Circulation_Notes_L14_Enterprise_Risk_Management___COSO_Framework[1]

  • 8/7/2019 Circulation_Notes_L14_Enterprise_Risk_Management___COSO_Framework[1]

Notes by Gautam Chitanis

L14: Enterprise Risk Management - COSO Framework

Assignment No. 2 Appropriate Answer:

Enterprise Risk Management:
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Top CEOs/CFOs are generally:
• ineffective at considering risk, return and capital issues when making decisions
• showing a lack of alignment between their company's strategy and appetite for risk
• it is really hard (whine, whimper) to align strategy to effective risk management
• we will attempt to do it in the next 3 to 4 sessions

COSO:
• Companies today face an array of risks. Driving forces like technology advances and the internet, global competition, complex financial instruments, mergers, downsizing, deregulation, and increased consumer demands all create a riskier operating environment for organizations.

• Stakeholders no longer accept a lack of planning or imagination as leadership excuses for bad decisions.

• In a new paradigm, enterprise risk management (ERM), the management of risk is integrated and coordinated across the organization. Recognizing the need for a well-defined ERM model, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an ERM framework with eight interrelated components in September 2004.

• Once implemented, these components provide a new way of thinking about and managing risks.

• In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the Enterprise Risk Management Integrated Framework in 2004.

• This framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.

• The guidance introduces an enterprise-wide approach to risk management as well as concepts such as risk appetite, risk tolerance and portfolio view.

• This framework is now being used by organizations around the world to design and implement effective ERM processes.

Refer: www.coso.org/

Why the focus on Enterprise Risk Management? Here's what COSO says:

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. Enterprise risk management encompasses:

#1 - Aligning risk appetite and strategy: Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.

#2 - Reducing operational surprises and losses: Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

#3 - Identifying and managing multiple and cross-enterprise risks: Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

#4 - Seizing opportunities: By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

#5 - Improving deployment of capital: Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

Basics Value:

FAQs for COSO's Enterprise Risk Management Integrated Framework

COSO
Comprising the professional associations listed above, the Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices.

A. What is the framework and how do I get it?

1. What is in the framework?
The framework describes the critical principles and components of an effective enterprise risk management process, setting forth how all important risks should be identified, assessed, responded to and controlled. It also provides a common language, so that when executives, directors and others talk about risk management, they are truly communicating. The framework sets forth how a company applies enterprise risk management in its strategic planning and also describes techniques some companies are using in identifying and managing risk. Importantly, the framework emphasizes how an effective enterprise risk management process identifies not only the downside, but also the upside, or opportunities that can be seized to enhance profitability and return. The framework also describes roles of key players in the enterprise risk management process.

2. Where can I find the framework?
An executive summary of the Framework is posted in .pdf format on www.coso.org. There, you will also be able to place an order for either a hard copy or electronic copy of the two-volume set that includes the executive summary as well as the Enterprise Risk Management Integrated Framework and associated Application Techniques. The same charge ($75, or $50 for members of COSO organizations) applies to both hard and soft copy.

B. Why is this a framework that organizations should support?

1. What limitations of existing enterprise risk management models prompted creation of a new framework?
There have been a wide variety of frameworks utilized across companies and across countries. Some of these focus narrowly on risk management (rather than enterprise risk management). Others focus on specific industries or specific types of risk. In addition, many of these focus on mechanisms for reducing rather than managing risk. By contrast, the COSO Enterprise Risk Management Integrated Framework addresses enterprise risk management applicable to all industries and encompassing all types of risk. Moreover, the framework recognizes that an effective enterprise risk management process must be applied within the context of strategy setting. This is a fundamental difference from most risk models used to date. It starts with the top of the organization and supports an organization's major mission. In addition, many of the pre-existing frameworks stood by themselves, and thus tended to be implemented within functions. As a result, many risk management practices have been implemented in silos (i.e., in one part or one function of the organization). Consequently, risk management may be done very well in one section, but not consider how actions of other parts of the organization affect their risks, or it might not capture the overall significant risks that the organization faces. The Enterprise Risk Management Integrated Framework presents an enterprise-wide perspective of risk and standardizes terms and concepts to promote effective implementation across the organization.

