Enterprise Risk ManagementThe COSO Framework:

A Primer and Tool for the Audit Committee

PURPOSE OF THIS TOOL: Historically, risk management efforts in most organizations have been
focused on preventing losses of physical or financial assets at the operational level. However,
organizations now recognize the linkage between governance, enterprise risk management (ERM), and
organization performance.
ERM is an attempt to manage risk in a comprehensive manner that is aligned with the strategic direction
of the organization and integrated with the everyday management of the organization. Many
organizations, their boards, and audit committees are beginning to view risk management from this
strategic perspective and consider risk management oversight to be a critical element of governance.
This tool is intended to give boards an overview of ERM, its opportunities and limitations, the relationship
between ERM and internal control, and the roles and responsibilities for risk management in the
organization. Importantly, ERM is a management responsibility, subject to oversight of the board of
directors.

ERM PrimerBasics of ERM and its Relationship to Internal Control

In September 2004, the Committee of Sponsoring Organizations1 of the Treadway Commission (COSO)
published a document called Enterprise Risk ManagementIntegrated Framework,2 which defined ERM
as follows:
Enterprise risk management is a process, effected by an entitys board of directors, management and other
personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

The ERM framework is geared to achieving an organizations objectives, set forth in the following four
categories:
1. Strategic. High-level goals, aligned with and supporting its mission.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) consists of the AICPA, the
Institute of Management Accountants, the Institute of Internal Auditors, Financial Executives International, and the
American Accounting Association.
2
The COSO publication Enterprise Risk ManagementIntegrated Framework (product code no. 990015), may be
purchased through the AICPA store at www.cpa2biz.com. The proceeds from the sale of the framework are used to
support the continuing work of COSO.
1

Copyright 2010. AICPA Inc. All Rights Reserved.

Permission is granted to download the tools and tailor or customize for internal use.

27

The AICPA Audit Committee Toolkit: Not-for-Profit Organizations

2. Operations. Effective and efficient use of its resources.

3. Reporting. Reliability of reporting.
4. Compliance. Compliance with applicable laws and regulations.
The COSO ERM framework consists of eight interrelated components as follows:
1. Internal environment. The internal environment sets the foundation for how risk is viewed and
addressed by an organizations people, including risk philosophy and risk appetite, integrity and ethical
values, and the environment in which they operate.
2. Objective setting. Objectives must exist before management can identify potential risks affecting their
achievement. ERM ensures that management has in place a process to set objectives and that the
chosen objectives support and align with the entitiys mission and are consistent with its risk appetite.
3. Event identification. Internal and external events affecting the achievement of an organizations
objectives must be identified, distinguishing between risks and opportunities.
4. Risk assesment. Risks are analyzed, considering likelihood and impact, as a basis for how they should
be managed. Risks are assessed on an inherent and residual basis.
5. Risk response. Management selects risk responsesavoiding, accepting, reducing, or sharing risk
developing a set of actions to align risks with the organizations risk tolerances and risk appetite.
6. Control activities. Policies and procedures are established and implemented to help ensure the risk
responses are effectively carried out.
7. Information and communication. Relevant information is identified, captured, and communicated in a
form and time frame that enables people to carry out their responsibilities. Effective communication
also occurs in a broader sense, flowing down, across, and up the organization.
8. Monitoring. The entire ERM process is monitored and modifications are made as necessary.
Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
ERM is not a serial process, but a multidirectional iterative process with the eight components impacting
each other. Likewise, the eight components will not function identically in every organization. Application in
small and medium-sized organizations likely to be less formal and less structured.
The components are the criteria for the effectiveness of ERM. When each of the eight components is
determined to be present and functioning effectively, and risk has been brought within the organizations
risk appetite, management and the board of directors have reasonable assurance that they understand the
extent to which each of the four categories objectives is being achieved by the organization.

Relationship Between COSO Enterprise Risk ManagementIntegrated Framework and

Internal ControlIntegrated Framework
28

In 1992, COSO published a document called Internal ControlIntegrated Framework,3 which established a
comprehensive framework for internal control. In 2006, COSO issued its publication Internal Control over
Financial ReportingGuidance for Smaller Public Companies,4 which provides guidance on how to apply
the original framework, particularly as it relates to the objectives of financial reporting.

