Coso Erm 2017

Enterprise Risk Management
Integrating with Strategy and Performance
Dr. Sandra B. Richtermeyer, PhD, CPA, CMA
COSO Board Member
Dean of the Manning School of Business
University of Massachusetts Lowell - USA
New ERM Framework – Focus on Integration
Two COSO Frameworks
• Internal Control Integrated Framework
• Enterprise Risk Management Framework

Both focus on
• Thought leadership
• Organizational improvement

Integrity and Ethical Values are CRITICAL
• Consistent with most organizational values
• Fundamental to our culture, interactions
• Integral to professionalism as a person
• Integral to accounting profession as an expected core behavior
• Provides confidence in you by others
• Foundational to COSO
• Accountability is a consequence
• NOT EASY
Cover Story…

COSO Announces Project to Update Enterprise Risk Management–Integrated Framework…
• NEW YORK, October 21, 2014 -- The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) today announced a project to review and update the 2004
Enterprise Risk Management–Integrated Framework (Framework).
• The Framework, originally published in 2004, is a widely accepted framework used by
management to enhance an organization’s ability to manage uncertainty and to consider
how much risk to accept as it strives to increase stakeholder value.
• This initiative is intended to enhance the Framework’s content and relevance in an
increasingly complex business environment so that organizations worldwide can attain
better value from their enterprise risk management programs. The initiative also will
develop tools to assist management in reporting risk information and in reviewing and
assessing the application of enterprise risk management.
Why Update the Framework?
• Concepts and practices have evolved
• Lessons learned
• Bar raised with respect to enterprise risk management
• Business and operating environments more complex, technologically
driven, and global in scale
• Stakeholders more engaged, seeking greater transparency and
accountability
• Risk discussions increasingly prominent at the board level

Key takeaway from ERM update process: global interest and application have increased significantly!

U.S. Securities & Exchange Commission (SEC) Proxy Requirement…
Boards are required to disclose items related to leadership structure and the board’s role in risk oversight. The rules require disclosure about:
• A company's board leadership structure, including whether the company has combined or separated the chief executive officer and chairman position, and why the company believes its structure is the most appropriate for the company at the time of the filing.
• In certain circumstances, whether and why a company has a lead independent director and the specific role of such director.
• The extent of the board's role in the risk oversight of the company.
Why a title change?
• Retitles the framework with integration as a key feature
• Recognizes the importance of strategy and entity performance
• Delineates between internal control and enterprise risk management
• Integrates enterprise risk management with decision making

The Strategic Value of Enterprise Risk Management
• Increases the range of opportunities
• Identifies and manages entity-wide risks
• Reduces surprises and losses
• Reduces performance variability
• Improves resource deployment
• Anticipates, identifies, adapts, and responds to change

A Key Introduction…
• Our understanding of the nature of risk, the art and science of choice, lies at the core of our modern market economy.
• Every choice we make in the pursuit of objectives has its risks. From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our organizational lives.

The Project Update Goals
• Provide insight into strategy and the role of ERM when setting and executing
strategy
• Enhance alignment between performance and ERM
• Accommodate expectation for governance and oversight
• Recognize globalization and need to apply a common but tailored approach
• Present new ways to view risk in setting and achieving objectives in the
context of greater complexity
• Expand reporting to address greater transparency
• Accommodate evolving technology
Project Governance
(Governance structure: COSO Board, PwC Project Team, Advisory Council, Observers)
• The Advisory Council is comprised of senior executives, academics and professional risk practitioners
• Observers include representatives from regulators and industry associations
ERM Update Approach and Timing
• Assess and Envision: Q3 2014
• Build and Design: Q4 2014
• Public Exposure: Q2 2016
• Finalization: Q4 2016 - Q2 2017

What is Included in Update?
• Revises the 2004 Enterprise Risk Management–Integrated Framework
• Includes both the core Framework and related Executive Summary
• The Application Techniques volume is not being updated
• Additional thought leadership will be considered by COSO in the future
What is Available Now?
• Executive Summary
• FAQ document
• Draft Framework
• Numerous articles
• Accounting/consulting firm publications

Top Changes to the Framework
1. Updates components and adopts principles
2. Simplifies definitions
3. Emphasizes value
4. Renews the focus on integration
5. Examines role of culture
Top Changes to the Framework, continued
6. Elevates discussion of strategy
7. Enhances alignment with performance
8. Links with decision making
9. Delineates enterprise risk management from internal control
10. Refines risk appetite and acceptable variation in performance
1. Updates Components and Adopts Principles

2. Simplifies Definitions
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives (or will not occur).
Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
3. Emphasizes Value
• Enhances the focus on value – how entities create, preserve, and realize value
• Embeds value throughout the framework, as evidenced by its:
– Prominence in the core definition of enterprise risk management
– Extensive discussion in principles
– Linkage to risk appetite
– Focus on the ability to manage risk to acceptable levels
4. Renews the Focus on Integration
• Integrates enterprise risk management with other business processes: governance processes, strategy setting, objectives setting, and performance management
• Focuses on applying enterprise risk management at various levels of the organization (e.g. entity level, business unit, division)

