Session 2. The COSO ERM Framework in Detail


The COSO ERM Framework in Detail

COSO: Committee of Sponsoring Organizations
• In response to Congressional and SEC criticism in the mid-1980s, a group of five private accounting firms created a commission to study accounting fraud and write a report.
– James Treadway (former SEC Commissioner) was chairman.
– The Treadway Commission recommended that its sponsoring organizations create guidelines for an accounting system that would be able to detect fraud.
COSO: Committee of Sponsoring Organizations (Continued)
• The Committee of Sponsoring Organizations extended its original framework to include enterprise risk management (ERM).
• The COSO ERM framework:
– Satisfies the regulatory requirements related to financial reporting required by FCPA and SOX.
– Is widely used.

How does COSO define ERM?
• “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

• Source: See page 2 of COSO, “Summary of Enterprise Risk Management—Integrated Framework,” 2004, www.coso.org/documents/coso_erm_executivesummary.pdf.

Key Points of ERM
• Process
• Top to bottom involvement
• Includes strategy as well as tactics
• From corporate level all the way to units
• Identify, assess, respond
• Explicit risk appetite
• Reporting system

The COSO ERM Framework: Three Dimensions
• Level of the organization
– Entity level; division; business unit; and subsidiary
• Categories of objectives
– Strategic; operations; reporting; and compliance
• Risk management components
– See next slides.

The COSO ERM Components
• 1. Internal environment
– Mission and vision
– Culture
– Risk appetite
• 2. Objective setting
– Explicit objectives set at all levels in organization

The COSO ERM Components (Continued)
• 3. Risky event identification
– An event is something that affects the achievement of an objective
• 4. Risky event assessment
– How likely?
– How bad?

The COSO ERM Components (Continued)
• 5. Risky event responses
– Responses include prevention
– Should correspond with the previously identified risk appetite
– Should consider the portfolio of risky events and not just each event in isolation

The COSO ERM Components (Continued)
• 6. Control activities
– Ways to ensure that people apply the previously identified responses—handbooks, guidelines, policies, etc.
• 7. Information & Communication
– Reliable and timely information regarding risk events and responses
• 8. Monitoring

How to Categorize Risk?
• No single set of categories is best for all companies.
• Following is a set of categories that are widely used.

Seven Major Categories of Risk
• 1. Strategy and reputation:
– Include competitors’ actions, corporate social responsibilities, the public’s perception of its activities, and reputation among suppliers, peers, and customers.
• 2. Control and compliance:
– Include regulatory requirements, litigation risks, intellectual property rights, reporting accuracy, and internal control systems.

Seven Major Categories of Risk (Continued)

• 3. Hazards:
– Fires, floods, riots, acts of terrorism, and other natural or man-made disasters.
– All downside, no upside.
• 4. Human resources:
– Risk related to recruiting, succession planning, employee health, and employee safety.

Seven Major Categories of Risk (Continued)

• 5. Operations:
– Risk events include supply chain disruptions, equipment failures, product recalls, and changes in customer demand.
• 6. Technology:
– Risk events related to innovations, technological failures, and IT reliability and security.

Seven Major Categories of Risk (Continued)

• 7. Financial management:
– Foreign exchange risk.
– Commodity price risk.
– Interest rate risk.
– Project selection risk.
– Liquidity risk.
– Customer credit risk.
– Portfolio risk.

What are some actions that companies can take to minimize or reduce risk exposures?

• Transfer risk to an insurance company by paying periodic premiums.
• Transfer functions which produce risk to third parties.
• Share risk with a third party by using derivatives contracts to reduce input and financial risks.

What are some actions that companies can take to minimize or reduce risk exposures? (Continued)

• Take actions to reduce the probability of occurrence of adverse events.
• Take actions to reduce the magnitude of the loss associated with adverse events.
• Avoid the activities that give rise to risk.

Questions?
