Transcript of COSO ERM – What’s Changed and Why (39 slides)

Page 1

COSO ERM – What’s Changed and Why

Douglas J Anderson, CIA, CRMA, CPA, CMA
Managing Director – CAE Solutions

The Institute of Internal Auditors

Page 2

Agenda

• The Risk Management Journey
• COSO ERM Revisions – Why
• COSO ERM Revisions – What
• Is ISO Asleep?
• Why This Matters to Internal Audit

Page 3

Risk Management Journey

Page 4

Foundational Concepts of ERM

• Every entity exists to provide value for its stakeholders
• All entities face uncertainty
• Uncertainty presents both risk and opportunity
• The challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value
• ERM enables management to effectively manage uncertainty and associated risk and opportunity

Page 5

The Strategic Value of Enterprise Risk Management

• Increases the range of opportunities
• Identifies and manages entity-wide risks
• Reduces surprises and losses
• Reduces performance variability
• Improves resource deployment
• Anticipates, identifies, adapts, and responds to change

Page 6

SEC Proxy Requirement…

Provide Information About Board Leadership Structure and the Board's Role in Risk Oversight:

• The SEC approved rules relating to board leadership structure and the board's role in risk oversight. The rules require disclosure about:

• A company's board leadership structure, including whether the company has combined or separated the chief executive officer and chairman position, and why the company believes its structure is the most appropriate for the company at the time of the filing.

• In certain circumstances, whether and why a company has a lead independent director and the specific role of such director.

• The extent of the board's role in the risk oversight of the company.

Page 7

COSO: Thought Leadership to Improve Your Organization

Page 8

COSO Mission

COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”

COSO’s Fundamental Principle

Good risk management and internal control are necessary for the long-term success of all organizations

Page 9

Topics Included in the 2004 COSO ERM Framework…

• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple and Cross-enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital

Page 10

ERM is Defined as…

“A process effected by an entity’s board of directors, management and other personnel, applied in a strategic setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Page 11

COSO ERM Revisions – Why?

Page 12

COSO ERM Update

Page 13

Like Fine Wine… 2004 – 2017

Page 14

Why Update the Framework Now?

• Concepts and practices have evolved
• Lessons learned
• Bar raised with respect to enterprise risk management
• Business and operating environments more complex, technologically driven, and global in scale
• Stakeholders more engaged, seeking greater transparency and accountability
• Risk discussions increasingly prominent at the board level

Page 15

COSO ERM Revisions – What?

Page 16

It’s all About Performance …


Page 17

A Key Introduction…

• Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy

• Every choice we make in the pursuit of objectives has its risks

• From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives

Page 18

Risk: The possibility that events will occur and affect the achievement of strategy and business objectives

Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value

Page 19

COSO ERM


Page 20

Examines the Role of Culture

• Influences all aspects of enterprise risk management
• Explores the relationship with culture in the context of:
  – Risk governance
  – Oversight of the entity
  – Connection between framework components

• Depicts the behavior within a risk spectrum from risk averse to risk aggressive

• Explores the alignment of culture between individual and entity behavior

Page 21

Elevates Discussion of Strategy

Explores enterprise risk management and strategy from three different perspectives:

• The possibility of strategy and business objectives not aligning with mission, vision and values
• The implications from the strategy chosen
• Risk to executing the strategy

Page 22

Align with Performance

• Actively managing risk to achieve business objectives
• Focus on how risk is integral to decision making & performance
  ‒ ERM practices support the identification and assessment of risks that impact performance
  ‒ Discussing acceptable variations in performance
• Manages portfolio of risk in the context of achieving business objectives, not as individual risks
• Seeks to enhance the integrated reporting on risk and performance

Page 23

Risk Responses

• Accept
• Avoid
• Pursue
• Reduce
• Share

Page 24

Page 25

Delineates Between Enterprise Risk Management and Internal Control

• The document does not replace the 2013 Internal Control – Integrated Framework
• The two frameworks are distinct and complementary
• Both use a components and principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework

Page 26

ERM Update Approach and Timing

• Assess and Envision – Q3 2014
• Build and Design – Q4 2014
• Public Exposure – Q2 2016
• Finalization – Q4 2016 – Q2 2017

Page 27

Is ISO Asleep?

Page 28

ISO 31000


Page 29

Why This Matters to Internal Audit

Page 30

Strategic Risks

Should Internal Audit Have a More Active Role in an Organization’s Strategic Risks?

• Yes: 64%
• No: 20%
• Unsure: 16%

Page 31

Responding to Strategic Risks

[Bar chart, 2015 CBOK Stakeholder Study: Board and C-Suite responses for five internal audit activities. Two series of five values were extracted, 45%, 48%, 48%, 69%, 74% and 45%, 53%, 53%, 76%, 86%; the extracted text does not preserve which value belongs to which bar.]

• Facilitating risk assessment
• Assessing reliability of metrics used to monitor strategic initiatives
• Evaluating execution of strategic initiatives
• Evaluating and communicating key risks
• Focusing on strategic risks during audit projects

Page 32

Beyond Assurance, What Should Be in Scope

[Bar chart, axis 60%–90%: six scope items with values 71%, 74%, 76%, 78%, 78%, 85%; the extracted text does not preserve which value belongs to which item.]

• Assurance on compliance with legal and regulatory requirements
• Alert operational management to emerging issues and changing regulatory and risk scenarios
• Consult on business process improvements
• Identify appropriate risk management frameworks, practices and processes
• Facilitate and monitor effective risk management practices by operational management
• Identify known and emerging risk areas

Page 33

Measuring Risk

IIA Standard 2010 – Planning

“The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

Page 34

Risk Profile

• COSO ERM introduces a new depiction referred to as a risk profile
• Incorporates:
  - Risk
  - Performance
  - Risk appetite
  - Risk capacity

Page 35

Determining the Severity of Risk

“The severity of the risk is determined by management in order to select an appropriate risk response, allocate resources, and support management decision-making and performance. Measures may include:

• Impact: Result or effect of a risk. There may be a range of possible impacts associated with a risk. The impact of a risk may be positive or negative relative to the strategy or business objectives.
• Likelihood: The possibility of a risk occurring.”

Page 36

Traditional Heat Map

[Heat map: Likelihood on the vertical axis, Impact on the horizontal axis]

Page 37

Prioritizing Risk

“Organizations prioritize risks in order to inform decision-making and optimize the allocation of resources. Risk prioritization considers the severity of a risk and informs the selection of the risk response. The priorities are determined by applying agreed-upon criteria. Examples of these criteria include:

• Adaptability: The capacity of an entity to adapt and respond to risks…
• Complexity: The scope and nature of a risk to the entity’s success. The interdependency of risks will typically increase their complexity.
• Velocity: The speed of onset at which a risk impacts an entity…
• Persistence: How long a risk impacts an entity…
• Recovery: The capacity of an entity to return to acceptable variation in performance…”

Page 38

Charge to You

• Risk is an inherent aspect of internal audit
• Digest the revisions to COSO ERM and ISO 31000
• Become a “master” of risk theory and practical application

Page 39

Thank You

The Institute of Internal Auditors

Douglas J Anderson
Managing Director – CAE Solutions
[email protected]