
COSO's

Enterprise Risk
Management
(ERM) Framework

Enterprise Risk
Management
Overview
Project Background
ERM Defined
Benefits of ERM
8 Components of the
ERM Framework
Limitations
Roles & Responsibilities
To Begin

Project Background
Increased awareness of the importance of Risk Management
due to events of the past five years:
High-profile business scandals
Economic slowdown caused many business failures
World events impose new risks
Emphasized the danger of overlooking risk.
Need for a common guide for discussing, identifying,
evaluating and managing risk.

Project Background
Project was launched by COSO in 2001
Engaged PricewaterhouseCoopers to
write the COSO ERM Framework,
which consists of 3 parts:
Executive Summary
Framework
Application Guidance

Currently in draft form, expected to be issued in 3Q of 2004.

Project Background
Enterprise Risk Management is a process for identifying,
analyzing and managing risk across the entire enterprise.
ERM defines risk and risk management and provides key
principles and concepts, a common language and other
elements of a comprehensive risk management framework.
ERM provides criteria for companies to use in determining
whether their risk management is effective, and if not,
what is needed to make it so.

ERM Defined
Defined in the Framework as:
Enterprise Risk Management is a process, effected by an
entity's board of directors, management and other
personnel, applied in strategy setting and across the
enterprise. It is designed to identify potential events
that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

ERM Defined
The Enterprise Risk Management
process includes:
Identification of potential events that may
impact objectives
Assessment of Risk and a determination of
an appropriate response
Consideration of risk in the formulation of
strategy
Application across the entity takes a
portfolio view of risk.
Risk management within an entity's risk appetite
Monitoring the performance of ERM

ERM Defined
ERM versus the Internal Control - Integrated Framework:
ERM is much broader than the Internal Control - Integrated
Framework
ERM expands on internal control and provides a more robust
and extensive focus on the broader subject of enterprise
risk management.
ERM does NOT replace the internal control framework;
rather, it incorporates elements of the internal control
framework within it.
The Internal Control - Integrated Framework remains in
place as the definition of and framework for internal
control.

Benefits of ERM
ERM enables management to:
Deal effectively with future events
that create uncertainty.
Respond in a manner that reduces
the likelihood of downside
outcomes and increases the
upside.
Maximize value by balancing strategy and objectives
within the entity's risk appetite.

Benefits of ERM
ERM helps an enterprise to:
Align risk appetite and strategy
Enhance risk response decisions
Reduce operational surprises and
losses
Identify and manage enterprise-wide risks
Seize opportunities
Improve deployment of capital

ERM Framework
The ERM Framework is geared to achieving an entity's
objectives, set forth in 4 categories:
Strategic - related to the high-level goals and mission
of the entity
Operations - related to efficiency, performance and
profitability
Reporting - related to internal and external reporting
Compliance - related to compliance with laws and
regulations

ERM Framework
The ERM Framework has eight components. The cube depicts
the interrelationship of the 8 components with the
entity's objectives and with the entity's units:

Internal Environment
The Internal Environment encompasses:
Entity's Risk Management Philosophy
Risk Appetite
Board of Directors
Integrity and Ethical Values
Commitment to Competence
Organizational Structure
Assignment of Authority and Responsibility
Human Resource Standards
Sets the foundation for how risk and control are viewed
and addressed by the entity.

Internal Environment
Risk Management Philosophy:
The shared beliefs and attitudes toward risk.
Reflects the entity's values, culture and operating style
Formal vs. Informal
Conservative vs. Aggressive
Affects how risks are identified, the types of risks
accepted and how they are managed by an entity.
Management reinforces the entity's risk management
philosophy with everyday actions.

Internal Environment
Risk Management Philosophy
Risk management philosophy should be consistent
throughout the enterprise to effectively apply ERM.
However, risk management philosophy can sometimes vary
within an enterprise:
e.g., an aggressive sales dept. may be prepared to take
more risk than the procurement dept. that is responsible
for ensuring compliance with company policies and
internal controls.
These 2 depts. complement each other and will
collectively reflect the entity's risk management
philosophy.