2. How might the framework assist organizations in structuring their entities to best manage exposure to risk?
By formally organizing risk management responsibilities and activities an organization is much better positioned to achieve its objectives. To achieve its business objectives, management will want to ensure that sound risk management processes are in place and functioning. Board and audit committees have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. The COSO Enterprise Risk Management Integrated Framework provides comprehensive guidance on each of these points and includes numerous examples of approaches used by risk management practitioners in a diverse group of organizations.

3. Is there such a thing as being overly conscientious about risk?
The purpose of an entity is to provide goods and services that people value. The pursuit of that goal is paramount in most organizations. An organization that focuses more on risk management than on pursuing its primary goals is likely to underperform.

C. What are some of the key concepts established in this framework?

1. What is the difference between risk appetite and risk tolerance?
Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher-level statement that considers broadly the levels of risk that management deems acceptable, while risk tolerances are narrower and set the acceptable level of variation around objectives. For instance, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10%, it is expressing tolerance. Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives.

2. How does an organization determine the right amount of risk for the value it is trying to create for stakeholders, and how should it communicate its risk policy to stakeholders?
The level of risk that an entity is willing to accept is a management decision and there is no right answer to this question. One company's management will pursue a higher-risk strategy while another will pursue a lower-risk strategy. The shareholder should understand the risk chosen by management and invest in accordance with his/her own tolerances for potential variation in stock performance. Organizations communicate the levels of risk accepted through the MD&A, quarterly and annual reports, press releases, investor calls, etc.

3. What is the relationship between effective enterprise risk management and improved financial reporting and transparency?
There are natural linkages between enterprise risk management, improved financial reporting and transparency. The Enterprise Risk Management Integrated Framework requires that organizations establish a risk appetite, measure actions and decisions against that risk appetite and communicate results. Communication of enterprise risk management to users of financial information clearly enhances transparency.

4. Is this intended for private organizations? Is there any organization this is not intended for?
Enterprise risk management is a process that companies of all sizes and degrees of sophistication should consider. The framework is scalable, enabling companies to match the process to the company's complexity and sophistication. There is an intrinsic expectation that all organizations, be they for-profit, not-for-profit, government organizations, etc., work to manage

risk. The Enterprise Risk Management Integrated Framework will facilitate the process.

D. How does this framework relate to COSO's Internal Control Framework?

1. Are you replacing the Internal Control Framework with the Enterprise Risk Management Framework?
The Internal Control Integrated Framework is conceptually sound and has stood the test of time. The Enterprise Risk Management Integrated Framework is a broader framework that incorporates the internal control framework within it. In other words, one approach to risk is to develop controls to mitigate the risks. The frameworks are compatible and are based on the same conceptual foundation. We believe the consistent conceptual underpinnings are a major strength of the two models. Appendix C of the Enterprise Risk Management Integrated Framework provides a detailed discussion of the relationship to the Internal Control Integrated Framework.

2. What is the relationship between technology controls and effective enterprise risk management?
The Enterprise Risk Management Integrated Framework requires feedback of information from throughout the company. This information must be current and accurate and must be robust enough to support the analysis of different risk responses. Therefore, the technology that provides this data must have the highest levels of integrity and controls. Enterprise risk management cannot be effective if the technology that provides the data used to manage risk is flawed. Controls related to technology, also referred to as general computer controls, were also discussed in the Internal Control Integrated Framework.

3. If you have good internal control, isn't that a way of managing risk?
A strong system of internal control supports the achievement of the organization's business objectives and therefore good internal control is a way of managing risk. However, enterprise risk management is much broader than internal control. In addition to supporting management's efforts to achieve business objectives, it aligns risk management with strategy setting and aids a company's ability to assess whether the organization is accepting risk appropriately.

4. What does the new framework offer clients that are focusing on internal control?
Companies that want to move beyond internal control and get more out of their efforts now have a framework that will help them go to the next level. As the Enterprise Risk Management Integrated Framework includes the concepts and components initially developed in the Internal Control Integrated Framework, expanding their practices to incorporate risk management will be more evolutionary and not require that they throw away all of the previous efforts. The Enterprise Risk Management Integrated Framework details, for the first time, the link between value, risk, strategy, objective setting, performance measurement, risk response and control processes.