Internal ControlIntegrated Framework remains in place as a tool for evaluating internal control by itself
and is also encompassed within ERM. The relationship between internal control and ERM is possibly best
captured by the phrase: you can have effective internal control without effective enterprise risk
management, but you cannot have effective enterprise risk management without effective internal control.
Internal control is an integral part of ERM, which is a broader conceptual tool, expanding and elaborating
on internal control, focusing more fully on risk, especially as it relates to strategic considerations.
Certain of the key areas where the ERM framework expands on the internal control framework include the
following:
Objectives. The internal control framework specifiec three categories of objectivesoperations, financial
reporting, and compliance. The ERM framework adds strategic objectives and expands the reporting
objective to cover all reports developed and disseminated internally or externally, and expands the scope to
cover nonfinancial information.
Environment. The ERM framework discusses an organizations risk management philosphy, which is the
set of shared beliefs and attitudes characterizing how an organization considers risks, and reflects its
culture and operating style.
Key components of a risk management philosophy are risk appetite and risk tolerences. Risk appetite, set
by management with oversight by the board of directors, is a broad-based conceptualization of the amount
of risk that an organization is willing to take to achieve its goals. An organizations risk appetite serves as a
guidepost for making strategic choices and resource allocation decisions that are consistent with its
established risk appetite.

The COSO publication Internal ControlIntegrated Framework (product code no. 990012), may be purchased
through the AICPA store at www.cpa2biz.com. The proceeds from the sale of the framework are used to support the
continuing work of COSO.
4
The COSO publication Internal Control over Financial ReportingGuidance for Smaller Public Companies (product
code no. 990017), may be purchased through the AICPA store at www.cpa2biz.com. The proceeds from the sale of
the framework are used to support the continuing work of COSO.
3

Copyright 2010. AICPA Inc. All Rights Reserved.

Permission is granted to download the tools and tailor or customize for internal use.

29

The AICPA Audit Committee Toolkit: Not-for-Profit Organizations

The risk appetite is supported by more specific risk tolerances that reflect the degree of acceptable
variation in executing the organizations activities. Risk tolerances are usually best measured in the same
units as the objectives that they relate to, and are aligned with the overall risk appetite.
The ERM framework also introduced the notion of taking a portfolio view of risklooking at the composite
of organization risks from a portfolio perspective. A portfolio view of risk can be depicted in a variety of
ways. A portfolio view may be gained from looking at major risks or event categories across units, or by
focusing on risk for the organization as a whole using net assets, changes in net assets, or other metrics.
Taking a portfolio view enables management to determine whether it remains within its risk appetite, or
whether additional risks should be accepted in some areas in order to enhance returns.
Risk assessment and response. In addition to considering risk from a portfolio perspective, the ERM
framework calls attention to interrelated risks, when a single event or decision may create multiple risks.
The framework also identifies four categories of risk response that are taken into consideration by
management in looking at inherent risks and achieving a residual risk level that is in line with the
organizations risk tolerances and overall risk appetite.
The following are the four risk response categories:
1. Avoidance. Not engaging in activities giving rise to the risk or exiting those activities.
2. Reduction. Any action taken to reduce risk likelihood, impact, or both.
3. Sharing. Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
Insurance products, hedging transactions, and outsourcing are common examples.
4. Acceptance. No action is taken to affect risk likelihood or impact.

Other Key Terms in ERM

You will hear a few additional terms when discussing ERM, described as follows:
Event identification techniques. An organizations event identification methodology may comprise a
combination of techniques and supporting tools ranging from interactive group workshops and process flow
analysis to technology-based inventories of potential events. These tools and techniques look to both past
trends as well as to the future. Some are industry specific; most are derived from a common approach.
They vary widely in level of sophistication and most organizations use a combination of techniques.
Risk assessment techniques. Risk assessment methodologies comprise a combination of qualitative and
quantitative techniques. An example of the use of qualitative risk assessment is the use of interviews or
group assessment of the likelihood or impact of future events. Quantitative techniques include probablistic

30

and nonprobabilistic models. Probabilistic models are based on certain assumptions about the liklihood of
future events. Nonprobabilistic models such as scenario-planning, sensitivity measures, and stress tests,
attempt to estimate the impact of events without quantifying an associated likelihood.