Internal Environment
Risk Appetite:
The amount of risk an entity is willing to accept in
pursuit of value.
Reflects the entity's risk management philosophy
Desired return from a strategy should be aligned with
the entity's risk appetite.
Qualitative measures - e.g., high, moderate or low risk.
Quantitative measures - balance goals for growth and
return with risk.

Internal Environment
Board of Directors
An active and involved board of directors is
a critical part of the internal environment.
A board that questions and scrutinizes management's
activities is an effective control.
The majority of board members should be
independent outside directors.
An effective board of directors will ensure
that management maintains effective risk
management processes.

Internal Environment
Integrity and Ethical Values:
Management's integrity and ethical values influence the
decision-making process.
Lack of integrity and ethical values creates risk.
Corporate culture influences employee behaviors; it sets
the standard for which rules are followed or ignored.

Internal Environment
Integrity and Ethical Values:
Promoting integrity and ethics:
CEO and top management set the example and determine the
corporate culture.
Performance targets should be realistic and incentives
appropriate.
Existence of written guidance on what is right and wrong,
e.g., a Code of Conduct.
Written guidance must be accompanied by communication and
training.
Upward communication channels are key.
Penalties to employees who violate the code act as a
deterrent for others.

Internal Environment
Commitment to Competence
Competence reflects the knowledge and
skills needed to perform assigned tasks.
Management must determine the level
of competence needed for each task.
Trade-offs are made between
competence and cost.
Trade-offs are made between the extent
of supervision and the competence of
the individual.

Internal Environment
Organizational Structure:
Entity's organizational structure provides the framework
to plan, execute, control and monitor its activities.
Defines key areas of authority, responsibility and
accountability
Organizational structure should enable effective risk
management by:
Promoting the flow of relevant information to top
management and key decision makers on a timely basis
Appropriate assignment of authority to carry out
business activities

Internal Environment
Organizational Structure:
Organizational structure should be suited to the entity's
needs and corporate culture:
Centralized versus Decentralized
Hierarchical reporting relationships versus Flat
Structured by product lines, geography or marketing
channels, etc.
Organizational structure should depend on the size and
nature of activities.

Internal Environment
Assignment of Authority and Responsibility:
Increased delegation of authority empowers employees and
often encourages creativity, initiative, faster response
times and greater accountability.
As authority and responsibility are granted to lower
levels within an entity, risk is often increased.
Must ensure that authority and responsibility are
delegated to competent individuals who understand the
entity's objectives.

Internal Environment
Human Resource Standards
Human resource practices play a key role in promoting
integrity, ethical behavior and competence:

Hiring standards
Orientation programs
Training programs
Performance evaluations
Compensation and incentive programs
Disciplinary actions

Internal Environment
The importance of a strong Internal
Environment must not be
underestimated.
Internal environment is the foundation
of all the other ERM components
Management is responsible for setting
the tone - not just words and policies,
but actions must permeate the
organization
Enron example: flawed internal
environment

ERM Framework
Objective Setting:

Objective Setting
Objectives must exist before
management can identify and
assess risks and take steps to
manage those risks.
Enterprise Risk Management requires that all employees
understand the entity's objectives as they relate to
their individual function.
Understand what is to be accomplished and how to measure
accomplishment.

Objective Setting
Strategic Objectives
High-level goals
Aligned with entity's mission/vision

Related Objectives
Activity level goals - 3 categories:
Operations objectives
Reporting objectives
Compliance objectives

Objective Setting
Operations Objectives:
Pertain to the effectiveness and
efficiency of operations.
Reflect entity's business, industry and economic
environment.
Basis for allocating an entity's resources
Unclear or misunderstood operational objectives could
lead to the entity's resources being misdirected.

