfolio of risks aligns with risk appetite
3. Understanding the most significant risks and how management is responding
4. Understanding and assessing risk management processes

2. “Strengthening Enterprise Risk Management for Strategic Advantage”

• Focuses on how management can work with the board to enhance the board’s oversight capabilities

• Discusses the four ERM focus areas noted on the preceding slide, but from a management perspective

3. “Board Risk Oversight – A Progress Report”

• Major findings:
– A strong majority report that boards are not executing mature/robust risk oversight processes
– Overall dissatisfaction with the way risk is considered in the context of the enterprise’s strategy
– Processes for monitoring and reporting of risks should be enhanced
– Public companies report better processes than other enterprises

4. “COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight”

• The state of ERM appears to be relatively immature, with a notable level of dissatisfaction with how organizations are currently overseeing enterprise-wide risks

• Reporting of top risk exposures to the board appears to be casual and unstructured

• Most respondents believe that the COSO ERM Framework is theoretically sound and describes the key elements of a robust ERM process

5. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started”

• Describes how an organization can start to move from informal risk management to ERM

• Discusses the increasing importance of an enterprise focus on risks

• Examines perceived barriers to starting ERM and working through those barriers

6. “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”

• Emphasizes the need for ERM processes that focus on forward-looking information – i.e. key risk indicators or “KRIs”

• Illustrates how KRIs heighten board and management enterprise risk awareness

• Provides practical examples to help executives develop effective KRIs

7. “Understanding and Communicating Risk Appetite”

• Emphasizes that risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives

• Stresses that risk and strategy are intertwined – strategy must be formulated with due regard to risk appetite

• Points out that risk appetite should be communicated by management, embraced by the board, and integrated throughout the entity

• Emphasizes that well communicated risk appetite serves as a boundary around the amount of risk an organization might take on

8. “Enhancing Board Oversight: Avoiding Judgment Traps and Biases”

• Observes that the complexities of the global business environment place a premium on sound judgment and decision making

• Highlights some pitfalls and biases in judgment to which decision makers are vulnerable

• Details a five-step judgment process that board members and others can use to overcome common pitfalls and mitigate the effects of judgment bias

“COSO Enterprise Risk Management for Cloud Computing” – Coming Soon

• Emphasizes that cloud computing entails new business risks because it brings to organizations a different dimension of collaboration, human interaction and other factors

• Applies the COSO ERM model to those risk considerations

• Points out that for many organizations, applying cloud computing with appropriate risk mitigation in place will bring multiple benefits

David Landsittel
www.coso.org

Thank You
