Emerging Trends in Auditing ERM COSO ERM 2017


2 Agenda
Our agenda for today will include:
- Introducing COSO ERM
- Organizational Bias
- Risk-Aware Culture
- Risk Portfolio View
- Risk Appetite & Tolerance
- Conclusion
- Q&A

3 What Happened to COSO ERM
The COSO board published the ERM - Integrated Framework; over the past 10 years most international organizations have broadly accepted the published framework. During these 10 years new risks have arisen and new techniques have been introduced. The need was realized for a new ERM framework that integrates business objectives, strategy and risk.

4 ERM MAP

5 ERM Components
Governance and Culture: Governance sets the organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

6 ERM Components
Performance: An organization identifies and assesses risks that may affect the entity's ability to achieve its strategy and business objectives.
Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

7 ERM Principles

8 COSO ERM 2017

9 Organizational Bias
In April 1999, a class action lawsuit was filed against the Coca-Cola Company by four current and former African-American employees for racial discrimination under the US Civil Rights Act. They claimed that they, and the 2200 colleagues on whose behalf they filed, had suffered discrimination in pay, promotions and performance evaluations. They provided statistics showing that the median salary for African-American employees was about one-third less than that of white employees within the company.

10 Organizational Bias
In 2000, Coca-Cola agreed to a $192 million settlement, the largest settlement ever in a corporate racial discrimination case. Coca-Cola denied the allegations, but agreed to make sweeping changes to its personnel policies and procedures. In addition, the settlement gave an outside panel, jointly selected by Coca-Cola and the plaintiffs' lawyers and approved by the court, limited authority to revise the company's personnel policy. The Task Force issued its final report in December 2006, finding that its mission had been a success and that the company had made significant progress.

11 Tackling Organizational Bias
- Ensure transparency: examine decision-making, social networking, policies and procedures to determine where bias might exist.
- Make comparisons against similarly situated organizations.
- Seek multi-dimensional feedback: obtain multiple perspectives to gain deeper insights about whether your business environment is fair, inclusive and impartial.
- Review policies & procedures: ensure the proper consideration of organizational bias; examine their preparation and regular review, and update them if required.

12 Tackling Organizational Bias
- Training: ensure the availability of training programs for all staff to allow them to identify and address unconscious bias.
- Challenge decisions of the compensation committee: ensure proper internal audit access to, and audit of, the compensation committee (promotions, profit sharing and other benefits).

13 Risk-Aware Culture

14 Risk-Aware Culture
A risk-aware culture is a foundation of values, knowledge, beliefs, understanding and communication of the risks associated with the organization's objectives and with the assets necessary to achieve those objectives. When risk management is successfully incorporated into the culture of an organization, the beliefs, practices, and decisions taken in that organization involve elements of risk understanding.

15 Assessing the Level of Risk-Aware Culture
Audit programs developed by internal audit should be updated and enhanced so that they can assess the level of risk awareness throughout the organization. The audit programs may include, but are not limited to:
- assessing the level of ERM leadership;
- assessing the effectiveness of the management style;
- assessing accountability and authorities;
- linking risk-aware decisions with performance management;
- reviewing the decision-making process and ensuring that risk is embedded in it;
- analyzing the process for setting risk appetite;
- assessing risk awareness activities across the organization.

16 Risk Portfolio View
A silo approach to managing risk is dangerous in today's rapidly changing environment. Organizations can face change with greater confidence with an enterprise-wide perspective. That is why an enterprise risk management (ERM) approach is intended to be holistic in its perspective toward risk and how it is managed.

17 Risk Portfolio View
Standard 14 of the ERM framework recommends that organizations build a portfolio view of their risk exposure. A portfolio view allows management and the BOD to consider the type, severity and interdependencies of risks and how they will affect performance. With a risk portfolio view, management should be well positioned to determine whether or not the organization's residual risk aligns with its risk appetite.

18 Risk Portfolio View

19 Define Risk Appetite
Risk appetite (COSO 2017) is the type and amount of risk, on a broad level, that the organization is willing to accept in pursuit of value. Some organizations consider risk appetite in qualitative terms while others prefer quantitative terms. The risk appetite should not exceed the organization's risk capacity.

20 Articulate Risk Appetite
The risk appetite should match the organization's culture. Organizations articulate their risk appetite based on strategies, business objectives, and performance targets. Risk appetite is recommended by management, approved by the BOD and disseminated throughout the organization.

21 Auditing Risk Appetite
Areas covered on the slide:
- Strategy
- Ownership
- Governance
- Organization culture
- Design & Implementation
- Operational Effectiveness
- Risk Measures
- Policy & Process framework
- Policies
- Monitoring activities and corrective actions
- Reporting structure and effectiveness of reports
- Monitoring & Reporting

22 Risk Portfolio View
Tolerance is the boundaries of acceptable variation in performance related to achieving business objectives. Risk capacity is the maximum amount of risk that an entity is able to absorb in achieving its business objectives. Tolerance is closely linked to risk appetite.

23 Performance Tolerance
Performance measures related to business objectives help in determining actual performance against the performance tolerance. With a narrow tolerance, the organization is required to deploy more resources (additional cost) to stay within that tolerance.

24 Auditing Tolerance
Internal audit and other assurance functions should enhance all audit programs and tools so that they can assess compliance with performance tolerance and the justification of positive or negative variation. Internal audit cannot examine the effectiveness of performance tolerance in isolation from risk appetite, because of the strong link between the two.

25 Thank you