Roles and Responsibilities

Everyone in the organization has some role to play in ERM.
Board of directors. Authority for key decisions involving strategic direction, broad-based resource
allocation, and setting high-level objectives is reserved for the board. Ensuring that objectives are met,
determining that resources are utilized effectively, and ascertaining that risks are managed appropriately in
the execution of strategy are key functions of the board and its committees.
The boards role in providing oversight of ERM in an organization include the following:
1. Influencing and concurring with the organizations risk philosophy and risk appetite
2. Determining that overall strategy and strategic decisions are in alignment with the organizations risk
appetite and philosophy
3. Ascertaining the extent to which management has established effective ERM in the organization
4. Reviewing the organizations portfolio view of risk and considering it in relation to the organizations risk
appetite
5. Being apprised of the most significant risks and ascertaining whether management is responding
appropriately
Internal audit. If the organization has an internal audit function, its role in ERM is twofold. In addition to
identifying and evaluating risk exposures, International Standards for the Professional Practice of Internal
Auditing charge the internal audit function with the responsibility for monitoring and evaluating the
effectiveness of the organizations risk management system. In this role, internal auditors may support
management by providing assurance on the:
ERM processesboth design and function
Effectiveness and efficiency of risk responses and related control activities
Completeness and accuracy of ERM reporting
This responsibility for evaluating the effectiveness of the organizations risk management efforts requires
the internal audit function to maintain its independence and objectivity. Accordingly, best practice from a
governance perspective would suggest that reporting responsibility for the risk function be a management
responsibility that is separate from internal audit.

Copyright 2010. AICPA Inc. All Rights Reserved.

Permission is granted to download the tools and tailor or customize for internal use.

31

The AICPA Audit Committee Toolkit: Not-for-Profit Organizations

Limitations of ERM
Effective ERM will provide reasonable assurance to management and the board of directors regarding the
achievement of an organizations objectives. However, achievement of objectives is affected by limitations
inherent in any management process and the inherent uncertainty of all human endeavor.
The role and reality of human judgement in all aspects of management, including the selection of
appropriate objectives, the inevitability of some degree of failure or error, and the possibility of collusion or
management, override of the process are all limiting factors. Another important limitation that must be
considered is the cost of various risk response alternatives in relation to their projected benefits.

Conclusion
This primer should have given you a sense of what is meant by ERM and what the responsibilities of a
board of directors and audit committee are with respect to risk management within an organization.
Whereas some risk management practices and techniques are complex and sophisticated, the overall
concept of ERM is not. Essentially, COSO ERM is a robust comprehensive framework that organizations,
management, and boards can use to effectively manage risks and opportunities in line with strategic
choices.
Much of what is encompassed in ERM are board and management responsibilities that have previously
been carried out intuitively or in a manner less comprehensive and systematic than is comtemplated by an
enterprise approach.
All organizations from small single unit organizations to large multinationals face myriad risks and
opportunities in a rapidly changing world. Whether large or small, local or global, a more explicit, enterprise
approach to risk management can help an organization maximize its opportunities while avoiding
unnecessary pitfalls or surprises.

Enterprise Risk ManagementThe COSO Framework: A Tool for Strategic Oversight

The following tool, Enterprise Risk ManagementThe COSO Framework: A Tool for Strategic Oversight,
contains questions modeled on the framework in the COSO report, Enterprise Risk Management
Integrated Framework.

32

Enterprise Risk ManagementThe COSO Framework:

A Tool for Strategic Oversight5
PURPOSE OF THIS TOOL: This tool is created around the eight interrelated components of the COSO
ERM Framework.* Refer to Enterprise Risk ManagementThe COSO Framework: A Primer and Tool
for the Audit Committee for a discussion of the components.
When each of the eight components is determined to be effective in each of the four categories of
objectives, the board of directors and management have reasonable assurance that they understand the
extent to which the organizations strategic and operations objectives are being achieved and that the
organizations reporting is reliable and that applicable laws and regulations are being complied with.
INSTRUCTIONS FOR USING THIS TOOL: Within each section is a series of questions that the audit
committee should focus on to assure itself that each of the components of the enterprise risk
management is present and functioning properly.
These questions should be discussed in an open forum with the individuals that have a basis for
responding to the questions. The audit committee should ask for detailed answers and examples from
management team, including key line and staff managers as well as members of the financial
management, risk management, and internal audit teams to assure itself that the enterprise risk
management function is operating as management represents.
Evaluation of the risk management process is not a one-time event, but rather a continuous activity for
the audit committeethe audit committee should always be alert for potential deficiencies, and should
continually probe the responsible parties regarding risks and opportunities. These questions are written
in a manner such that a No response indicates a weakness that must be addressed.