E. How might organizations view the framework in the context of their Sarbanes-Oxley 404 compliance process?

1. With the significant amount of implementation efforts companies are currently undertaking for Sarbanes-Oxley compliance and adoption of new accounting standards, why should companies be motivated to implement enterprise risk management?
The implementation of COSO's Enterprise Risk Management Integrated Framework will provide long-term benefits to an organization and therefore should be viewed with a longer-term implementation perspective. The current emphasis on control in Sarbanes-Oxley is primarily focused on financial reporting. However, there are additional aspects of risk management that go beyond internal controls and are rooted in the strategy-setting activities of a company and in the management analysis of risk appetite and risk tolerance necessary to pursue its objectives as a company. Not all companies are at the same level of expertise or knowledge of risk management techniques, and approaches vary widely. Continued adoption of the Enterprise Risk Management Framework by both companies and academics will result in a more consistent approach to risk management as companies strive to create value for stakeholders.

2. What makes this different from the internal control framework? How does it relate to Sarbanes-Oxley reporting?
The Enterprise Risk Management Integrated Framework is broader than internal control, and actually incorporates the key concepts set out in COSO's earlier Internal Control Integrated Framework. While there are several differences, the three points that are probably the most prominent are that risk management considers risks during strategy setting, requires management to form a view of how much risk the organization is prepared to accept, known as risk appetite, and requires that risk management be done outside of silos through a portfolio view of the organization's risks. Much of the internal control focus today is on only one aspect of internal control: internal controls over financial reporting for Sarbanes-Oxley 404. This is distinct from reporting on risk management.

F. How do people in an organization intersect with this framework?

1. What is the role of the board in enterprise risk management? How does this framework help them?
The Board provides oversight of enterprise risk management. They will be asked to understand key elements of enterprise risk management, inquire of management about risks, and concur on certain management decisions. However, the board is not in the position of making choices on behalf of management and does not alleviate management's role in enterprise risk management.

2. What is the role of the CFO and others in the financial management organization in enterprise risk management? How will this framework help them?
The CFO and the financial organization play a key role in providing the needed disciplines and procedures to establish risk management as an integral part of the business strategy-setting process. The CFO provides the organization with analytical tools to help determine risk appetite and risk tolerance. The CFO is well positioned to look across the businesses and functions within a company to develop and implement the portfolio view of risk. He/she has the experience and knowledge to establish controls necessary to assure that the evaluation of risk is a continuing and integral part of the management process and is consistent with the risk management philosophy agreed to with the board.

3. What is the role of internal auditors in enterprise risk management? How will this framework help them?
Board and audit committees have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. Internal auditors can assist both management and the audit committee by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management's risk management processes. The COSO Enterprise Risk Management Integrated Framework provides a benchmark for internal auditors to use in the evaluation of their organization's risk management efforts.

4. Who are the potential implementers of the framework?
The framework is robust. It works best when an organization develops an integrated process to address risk throughout the organization, and further, that risk approach is led from the top of the organization. The framework can be used in all functional areas, including information technology, finance, accounting, internal audit and risk specialists within any organization. However, the framework is designed to promote entity-wide capabilities for identifying, documenting, and dealing with risk on a consistent basis. Chapter 10 of the Enterprise Risk Management Integrated Framework addresses roles and responsibilities in detail.

The auditors of today are trained to conduct audits on the COSO framework.

Review this now: http://www.theiia.org/training/index.cfm?act=seminar.detail&semID=30

HOW TO APPLY COSO TO A FRAUD CASE
• The five COSO control components are the core criteria for assessing the potential effectiveness of any internal control system and its vulnerability to fraud.
• But they can also be used to take a backward look at a fraud case to analyze how it happened.
• And using the lessons learned, we can avoid and/or detect unexpected misconduct, potential mismanagement or even fraud in the future.

• A close look at what went wrong at WorldCom gives us a good understanding of how COSO concepts work. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework has been recognized since the early 1990s as the No. 1 internal control framework for any for-profit or nonprofit organization in any geographical area or culture in the world.

• The framework is explicitly recommended by international standard-setting governmental, private, and professional organizations worldwide. Furthermore, COSO can be used not only for the setup and development of an internal control system but also for the analysis and understanding of control system failures in historical fraud cases. In this column, I'll demonstrate the effectiveness of the five COSO control components in the framework to highlight former WorldCom's major control weaknesses, which led to the spectacular $11 billion fraud.

