COSO ENTERPRISE RISK MANAGEMENT
Enterprise risk management
Uncertainty
All entities face uncertainty
- the challenge for management is
to determine how much uncertainty to accept as it strives to grow stakeholder value
presents both risk and opportunity
Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities
Improving deployment of capital
Events – Risks and Opportunities
Events can have:
Definition: Enterprise Risk Management
A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories
Achievement of Objectives
Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
safeguarding of resources
Achievement of strategic
objectives and operations objectives is subject to external events not always within
the entity’s control
Components of Enterprise Risk Management
Internal Environment
Objective Setting
Event Identification
Risk Assessment –
Risk Response –
Control Activities –
Information and Communication –
Monitoring –
Relationship of Objectives and Components
There is a direct relationship between objectives
and enterprise risk management components
The relationship is depicted in a three-dimensional matrix
Vertical columns:
Third dimension
Horizontal column
four objectives:
- strategic
- operations
- reporting
- compliance
8 components of ERM
Internal Environment
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Entity's units
BUSINESS UNIT
SUBSIDIARY
DIVISION
ENTITY-LEVEL
EFFECTIVENESS
- The components of ERM are a criteria
for effective enterprise risk management
Limitations
- Negative impact- risks
- Positive impact opportunities
- or both
- The eight components of ERM will not function identically in every entity
To determine if an entity’s enterprise risk
management is “effective” is a judgment resulting from an assessment of whether the eight
components are present and functioning effectively
- In reality, human judgment in
decision making can be faulty
- Decisions on responding to risk and establishing controls need to consider the relative costs and benefits
- Breakdowns can occur because of human failures
such as simple errors or mistakes
- Controls can be circumvented by collusion of two or more people
- Management has the ability to override enterprise risk management decisions
Encompasses Internal Control
Internal control is an integral part of enterprise risk management
Roles and Responsibilities
Everyone in an entity has some responsibility for enterprise risk management.