COSO ERM: Integrating with Strategy and Performance. Michael Parkinson

2 Content
- The COSO Frameworks
- Risk
- (Enterprise) Risk Management
- The COSO risk management framework
- A few highlights
- Questions for management
- Issues for the internal auditor

3 The COSO Frameworks
- Internal Control - Integrated Framework (2013)
- Enterprise Risk Management (2017)
- These frameworks are compatible.
Updates because:
- Concepts and practices have changed
- The business environment has changed
- We have learned
- Boards and management are better engaged

4 Other Frameworks
- Especially the ISO Management Systems frameworks and the ISO Risk Management Framework
- These will work together with COSO, BUT they use different definitions.

5 Enterprise Risk Management
- Is not the same as Internal Control
- Control is one way an organisation can respond to risk; it is not the only way.

6 Risk
- Risk exists because we have objectives and we operate in an uncertain environment
- Risk is the way we describe the relationship between uncertainty and our objectives
- Our organisation is successful if it can manage risk
- Our ability to manage risk is our competitive advantage

7 Risk
- Our understanding of the nature of risk and its application to choices lies at the heart of our economy
- Every choice made in the pursuit of objectives has risk and changes risk
- Dealing with uncertainty in decision-making is part of our organisational lives.

8 Management IS Risk Management
- There is no way they can be separated from each other.

9 Different definitions
- COSO ERM: "The possibility that events will occur and affect the achievement of strategy and business objectives"
- ISO: "Effect of uncertainty on objectives"
- An event can be something expected not happening.
- Usually considers possible events but does not require them.

10 ERM Definition
Enterprise Risk Management is: "The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value."

11 COSO 2017 - New structure
- Has fewer components (5 rather than 8)
- Has 20 principles
- Integrates with the business model
- Emphasises that risk management is part of business management
- Emphasis on integration
- Emphasis on value
- Links to strategy
- Links to performance
- Recognises the importance of culture
- Focuses on decision-making

12 COSO ERM - Components
[Diagram of the five components: Governance & Culture; Strategy & Objective Setting; Performance; Review & Revision; Information, Communication & Reporting. Diagram labels: Tone; Leadership; Oversight; Context; Internal and external factors; Risk Appetite; Targets; Identify, assess, prioritise, respond, monitor; Sharing; External and internal sources; Integrated]

13 COSO ERM - Principles: Governance & Culture
- Exercises Board Risk Oversight
- Establishes Operating Structures
- Defines Desired Culture
- Demonstrates Commitment to Core Values
- Attracts, Develops, and Retains Capable Individuals

14 COSO ERM - Principles: Strategy & Objective Setting
- Analyses Business Context
- Defines Risk Appetite
- Evaluates Alternative Strategies
- Formulates Business Objectives

15 COSO ERM - Principles: Performance
- Identifies Risks
- Assesses Severity of Risks
- Prioritizes Risks
- Implements Risk Responses
- Develops Portfolio View

16 COSO ERM - Principles: Review & Revision
- Assesses Substantial Change
- Reviews Risk and Performance
- Pursues Improvement in Enterprise Risk Management

17 COSO ERM - Principles: Information, Communication & Reporting
- Leverages Information & Technology
- Communicates Risk Information
- Reports on Risk, Culture and Performance

18 Emphasis on Integration
- Risk management cannot be separated from management
- Getting risk management right improves decision-making and leads to enhanced performance
Good risk management helps:
- Identify risks earlier and/or more explicitly, giving more options for response
- Identify and pursue opportunities
- Better respond to deviations in performance
- Develop a better portfolio understanding of risk
- Improve collaboration, trust and information sharing

19 Emphasis on value
- Good risk management creates, preserves and enhances value
This framework:
- Places value at the core of its definition
- Discusses value extensively in the principles
- Links value to risk appetite
- Considers value in the discussion of managing risk to acceptable levels.

20 Links to Strategy
- Considers the possibility that strategy may not align with mission, vision and values
- Considers the implications of risk for overall strategy
- Considers the risk in executing strategy

21 Links to Performance
- Achieve strategy/objectives by actively managing performance
- ERM supports identification and assessment of risks related to performance
- ERM actively considers the tolerance for variations in performance
- Manages risk in the context of strategy and business objectives; does not treat risks in isolation

22 Links to Performance
- Develops the concept of a risk profile
[Diagram: risk/performance curve with axes Risk and Performance; labels: Risk Capacity, Risk Appetite, Acceptable range of performance, Target Performance]

23 The Importance of Culture
- Culture is critical to Governance, Risk Management and Internal Control
- Influences all aspects of enterprise risk management
- Is specifically addressed in the principles
- Explores the possible effects of culture on decision-making
- Considers the alignment of culture between the individual and the organisation.

24 Focus on Decision-making
- Explores how ERM drives risk-aware decision-making
- Highlights how risk awareness optimises and aligns decisions that impact performance
- Explores how risk-aware decisions affect the risk profile.
[Diagram: Risk-aware Decision Making; labels: Risk Profile, Business Context, Assumptions, Strategy, Risk Appetite, Culture]

25 Questions for Management
Managers should be asking themselves:
- Does our approach help us identify the weaknesses in our strategy?
- Are we able to recognise changes in the environment in time to respond?
- Are we looking for and analysing uncertainty?
- Are our decisions based on rigorous analysis or on wishful thinking?
- Do we really know how much contingency we need?

26 Standard Planning
"The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."

27 The ERM Framework will help you:
- Understand the organisation's business objectives and strategies
- Understand the risks to business objectives and the way the risks are managed
- Identify which risks are most important
- Understand the risk culture and risk appetite
- Identify existing assurance mechanisms
- Determine priorities for internal audit review

28 Standard 2200 Engagement Planning
"Internal auditors must develop and document a plan for each engagement. The plan must consider the strategies, objectives, and risks relevant to the engagement."

29 The ERM Framework will help you:
- Understand which business risks relate to an engagement
- Align the engagement risk assessment to the organisation's risk assessment
- Design scope and testing based on the organisation's tolerance for risk
- Make observations in the context of the organisation's objectives and risk profile

30 Standard 2120 Risk Management
"The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes."

31 Internal Audit's role in ERM
- Educate and facilitate understanding of ERM components and principles
- Advise and participate in the risk assessment process
- Assess the effectiveness of information, communication and reporting
- Evaluate the effectiveness of the ERM process and framework

32
- Every contribution by internal audit to governance, risk management or control is a contribution to ERM.
- Risk management IS management
- Using a sound and consistent framework will produce better results

33 Sound ERM will
- Increase the range of opportunities
- Identify and manage the range of threats
- Reduce surprises and losses
- Reduce performance variability
- Improve resource deployment
- Anticipate, identify, adapt and respond to change
In short, it will:
- Increase the likelihood of achieving objectives, and
- Improve performance