COSO ERM – What’s Changed and Why
Douglas J Anderson, CIA, CRMA, CPA, CMA
Managing Director – CAE Solutions
The Institute of Internal Auditors
Agenda
• The Risk Management Journey
• COSO ERM Revisions – Why
• COSO ERM Revisions – What
• Is ISO Asleep?
• Why This Matters to Internal Audit
Risk Management Journey
Foundational Concepts of ERM
• Every entity exists to provide value for its stakeholders
• All entities face uncertainty
• Uncertainty presents both risk and opportunity
• The challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value
• ERM enables management to effectively manage uncertainty and associated risk and opportunity
The Strategic Value of Enterprise Risk Management
• Increases the range of opportunities
• Identifies and manages entity-wide risks
• Reduces surprises and losses
• Reduces performance variability
• Improves resource deployment
• Anticipates, identifies, adapts, and responds to change
SEC Proxy Requirement…
Provide Information About Board Leadership Structure and the Board's Role in Risk Oversight:
• The SEC approved rules relating to board leadership structure and the board's role in risk oversight. The rules require disclosure about:
• A company's board leadership structure, including whether the company has combined or separated the chief executive officer and chairman position, and why the company believes its structure is the most appropriate for the company at the time of the filing.
• In certain circumstances, whether and why a company has a lead independent director and the specific role of such director.
• The extent of the board's role in the risk oversight of the company.
COSO: Thought Leadership to Improve Your Organization
COSO Mission
COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
COSO’s Fundamental Principle
Good risk management and internal control are necessary for the long-term success of all organizations
Topics Included in the 2004 COSO ERM Framework…
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
ERM is Defined as….
“A process effected by an entity’s board of directors, management and other personnel, applied in a strategic setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
COSO ERM Revisions – Why?
COSO ERM Update
Like Fine Wine… 2004 - 2017
Why Update the Framework Now?
• Concepts and practices have evolved
• Lessons learned
• Bar raised with respect to enterprise risk management
• Business and operating environments more complex, technologically driven, and global in scale
• Stakeholders more engaged, seeking greater transparency and accountability
• Risk discussions increasingly prominent at the board level
COSO ERM Revisions – What?
It’s all About Performance …
A Key Introduction…
• Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy
• Every choice we make in the pursuit of objectives has its risks
• From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives
Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value
COSO ERM
Examines the Role of Culture
• Influences all aspects of enterprise risk management
• Explores the relationship with culture in the context of:
– Risk governance
– Oversight of the entity
– Connection between framework components
• Depicts the behavior within a risk spectrum from risk averse to risk aggressive
• Explores the alignment of culture between individual and entity behavior
Elevates Discussion of Strategy
Explores enterprise risk management and strategy from three different perspectives:
• The possibility of strategy and business objectives not aligning with mission, vision and values
• The implications from the strategy chosen
• Risk to executing the strategy
Align with Performance
Actively managing risk to achieve business objectives
• Focus on how risk is integral to decision making & performance
‒ ERM practices support the identification and assessment of risks that impact performance
‒ Discussing acceptable variations in performance
• Manages the portfolio of risk in the context of achieving business objectives, not as individual risks
• Seeks to enhance the integrated reporting on risk and performance
Risk Responses
• Accept
• Avoid
• Pursue
• Reduce
• Share
Delineates Between Enterprise Risk Management and Internal Control
• The document does not replace the 2013 Internal Control – Integrated Framework
• The two frameworks are distinct and complementary
• Both use a components and principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework
ERM Update Approach and Timing
[Timeline figure, phases in order: Assess and Envision (Q3 2014); Build and Design (Q4 2014); Public Exposure (Q2 2016); Finalization (Q4 2016 - Q2 2017)]
Is ISO Asleep?
ISO 31000
Why This Matters to Internal Audit
Strategic Risks
Should Internal Audit Have a More Active Role in an Organization’s Strategic Risks?
• Yes: 64%
• No: 20%
• Unsure: 16%
Responding to Strategic Risks
[Chart: Board vs. C-Suite responses, 2015 CBOK Stakeholder Study. Categories: Facilitating risk assessment; Assessing reliability of metrics used to monitor strategic initiatives; Evaluating execution of strategic initiatives; Evaluating and communicating key risks; Focusing on strategic risks during audit projects. Percentages as extracted, one series 45%, 48%, 48%, 69%, 74% and the other 45%, 53%, 53%, 76%, 86%; the pairing of values with categories is not recoverable from the text.]
Beyond Assurance, What Should Be in Scope
[Chart: percentage of stakeholders selecting each scope item, values 71%, 74%, 76%, 78%, 78%, 85%; the pairing of values with items is not recoverable from the text. Items: Assurance on compliance with legal and regulatory requirements; Alert operational management to emerging issues and changing regulatory and risk scenarios; Consult on business process improvements; Identify appropriate risk management frameworks, practices and processes; Facilitate and monitor effective risk management practices by operational management; Identify known and emerging risk areas.]
Measuring Risk
IIA Standard 210 – Planning
“The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.”
Risk Profile
• COSO ERM introduces a new depiction referred to as a risk profile
• Incorporates:
- Risk
- Performance
- Risk appetite
- Risk capacity
Determining the Severity of Risk
“The severity of the risk is determined by management in order to select an appropriate risk response, allocate resources, and support management decision-making and performance. Measures may include:
• Impact: Result or effect of a risk. There may be a range of possible impacts associated with a risk. The impact of a risk may be positive or negative relative to the strategy or business objectives.
• Likelihood: The possibility of a risk occurring.”
Traditional Heat Map
[Heat map figure: Likelihood on the vertical axis, Impact on the horizontal axis]
Prioritizing Risk
“Organizations prioritize risks in order to inform decision-making and optimize the allocation of resources. Risk prioritization considers the severity of a risk and informs the selection of the risk response. The priorities are determined by applying agreed-upon criteria. Examples of these criteria include:
• Adaptability: The capacity of an entity to adapt and respond to risks…
• Complexity: The scope and nature of a risk to the entity’s success. The interdependency of risks will typically increase their complexity.
• Velocity: The speed of onset at which a risk impacts an entity…
• Persistence: How long a risk impacts an entity…
• Recovery: The capacity of an entity to return to acceptable variation in performance…”
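The severity, heat-map and prioritization slides above describe a procedure without showing it applied. The following is an added worked example, written for this page and not taken from the presentation or from COSO: it scores a constructed register of security risks on impact and likelihood, places each on a 5×5 heat map, and then orders risks of equal severity by the prioritization criteria the slides list (velocity, persistence, recovery, complexity, adaptability). The 1–5 scales, the red/amber/green thresholds, the criterion ordering and the register entries are all assumptions chosen for illustration; the framework itself leaves the criteria and their weighting to the entity.

```python
from dataclasses import dataclass
from collections import defaultdict

# Scales below are assumptions for this example, not COSO's:
#   impact, likelihood .......... 1 (negligible / rare) to 5 (severe / almost certain)
#   velocity .................... 1 (slow onset) to 5 (immediate)
#   persistence ................. 1 (transient) to 5 (enduring)
#   recovery .................... 1 (easy return to acceptable variation) to 5 (hard)
#   complexity .................. 1 (isolated) to 5 (highly interdependent)
#   adaptability ................ 1 (entity adapts poorly) to 5 (adapts well)


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int
    velocity: int = 1
    persistence: int = 1
    recovery: int = 1
    complexity: int = 1
    adaptability: int = 5


def severity(risk: Risk) -> int:
    """Severity as the impact x likelihood product used by a traditional heat map."""
    return risk.impact * risk.likelihood


def heat_map_band(risk: Risk) -> str:
    """Assumed banding of the 1..25 severity range into red / amber / green."""
    s = severity(risk)
    if s >= 15:
        return "red"
    if s >= 8:
        return "amber"
    return "green"


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk names by their (likelihood, impact) cell, i.e. the heat-map placement."""
    cells: dict[tuple[int, int], list[str]] = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


def priority_key(risk: Risk) -> tuple[int, int, int, int, int, int]:
    """Severity first; among equal severity, faster onset, longer persistence, harder recovery
    and higher complexity rank higher, while better adaptability lowers priority (hence negated)."""
    return (severity(risk), risk.velocity, risk.persistence,
            risk.recovery, risk.complexity, -risk.adaptability)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Return the register ordered from highest to lowest priority."""
    return sorted(risks, key=priority_key, reverse=True)


# Constructed sample register for a hypothetical organization.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", impact=5, likelihood=3,
         velocity=5, persistence=3, recovery=4, complexity=3, adaptability=3),
    Risk("Key vendor insolvency", impact=5, likelihood=3,
         velocity=2, persistence=5, recovery=3, complexity=4, adaptability=2),
    Risk("Credential theft via phishing", impact=3, likelihood=4,
         velocity=4, persistence=2, recovery=2, complexity=2, adaptability=4),
    Risk("Public web page defacement", impact=2, likelihood=3,
         velocity=4, persistence=1, recovery=1, complexity=1, adaptability=5),
    Risk("Data centre flooding", impact=4, likelihood=1,
         velocity=5, persistence=4, recovery=4, complexity=3, adaptability=3),
]


def prioritized_names(risks: list[Risk] = SAMPLE_REGISTER) -> list[str]:
    return [r.name for r in prioritize(risks)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{severity(r):>2} {heat_map_band(r):<5} {r.name}")
```

The two red risks share a severity of 15, so the heat map alone cannot order them; the velocity criterion puts the fast-onset ransomware scenario ahead of the slower vendor insolvency, which is exactly the kind of agreed-upon tie-breaking the prioritization slide calls for. Changing the order of fields in `priority_key` changes the organization's stated criteria, so that tuple is the place to encode whatever the board has agreed.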
Charge to You
• Risk is an inherent aspect of internal audit
• Digest the revisions to COSO ERM and ISO 31000
• Become a “master” of risk theory and practical application
Thank You
The Institute of Internal Auditors
Douglas J Anderson
Managing Director – CAE [email protected]