Objective Setting
Reporting Objectives:
Complete and accurate
information
Supports management's decision-making process
Enables monitoring activities
Internal vs. external reporting
Financial vs. non-financial data

Objective Setting
Compliance Objectives:
Actions taken to comply with applicable laws and
regulations
Examples:
Taxes, markets, pricing
Environmental
Employee welfare
International trade
Failure to meet compliance objectives can be costly:
Fines, penalties imposed
Impact on entity's reputation, loss of market share

Objective Setting
Overlap of Objectives
Activities may support more than one objective

Achievement of Objectives
Reporting and Compliance objectives are generally easier,
as they are within an entity's control
Operations objectives are more difficult, as they may be
dependent upon external factors:
Competitors' actions
Poor weather
Changes in government
Risk identification and risk management can mitigate the
impact of external events.

Objective Setting
Risk Appetite
The acceptable balance between growth, risk and return
Strategy setting must be aligned with the entity's risk
appetite.
ERM, applied in strategy setting, helps management select
a strategy within its risk appetite

Risk Tolerance
Amount of variation the entity is willing
to accept in achieving objectives

ERM Framework
Event Identification:

Event Identification
Identification of potential events from internal or
external sources that influence strategy and/or the
achievement of objectives.
Events may be negative or positive: risk or opportunity
Event Identification Techniques
Event Categories

Event Identification
Examples of Techniques for
Identifying Events:
Event inventories
Internal analysis
Escalation or threshold triggers
Facilitated workshops and interviews
Leading event indicators
Loss event data methodologies
Process flow analysis
Event interdependencies

Event Categories
Examples:
External Factors:
Economic
Natural Environment
Political
Social
Technological
Internal Factors:
Infrastructure
Personnel
Process
Technology

ERM Framework
Risk Assessment

Risk Assessment
The extent to which potential events will impact an
entity's objectives.
Inherent and Residual risk
Events are evaluated from 2 perspectives:
Likelihood - that the event will occur
Impact - the effect of the event on the entity
Techniques used to assess Likelihood and Impact:
Qualitative
Quantitative

Risk Assessment
Qualitative Techniques:
Used when quantification of risk
amounts is not feasible due to
lack of data or collection of data
is not cost effective.
Not as accurate as quantitative
Examples:
Self-assessment (low, medium, high)
Questionnaires
Internal audit reviews

Risk Assessment
Quantitative Techniques:
More accurate than qualitative
Used when there is enough data to
produce mathematical or statistical
models, performance or
benchmarking metrics.
Examples:
Probability-based
Non-probabilistic models utilize impact
assumptions only, not likelihood
Benchmarking

Risk Assessment
Event Relationships
While the impact of a single event might be minimal, a
sequence of events can be significant.
When a correlation between
events exists, events should be
assessed together
Risks that impact multiple
business units may be grouped
into common event categories,
and assessed in the aggregate.

ERM Framework
Risk Response

Risk Response
4 categories of Risk Responses:
Avoidance - Exit the activities causing the risk
Reduction - Take action to reduce the likelihood or
impact of risk
Sharing - Transfer or share the risk, or a portion of the
risk, with another party
Acceptance - Risk accepted; no action is taken

Risk Response
In selecting an appropriate risk
response, management should
consider:
Impacts of each response on risk likelihood and impact
Which response best fits with the entity's risk appetite
and tolerances
Cost versus benefits of potential responses
Potential opportunities that may result from each risk
response.

ERM Framework
Control Activities

Control Activities
Control activities are the
policies and procedures
established to ensure that the
risk responses are carried out.
Control activities vary based upon the entity's goals,
implementation techniques, and internal and external
environments.

Control Activities
Examples of Control Activities:
Senior Management reviews
Project management - monitor progress
Information processing controls - check completeness and
accuracy
Physical controls - inventories, security controls
Performance indicators - results analysis
Segregation of duties

Control Activities
Control Activity Examples (cont'd):
Information Technology Controls:
General controls: IT infrastructure
and management, security
management and software.
Application controls: ensure
completeness, accuracy and validity
of data.