WorldCom Fraud in Brief
• For a time, WorldCom was the United States' second largest long distance phone company (after AT&T). WorldCom grew largely by aggressively acquiring other telecommunications companies.

• On November 10, 1997, WorldCom and MCI Communications announced their US$37 billion merger to form MCI WorldCom, making it the largest merger in US history. On September 15, 1998 the new company, MCI WorldCom, opened for business.

• On October 5, 1999 Sprint Corporation and MCI WorldCom announced a $129 billion merger agreement between the two companies.

• However, the deal did not go through because of pressure from the US Department of Justice and the European Union on concerns of it creating a monopoly.

• In the year 2000, MCI WorldCom renamed itself to simply "WorldCom" without Sprint being part of the company.

• WorldCom caused one of the largest fraud and bankruptcy scandals in American and global corporate history. In total, more than $11 billion worth of fraudulent accounting entries and misstatements were detected, which represented 28.9 percent of total annual revenue in 2002.

• This fraud was significantly higher than the blockbuster fraud at Enron.
• All WorldCom fraudsters were sentenced. Former CEO Bernie Ebbers received 25 years in prison, a virtual life sentence because he was in his mid-60s at the time. The CFO got a five-year prison sentence and his chief controller one year and one day. In addition, the corrupt senior accountants were jailed or faced long-term probation.

• Fraudulent accounting at WorldCom was a collusive action among top management and a few accountants, in conjunction with weak controls. According to the ACFE's 2008 Report to the Nation, the collusion resulted in a median loss over four times higher than the amount lost in schemes committed by a single perpetrator.

• The scheme lowered line costs (the company's largest single expense) by capitalizing them as prepaid capacity and reversing allowances without sufficient justification. The corporate motive for this fraud was to meet Wall Street's expectations for growth and also to hide real, deteriorating operating results, which were caused by the bursting dot-com and telecom bubbles. But there were individual drivers also: personal financial enrichment through misappropriation of corporate assets (especially cash) and a mix of other personal targets such as the improvement of social and business status (for example, CEO, CFO), the advancement of a professional career (for example, CFO, chief controller), and job security among several senior accountants.

COSO PINPOINTS WHAT WENT WRONG
To find the major weaknesses at WorldCom, I screened the internal control system by applying the five COSO control components and mapping them, that is, plotting the weaknesses against the corresponding fraud exposures. See the following charts to view my findings:
• Control Environment
• Risk Assessment
• Control Activities and
• Monitoring

Following WorldCom's experience, we have to accept that:
• Any control can give only reasonable, but never absolute, assurance to reach a tracked business target.
• Fraud is overwhelmingly detected through tip-offs or by accident instead of systematic development of internal control activities or subsequent internal auditing.
• When fraud is conducted by collusive action of top management and their accountants, as was the case at WorldCom, almost any control can be overridden.

• But apart from these discouraging facts, COSO, as the world's No. 1 concept for internal controls, is still a reliable basis for the development and the analysis of internal control systems with special focus on risks, weaknesses, and potential vulnerabilities to fraud.

• Within this context, COSO also offers great support for anti-fraud management. The ACFE, American Institute of Certified Public Accountants, and Institute of Internal Auditors jointly published Managing the Business Risk of Fraud: A Practical Guide, which reflects on the control concept called COSO.

Note: Managing the Business Risk of Fraud: A Practical Guide, a $299 book, is given free to the class. (Read it now.)

Oversight Systems Report on Corporate Fraud
• According to the 2007 Oversight Systems Report on Corporate Fraud, these motives parallel statistical data about why people say they commit fraud:
    o Pressure to do whatever it takes to meet goals (81 percent)
    o Personal gain (72 percent)
    o I won't get caught (41 percent)
    o I don't consider it fraudulent (40 percent)
    o The belief that regulations can easily be bypassed (21 percent)

• Additionally, people tend to overestimate their capabilities, with a tendency to megalomania as they become more and more successful and admired by the public, as in Ebbers' case. His financial escapades, both business and personal, were legendary.

Assignment No. 3: As discussed in the class.