COSO Slides

COSO Enterprise Risk
Management – Integra5ng
with Strategy and
Performance
AFERM Summit
November, 2017
1
Agenda
1 Introducing 2 Why update 3 What has 4 What does 5 More

COSO the changed? it mean for information
Framework you?
now?
COSO recognizes the growing expectation of

organizations to manage, in an integrated and
cohesive manner, risks emanating from across
an enterprise.
Robert B. Hirth Jr., COSO Chair
COSO Enterprise Risk Management Framework - Integrating with Strategy and Performance 2
Introducing COSO

3
Updating one of the world’s most widely used
risk management frameworks
2004 Publication 2017 Publication
Other COSO publications
What prompted the
Framework update?

5
What are risk and business professionals
saying?
I want to reduce
performance
variability and
As an I need insights When I develop
respond more my strategy, I
innovative quickly to that help me
company, I understand risks want to have a
opportunities full picture of
want to use and
risk to create opportunities the potential
I want an ERM and evaluate risks and the
value and not
Framework that strategic options capabilities I
only to protect
drives improvements need to create
value
to business functions advantage
beyond risk
avoidance
Why update the ERM framework now?
•  Boards are expecting more from their

organization’s ERM practices and
capabilities
•  Stakeholders are seeking greater

transparency and accountability
•  Business environments are

increasingly complex, technologically
driven, and global
•  There is a need to incorporate lessons

learned from recent events and the bar is
rising
•  Risk professionals are looking for a more

up to date resource describing ERM
concepts Since 2004, the market has continued to
evolve and the COSO Framework is
•  The range of ERM practices continues to evolving with it.
evolve
What’s changed?

8
Introducing the 10 key changes to the
2017 Framework

A new framework structure Explores the different
benefits of ERM
A focus on integrating risk Suite of new graphics

management highlighting the relationship
between risk and
performance
Written from the Deeper discussions on

perspective of the business challenging topics
Explores management of Addresses the evolving role

risk at all altitudes of the of technology
organization
Greater emphasis on Coming soon: Compendium

culture of Example
9
A new framework structure

The graphic symbolizes the dynamic, integrated nature of ERM that begins with the mission,
vision and core values of the organization through to the creation of enhanced value.
5 Components that align to

the business life cycle 20 Supporting principles that
collectively describe the ERM
Framework
The new Framework adopts a components
and principles structure
Explores the benefits of ERM
Reducing
•  Enterprise risk management nega5ve
frameworks are as varied as outcomes
the organizations they
support. Enhancing
Iden5fy and
manage risks
enterprise
•  In their infancy, many resilience
en5ty-wide
frameworks focus on
reducing negative surprises ERM
and identifying entity-wide Beneﬁts
risks.
Improving Increasing the
•  Boards, senior management resource range of
and stakeholders are deployment opportuni5es
increasingly expecting ERM
Reducing
to go further to deliver performance
greater benefits. variability

Ques5on 1:

During the development of the ERM Framework, we heard
repeated calls for a closer link with risk and strategy. Do you feel:
a) it is time to get risk at

the strategic planning
table
b) many are still trying to

find their way in this
conversation
c) this is a wasted effort

and nothing will change
at the strategy level
Focusing on integrating risk and strategy

81% of the greatest

losses in
Opera5onal Compliance Strategic External
shareholder value
since 2002 were
•  Strategic blunders account for a
majority of the losses in shareholder value attributable to
compared to operational events, incidents or
compliance failures ‘strategic blunders’
•  Research suggests that organizations are
looking to strengthen the integration *U.S. public companies around the world with at least US$1 billion in enterprise
between strategy and enterprise risk value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle and
Pencavel, “The Lesson in Lost Value” Strategy+Business, November, 2012
management
Focusing on integrating risk and strategy
The updated Framework elevates the discussion of integrating strategy and risk through
three different dimensions
1.  The possibility of strategy not aligning with mission, vision and core values
2.  The implications from the strategy chosen
3.  Risk to strategy and performance
Ques5on 2:

We've been getting lots of input about the need to bring risk
considerations into decision-making. Would you say that is:
a) a widely held view
b) necessary but far

from reality
c) a voice from the

louder minority
New graphics depict the alignment between
risk and performance
Questions for your organization Business objective: Increase sales
Is the risk assumed by the

entity, when setting Acceptable Variation
performance targets,
understood?
Risk Curve
What assumptions inform

the shape of the risk curve? Amount of Risk Risk Appetite
Do existing key indicators Where on the curve should

demonstrate movement ERM focus?
along the curve?
What level of performance

is assumed when Performance Target Number of
assessing impact and Units Sold
likelihood?
Explores managing risk at all altitudes of the
organization
Entity Strategy
The Framework highlights that
risks emanate and must be
managed at all levels of the
organization.
Entity Level Business Entity Level Business
Objective 1 Objective 2
The Framework also addresses
how risks can change in
severity and prioritization
at different levels of the
organization Business Business Business
Objective 1 Objective 2 Objective 3
Risk 1 Risk 2 Risk 3 Risk 4
Written from the perspective
of the business
Quem graecis quali sque

