Page 1

COSO ERM: Integrating with Strategy and Performance

Michael Parkinson

Page 2

Content

• The COSO Frameworks

• Risk

• (Enterprise) Risk Management

• The COSO risk management framework

• A few highlights

• Questions for management

• Issues for the internal auditor

Page 3

The COSO Frameworks

• Internal Control Integrated Framework
  • 1992 -> 2013

• Enterprise risk management
  • 2004 -> 2017

• Updates because:
  • Concepts and practices have changed
  • The business environment has changed
  • We have learned
  • Boards & management are better engaged

These frameworks are compatible

Page 4

Other Frameworks

• Especially ISO
  • Management Systems frameworks
  • Risk Management Framework

• Will work together with COSO

BUT

• They use different definitions

Page 5

Enterprise Risk Management

• Is not the same as “Internal Control”

• Control is one way an organisation can respond to risk

• It is not the only way…

Page 6

Risk

• Risk exists because:
  • We have objectives
  • We operate in an uncertain environment

• Risk is the way we describe the relationship between uncertainty and our objectives

• Our organisation is successful if it can manage risk

• Our ability to manage risk is our competitive advantage

Page 7

Risk

• Our understanding of the nature of risk and its application to choices lies at the heart of our economy

• Every choice made in the pursuit of objectives has risk and changes risk

• Dealing with uncertainty in decision-making is part of our organisational lives.

Page 8

Management IS Risk Management. There is no way they can be separated from each other.

Page 9

COSO ERM

• The possibility that events will occur and affect the achievement of strategy and business objectives

ISO 31000

• Effect of uncertainty on objectives

Different definitions

Usually considers possible events but does not require them.

An event can be something expected not happening.

Page 10

ERM Definition

Enterprise Risk Management is:

The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

Page 11

COSO 2017

• New structure
  • Has fewer components (5 rather than 8)
  • Has 20 Principles
  • Integrates to the business model

• Emphasises that risk management is part of business management

• Emphasis on integration

• Emphasis on value

• Links to strategy

• Links to performance

• Recognises the importance of culture

• Focuses on decision-making

Page 12

COSO ERM - Components

[Diagram: the five components]
• Governance & Culture
• Strategy & Objective-Setting
• Performance
• Review & Revision
• Information, Communication & Reporting

Diagram annotations: Tone, Leadership, Oversight; Integrated, Internal/external factors, Risk Appetite; Identify, assess, prioritise, respond, monitor; Targets, Context; Sharing, external & internal sources

Page 13

COSO ERM - Principles: Governance & Culture

• Exercises Board Risk Oversight

• Establishes Operating Structures

• Defines Desired Culture

• Demonstrates Commitment to Core Values

• Attracts, Develops, and Retains Capable Individuals

Page 14

COSO ERM - Principles: Strategy & Objective-Setting

• Analyses business context

• Defines Risk Appetite

• Evaluates Alternative Strategies

• Formulates Business Objectives

Page 15

COSO ERM - Principles: Performance

• Identifies risks

• Assesses Severity of Risks

• Prioritizes Risks

• Implements Risk Responses

• Develops Portfolio View

Page 16

COSO ERM - Principles: Review & Revision

• Assesses Substantial Change

• Reviews Risk and Performance

• Pursues Improvement in Enterprise Risk Management

Page 17

COSO ERM - Principles: Information, Communication & Reporting

• Leverages Information & Technology

• Communicates Risk Information

• Reports on Risk, Culture and Performance

Page 18

Emphasis on Integration

• Risk management cannot be separated from management

• Getting risk management right improves decision-making and leads to enhanced performance

• Good risk management helps:
  • Identify risks earlier and/or more explicitly, giving more options for response
  • Identify and pursue opportunities
  • Better respond to deviations in performance
  • Develop a better portfolio understanding of risk
  • Improve collaboration, trust and information sharing

Page 19

Emphasis on value

• Good risk management creates, preserves and enhances value

• This framework:
  • Places value in the core of its definition
  • Extensive discussion of value in the principles
  • Links value to risk appetite
  • Considers value in the discussion of managing risk to acceptable levels.

Page 20

Links to Strategy

• Considers the possibility that strategy may not align with mission, vision and values

• Considers the implications of risk for overall strategy

• Considers the risk in executing strategy

Page 21

Links to Performance

• Achieve strategy/objectives by actively managing performance

• ERM supports identification and assessment of risks related to performance

• ERM actively considers the tolerance for variations in performance

• Manages risk in the context of strategy and business objectives – does not treat risks in isolation

Page 22

Links to Performance

• Develops concept of risk profile:
  • Risk
  • Performance
  • Appetite
  • Capacity

[Chart: Risk/Performance Curve, marking Risk Appetite, Target Performance, Risk Capacity and the Acceptable range of performance]

Page 23

The Importance of Culture

• Culture is critical to Governance, Risk Management and Internal Control

• Influences all aspects of enterprise risk management

• Is specifically addressed in the principles

• Explores the possible effects of culture on decision-making

• Considers the alignment of culture between the individual and the organisation.

Page 24

Focus on Decision-making

• Explores how ERM drives risk-aware decision-making

• Highlights how risk awareness optimises and aligns decisions that impact performance

• Explores how risk aware decisions affect the risk profile.

[Diagram: Risk-aware Decision Making, linked to Assumptions, Risk Appetite, Culture, Strategy, Business Context and Risk Profile]

Page 25

Questions for Management

Managers should be asking themselves:

• Does our approach help us identify the weaknesses in our strategy?

• Are we able to recognise changes in the environment in time to respond?

• Are we looking for and analysing uncertainty?

• Are our decisions based on rigorous analysis or on wishful thinking?

• Do we really know how much contingency we need?

Page 26

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Standard 2010 - Planning

Page 27

The ERM Framework will help you:

• Understand the organisation’s business objectives and strategies

• Understand the risks to business objectives and the way the risks are managed

• Identify which risks are most important

• Understand the risk culture and risk appetite

• Identify existing assurance mechanisms

• Determine priorities for internal audit review

Page 28

Internal auditors must develop and document a plan for each engagement… The plan must consider the … strategies, objectives, and risks relevant to the engagement.

Standard 2200 – Engagement Planning

Page 29

The ERM Framework will help you:

• Understand which business risks relate to an engagement

• Align the engagement risk assessment to the organisation’s risk assessment

• Design scope and testing based on the organisation’s tolerance for risk

• Make observations in the context of the organisation’s objectives and risk profile

Page 30

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Standard 2120 – Risk Management

Page 31

Internal Audit’s role in ERM

• Educate and facilitate understanding of ERM components and principles

• Advise and participate in the risk assessment process

• Assess the effectiveness of information, communication and reporting

• Evaluate the effectiveness of the ERM process and framework

Page 32

Every contribution by internal audit to governance, risk management or control is a contribution to ERM.

Risk management IS management

Using a sound & consistent framework will produce better results

Page 33

Sound ERM will

• Increase the range of opportunities

• Identify and manage the range of threats

• Reduce surprises and losses

• Reduce performance variability

• Improve resource deployment

• Anticipate, identify, adapt and respond to change

In short, it will:
  • Increase the likelihood of achieving objectives and
  • Improve performance