* The questions in this tool are adapted from the Committee of Sponsoring Organizations of the Treadway
Commissions (COSOs) Enterprise Risk ManagementIntegrated Framework (product code no. 990015), published
September 2004, by COSO. It may be purchased through the AICPA store at www.cpa2biz.com. The proceeds from
the sale of the framework are used to support the continuing work of COSO.
5

COSO Framework
Internal Environment
1. Are the audit committees responsibilities for
strategic oversight of risk assessment and risk
management defined in its charter?
2. Is the organizations philosophy for managing
risk articulated in a comprehensive code of
conduct and/or other policies addressing
acceptable practices and expected
behavior?
3. Is the risk appetite for the organization
formally articulated in qualitative and/or
quantitative terms?
4. Is the risk appetite consistent with the stated
risk management philosophy and aligned
with the organizations strategy?
5. Is the risk management approach of the
organization consistent with the strategy,
structure, and delegation of authority and
responsibility in the organization (that
is, is the approach to risk assessment
and response and the resulting portfolio
view appropriate in the context of these
dimensions)?
Objective Setting
1. Has the board established high-level
objectives that are consistent with the strategic
direction, key strategic options, and risk
appetite for the organization?
2. Has the board identified critical success
factors, relevant performance measures,
milestones, and risk tolerances for the
achievement of the organizations strategic
objectives?
3. Has the board identified breakpoints and/

Yes

No

Not
Sure

Comments

COSO Framework

Yes

No

Not
Sure

Comments

or risk tolerances that will trigger board

discussion of potential need for intervention or
modification of strategy?
(continued)
Objective Setting (cont.)
4. Has management established operations,
reporting, and compliance objectives that are
aligned with the overall strategic objectives?
5. Does the board have a relevant and timely
progress reporting mechanism in place
to monitor implementation of the strategy
consistent with the risk philosophy and
within the established risk appetite for the
organization?
Event Identification
1. Has management employed a systematic
approach in the identification of potential
events that could affect the organization?
2. Is the categorization of events across the
organization, vertically through operating
units, by type, by objective, and so on,
appropriate to the organization and
consistent with the risk philosophy and
appetite of the organization?
Risk Assessment
1. Has management conducted a systematic
assessment of the likelihood and impact of
all events with the potential for significant
impact on the organization?
2. Has management sufficiently considered the
interdependency of potentially related events
in its event identification and risk assessment
process?

COSO Framework
Risk Response
1. Has management adopted an appropriate
and cost effective array of risk responses at
the activity level of the organization to reduce
inherent risks to levels in line with established
risk tolerances?
Risk Response (cont.)
2. Has management taken a portfolio view to
assure that the selected risk responses have
reduced the organizations overall residual risk
to a level within the identified risk
appetite for the organization?
3. If the residual risk level at the organization
level is below the organizations risk appetite,
has management provided incentives in
appropriate target areas to enhance the
organizations overall performance?
Control Activities
1. Has management implemented adequate
control activities throughout the organization
to assure that its risk responses are carried
out properly and in a timely manner?
Information and Communication

Yes

No

Not
Sure

Comments

COSO Framework

Yes

No

Not
Sure

Comments

1. Do the organizations management

information systems capture and provide
reliable, timely, and relevant information
sufficient to support effective enterprise risk
management?
2. Have adequate communication vehicles
been implemented to assure that relevant
risk related information is communicated
by front-line employees upward in the
organization and across its units or
processes?
Monitoring
1. Are sufficient ongoing monitoring activities
built into the organizations operating
activities and performed on a real-time
basis to allow for appropriate reaction to
dynamically changing risk conditions?
(continued)
Monitoring (cont.)
2. Has evaluation of the enterprise risk
management process, either in its entirety,
or specific aspects, been given adequate
consideration in the scope of the monitoring
activities including internal audit work, if
applicable?
3. Have all deficiencies in risk management
processes identified as a result of ongiubg
monitoring activities, or by the internal audit
work, been communicated to the appropriate
levels of management and/or the board?
4. Have all deficiencies and recommendations
for improvement in risk management
processes been addressed and appropriate
corrective actions taken?