The framework was written from the perspective no nam, cu enim necessi
tatibus usu. Aeque urb
of the business to facilitate the integration of
anitas delicatissimi amet,
ERM consect etu ipsum dolor.
•  Research has confirmed that there is often a ‘siloed’ or

incremental approach to risk management that
is separate from the day to day management of an
organization
•  The lack of integration can contribute to difficulties

engaging with the business, the ability to gain and
offer insight and ultimately curbs the value that
ERM can offer
•  The Framework endeavors to remove risk ‘jargon’

and adopts the language of business to discuss concepts
and practices
How the Framework addresses culture
Culture now features in the definition of ERM and is part of the

Framework’s Governance and Culture Component
Principles on culture are now more focused on decision-

making and the alignment to expected behaviors in line with the
core values of the organization
The importance of aligning the core values and risk

appetite of the organization to promote consistent and risk-
based decision making
Discussions on the importance and commitment to integrity

and ethics have been retained in the COSO Internal Control
Integrated Framework
Compendium of Examples
A compendium of examples is also

being developed. The proposed
compendium will illustrate:
•  All principles
•  A variety of entity sizes from global

through to national, regional, and
local entities
•  A variety of industry types
•  Actual company practices and be

Coming Soon…. augmented with expected practices in
select areas, as needed
Coming Soon •  Written from the perspective of
the business
What does this mean for
you and your
organization?
22
Ques5on 3:

Where do you see yourself choosing to focus with regards to the
Framework’s adoption?
a) risk's relevance to
strategy
b) risks relationship to
performance
c) culture's consideration
of risk
d) I have no idea or don’t

plan to do anything with
my program
Where to next?
Encourage your risk professionals to: Challenge your organization to not:

•  Sync with the language of business in your •  View ERM simply as a function, team or
organization department
•  Understand how organization creates, •  Consider ERM to be a stand alone, periodic
realizes and preserves value and the risk assessment or heat map
supporting assumptions •  View GRC technology as the entire approach
•  Develop a clear understanding of where ERM for implementing ERM
is integrated
More information

25
Staying involved
Access the Framework at www.coso.org
Thank you

COSO Slides

Uploaded by

Copyright:

Available Formats

COSO Slides

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

COSO Slides

Uploaded by

Copyright:

Available Formats

COSO Enterprise Risk

1 Introducing 2 Why update 3 What has 4 What does 5 More

COSO recognizes the growing expectation of

2004 Publication 2017 Publication

Other COSO publications

• Boards are expecting more from their

• Stakeholders are seeking greater

• Business environments are

• There is a need to incorporate lessons

• Risk professionals are looking for a more

A focus on integrating risk Suite of new graphics

Written from the Deeper discussions on

Explores management of Addresses the evolving role

Greater emphasis on Coming soon: Compendium

5 Components that align to

a) it is time to get risk at

b) many are still trying to

c) this is a wasted effort

81% of the greatest

a) a widely held view

b) necessary but far

c) a voice from the

Is the risk assumed by the

What assumptions inform

Do existing key indicators Where on the curve should

What level of performance

Risk 1 Risk 2 Risk 3 Risk 4

Quem graecis quali sque

• Research has confirmed that there is often a ‘siloed’ or

• The lack of integration can contribute to difficulties

• The Framework endeavors to remove risk ‘jargon’

Culture now features in the definition of ERM and is part of the

Principles on culture are now more focused on decision-

The importance of aligning the core values and risk

Discussions on the importance and commitment to integrity

A compendium of examples is also

• A variety of entity sizes from global

• A variety of industry types

• Actual company practices and be

d) I have no idea or don’t

Encourage your risk professionals to: Challenge your organization to not:

Access the Framework at www.coso.org

You might also like

•  Boards are expecting more from their

•  Stakeholders are seeking greater

•  Business environments are

•  There is a need to incorporate lessons

•  Risk professionals are looking for a more

•  Research has confirmed that there is often a ‘siloed’ or

•  The lack of integration can contribute to difficulties

•  The Framework endeavors to remove risk ‘jargon’

•  A variety of entity sizes from global

•  A variety of industry types

•  Actual company practices and be