COSO ENTERPRISE RISK MANAGEMENT

Enterprise risk management

Uncertainty

All entities face uncertainty

  • the challenge for management is
    to determine how much uncertainty to accept as it strives to grow stakeholder value

Uncertainty presents both risk and opportunity.

Aligning risk appetite and strategy

Enhancing risk response decisions

Reducing operational surprises and losses

Identifying and managing multiple and cross-enterprise risks

Seizing opportunities

Improving deployment of capital

Events – Risks and Opportunities

Events can have:

  • Negative impact: risks
  • Positive impact: opportunities
  • or both

Definition: Enterprise Risk Management

• A process, ongoing and flowing through an entity

• Effected by people at every level of an organization

• Applied in strategy setting

• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk

• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

• Able to provide reasonable assurance to an entity’s management and board of directors

• Geared to achievement of objectives in one or more separate but overlapping categories

Achievement of Objectives

• Strategic – high-level goals, aligned with and supporting the entity's mission

• Operations – effective and efficient use of its resources

• Reporting – reliability of reporting

• Compliance – compliance with applicable laws and regulations

Some entities add a further category: safeguarding of resources.

Achievement of strategic objectives and operations objectives is subject to external events not always within the entity's control.

Components of Enterprise Risk Management

Internal Environment

Objective Setting

Event Identification

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

Relationship of Objectives and Components

There is a direct relationship between objectives
and enterprise risk management components

The relationship is depicted in a three-dimensional matrix

Vertical columns: the four objectives

  • strategic
  • operations
  • reporting
  • compliance

Horizontal rows: the 8 components of ERM

  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information & Communication
  • Monitoring

Third dimension: the entity's units

  • ENTITY-LEVEL
  • DIVISION
  • SUBSIDIARY
  • BUSINESS UNIT

EFFECTIVENESS

  • The eight components of ERM are the criteria for effective enterprise risk management
  • Whether an entity's enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight components are present and functioning effectively
  • The eight components of ERM will not function identically in every entity

Limitations

  • In reality, human judgment in decision making can be faulty
  • Decisions on responding to risk and establishing controls need to consider the relative costs and benefits
  • Breakdowns can occur because of human failures such as simple errors or mistakes
  • Controls can be circumvented by collusion of two or more people
  • Management has the ability to override enterprise risk management decisions

Encompasses Internal Control

Internal control is an integral part of enterprise risk management

Roles and Responsibilities

Everyone in an entity has some responsibility for enterprise risk management.