5. Examines the Role of Culture
• Addresses the growing focus, attention and importance of
culture within enterprise risk management
• Influences all aspects of enterprise risk management
• Explores the relationship with culture in the context of:
– Risk governance
– Oversight of the entity
– Connection between framework Components
• Depicts the behavior within a risk spectrum from risk averse to risk aggressive
• Affects the entity’s decision making
• Explores the alignment of culture between individual and entity behavior

6. Elevates Discussion of Strategy
• Explores enterprise risk management and strategy from three different perspectives:
– The possibility of strategy and business objectives not aligning with mission, vision and values
– The implications from the strategy chosen
– Risk to executing the strategy

7. Enhances Alignment with Performance
• Enables the achievement of business objectives by actively managing risk and performance
• Focuses on how risk is integral to performance by:
– Exploring how enterprise risk management practices support the identification and assessment of risks that impact performance
– Discussing acceptable variations in performance
• Manages risk in the context of achieving business objectives, not as individual risks
• Seeks to enhance the integrated reporting on risk and performance
7. Enhances Alignment with Performance, continued
(Figure: Illustrative Risk Profile)
• Introduces a new depiction referred to as a risk profile
• Incorporates:
- Risk
- Performance
- Risk appetite
- Risk capacity
• Dynamic and comprehensive view of risk
• Enables more risk-aware decision making
• Provides a complete depiction of how to build a risk profile
8. Links into Decision Making
(Diagram: Risk Aware Decision Making, shaped by Assumptions, Risk Profile, Risk Appetite, Business Context, Culture and Strategy)
• Explores how enterprise risk management drives risk aware decision making
• Highlights how risk awareness optimizes and aligns decisions impacting performance
• Explores how risk aware decisions affect the risk profile
Incrementalism…
How would you like to meet more of your objectives more of the time?

9. Delineates Between Enterprise Risk Management and Internal Control
• The document does not replace the 2013 Internal Control – Integrated Framework
• The two frameworks are distinct and complementary
• Both use a components and principles structure
• Aspects of internal control common to enterprise risk management are not repeated
• Some aspects of internal control are developed further in this framework
10. Refines Risk Appetite and Acceptable Variation in Performance
Risk Appetite: The amount of risk, on a broad level, an organization is willing to accept in pursuit of value
Acceptable Variation in Performance: The boundaries of acceptable outcomes related to achieving business objectives
Public Exposure Period
• June 15, 2016 – September 30, 2016
• Allowed for the development of awareness and acceptance by the public
• Provides the ability to gain input across:
- Geography
- Industry
- Risk disciplines
• Included Executive Summary, Framework & Appendices
Public Comments
• Integral to the COSO framework revision process
• Enhances confidence by regulators
• Leverages other good thinking
• Provides non-US perspective
• Challenges our assumptions
• Provides confirmation
• Creates improvement
Summary of Public Exposure Feedback
Survey responses:
• Over 200 survey responses – double that of the Internal Control-Integrated Framework update
• Over 70% of responses from individuals, who are often less inclined to write letters
• Over 50% of participation outside of North America
• Almost 50% of those responding had affiliations beyond COSO memberships
• Almost 50% of respondents had 10 or more years of risk management experience
• Positive ratings outnumbered negative ratings by 4.5:1
Comment letters:
• 48 letters received – many of which demonstrated considerable investment
• Comments on concepts (flawed, missing, unnecessary) collectively represented less than 15% of the total number of comments received
• Greatest number of comments requested clarity of drafted content versus adding/deleting content
Downloads of the updated Framework
• Almost 10,000 downloads of the document during the public exposure period
• Strong international interest in the Update, with 46% of the downloads occurring outside North America
• Widespread interest across industries
• Proportional interest between private and public companies
• Risk management and internal audit roles combined to represent 40% of total downloads

Feedback to the PwC Project Team
Four channels for capturing input represented the most diverse approach undertaken for any COSO project, consisting of:
• Survey feedback provided through the website
• Letters provided by associations, companies, and individuals
• Meetings, Conferences, Seminars attended by the PwC Project Team, providing direct feedback on the update
• Social Media outreach with over 3 million connections
Key Areas of Feedback Related to:

– Culture
– Decision-making
– Definitions
– Integration of ERM
– Risk assessment
– Risk information
– Strategy
Timeline of Public Exposure Period Activities
• Public Exposure Period: Draft framework released for comment and survey launched
• Public Exposure Comment Analysis: PwC Project Team analyzes surveys and comment letters
• Framework Revisions: PwC Project Team revises framework
• Framework Release: The COSO Board approves the final framework and publishes

What Might Change…
• # of Principles
• Graphics
• Linkage to internal control
• Definitions
• Change “Execution”
• More integration explanation
• “Wordsmithing”
What’s Not Likely to Change…
• Integration with strategy setting
• Board oversight
• Link to performance
• Use in decision-making
• Components and principles structure
• Risk profiles concept
• “DNA” embedded- not a function
• Examples compendium (not in public comment)
COSO Can Help ALL Organizations!
A Suitable Model Everywhere…
It’s All About Performance …