ERM Framework
Information and Communication

Information and
Communication
Information is needed at all levels
of an organization to identify,
assess and respond to risk.
Communicating accurate
information, on time, to the right
people is key to effective ERM.
Information sources:
Internal and external data
Historical and Current data

Information and
Communication
Information Quality Test:
Is it at the appropriate level of
detail?
Is it there when required?
Is it the latest information
available?
Is the data accurate?
Is it easy to obtain by those who need it?

Information and
Communication
The design of information systems
architecture and acquisition of new
technology are important aspects of
entity strategy.
IT systems are often fully integrated
into most aspects of operations.
Choices regarding technology can be
critical to an entity.
Reliance on IT systems brings risks, e.g., security
breaches and cybercrime
Risk management techniques can
assist in making technology decisions.

ERM Framework
Monitoring

Monitoring
Monitoring ensures that the
components of ERM continue to
function at all levels even as
conditions change over time.
2 Types:
One-time evaluations
Ongoing activities
A combination of the 2 may be
appropriate.

Monitoring
Examples of Ongoing Monitoring activities:
A review of operating reports may spot
inaccuracies or inconsistencies with anticipated
results. Timely and complete reporting and
resolution of these inconsistencies enhance the
effectiveness of the process.
Communications from external parties may corroborate
internal data or indicate problems.
Internal and external auditors identify and monitor
weaknesses in control activities, i.e., risk.
Training seminars, planning sessions and meetings provide
insight into employees' competency, ethical conduct and
risk behaviors.

Monitoring
One-Time Evaluations:
Separate, targeted tests can also
be effective.
Can provide a fresh look at the process (an end-to-end
test)
Scope and frequency depends on
the significance of the risk and
risk response, objectives to be
achieved.

Monitoring
Who evaluates?
Self-assessment is common:
Division head directs the evaluation of ERM activities for
their unit. Assesses risks associated with objectives and
strategic choices, and assesses the internal environment.
Line managers focus on operations and compliance
objectives
Controller focuses on reporting objectives
Senior management evaluates all assessments together.
Internal Auditors offer an independent view.

Monitoring
Reporting deficiencies
What to Report - all deficiencies should be reported to
those in a position to take necessary action
To Whom to Report - may vary based upon the individual's
authority to deal with the circumstance. Communication
must continue upstream until appropriate actions are
taken.
Protocols should be established to identify what
information is needed at a particular level for effective
decision making.

Limitations
No matter how well designed and executed, Enterprise Risk
Management cannot ensure an organization's success or
guarantee results.
The future will always be uncertain
Some events are outside of management's control
Human factors, such as errors in judgment, collusion, and
cost/benefit considerations may impede results.

Roles and Responsibilities
Everyone in the organization has responsibility for
enterprise risk management.
The chief executive officer is ultimately
responsible.
Managers support the risk philosophy,
promote compliance within the risk
appetite and manage risks within their
functional areas
Other key support persons:
Risk Officer
Financial Officer
Internal Auditor

Roles and Responsibilities
Board of Directors provides an oversight role:
Ensure that an effective risk management program is in
place
Understand the entity's risk appetite
Review the entity's portfolio view of risk
Understand the most significant risks and management's
response.

To Begin
Board Members:
Discuss with senior management the entity's ERM process
and provide oversight as needed.
Understand the significant risks and management's
response
Seek input from internal &
external auditors, other advisors
as necessary

To Begin
Chief Executive Officer:
Gather Business Unit heads and
key functional staff to discuss an
initial assessment of ERM
capabilities and effectiveness.
This initial assessment should
determine whether there is a
need for, and how to proceed
with, a broader, more in-depth
evaluation.

Enterprise Risk
Management
Visit the COSO ERM
website for more
information and current
developments:
www.erm.coso.org
