Implementing the updated COSO ERM framework: Enterprise Risk Management - Integrating with Strategy and Performance
Frank Balabyeki, February 2, 2018
Agenda
- What is the updated COSO ERM Framework?
- Key changes to the framework
- Objectives of the updated framework
- Relevance to internal auditors
- How to manage implementation of the updated ERM framework
- Benefits of implementing the updated framework
- Limitations of the framework
- Stakeholders in the development of the updated framework
What is the updated COSO ERM Framework?
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is a joint initiative of five private-sector organisations:
- Institute of Management Accountants (IMA)
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Institute of Internal Auditors (IIA)
- Financial Executives International (FEI)
What is the updated COSO ERM Framework cont'd?
COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), whose original chairman was James C. Treadway Jr. The Commission sat from 1985 to 1987 and issued the Report of the National Commission on Fraudulent Financial Reporting (1987). That report recommended that the sponsoring organisations develop integrated guidance on internal control, which became COSO's mandate.
What is the updated COSO ERM Framework cont'd?
A CPA firm, Coopers & Lybrand (now part of PwC), produced the follow-up report Internal Control - Integrated Framework in 1992; the report defined internal control and its components. COSO framework usage in the USA: 82%. In 2001 COSO engaged PwC on a project to develop an ERM integrated framework, against the background of high-profile business scandals (Enron, Tyco International, Adelphia, WorldCom etc.).
What is the updated COSO ERM Framework cont'd?
The 2004 Enterprise Risk Management - Integrated Framework gave a robust and extensive focus to the broader subject of enterprise risk management. In June 2016 COSO released for public comment an exposure draft titled Enterprise Risk Management - Aligning Risk with Strategy and Performance; the final version, published in September 2017 as Enterprise Risk Management - Integrating with Strategy and Performance, provides boards and management with principles to manage risk from strategy-setting through execution, and recognises the increasingly important connection between strategy and performance.
Key changes to the framework
- Adopts a components-and-principles structure
- Simplifies the definition of enterprise risk management
- Emphasises the relationship between risk and value
- Renews the focus on integration of enterprise risk management
- Examines the role of culture
- Elevates the discussion of strategy
Key changes to the framework cont'd
- Enhances the alignment between performance and enterprise risk management
- Links enterprise risk management into decision-making more explicitly
- Delineates between enterprise risk management and internal control
- Refines risk appetite and tolerance
Objectives of the updated framework
The original Enterprise Risk Management - Integrated Framework was released in 2004; the review process leading to the update started in October 2014. Drivers and objectives of the update:
- Changes in the complexity of risk
- Emergence of significant new risks
- Changing risk management awareness among boards
- Provision of greater insight into strategy
- Accommodating expectations for governance and oversight
- Enhancing alignment between organisational performance and ERM
Why IAs should know the updated framework
- The Framework is complementary to the three lines of defence model in risk management
- The emphasis on ERM gives a holistic understanding of risk management
- It makes risk profiling of the business more effective as a tool for developing IA work plans
- Linking risk to business strategy, value and performance improves the effectiveness of risk monitoring
Why IAs should know the updated framework - ERM roles and responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors
Why IAs should know the updated framework - their role
Internal auditors play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. They assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
Why IAs should know the updated framework
Visit the guidance section of The IIA's website for The IIA's position paper, The Role of Internal Auditing in Enterprise-wide Risk Management.
Why IAs should know the updated framework - Standards
- 2010.A1: The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1: Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1: When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Implementation of the updated framework
Benefits of implementation of the framework
- Increasing the range of opportunities: by considering all possibilities, both the positive and the negative aspects of risk.
- Identifying and managing risk entity-wide: not managing risks as single events, but looking at all risks in the business and their interrelation.
- Increasing positive outcomes and advantages while reducing negative surprises: a better ability to identify risks and establish appropriate responses reduces surprises and related costs while profiting from advantages.
Benefits of implementation of the framework cont'd
- Makes risk management more dynamic, as it aligns with the changing business environment.
- Addresses the management of risk in the context of all business stakeholders, e.g. profit for shareholders, regulatory compliance for government, performance alignment to strategy for employees, etc.
Limitations of the framework
- The Framework in many instances depends on human judgement, making it susceptible to errors in decision-making.
- Collusion by two or more people can allow controls to be circumvented.
- Management is able to override risk management decisions.
- It is not mandatory for all companies to implement the Framework, and it may not be appropriate for small businesses.
Stakeholders involved in the framework development
- Committee of Sponsoring Organisations of the Treadway Commission (COSO)
- The general public (through the public comment period)
- PricewaterhouseCoopers (PwC)