
New Lessons on COSO ERM Framework

Eligible for Testing April 2, 2018

efficientlearning.com/cpa

April 2, 2018
Dear CPA Exam Candidate,
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently
released the ERM Framework: Enterprise Risk Management—Integrating with Strategy
and Performance. The new framework integrates risk management into strategy building,
acknowledging that risk consideration and management is integral to strategy and the entire
business cycle.
This framework, released in September 2017 and the first new framework in 13 years, is
eligible for testing on the BEC section of the CPA Exam on April 2, 2018.
To address this change, we are replacing two lessons (The COSO ERM Model, Risk
Management Policies and Procedures) with seven new lessons to fully cover the new
framework. In advance of the next courseware release, planned for May 2018, we are
releasing the new lessons here to provide immediate access to this vital information.
If you are preparing to take the BEC exam on or after April 2, 2018, we urge you to study the
new lessons provided in this pdf. Please look for another announcement in late May when
the new lessons have been integrated into the Wiley CPAexcel online course, test bank, and
study guides.
We are here to support you 100% of the way. Please contact us at any time with your
questions and feedback.

The Team at Wiley CPAexcel

TABLE OF CONTENTS

1. Introduction to Enterprise Risk Management: Strategy and Risk
2. ERM Components, Principles, and Terms
3. ERM Governance and Culture
4. ERM Strategy and Objective Setting
5. ERM Performance, Review, and Communication
6. ERM Monitoring, Review, and Revision
7. ERM Communication and Reporting

Introduction to Enterprise Risk Management: Strategy and Risk

After studying this lesson, you should be able to:


1. Describe the importance, value, and purpose of organizational ERM.
2. Describe the relationship between an organization’s mission and values, strategy selection, and
performance.
3. Describe the board of directors’ role in ERM.
4. Explain how an entity’s mission, vision, core values, and strategy relate to and support one another.
5. Define and give examples of the concepts and terminology of ERM.
6. Explain the role of ERM in strategy selection.
7. Identify some emerging opportunities in ERM.
8. Describe the relationship between risk, performance, and target performance.

I. What Is Enterprise Risk Management (ERM)?—ERM is the culture, capabilities, and practices by
which organizations manage risk to create, preserve, and realize value (performance).
A. ERM must be integrated with strategy setting and linked to organizational performance.
B. Risk is an uncertain event that will influence whether an organization achieves its strategic
business goals. That is, risk is the likelihood that performance will be different from targeted.
1. Note that COSO defines risk (counterintuitively for most people) as a neutral (i.e., neither
negative nor positive) event. Hence, to COSO, risks can be negative or positive. For example:
a. A negative risk is that the new accounting system that your company implemented
fails to work and you cannot keep track of sales and inventory (e.g., the 1999 Hershey’s
chocolate enterprise resource planning disaster).
b. A positive risk might be that your company’s servers fail because demand for your
product is so high (which occurred repeatedly in the early days of eBay).

Example
Cruise Ship Risk Identification
By assessing risks to achieving its business objectives, Purple Rain Cruises identifies
potential viral outbreaks (e.g., of influenza) while its ships are at sea as a significant
risk. Cruise ships cannot follow some accepted risk practices for viral outbreaks, such as imposing a
quarantine on passengers. Hence, Purple Rain must consider responses that can be enacted on ships
at sea.

C. Managing ERM includes focus on the following elements of an organization:


1. Entity culture—An organization’s culture is the way that people in the organization think and
behave.
a. Culture reinforces and amplifies the organization’s mission and strategy when the culture
backs these written documents with supportive actions and behaviors.
b. Culture undermines these documents when it is hypocritical (i.e., when the mission and
strategy say one thing but the organization’s culture and its leaders act inconsistently
with these documents).
2. Developing capabilities—Organizations must hire, foster, promote, and nurture skills and
competence. One critical competence is the capacity to adapt to change, including changes
in technology.
3. Adaptation and integration of ERM practices—ERM is dynamic; it requires adaptation to
special projects, new initiatives, and innovative technologies. ERM is also integrated into all
divisions, business units, and functions in an organization.
4. Integrating with strategy-setting and performance—ERM must be integrated with an
organization’s strategy, mission, and performance goals.
5. Managing risk to strategy and business objectives—Well-designed and implemented ERM
provides an entity with a “reasonable expectation” (see definition in Section IV of this lesson)
of achieving strategic goals.
a. Reasonable expectations of achieving goals are not guarantees of success. Unforeseen
events will occur; risks cannot be predicted with certainty. However, the chances of
success increase to the extent that an organization regularly reviews and revises its ERM
practices to changing conditions.
6. Linking to value through risk appetite—ERM occurs relative to an organization’s risk
appetite (defined later in this lesson). The organization’s risk appetite is reflected in its mission,
values, and strategy.
a. Differing strategies expose an entity to different risks. Risk appetite must evolve and
adapt to changing conditions. For example, a successful company will likely accept more
risk in an economic downturn than when economic conditions are favorable.
D. Correcting Some Misconceptions of ERM
1. ERM is not simply a listing of risks (this is called a “risk inventory”). ERM includes the
practices, including creating an appropriate culture, to manage risks.
2. ERM is not just for big corporations. ERM is essential for all organizations, regardless of
size or mission.
3. ERM is not the same as internal control. ERM includes a broader mandate than internal
control, in that ERM considers risk appetite and strategy as central concerns.
4. ERM cannot be an add-on activity that functions independent of the organization’s
structure and processes. Instead, ERM must be integrated into and throughout the
organization. Hence, ERM initiatives that are isolated (not integrated) are likely to be less
effective at managing dynamic risks.
II. Why Is ERM Important? What Is Its Organizational Value?
A. Expanding Opportunities—Considering risk enables management to identify new opportunities
and the challenges of existing opportunities. For example, considering the risks and opportunities
of blockchain technologies may enable management to identify new applications of those
technologies (e.g., enabling an automated multifactor security recognition system).
B. Identifying and Managing Entity-Wide Risk—Identifying and managing risk at an entity
level enables considering the interactions of risks across the entity and their unique effects on
segments or portions of the entity.

C. Increasing Positive and Reducing Negative Outcomes—By better identifying and managing
risks, ERM enables entities to achieve superior performance.
D. Reducing Performance Variability—ERM enables assessing the risks of performance variability
and acting to reduce undesirable variance.
E. Better Deploying Assets (and Human Resources)—Every risk demands resources. Better risk
assessments and responses enable superior resource allocations.
F. Increasing Enterprise Resilience—Organizational survival depends on anticipating and
responding to changing risks. Therefore, ERM improves survivability and organizational resilience.
III. What Is the Board of Directors’ Role in ERM? The board of directors provides oversight of
organizational ERM, including reviewing, challenging, and concurring with management on:
A. Proposed strategy and risk appetite (see the definition below).
B. Aligning strategy and objectives with the entity’s mission and core values.
C. Major business decisions including mergers, acquisitions, capital allocations, funding, and
dividend-related decisions.
D. Responding to significant fluctuations in entity performance or the entity’s portfolio risk assessment.
E. Responding to deviations from core values including fraud.
F. Approving management incentives and compensation.
G. Engaging in managing investor and stakeholder relations.
H. Creating and sustaining an organizational culture that enables responsible risk taking and risk
management.
IV. ERM Terms
• Core values—The entity’s beliefs and ideals about what is good or bad, acceptable or
unacceptable, which influence the behavior of the organization.
• Enterprise risk management—The culture, capabilities, and practices, integrated with strategy-
setting and its performance, that organizations rely on to manage risk in creating, preserving, and
realizing value.
• Entity—Any form of for-profit, not-for-profit, or governmental body. An entity may be publicly
listed, privately owned, owned through a cooperative structure, or any other legal structure.
• Event—An occurrence or set of occurrences.
• Mission—The entity’s core purpose, which establishes what it wants to accomplish and why it exists.
• Organizational sustainability—The ability of an entity to withstand the impact of large-scale
events.
• Performance management—The measurement of efforts to achieve or exceed the strategy and
business objectives.
• Portfolio view—A composite view of risk the entity faces, which positions management and the
board to consider the types, severity, and interdependencies of risks and how they may affect the
entity’s performance relative to its strategy and business objectives.
• Reasonable expectation—The amount of risk of achieving strategy and business objectives that is
appropriate for an entity, recognizing that risk cannot be predicted precisely.
• Risk—The possibility that events will occur and affect the achievement of strategy and business
objectives. “Risks” (plural) refers to one or more potential events that may affect the achievement
of objectives. “Risk” (singular) refers to all potential events collectively that may affect the
achievement of objectives. Note that to COSO, a risk may be positive (an opportunity) or negative
(a failure or setback).
• Risk appetite—The types and amount of risk that an organization is willing to accept in pursuit of value.

• Risk profile—A composite view of the risk assumed at a level of the entity or aspect of the business
that positions management to consider the types, severity, and interdependencies of risks, and
how they may affect performance relative to the strategy and business objectives.
• Severity—A measurement of considerations such as the likelihood and impact of events or the
time it takes to recover from events.
• Strategy—The organization’s plan to achieve its mission and vision and apply its core values.
• Uncertainty—The state of not knowing how or if potential events may occur.
• Vision—The entity’s aspirations for its future state or what the organization aims to achieve over time.
V. Mission, Vision, Values, and Strategy in ERM
A. ERM begins with an entity’s mission, vision, values, and strategy. These are:
1. Mission—Why the entity exists (i.e., its core purpose). States what the entity wants to achieve.
2. Vision—The entity’s aspirations for its future; states what the organization wants to achieve
and be known for and as.
3. Core values—The entity’s beliefs and ideals about morality (i.e., what is good or bad,
acceptable or unacceptable); influences individuals’ and organizational behavior.
4. Strategy—The organization’s plan to achieve its mission and vision and apply its core values.

Example
A Regional Hospital’s Mission, Vision, and Core Values
Mission: To improve the health of the people we serve by providing high-quality care,
a comprehensive range of services, and convenient and timely access with exceptional
patient service and compassion.
Vision: Our hospital will be the healthcare provider of choice for physicians and patients, and be
known for providing unparalleled quality, delivering celebrated service, and being a terrific place to
practice medicine.
Core Values: Our values serve as the foundation for everything we think, say, and do. We will treat our
physicians, patients, and our colleagues with respect, honesty, and compassion, while holding them
accountable for these values.

The next example presents the hospital’s strategy (i.e., the plan for realizing the mission, vision, and values
just stated).

Example
The Hospital’s Strategy
• Maximize value for our patients by improving quality across a diverse spectrum of
services.
• Curtail trends in increasing costs.
• Integrate operating efficiency and cost-management initiatives into operations.
• Leverage clinical program research and innovation.
• Grow strategic partnerships.
• Manage patient service delivery; reduce wait times where practical.

B. Role of Risk in Strategy Selection—Three key risks exist in strategy selection and implementation.
1. Risk #1—Misalignment. Does our strategy align with our mission, vision, and core values?
a. An organization or its executives may engage in behaviors that are inconsistent with the
organization’s values. For example, Enron’s Code of Ethics (easily findable online) included
many lofty statements about Enron’s outstanding reputation for fairness and honesty.
This is a slam-dunk example of a deceitful strategy (cheat shareholders and customers)
misaligning with a lofty mission and values statement.
2. Risk #2—Implications. Do we understand the risk implications of our chosen strategy?
a. Every strategy has its own risk profile. Identifying and quantifying these risks is a
part of matching the strategy with the organization’s risk appetite. Identifying and
quantifying risk—as a portfolio view of risk (discussed in “ERM Performance, Review, and
Communication” lesson)—is challenging but essential to understanding the risk profile of
the strategy chosen.
3. Risk #3—Risks to Success. Will we be successful? Will we achieve the goals specified in our
strategy? What are the influences on the viability of our strategy? (This is the least important
of the three risks.)
a. For example, what might threaten our sales goals for this quarter?

The next figure illustrates the role of risk in strategy selection. It illustrates the foundational (beginning)
role of mission, vision, and core values to strategy selection. It next identifies the three risks just discussed.
And finally, it notes that the result of this process is superior performance.

[Figure: the role of risk in strategy selection. © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.]

VI. ERM and Performance—ERM is designed to improve organizational performance.


A. Risk and performance typically exist in a relationship such as is illustrated in the next figure.
1. The horizontal axis in this figure illustrates performance outcomes, measured in return on
assets (ROA).
2. The vertical axis illustrates the risks associated with each performance outcome (with risk
increasing from the bottom to the top of the figure).
3. Note that risk increases with higher levels of performance.
4. In this example, the organization has chosen a target performance of a 7% return on assets
(ROA).
a. Choosing a higher target performance would require accepting more risk. Choosing a
lower target performance would mean accepting less risk.

[Figure: the relationship between risk and performance, with a 7% ROA target. © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Modified and used with permission.]

B. Performance measures may include:


1. Financial measures, such as return on investments, revenue, or profitability.
2. Operating measures, such as hours of operation, production volumes, or capacity
percentages.
3. Obligation (or contractual) measures, such as adherence to service-level agreements or
regulatory compliance requirements.
4. Project measures, such as having a new product launch on schedule.
5. Growth measures, such as expanding market share in an emerging market.
6. Stakeholder measures, such as the delivery of education and basic employment skills to those
needing upgrades when they are out of work.
VII. Emerging Issues and Opportunities in ERM
A. Integrating Big Data into ERM—The growth and availability of big data will create emerging
opportunities for continuous monitoring, advanced analytics, and data visualization. It will
also create organizational risks related to data privacy, ethics, and information availability and
transparency.
B. Integrating Artificial Intelligence (AI) into ERM—The pairing of big data with AI will enable the
discovery of hidden relationships in data, which will create faster, more accurate, risk identification
and responses.
C. Managing ERM Costs—Managing risk is costly; as ERM practices evolve, seeking maximum
benefits at lower costs is an important challenge and goal.

Example
Cruise Ship Risk Mitigation
To address the risk of viral outbreaks on ships at sea, Purple Rain Cruises implements
procedures to minimize the spread of germs. These procedures include installing hand-
sanitizing stations throughout the ship, providing laundry facilities, and daily disinfecting of handrails,
washrooms, and other public spaces.
Despite these actions, however, viral outbreaks (e.g., of influenza) can still occur. This risk is deemed
severe enough to warrant additional mitigation actions. Accordingly, Purple Rain implements the
following additional procedures: When in port, all passengers must disembark to allow trained staff
to disinfect the ship and test for viruses. If virus samples are found, additional cleaning protocols are
implemented, and the departure date is delayed as needed.
Summary: By implementing strong ERM practices that respond and adapt to changing risks, Purple
Rain Cruises minimizes the inconvenience to passengers while sustaining passenger confidence in the
cruise line.
Source: Committee of Sponsoring Organizations (COSO), 2017, ERM: Integrating with Strategy and Performance, https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf.

ERM Components, Principles, and Terms

After studying this lesson, you should be able to:


1. Identify and describe the five components of the COSO ERM framework.
2. Identify and describe the 20 principles of the COSO ERM framework.
3. Define the ERM terms listed in this lesson.
4. Identify and apply the ERM terms to business scenarios.

I. COSO’s Risk Management Framework


A. The ERM framework includes five components and 20 principles. These are illustrated below and
discussed in this and the next lesson, “Governance and Culture.”
B. The five components of the ERM framework are:
1. Governance and Culture—These are the cornerstones for the other ERM components.
Governance is the allocation of roles, authorities, and responsibilities among stakeholders,
the board, and management. An organization’s culture is its core values, including how the
organization understands and manages risk.
2. Strategy and Objective-Setting—ERM must integrate with strategic planning and objective
setting. For example, an organization’s risk appetite is partly a function of its strategy. Business
objectives are the practical implementation of a chosen risk appetite and strategy.
3. Performance—The “Introduction to Enterprise Risk Management: Strategy and Risk” lesson
gives examples of performance measures. Risk identification and assessment is concerned
with developing an organization’s ability to achieve its strategy and business objectives, as
measured by performance.
4. Review and Revision—Periodic and continuous review and revision of ERM processes
enables an organization to increase the value of its ERM function.
5. Information, Communication, and Reporting—Communication is the continual, iterative
process of obtaining and sharing information to facilitate and enhance ERM. This function
includes reporting on the organization’s risk, culture, and performance.
C. ERM Assessment
1. Organizations must assure their stakeholders that they can manage risk by assessing the
entity’s capacity to manage risk. Such assessments:
a. May be voluntary or may be required by law or regulation.
b. Should provide assurance that:
i. The five components and 20 principles articulated herein are present and
functioning in the organization.
ii. These components and principles are fully integrated, to ensure that decisions and
actions respond appropriately to changing environments.
iii. The controls needed to achieve the principles articulated herein are present and
functioning.

[Figure: the five components and 20 principles of the COSO ERM framework. © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.]

II. Terms
• Business context—The trends, events, relationships and other factors that may influence, clarify, or
change an entity’s current and future strategy and business objectives.
• Culture—An entity’s core values, including its attitudes, behaviors, and understanding about risk.
• Governance—The allocation of roles, authorities, and responsibilities among stakeholders, the
board, and management. Some aspects of governance fall outside ERM (e.g., board member
recruiting and evaluation; developing the entity’s mission, vision, and core values).
• Practices—The methods and approaches deployed within an entity relating to managing risk.
• Risk appetite—The types and amount of risk, on a broad level, an organization is willing to accept
in pursuit of value.
• Risk capacity—The maximum amount of risk that an entity can absorb in the pursuit of strategy
and business objectives.
• Risk ceiling—The maximum level of risk established by an entity.
• Risk floor—The minimum level of risk established by an entity.
• Risk profile—A composite view of the risk assumed at a level of the entity, or aspect of the
business that positions management to consider the types, severity, and interdependencies of risks,
and how they may affect performance relative to the strategy and business objectives.

• Risk range—The acceptable level of risk (highest to lowest) established by the organization. Similar
to tolerance, but tolerance is a measure of performance while risk range is a statement about (or
measure of ) risk.
• Target risk—The desired level of risk set by an entity.
• Tolerance—The boundaries of acceptable variation in performance related to achieving business
objectives. Like risk range but risk range is a statement (or measure) of risk while tolerance is a
measure of performance.

Source: Committee of Sponsoring Organizations (COSO), 2017, ERM: Integrating with Strategy and Performance, https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf.

ERM Governance and Culture

The Governance and Culture component includes the first five principles of the ERM framework: exercise board risk
oversight; establish operating structures; define desired culture; demonstrate commitment to core
values; and attract, develop, and retain capable individuals.
After studying this lesson, you should be able to:
1. Identify and describe the Governance and Culture component of the COSO ERM framework.
2. Define “culture” and describe how organizations create and sustain it.
3. Describe the first five COSO ERM principles.
4. Apply the first five COSO ERM principles to organizational scenarios.

I. Exercise Board Risk Oversight—The board of directors provides oversight of the strategy and
carries out governance responsibilities to support management in achieving strategy and business
objectives.
A. Accountability and Responsibility
1. The board of directors has primary responsibility for risk oversight; management’s
responsibility is the day-to-day management of risk.
2. The board must have the skills, experience, and business knowledge to exercise its risk
oversight function. The expertise needed to exercise oversight may change with the business
(e.g., increasing cyber risks may require IT expertise on a board).
B. Independence—The board must be independent of management. Potential impediments to
board member independence include:
1. A substantial financial interest in the entity
2. Employment in an “executive capacity” in the organization (i.e., in a management position)
3. Acting in a capacity to advise the board (e.g., as a consultant)
4. A material business or contractual relationship with the entity (e.g., as a supplier, customer, or
service provider)
5. Substantial donations to the entity
6. A business or personal relationship with key stakeholders
7. Membership on a board with a potential conflict of interest to this board
8. Holding a position on the board for an extended period
C. Organizational Bias—The board must understand the potential for organizational biases
(e.g., dominant personalities, disregarding information contrary to management’s wishes) and
challenge management to overcome them.
II. Establish Operating Structures—The organization establishes operating structures that support the
strategy and business objectives.
A. Operating Structure and Reporting Lines—The operating structure maps how an entity fulfills
its daily responsibilities and aligns with the organization’s legal and management structure.
Influences on an entity’s operating structure include:
1. Strategy and business objectives and related risks
2. Nature, size, and geographical distribution of the business

3. Assignment of authority, accountability, and responsibility across all levels


4. Reporting lines (direct versus secondary) and communication channels
5. External reporting requirements (e.g., financial, tax, regulatory)
B. ERM Structures—Many organizations have risk committees appointed by the board. Complex
organizations may have multiple risk committees. All committees that are responsible for
managing enterprise risk should include statements of committee authority, committee
membership, expected frequency of meetings, committee responsibilities, and operating
principles.
C. Authority and Responsibility—In entities with one board of directors, management designs and
implements practices to achieve strategy and objectives. In entities with dual-board structures,
a supervisory board focuses on long-term strategy and oversight while the management (or
executive) board oversees daily operations.
1. Risk management is improved when:
a. Management delegates responsibility only as required to achieve objectives.
b. Management identifies transactions that require review and approval.
c. Management identifies and assesses new and emerging risks.
III. Define Desired Culture—The board of directors and management define (and exhibit) the desired
behaviors that characterize the entity’s desired culture.
A. Culture and Desired Behavior
1. Internal and external factors influence organizational culture:
a. Internal influences include:
i. Management judgment
ii. The level of autonomy provided to employees, and employee and management
interactions (e.g., formal vs. informal)
iii. Physical layout of the workplace (e.g., decentralized, centralized, or virtual)
iv. System of rewards, recognition, accountability, and compensation
b. External influences include regulatory requirements and customer and investor
expectations.
2. In relation to risk, organizational culture exists on a continuum from risk averse, through risk neutral, to
risk seeking (aggressive). A risk-aware culture may permit both approaches, if both are within
the organization’s risk tolerance and appetite.
a. Organizational units may choose to be more risk seeking or risk averse within the context
of the entity’s overall risk appetite.
b. For example, an aggressive sales unit may focus on sales without careful attention
to regulatory compliance. In contrast, the risks of cloud storage may cause an
organization to proceed with care and caution before contracting with a cloud
service provider.

Example
Two Endpoints on the Risk Continuum
Risk-averse culture—A nuclear power plant will likely have a risk-averse culture in its
day-to-day operations. (The TEPCO Fukushima Daiichi nuclear disaster illustrates why
this is important). Both management and external stakeholders expect decisions regarding new
technologies and systems to prioritize safety and plant reliability. A risk-aware nuclear power plant
is unlikely to invest heavily in innovative and unproven technologies for its operations. It is likely to
invest heavily in safety and risk prevention.
Risk-seeking culture—A private equity manager (who provides financial backing to startup
companies) is more likely to be risk aggressive (i.e., risk seeking). Management and external investors
in the fund will likely have high expectations for performance and will understand that high
performance expectations include potentially severe risks. Nevertheless, such a fund must still identify
its risk appetite and tolerance to ensure it is managing risk appropriately.

Example
Evolving Culture
A technology start-up is developing an algorithm to more accurately track customer
behavior and purchasing. In its infancy, the startup had a very aggressive risk culture as
it worked through the initial phases of establishing commercial operations and identifying potential
business partners, customers, and market opportunities. With maturity, the company entered into
more formal partnerships with larger clients. The startup eventually decided to become publicly listed
to access a larger group of investors. With this change, the company shifted to a more risk-averse
culture, which mirrored the company’s risk appetite and corresponding changes to its enterprise risk
management practices and capabilities.

B. Judgment
1. Good judgment involves making thoughtful, rational decisions from available information.
Judgment is required when little or contradicting information exists about alternatives or in
periods of disruption to strategy, objective, performance, or risk profiles.
2. Management judgment is susceptible to bias when over- or under-confidence exists in the
organization’s capabilities. Management teams with extensive experience, demonstrated
capabilities, and a well-defined risk appetite are likely to evidence better judgment than those
with less experience, fewer capabilities, and a poorly identified risk appetite.
C. The organizational culture influences risk identification, assessment, and response. For example:
1. Culture and strategy—A risk-averse organization (and culture) may decline to pursue a
strategy of fracking, mining, and drilling on untapped, suburban land where the risks of
environmental or health harm are high.
2. Culture and risk assessment—Organizations may view the same event as either a negative
or positive risk. For example, a risk-averse traditional retail organization (e.g., Sears) may
view online sales as a threat to its brick-and-mortar business. In contrast, a risk-aggressive
traditional retail company (e.g., Walmart) may see online sales as an opportunity to increase
sales and market share.
3. Culture and resource allocations—A risk-averse entity may allocate more resources to
increase its confidence in achieving specific objectives. In contrast, a risk-seeking entity may
expend fewer resources in pursuit of specific objectives. For example, a risk-averse entity
might purchase insurance to help achieve a business objective (e.g., reduced likelihood of
losses due to cyber breaches), whereas a risk-seeking entity may choose to self-insure for
these potential losses.


4. Culture and risk responses—A risk-averse entity may respond more quickly to variations in
performance compared with a risk-aggressive entity. For example, a risk-averse airline may
adjust flight schedules quickly in response to changing weather conditions. In contrast, a
more risk aggressive bus company may maintain existing operations and schedules longer in
response to adverse weather.
D. Aligning Core Values, Decision Making, and Behaviors—A failure to adhere to core values
generally occurs for one of these seven reasons:
1. An inappropriate tone at the top exists (e.g., management claims strong ethics but doesn’t
exhibit ethical behaviors).
2. The board fails to provide oversight of management.
3. Middle and functional managers are misaligned with the entity’s mission and core values.
4. Risk is not integrated into strategy setting and planning.
5. Unclear and untimely responses to risk and performance outcomes occur.
6. Excessive, inappropriate risk taking is not investigated or addressed.
7. Management or employees deliberately act inconsistently with core values.
IV. Demonstrate Commitment to Core Values—The organization demonstrates a commitment to its
core values.
A. Reflecting Core Values throughout the Organization
1. The communication of values within an organization is referred to as “tone.” A consistent tone
establishes a common understanding of core values and desired behaviors. Aligning the tone
and culture of an organization (e.g., “safety first”) enables stakeholders to feel confident that
the organization will act in a manner consistent with its core values.
B. Embracing a Risk-Aware Culture—A risk-aware culture includes:
1. Strong leadership endorsement of risk awareness and appropriate tone.
2. A participative management style that encourages employees to discuss risks to the strategy
and objectives. This includes open and honest discussions about risk.
3. Aligning risk awareness with behaviors and performance evaluation, including salary and
incentive programs that align with the organization’s core values.
4. Encouraging risk awareness across the entity, including recognition that risk awareness is
critical to success and survival.
C. Enforcing Accountability for Actions—This includes documenting and adhering to policies for
accountability. Accountability is in evidence when:
1. Management and the board of directors clearly communicate expectations of accountability.
2. Management communicates risk information throughout the organization.
3. Employees commit to business objectives, including individual targets and performance
within the entity’s objectives.
4. Management responds to deviations from standards and behaviors as appropriate (including
terminations and corrective actions, as needed).
D. Keeping Communication Open and Free from Retribution—In the risk-aware organization,
managing risk is a part of all employees’ responsibilities. Open communication and risk
transparency enables management and employees to work together to manage risks.
E. Responding to Deviations in Core Values and Behaviors—Deviations from standards must be
addressed in a timely and consistent manner. Responses to deviations depend on the magnitude
of the deviation (e.g., were laws broken?) and may range from termination (or even prosecution)
to a formal warning. Consistency of responses enhances the entity’s risk-aware culture.


Example
When Deviations to Standards of Conduct Occur—Drug Testing
For a global pharmaceutical company, research and development (R&D) is among the
biggest costs and responsibilities; drugs may require 10 to 20 years (and millions of
dollars) to create, test, and market.
During the research phase, many side effects of a drug are often identified. The R&D unit must disclose
all potential side effects to management. A failure to do so would mean that management was
incapable of making an informed judgment about moving from drug trials to production. Further,
R&D’s failure to disclose side effects to management would likely be a violation of the desired conduct
of the company.

V. Attract, Develop, and Retain Capable Individuals—The organization is committed to building
human capital that aligns with its strategy and business objectives.
A. Establishing and Evaluating Competence—Management, with board oversight, defines the
human capital needed to achieve its strategy and business objectives.
B. Attracting, Developing, and Retaining Individuals—Management establishes structures and
processes to attract, train, mentor (guide and develop), evaluate, and retain (through incentives,
training, and credentialing) competent individuals.
C. Rewarding Performance—Incentives and rewards should be established by management and
the board, consistent with the entity’s short- and long-term objectives. Designing incentive
systems requires consideration of related risks (e.g., of ethical violations) and responses.
Nonmonetary rewards (e.g., responsibility, visibility, recognition) may be important components
of performance rewards. Management consistently applies performance measures and regularly
reviews the entity’s measurement and reward system.
D. Addressing Pressure—Many sources of pressure exist in organizations, including performance
targets, regular cycles of specific tasks (e.g., negotiating labor or sales contracts), unexpected
business changes, and economic downturns. Organizations may seek to positively influence
pressure by rebalancing workloads, increasing resource levels, or reiterating the importance
of ethical behavior. Excessive pressure (which can fuel unethical behavior) often results from
unrealistic performance targets (particularly for short-term results), conflicting business objectives
of differing stakeholders, and an imbalance between short-term financial rewards and longer-term
objectives (e.g., environmental sustainability).

Example
Performance, Incentives, and Rewards
A family-owned furniture manufacturer seeks customer loyalty with its high-quality
furniture. It engages its workforce to reduce production defect rates, and it aligns its
performance measures, incentives, and rewards with both the operating units’ production goals and
the expectation to comply with all safety and quality standards, workplace safety laws, customer
loyalty programs, and accurate product recall reporting. After aligning the business objectives with
incentives and rewards, the company sees evidence of greater accountability and teamwork to
address challenges. Ultimately, these positive changes reduce product defects.


Example
Pressure and Investment Fund Managers
Compensation and incentives may create pressure to engage in unethical behavior. For
example, investment managers take risks on behalf of their clients, and the performance
of the investment portfolios may affect the entity’s and investment manager’s compensation. A fee
based on short-term fund performance may result in very different investments (and fund manager
rewards) than a fee based on long-term fund value. Aligning an individual’s compensation with the
organization’s objectives can help reinforce the desired culture. Conversely, incentive structures that
fail to adequately consider the risks associated with excessive pressure can create inappropriate
behavior, such as falsifying performance reports (as occurred in the notorious Bernie Madoff case).

ERM Strategy and Objective Setting

Strategy and Objective Setting includes the following principles of the ERM framework: analyze the
business context; define risk appetite; evaluate alternative strategies; formulate business objectives.
After studying this lesson, you should be able to:
1. Describe the COSO ERM Principles 6 through 9.
2. Recognize and apply COSO ERM Principles 6 through 9 to organizational scenarios.
3. Describe the process of defining, determining, and using risk appetite.
4. Describe the process of evaluating, and the implications of, considering alternative strategies.
5. Describe tolerance and explain its use in ERM.
6. Explain the difference between risk appetite and tolerance.

I. Analyze the Business Context—The “business context” consists of the trends, events, relationships,
and other factors that may influence, clarify, or change an entity’s strategy and business objectives.
The risk-aware organization considers the potential effects of the business context on its risk profile.
For example, the business context may be dynamic or static, complex or simple, and predictable or
unpredictable.
A. The external environment and stakeholders influence the business context. For example, a
regulatory agency may grant or deny an entity a license to operate or may force an entity to shut
down. An investor may withdraw capital if she disagrees with an entity’s strategy or performance.
The external environment can be categorized by the (quite weird) acronym: PESTLE (political,
economic, social, technological, legal, environmental), as is illustrated in the next figure.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

B. The internal environment consists of influences on strategy and business objectives from
within. The next figure illustrates the categories of internal influences: capital, people, process,
technology.


© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

C. How Business Context Influences Risk Profile. The business context may influence an entity’s
risk profile at three stages: past, present, and future performance.
1. Past performance informs an organization’s expected risk profile.
2. Current performance provides evidence of trends and influences on the risk profile.
3. Future expected performance helps an entity shape and create its risk profile.

Example
A Retail Business Considers Business Context in Assessing Each of the Framework
Components
The management of a retail company integrates understanding of business context with
its ERM practices as follows:

• Governance and Culture—The organization identifies governance and associated regulatory
trends in its industry. The board incorporates this understanding of emerging expectations into its
ERM oversight.
• Strategy and Objective-Setting—Management conducts a detailed analysis of social trends,
retail trends, and consumer confidence levels that drive its core customer base. It incorporates its
findings into its strategy-creating cycle to improve long-term value and success.
• Performance—Management assesses environmental trends and evaluates their impact on risks
relating to the objective of reducing packaging by 50% (consistent with its core values).
• Review and Revision—Management considers how changes in workforce practices, including the
emergence of the mobile workforce, may influence the entity’s culture and ERM practices.
• Information, Communication, and Reporting—Management monitors legislation concerning
information privacy for its potential influence on capturing, communicating, and reporting risk
information.

II. Define Risk Appetite—The organization defines risk appetite in the context of creating, preserving,
and realizing value.
A. Applying Risk Appetite
1. Many organizations develop strategy and risk appetite simultaneously and allow them to
co-evolve.
2. Some organizations quantify risk appetite (i.e., state it in numbers); others state risk appetite
in words.


3. The next figure (which builds on the risk profile illustrated in the previous lesson) illustrates
the relationship of risk appetite, risk capacity, and performance.
a. The bottom right shaded area in the following figure illustrates the risk profile. The lower
horizontal line illustrates the risk appetite, while the upper horizontal line illustrates the
organization’s risk capacity (i.e., its maximum allowed risk). The vertical line shows the
organization’s target return.
b. Organizations will generally set risk capacity higher than risk appetite except in unusual,
high-risk cases (e.g., under threat of bankruptcy).

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

B. Determining Risk Appetite—Management and the board must make an informed choice of an
appropriate risk appetite.
1. Multiple acceptable approaches exist to determining and expressing risk appetite. (See the
next example for examples of risk appetite expressions.)
a. For some entities, “low” or “high” appetite may be sufficient. Other entities will prefer
a more detailed or quantitative approach: for example, by expressing risk appetite in
financial results or a beta measure (i.e., a measure of the volatility of a stock compared to
the stock market) of its stock.
2. Risk appetite may include considering an entity’s:
a. Risk profile (i.e., a composite assessment of risks, including consideration of risk types,
severity, and interdependence).
b. Risk capacity (i.e., the maximum amount of risk that an entity can absorb in pursuing its
strategy and business objectives).
c. ERM capability and maturity. Organizations with more mature and capable ERM initiatives
are likely to have greater insight into risk appetite and influences on risk capacity than are
entities with less mature and less capable ERM functions.


Example
Risk Appetite Expressions Used in Different Organizations
Target Risk—A credit union with a low risk appetite for loan losses sets a loan loss target
of 0.50% (i.e., ½ of 1%) of the overall loan portfolio.
Risk Range—A medical supply company operates within a low overall risk range. Its lowest risk
appetite relates to safety and compliance objectives, including employee health and safety, with
a marginally higher risk appetite for its strategic, reporting, and operations objectives. This means
reducing, where possible and practical, health and safety risks, including (1) the risks from medical
systems, products, equipment, and the work environment and (2) risks related to its legal obligations.
Risk Ceiling (Maximum)—A university accepts a moderate risk appetite as it seeks to expand its
offerings where financially prudent; it actively seeks opportunities to attract new students and
related revenue. The university favors new programs where it has or can readily attain the capabilities
to deliver them. However, the university will not accept programs that present severe risk to the
university mission and vision (i.e., its risk ceiling).
Risk Floor (Minimum)—A technology company has aggressive growth goals and invests capital
consistent with these goals. While it does not invest capital unwisely, management commits to
investing, at a minimum, 25% (i.e., the floor) of the operating budget on technology innovation.

C. Articulating Risk Appetite. Risk appetite may be articulated relative to strategy and business
objectives, business objective categories, or performance targets. The next example illustrates a
university’s articulation of its risk appetite.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.


The example illustrated in the following figure shows how one organization “cascades” risk appetite
through statements that align high-level strategy and objectives with lower-level entity strategies. It
illustrates the alignment of mission, vision, values, strategy, objectives, and risk appetite.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.


D. Using Risk Appetite
1. Risk appetite guides an organization’s resource allocations including to operating units. In
making such allocations, management may, for example, allocate more resources to business
objectives with a lower risk appetite and fewer resources to business objectives with a higher
risk appetite.
2. Risk appetite must align and articulate with related concepts such as risk tolerance (i.e.,
the acceptable boundaries of performance) and risk indicators and triggers (which tie risk
measures to actions). The next figure illustrates these relationships.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

III. Evaluate Alternative Strategies—The organization evaluates alternative strategies and their
potential impact on the risk profile.
A. The strategy must align with the mission, vision, and core values and with the organization’s risk
appetite.
B. The organization must understand the implications of the chosen strategy related to the business
context, resources, and organizational capabilities. The organization must also understand the
assumptions underlying the strategy.
C. Popular approaches to evaluating strategy include a SWOT analysis (strengths, weaknesses,
opportunities, threats).
The example in the next figure illustrates one organization’s approach to evaluating alternative strategies.


© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

1. The strategy must be periodically reevaluated and assessed. A change in strategy must be
implemented if the organization determines that the current business context will lead it to
exceed its risk capacity or will require more resources than are available.


Example
Changing a Strategy
Historically, a global camera manufacturer sold only film cameras, but digital cameras
have reduced sales of film cameras. In response, the company modified its strategy to
include developing and selling digital cameras. The strategy reduces the risk of product obsolescence.
These changes to strategy are supported by aligned changes to relevant business objectives and
performance targets.

IV. Formulate Business Objectives—The organization considers risk while establishing the business
objectives at various levels that align and support strategy.
A. Business objectives must align with the strategy.
B. Management must fully understand the implications of a chosen business strategy.
1. A chosen strategy must have a reasonable expectation of achievement within the
organization’s risk appetite and available resources. The next example illustrates
organizational consideration of the implications of a chosen business strategy.

Example
Implications of a Chosen Business Objective
As part of its five-year strategy, an agricultural producer is considering cultivating organic
produce as a competitive differentiator. The company analyzes the cost of transitioning
to an organic environment and determines that significant investment would be required, which
would threaten the financial performance objectives. Given the importance of maintaining financial
performance, the organization chooses to abandon the selected business objective of selling organic
produce.

a. Setting performance measures and targets. Organizations set performance targets to
monitor performance and support the achievement of business objectives. The example
in the next figure illustrates business objectives and related performance measures and
targets.


© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

b. Understanding and using tolerance. Tolerance is the acceptable range of variation in
performance. To illustrate tolerance, the next figure adds a range of acceptable variation
around the desired target risk to the analysis of risk shown previously. In the figure, the
maximum acceptable risk (i.e., the risk ceiling) is found at point A, where the level of risk
appetite intersects with the upper limit of tolerance.
i. While risk appetite is broad, tolerance is tactical (operational) and focused.
Specifically, tolerance should be measurable and measured. In contrast, risk
appetite may be stated in numbers (quantitatively) or in words (qualitatively, e.g.,
“low” or “high”).

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.


ii. Variations in performance can exceed or trail targeted performance. Exceeding
variation is called positive while trailing variation is called negative.
a. Tolerance may be set at different distances from target performance, as is
illustrated in the next example. That is, tolerance limits need not be symmetrical.
Specifically, in the example, the target number of incidents is five, the ceiling
number of incidents is seven (two away from the target) while the floor number
of incidents is zero (five away from the target).

Example
Target Variation
A large beverage bottler sets a target of having no more than five lost-time incidents in
a year and sets the tolerance as zero to seven incidents. The “exceeding variation” (i.e.,
between five and seven lost-time incidents) represents greater potential for lost time and an increase
in health and safety claims, which is a negative result for the entity. In contrast, the “trailing variation”
(i.e., of up to five lost-time incidents) represents a benefit (i.e., fewer incidents of lost time and fewer
health and safety claims). The organization must also determine the cost of striving for zero lost-time
incidents.

iii. The example in the next figure illustrates tolerance statements. Notice that the
“Minimize missed calls” example that is discussed in the figure illustrates asymmetric
tolerance.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
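As an added illustration (not from the COSO framework or this lesson), the following Python checks observed performance measures against tolerance bands of the kind described in items ii and iii and turns the result into an action tier, in the spirit of the risk indicators and triggers mentioned under Using Risk Appetite. The lost-time incident figures (target 5, tolerance 0 to 7) are the lesson's bottler example; the on-time delivery measure and its numbers are a constructed sample.

```python
"""Added example, not part of the COSO framework or this lesson: checking
performance measures against (possibly asymmetric) tolerance bands and
mapping the outcome to an action tier, the way risk indicators and
triggers tie a measure to an action."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    """A tolerance statement: an acceptable range (floor..ceiling) around a target.

    lower_is_better says which direction of variation is favourable: for
    lost-time incidents, trailing the target is the good outcome; for an
    on-time delivery rate, exceeding it is.
    """
    measure: str
    floor: float
    target: float
    ceiling: float
    lower_is_better: bool

    def __post_init__(self) -> None:
        if not self.floor <= self.target <= self.ceiling:
            raise ValueError(f"{self.measure}: need floor <= target <= ceiling")

    @property
    def symmetric(self) -> bool:
        """True only when floor and ceiling sit the same distance from the target."""
        return self.target - self.floor == self.ceiling - self.target


def assess(tol: Tolerance, observed: float) -> dict:
    """Classify one observation against its tolerance statement.

    direction: 'exceeding' (above target), 'trailing' (below) or 'on target'
    outcome:   'positive' / 'negative' / 'neutral' for the entity
    action:    'none' while favourable and within tolerance,
               'monitor' while unfavourable but still within tolerance,
               'escalate' once the observation leaves the tolerance range
               (even a favourable value outside the range is a signal, e.g.
               the cost of striving for zero incidents)
    """
    variation = observed - tol.target
    if variation > 0:
        direction = "exceeding"
    elif variation < 0:
        direction = "trailing"
    else:
        direction = "on target"
    within = tol.floor <= observed <= tol.ceiling
    if variation == 0:
        outcome = "neutral"
    elif (variation < 0) == tol.lower_is_better:
        outcome = "positive"
    else:
        outcome = "negative"
    if not within:
        action = "escalate"
    elif outcome == "negative":
        action = "monitor"
    else:
        action = "none"
    return {"measure": tol.measure, "observed": observed, "variation": variation,
            "direction": direction, "within_tolerance": within,
            "outcome": outcome, "action": action}


# Figures from the lesson's bottler example: target 5 lost-time incidents,
# tolerance 0 to 7 (floor 5 below target, ceiling only 2 above: asymmetric).
LOST_TIME_INCIDENTS = Tolerance("lost-time incidents", 0, 5, 7, lower_is_better=True)

# Constructed sample measure (not from the lesson): on-time delivery rate in %.
ON_TIME_DELIVERY = Tolerance("on-time delivery rate", 92.0, 95.0, 100.0,
                             lower_is_better=False)


def review(readings: dict) -> list:
    """Assess {Tolerance: observed} readings and return those needing action."""
    results = [assess(tol, value) for tol, value in readings.items()]
    return [r for r in results if r["action"] != "none"]


if __name__ == "__main__":
    for r in review({LOST_TIME_INCIDENTS: 6, ON_TIME_DELIVERY: 90.5}):
        print(f"{r['measure']}: {r['direction']} target by {abs(r['variation'])}, "
              f"{r['outcome']} -> {r['action']}")
```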


ERM Performance, Review, and Communication


This lesson introduces COSO ERM Principles 10 through 14, which are: identifies risk, assesses severity of
risk, prioritizes risks, implements risk responses and develops portfolio view.
After studying this lesson, you should be able to:
1. Identify and describe COSO ERM Principles 10 through 14.
2. Apply COSO ERM Principles 10 through 14 to organizational scenarios.
3. Identify factors that motivate a need to identify risk.
4. Explain how risks may have differing impacts on strategy and the levels of business objectives.
5. Describe approaches for identifying risks.
6. Identify and create well-formed risk statements.
7. Describe prospect theory and its relevance to ERM.
8. Define the severity of a risk and explain how risk severity may occur at differing levels (e.g., entity
versus units within the entity).
9. Describe and give examples of measures of risk severity.
10. Explain how to align business objectives, risk, and severity.
11. Identify and describe a heat map.
12. Explain how to prioritize risks.
13. Describe and give examples of risk responses.
14. Define a portfolio view of risk and explain how the portfolio view may evidence differing levels of
entity integration of ERM.

I. Identify Risk—The organization identifies risk that impacts the performance of strategy and business
objectives.
A. More specifically, the entity uses operating structures to identify new and emerging risks to enable
timely responses. Such risks may arise from:
1. A change in business objectives (e.g., the entity adopts a new strategy)
2. A change in business context. For example, a change in:
a. Customer preferences for digital or environmentally friendly products
b. Regulation that results in new requirements for the entity
3. Discoveries. For example, the discovery of detrimental environmental effects from fracking
(i.e., the process of injecting liquid at high pressure into subterranean rocks to obtain oil or
gas)
4. Cascading effects from previous changes. For example, a significant increase in sales results in
inadequate production quantity and capacity.
B. Disruptive (substantial) effects may also occur from events or circumstances. Examples of
potentially disruptive effects include:
1. Emerging technologies (e.g., the digitalization and globalization of data and information).
2. Expanding role and use of big data and data analytics, which may improve the ability of both
the entity and its competitors to identify risks and their implications.


3. Depleting natural resources, which may influence the supply, demand, and location of
products and services.
4. Rise of virtual entities, such as bots (see definition at the end of this lesson) and AI (artificial
intelligence)—driven intelligent systems, which can influence the supply, demand, and
distribution channels of markets.
5. Mobile workforces (e.g., the widespread availability of online, temporary labor, such as
Upwork).
6. Labor shortages (i.e., the difficulty of finding and retaining appropriate skills and talent).
7. Shifts in lifestyle, healthcare, and demographics (i.e., the aging of some countries, such as
Japan and Germany, and the growth of young consumers in other countries, such as in
Central Africa).
C. Risk Inventory—A risk inventory is a listing of an entity’s known risks. Risk inventories are more
useful when risks are categorized—for example, by financial, customer, compliance, or IT risks.
1. The next figure illustrates that risks may have differing levels of impact. For example, risk 1
potentially impacts the strategy, risk 2 potentially impacts two business objectives, risk 3
potentially impacts two entity-level objectives, and risk 4 potentially impacts one entity-level
objective.

[Figure: Risk Impacts at Differing Levels. Strategy at the top; Entity Business Objective 1 and Entity Business Objective 2 beneath it; Business Objective 1, Business Objective 2, and Business Objective 3 beneath those; Risk 1, Risk 2, Risk 3, and Risk 4 at the bottom.]

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

D. Approaches and Methods of Identifying Risk
1. Multiple, acceptable approaches exist to identifying risks. Risk identification may be
integrated into:
a. Ongoing processes, such as budgeting, planning and performance reviews, and
b. Activities targeted at risk identification such as questionnaires, workshops, and
interviews.
2. Many approaches to risk identification are technology-based (e.g., data analytics and AI).
Larger and more complex organizations are likely to use multiple risk identification methods.
3. Risk identification methods may include:
a. Cognitive computing—AI methods of data mining and analysis.
b. Data tracking of past events to help predict future occurrences. Data sources may include
third-party databases that provide industry or region data about potential risks.
c. Interviews that probe individuals’ knowledge of past and potential events. For large
groups, questionnaires or surveys may be used.


d. Key risk indicators (KRIs) are qualitative or quantitative measures that help identify risk
changes. Risk indicators should not be confused with performance measures, which are
typically retrospective.
e. Process analysis involves diagramming a work process to better understand the
interrelationships of its inputs, tasks, outputs, and responsibilities. Once mapped, risks
can be identified and considered in relation to business objectives.
f. Workshops bring together individuals from divergent functions and levels to draw on the
group’s collective knowledge and develop a list of risks.
g. Assumptions (defined at the end of this lesson) underlie risk assessments. When entities
make assumptions explicit, risk assessments improve. In one case, management set
objectives based on an assumption that the exchange rate for a local currency (where a
product was manufactured) would remain unchanged. However, when the exchange rate
increased by more than 10%, a new risk (to meeting profitability targets) emerged.
4. Crafting precise, well-formed versus vague risk statements.
a. Precise risk statements are preferred to vague risk statements. The example in the
following figure illustrates precise and imprecise risk statements:

Describing Risks with Precision

Potential root causes
- Imprecise: Lack of training increases the risk that processing errors and incidents occur.
  Preferred: The risk that processing errors impact the quality of manufacturing units.
- Imprecise: Low staff morale contributes to the risk that key employees leave, creating high turnover.
  Preferred: The risk of losing key employees and turnover, impacting staff retention targets.

Potential impacts associated with a risk occurring
- Imprecise: New product is more successful than planned; production capacity struggles to keep up with increased demand, resulting in delivery delays, unhappy customers, and adverse effects on the company's reputation.
  Preferred: The risk that demand exceeds production targets impacting customer service.
- Imprecise: The risk of denial of service attacks due to legacy IT systems that result in leaked customer data, regulatory penalties, loss of customers, and negative press.
  Preferred: The risk of denial of service attacks impacting the ability to retain the confidentiality of customer data.

Potential effects of poorly implemented risk responses
- Imprecise: The risk that bank reconciliations fail to identify incorrect payments to customers.
  Preferred: The risk of incorrect payments to customers impacting the entity's financial results.
- Imprecise: The risk that quality assurance checks fail to detect product defects prior to distribution.
  Preferred: The risk of product defects impacting quality and safety goals.

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with
permission.

A practitioner's caveat on the denial of service rows: a denial of service attack is first an availability event, and whether it also exposes customer data depends on the underlying weakness (here, the legacy systems named as the root cause). Recording the root cause, the event, and each impact as separate fields, rather than chaining them in one sentence, is what makes the preferred form usable when responses are later designed and tested.

5. Prospect theory and the “framing” of risks


a. Prospect theory argues that, in most settings, losses are more consequential than gains
and that how a risk is “framed” (i.e., presented) influences how people respond to it. For
example, when a risk is framed as a gain (i.e., getting a sure thing versus a likelihood
of getting something), most people prefer the sure thing (i.e., a risk-averse choice). In
contrast, when a risk is framed as a loss (i.e., losing something versus a likelihood of losing
something), most people prefer the risky alternative (i.e., a risk-seeking choice).
b. Prospect theory matters to ERM since the way that a risk is presented (as a gain or a loss)
can influence people’s response to it.
II. Assess Severity of Risk—The organization assesses the severity of risk.
A. The severity of risks should be assessed at multiple levels. Risks at higher levels (i.e., that influence
strategy and entity-wide objectives) are more likely to influence the entity’s overall reputation and
brand than risks that occur at lower levels (e.g., to a business unit’s objectives).
B. The next figure illustrates four scenarios that relate to addressing differing levels of risk severity.
1. In scenario 1, risk 1 could impact the overall business objectives and entity objective 1. For
example, a safety failure in a manufacturing process can, if sufficiently severe, impact the
entity’s business objectives.
2. In scenario 2, risk 2 could impact entity-level business objectives but not the overall business
objectives. For example, a backlog of transactions waiting to be processed may pose a risk
to the operating unit business objectives but not overall business objectives. However, if the
backlog grows, overall objectives could be imperiled.
3. In scenario 3, two risks each receive a moderate severity assessment, but together they
impact business objectives and the entity more significantly and therefore are assessed as
more severe. For example, an inability to recruit competent support employees (risk 1), say
in a legal department, represents a low risk to each operating unit but may be exacerbated
(worsened) by an economic downturn (risk 2). Hence, the two risks together pose a more
severe impact than either does alone.
4. In scenario 4, some risks impact the entire entity. For example, the risk of a hostile takeover
bid by competitors impacts the strategy of the entity but may not impact business-level
objectives individually.

Assessing Severity at Different Levels

[Figure: four panels, each showing an Entity Business Objective at the top, Entity Business Objectives 1 and 2 beneath it, and Risks 1, 2, and 3 beneath those. Panel titles:]
1) Business objective–level risk retains severity at higher levels
2) Business objective–level risk decreases in severity at higher levels
3) Business objective–level risk increases in severity at higher levels
4) Entity business objective–level risk decreases in severity at lower levels

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

C. Selecting Severity Measures—Severity measures should align with the size, complexity, and
nature of the entity and its risk appetite. Severity measures may include:
1. Impact—The result or effect of a risk, which may be stated as a possible range of impacts and
may be positive or negative.
2. Likelihood—The possibility of a risk occurring expressed as a probability (in words or
numbers) or as a frequency. For example:
a. In words (qualitative)—“The possibility of a major fire in a manufacturing plant (with
associated impacts on production and sales) within the next 12 months is remote.”
b. In numbers (quantitative)—“The possibility of a major fire in a manufacturing plant (with
associated impacts on production and sales) within the next 12 months is 5%.”
c. Frequency—“A major fire in a manufacturing plant (with associated impacts on
production and sales) is likely to occur once every 25 years.”
3. Risk severity should be assessed on the same time horizon as strategy and business
objectives. Risks related to the mission, vision, and core values should be assessed on a longer
time horizon.
4. Risk assessment may use qualitative (words) approaches (e.g., interviews, workshops,
benchmarking) or quantitative (numbers) approaches (e.g., modeling, decision trees, Monte
Carlo simulations).
5. The example in the following figure illustrates the alignment of business objectives and risk
with measures of risk severity.

Aligning Business Objectives, Risk, and Severity Measures

Objective type: Business objectives for Snacks (operating unit)
  Business objective: Continue to develop innovative products that interest and excite consumers
  Identified risk: The possibility that the organization fails to develop new products that exceed customer expectations
  Target and tolerance: Target: 8 products in development at all times. Tolerance: Number of new products in development to be between 6 and 12 at all times
  Severity measures: Rating/impact type: Moderate impact to consumer satisfaction. Likelihood (probability): Possible

Objective type: Business objectives for Human Resources
  Business objective: Recruit and train product sales managers in the coming year
  Identified risk: The possibility that the organization is unable to identify appropriately qualified people for sales managers
  Target and tolerance: Target: Recruit 50 product sales managers. Tolerance: The entity recruits between 35 and 50 product managers in the coming year
  Severity measures: Rating/impact type: Minor impact to operational/Human Resources. Likelihood (probability): Possible
  Identified risk: The possibility that the organization is unable to schedule training for new sales managers
  Target and tolerance: Target: Train 95% of sales managers. Tolerance: The entity trains a minimum of 85% of product sales managers in the coming year
  Severity measures: Likelihood (probability): Unlikely

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

D. Risk assessment should consider:


1. Inherent risk (i.e., the risk in the absence of efforts to address it);
2. Target residual risk (i.e., the desired amount of risk after actions to address it); and
3. Actual residual risk (i.e., the realized risk after taking actions to address it).
E. Actual residual risk should be less than or equal to target residual risk. When actual residual risk
exceeds target risk, additional actions must be taken to reduce risk.
F. Displaying risk assessment results—Assessment results are often displayed on a heat map (the
next figure), which plots risk likelihood against risk impact. The heat map is color coded to indicate
risk severity. Management may use the risk profile to confirm that performance is within tolerance
and that risk is within appetite.

Business Objective Heat Map

[Figure: a heat map with Likelihood Rating (1 to 3) on the vertical axis and Impact Rating (1 to 4) on the horizontal axis, colour coded red, yellow, and green. Risk 4 and Risk 1 are plotted at likelihood rating 3, with Risk 1 at the higher impact rating; Risk 3 and Risk 2 are plotted at likelihood rating 2, with Risk 2 at the higher impact rating.]

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

G. A risk-aware organization identifies triggers that will prompt a reassessment of risk severity.
Triggers are often changes in the business context but may also include changes in risk appetite.
Examples of potential triggers include an increase in customer complaints, a downturn in a critical
economic index, a sales decrease, or a spike in employee turnover or accidents. Triggers may also
come from a competitor—such as the recall of a competitor’s product or the competitor releasing
a new competing product.
H. Bias (e.g., through framing) may result in a risk being over- or underestimated. The careful
presentation of risks (remember prospect theory) may reduce potential biases.
III. Prioritize Risks—The organization prioritizes risks as a basis for selecting risk responses. Prioritization
assesses risk severity compared to risk appetite.
A. Greater priority (importance) may be given to risks that are likely to approach or exceed risk appetite.
B. The criteria for prioritizing risks may include:
1. Adaptability—The capacity of an entity to adapt and respond to risks (e.g., responding to
changing demographics, such as the age of the population and the impact on business
objectives relating to product innovation).
2. Complexity—The scope and nature of a risk to the entity’s success. The interdependency of
risks will typically increase with complexity (e.g., risks of product obsolescence and low sales
to a company’s objective of being market leader in technology and customer satisfaction).
3. Velocity—The speed with which a risk impacts an entity. A high-velocity risk may move the entity
quickly away from the acceptable variation in performance (e.g., the risk of disruptions due to
strikes by port and customs officers affecting objectives of efficient supply chain management).
4. Persistence—How long a risk impacts an entity (e.g., the persistence of adverse media
coverage and impact on sales objectives following the identification of potential brake
failures and subsequent global car recalls) influences its priority.
5. Recovery—The capacity of an entity to return to tolerance (e.g., continuing to function
after a severe flood or other natural disaster). Recovery excludes the time taken to return to
tolerance, which is considered part of persistence, not recovery.
C. Risks with similar severity may receive differing priorities. For example, two risks may be assessed
as “medium” severity, but one may receive higher priority because it has greater velocity and
persistence. The next example illustrates this point.

Example
Prioritizing Risk
At a large restaurant chain, responding to the risk that customer complaints remain
unresolved and attract adverse attention in social media (e.g., go viral) is considered
a higher priority than responding to the risk of protracted contract negotiations with vendors and
suppliers. Both risks are severe, but the speed and scope of online scrutiny has more likely and severe
impacts on the restaurant’s performance and reputation, necessitating a quicker response. Hence, the
restaurant has a team of social media experts who monitor, harvest, and respond quickly to online
customer complaints.

1. Risk appetite also influences prioritization, as illustrated in the next example.

Example
Relationship of Risk Profile to Risk Appetite
A utility company’s mission is to be the most reliable electricity provider in its region.
A recent increase in the frequency and persistence of power outages indicates that
the company is approaching its risk appetite and is less likely to achieve its business objectives of
providing reliable service. This situation triggers a heightened priority for the risk. A review of the
risk may result in implementing additional responses and allocating more resources to reduce the
likelihood of the risk breaching the organization’s risk appetite. For example, the utility may replace
aging utility lines and power stations earlier than originally planned, to reduce the frequency of power
outages.

2. Risk prioritization should occur at all levels of an organization; different risk priorities may be
assigned at different levels. For example, high-priority risks at the operating level may be low-
level risks at the entity level.
IV. Implement Risk Responses—The organization identifies and selects risk responses. Acceptable risk
response categories include:
A. Accept—No action is taken to change the severity of the risk. Appropriate when the risk is already
within risk appetite. Risk that is outside the entity’s risk appetite and that management seeks to
accept will generally require approval from the board or other oversight bodies.
B. Avoid—Act to remove the risk, which may mean ceasing a product line, declining to expand to a
new geographical market, or selling a division. Choosing avoidance suggests that the organization
was unable to identify a response that would reduce the risk to an acceptable level of severity.
C. Pursue—Accept increased risk to achieve improved performance. This may include adopting
more aggressive growth strategies, expanding operations, or developing new products and
services. When choosing to pursue risk, management understands the nature and extent of
any changes required to achieve desired performance while not exceeding the boundaries of
acceptable tolerance.
D. Reduce—Act to reduce the severity of the risk. This includes many possible business decisions that
reduce risk to an amount of severity aligned with the target residual risk profile and risk appetite.
E. Share—Reduce the severity of the risk by transferring or sharing a portion of it. Common
techniques include outsourcing to specialist service providers, purchasing insurance products,
and engaging in hedging transactions. As with the “reduce” response, sharing risk lowers residual
risk.
F. In some situations, an entity may need to revisit its business objectives and strategy and reformulate
them as part of responding to a severe risk (e.g., the threat of bankruptcy).

G. Influences on management’s decision to select and deploy risk responses include the business
context, costs and benefits, obligations and expectations, risk priority, risk appetite, and risk severity.
1. It is often easier to measure the costs of risk responses than their benefits, since costs are
more tangible and measurable than the expected losses a response avoids.
H. The next example illustrates a risk response.

Example
Implementing a Risk Response
An insurance company implements risk responses to address new regulatory requirements
requiring record confidentiality and privacy for customer data across the insurance
industry. These responses will require investments in technology infrastructure, changes in work
processes, and added staff to implement the company’s objectives related to regulatory compliance.

V. Develop Portfolio View—The organization develops and evaluates a portfolio view of risk.
A. Using the portfolio view of risk enables an organization to identify risks that are severe at the
entity level. This enables management to assess whether the entity's residual risk profile aligns
with its risk appetite.
B. Developing a Portfolio View—Multiple acceptable methods exist for creating a portfolio view of
risk. One approach is to begin with major risk categories with metrics such as capital at risk (i.e., a loss
to investors’ principal investment). The next figure illustrates a portfolio view of risk. It begins with a
strategy view and proceeds to entity objective, business objective, risk, and risk categories views.
Portfolio View of Risk

Strategy View (Portfolio)
  Our strategy is to leverage product design and customer service to become the industry leader

Entity Objective View (Risk Profile)
  Strengthening Balance Sheet; Enhancing Operational Excellence; Growing Market Share

Business Objective View (Risk Profile)
  Optimizing Working Capital; Improving Quality of Credit Portfolio; Minimizing Losses and Inefficiencies; Satisfying all Compliance Obligations; Maintaining Customer Satisfaction; Investing in Best-in-Class Technology Solutions; Market Leader on Innovative New Products

Risk View
  Risk of Funding Gap; Risk of Counterparty Default; Risk of Fraud; Risk of Technology Disruption; Risk of Compliance Breach; Risk of Product Recall; Risk of Product Obsolescence; Risk of Low Sales; Risk of Poor Customer Experience

Risk Category View
  Financial Risk; Operational Risk; Compliance Risk; Customer Risk

© 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

C. A portfolio view of risk may represent differing levels of integration. COSO identifies four levels of
risk integration, which are presented below from least to most integrated.
1. Minimal integration—the risk view. The entity identifies and assesses risk at the event level.
The focus is on events, not objectives. For example, the entity treats a breach of an IT system
as a stand-alone event rather than as a risk to its objective of complying with local regulations.
2. Limited integration—risk category view. The entity identifies and assesses risk at the risk
inventory (i.e., category) level. For example, the creation of a compliance department will aid
the entity in managing the risk of complying with local regulations.
3. Partial integration—risk profile view. The entity identifies and assesses risk at the business
objective level and considers dependencies among objectives. For example, the entity
considers all business objectives that have compliance-related risks.
4. Full integration—portfolio view. The entity identifies and assesses risk at the strategy and
business objectives level. Greater integration improves support for risk-related decision
making. Compared to the previous examples, the board and management focus more on
the achievement of strategy. For example, the board reviews and challenges management to
articulate its strategy related to achieving operational excellence, including the management
of compliance-related objectives and related risks.
D. Analyzing the Portfolio View
1. The portfolio view of risk requires both quantitative (numeric) and qualitative (in words) risk
assessment methods.
2. Management should “stress test” the risk portfolio, to assess the effect of hypothetical
changes in the business context (e.g., “what if sales drop by 10%?”). Such analysis is likely to
reveal new and emerging risks and to clarify the adequacy of planned risk responses.
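The stress test in D.2 ("what if sales drop by 10%?"), the Monte Carlo approach listed in II.C.4, and the exchange-rate assumption in I.3.g can be tied together in one small model. The following Python is an added illustration, not code from the lesson or from COSO: a profitability objective is expressed as a function of explicit assumptions (units sold, price, local-currency unit cost, exchange rate, fixed costs), each scenario applies multiplicative shocks to those assumptions, and a seeded Monte Carlo run estimates the probability of falling below tolerance. All figures, the tolerance, and the volatilities are constructed for the example. The same random draws are reused across scenarios so that differences come only from the shocked assumptions, which also guarantees that a scenario that lowers every sampled profit cannot show a lower breach probability than the baseline.

```python
"""Stress test of a profitability objective under shocked assumptions, with a
Monte Carlo estimate of the probability of breaching tolerance. Added
illustration; all figures and volatilities are constructed, not from the lesson."""
import random
from typing import Dict, List, Tuple

# Constructed baseline assumptions for a product manufactured abroad.
BASE = {
    "units": 100_000.0,          # units sold in the year
    "price": 20.0,               # selling price per unit, home currency
    "unit_cost_local": 1_000.0,  # manufacturing cost per unit, local currency
    "fx": 0.012,                 # home currency per unit of local currency
    "fixed_costs": 400_000.0,    # home currency
}
PROFIT_TARGET = 400_000.0      # target performance (baseline profit)
PROFIT_TOLERANCE = 300_000.0   # lowest acceptable variation from target

# Assumed volatilities used by the simulation (relative standard deviations).
UNITS_VOL = 0.08
FX_VOL = 0.05


def profit(a: Dict[str, float]) -> float:
    """Profit implied by a set of assumptions. The exchange rate multiplies the
    local-currency unit cost, so a stronger local currency erodes margin."""
    revenue = a["units"] * a["price"]
    cost = a["units"] * a["unit_cost_local"] * a["fx"] + a["fixed_costs"]
    return revenue - cost


def apply_stress(a: Dict[str, float], shocks: Dict[str, float]) -> Dict[str, float]:
    """Return a copy of the assumptions with multiplicative shocks applied,
    e.g. {"units": 0.9} for "what if sales drop by 10%?"."""
    stressed = dict(a)
    for key, factor in shocks.items():
        if key not in stressed:
            raise KeyError(f"unknown assumption: {key}")
        stressed[key] = stressed[key] * factor
    return stressed


def breaches_tolerance(a: Dict[str, float]) -> bool:
    return profit(a) < PROFIT_TOLERANCE


def make_draws(n: int, seed: int = 42) -> List[Tuple[float, float]]:
    """Standard-normal draws for (units, fx). Generated once and reused for
    every scenario so that scenarios differ only in their assumptions."""
    rng = random.Random(seed)
    return [(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) for _ in range(n)]


def breach_probability(a: Dict[str, float], draws: List[Tuple[float, float]]) -> float:
    """Monte Carlo estimate of P(profit < tolerance) when units and fx vary
    around the given assumptions."""
    breaches = 0
    for z_units, z_fx in draws:
        sample = dict(a)
        sample["units"] = a["units"] * (1.0 + UNITS_VOL * z_units)
        sample["fx"] = a["fx"] * (1.0 + FX_VOL * z_fx)
        if breaches_tolerance(sample):
            breaches += 1
    return breaches / len(draws)


def stress_report(a: Dict[str, float], scenarios: Dict[str, Dict[str, float]],
                  draws: List[Tuple[float, float]]) -> Dict[str, Dict[str, float]]:
    """Deterministic profit and simulated breach probability for each scenario."""
    report = {}
    for name, shocks in scenarios.items():
        s = apply_stress(a, shocks)
        report[name] = {"profit": profit(s), "breach": breaches_tolerance(s),
                        "breach_probability": breach_probability(s, draws)}
    return report


SCENARIOS = {
    "baseline": {},
    "sales drop 10%": {"units": 0.9},
    "local currency appreciates 10%": {"fx": 1.1},
    "both": {"units": 0.9, "fx": 1.1},
}

if __name__ == "__main__":
    draws = make_draws(5000)
    for name, row in stress_report(BASE, SCENARIOS, draws).items():
        print(f"{name:32} profit={row['profit']:>12,.0f} "
              f"breach={row['breach']!s:5} p={row['breach_probability']:.2f}")
```

Under these constructed numbers the baseline exactly meets the 400,000 target, a 10% sales drop leaves profit at 320,000 (still within tolerance), a 10% appreciation of the manufacturing currency alone pushes profit to 280,000 (a breach), and the combined scenario to 212,000. The simulated breach probabilities make the same point probabilistically: the point estimate for the combined scenario shows that the planned responses, which were sized against the unstressed assumption, would not hold the objective within tolerance.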
VI. Terms
• Assumption—An assertion (belief ) about a characteristic of the future that underlies an
organization’s ERM plan. For example, a business might assume that the demand for routers will not
change substantially.
• Bot—A software application that runs automated (usually simple) tasks (scripts) on the internet.
For example, a bot may search a website (e.g., eBay or an airline site) for bargains. Also called an
internet bot or web robot.
• Key performance indicators (KPIs)—High-level measures of historical performance of an entity
and/or its major units.
• Performance measures—Measurable targets that are compared with outcomes. For example, a
goal of no more than seven lost-time incidents at a factory is a performance measure.
• Severity—A measurement of considerations such as the likelihood and impact of events or the
time it takes to recover from events.
• Stress testing—A method (that is common and often required by regulators for banks) for testing
a risk portfolio (e.g., of loans in a bank) using simulation. In a stress test, the assumptions about risk
are manipulated to assess how different “stressors” (i.e., risks) will affect a risk portfolio.

ERM Monitoring, Review, and Revision

After studying this lesson, you should be able to:


1. Identify and describe COSO ERM Principles 15 through 17.
2. Apply COSO ERM Principles 15 through 17 to organizational scenarios.
3. Explain, and give examples of, when an entity must assess the risks of substantial changes.
4. Explain the purpose of periodic and continuous reviews of ERM capabilities and practices.

I. Assess Substantial Change—The organization identifies and assesses changes that may substantially
affect strategy and business objectives.
A. Substantial changes bring new or altered risks, which must be identified and integrated into the
organization’s risk portfolio. Hence, organizations must continually monitor for new or altered risks.
B. Identifying substantial changes, evaluating their effects, and responding to the changes are
iterative processes. Post-event reviews, following substantial changes, can help determine the
lessons that can be applied to future events.
C. Examples of substantial changes include:
1. In the internal environment:
a. Rapid growth—When operations expand quickly, existing structures, business
activities, information systems, or resources may be inadequate to address expanding
roles and responsibilities. Risk oversight roles and responsibilities may need to be
redefined accordingly. For instance, supervisors may fail to adequately supervise added
manufacturing shifts or an increase in employees.
b. Innovation—Major innovations introduce new risks. For example, introducing consumer
sales through mobile devices may require new system access controls.
c. Major changes in leadership or personnel—A new management team member may
misunderstand the entity’s culture or may focus on performance to the exclusion of risk
appetite or tolerance.
2. In the external environment, a changing regulatory or economic environment can increase
competitive pressures or change operating requirements. Such changes can introduce new or
altered risks. For instance, if toxic chemicals are released in a populated area (e.g., at the Union
Carbide plant in Bhopal, India), new industry-wide restrictions may regulate production,
shipping, or logistics.
II. Review Risk and Performance—The organization reviews entity performance and considers related
risks.
A. Periodically, organizations must review their ERM capabilities and practices. Such reviews seek
answers to questions such as:
1. How has the entity performed? This review will identify variances and seek their causes. This
may include using measures relating to objectives or other key metrics.
a. For example, consider an entity that has committed to opening five new office locations
every year to support its longer-term growth strategy to build a presence across the
country. The organization has determined that it could continue to achieve its strategy
with only three offices opening and would be taking on more risk than desired if it
opened seven or more offices. The organization therefore monitors performance and
determines whether the entity has opened the expected number of offices and how
those new offices are performing. If the growth is less than planned, the organization may
revisit the strategy.

2. What risks influence performance? Reviewing performance confirms whether risks were
previously identified or whether new, emerging risks have occurred. The organization also
reviews whether the actual risk levels are within the boundaries established for tolerance.
For example, reviewing performance helps confirm that the risk of delays due to additional
permit requirements for construction did occur and affected the number of new offices
opened, and whether the number of offices to be opened is still within the range of
acceptable performance.
3. Is the entity taking sufficient risk to attain its target? When failing to achieve its target,
the organization must determine if the failure is due to the impact of risks or due to assuming
insufficient risk to achieve the target.
a. Using the example related to opening new office locations, imagine that the entity opens
only three offices. In this case, management observes that the planning and logistics
teams operate below capacity and that other resources set aside to support the opening
of new offices are unused. Hence, insufficient risk was taken by the entity despite having
allocated sufficient resources.
4. Were risk estimates accurate? When risk has been inaccurately assessed, the organization
determines why. To answer that question, the organization must challenge the understanding
of the business context and the assumptions underpinning the initial risk assessment. It must
also determine whether new information will help refine the risk assessment.
a. For example, suppose that in the earlier example, the entity opens five offices but
observes fewer problems and delays than expected. The risk was overestimated: the
assessed amount of risk was higher than the risk that actually materialized.
B. A finding that performance fell outside of tolerance or that the risk profile significantly
differed from expected may motivate a review of business objectives, strategy, culture, target
performance, severity of risk analysis, risk prioritization, risk responses, or risk appetite.
1. Revising risk appetite will require review and approval by the board or other risk oversight
body (e.g., a risk committee).

Example
Review and Revision at a Small Retailer
A small retailer purchases most of its inventory from local producers. Weekly, the retailer
monitors its financial results. These reviews reveal that locally produced goods are
insufficiently profitable to meet its financial goals. It therefore revises its business objective of sourcing
locally and begins to import higher-margin goods to improve its financial performance. The retailer
also recognizes that this change may influence other risks, including logistics (e.g., shipping), currency
fluctuations, and lag times to acquiring inventory.

Example
A Local Colorado Government and Tourism
For a local government in west-central Colorado, the economy is largely supported
by tourism. City officials understand the minimum, targeted, and maximum levels of
tourism required to support their financial objectives. Specifically, analysis has determined how much
income can be generated through tourism based on metrics such as hotel reservations and occupancy
rates. Results indicate that an occupancy rate of 50% (its target) provides the city with sufficient
revenue to support its annual operating budget and related programs. However, an occupancy rate
greater than 85% increases risks relating to the public transportation system, demands for police
officers, and stresses on natural resources (e.g., hiking and mountain biking trails). The city tracks
patterns in and collects data about its tourism industry to make more risk-aware decisions on the
timing of its marketing campaigns to attract tourists and in allocating resources to public safety.

III. Pursue ERM Improvement—The organization pursues improvement of its ERM activities and
functions. Continual evaluation of ERM activities may be fruitfully embedded in ongoing business
processes and practices (e.g., budgeting, performance reviews). Separate, periodic evaluations are also
useful. Opportunities to improve ERM may arise in any of the following areas:
A. New technology may provide opportunities for efficiency.
1. For example, emerging data mining and automated content (e.g., sentiment) analysis
methods can provide quick assessments of customer satisfaction with products.
B. Historical Shortcomings—Reviewing performance can identify historical shortcomings, including
the causes of past failures. This can inform ERM efforts.
1. For example, an auto parts manufacturer notes that it has insufficiently captured past
currency fluctuation risks. It implements new monitoring processes to improve its assessment
of these risks.
C. Organizational change may be needed to support changing risks or governance structures.
1. For example, in one organization the ERM function reported to the chief financial officer.
To better align strategy and ERM, the entity created a strategy group to which the
realigned ERM function now reports.
D. Risk Appetite—Performance reviews enable refinement of risk appetite.
1. For example, management monitored the performance of a new product over a year
and determined that the market was less volatile than originally forecasted. Accordingly,
management assesses whether it can increase its risk appetite for similar product launches.
E. Risk Categories—Continuous improvement efforts can identify patterns and relationships that
lead to revised risk categories.
1. For example, one organization did not include cyber risk as a threat until it began offering
online products. After offering online products, it revised its categories to include cyber risk.
F. Communications—Reviewing performance can identify outdated or inadequate communication
processes.
1. For example, through review, an organization determines that employees are not reading
emails related to monitoring emerging risks. In response, the organization works with
supervisors to highlight the relevance of these communications; in addition, it moves the
most important of these communications to the organization’s instant messaging system.
G. Peer Comparison (Benchmarking)—Reviewing industry peer data may provide insight into
industry performance tolerance (i.e., the range of acceptable outcomes).
1. For example, a global shipping organization discovers during a benchmarking exercise that
operations in Asia are performing far below its major competitor. As a result, it reviews and
revisits its strategy and objectives to increase its performance in Asia.
H. Rate of Change—Management must consider the rate of business context change and
disruption.
1. For example, a software company that makes a mobile app for retailers (i.e., a rapidly
changing market and industry) will have more frequent opportunities to improve its ERM
processes than a company in the metal wholesaling business (i.e., which buys and delivers
metal for manufacturing), a currently stagnant industry.

Example
Continuous Improvement
Through self-assessment, a government agency concludes that it has strong practices
in place for establishing and implementing governance capabilities and for instilling
the desired culture. However, the organization concludes that its practices for establishing and
implementing information and communications need improvement. While management monitors
improvement opportunities for all ERM components, it concentrates on developing its information
and communication practices.

ERM Communication and Reporting


After studying this lesson, you should be able to:
1. Describe and identify COSO ERM Principles 18 through 20.
2. Apply COSO ERM Principles 18 through 20 to organizational scenarios.
3. Define the ERM terms listed in Section VI.
4. Explain and give examples of how organizations can use information systems to support ERM.
5. Identify and give examples of structured and unstructured information.
6. Identify and give examples of ERM topics about which management should communicate.
7. Identify and give examples of methods by which management can communicate risk information.
8. Identify and give examples of the categories of risk reports.
9. Define and distinguish key risk indicators from key performance indicators.

I. Leverage Information Systems—The organization leverages the entity’s information and technology
systems to support enterprise risk management.
A. Obtaining and using relevant information to support ERM may include the following actions:
1. For governance and culture-related practices, information on standards of conduct and
individual performance relative to those standards is valuable. For instance, professional
service firms have specific standards of conduct to help maintain independent relationships
with clients. Annual staff training reinforces those standards, and management gathers
information by testing the staff’s knowledge.
2. For practices related to strategy and objective-setting, the organization may value
information on stakeholder expectations of risk appetite. Stakeholders such as investors and
customers may express their expectations through analyst calls, blog postings, contract terms
and conditions, and others. These actions will provide information on the risk an entity may
be willing to accept and the strategy that it pursues.
3. For performance-related practices, organizations may need information on their competitors
to assess risk changes. For example, a large residential real estate company may assess the risk
of losing market share to smaller boutique firms by reviewing their competitors’ commission
pricing models and online marketing. If competitors’ commission rates are low and aggressive
and their online presence is widespread, the large company may review its ability to achieve
its sales targets.
4. For review and revision-related practices, organizations may value information on emerging
ERM trends. Such information may be available at ERM conferences and industry-specific
blogs and consortiums.
B. Relevant information may be structured (organized and searchable) or unstructured (not organized in
a predefined form and therefore harder to search). The next figure gives examples of structured and
unstructured internal data sources.

[Figure: examples of structured and unstructured internal data sources. © 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Modified and used with permission.]

Example
Using Unstructured Information in Decisions
A consumer retailer uses artificial intelligence (AI) to mine sources (e.g., social media
posts and online ratings) and structure data on the customer experience. In this way,
management gains insights from social media about purchasing behavior, including historical
patterns and preferences. These insights help reduce the risk of over- or under-stocking inventory. This
improved inventory management reduces costs and improves customer satisfaction.

Example
Determining Compliance Requirements
A pharmaceutical company’s strategy is to expand its market share by developing a new
drug targeted to a specific population. To receive product approval, regulators demand
information that meets compliance requirements, such as testing results and conclusions regarding
drug safety. These conclusions rely on data such as the demographics of the testing population,
number of side effects, duration of studies, and type of proposed application. Data is captured from
internal patient physiology and experience (i.e., self-reports).

C. Effective data management includes three key elements:
1. Data and information governance includes governance processes for identifying data and
risk owners and holding them accountable.
2. Processes and controls help an entity create and maintain reliable data. For example,
organizations may have processes to identify instances and patterns of both low- and high-
quality data and whether that data meets requirements and standards (e.g., the accuracy
of posted transactions). Managing data requires more than using processes and controls to
ensure its quality. It also involves preventing issues of quality from occurring in the first place
through strong governance processes.
3. Data management architecture refers to the fundamental design of the technology and
related data. It includes models, policies, rules, or standards that determine which data
is collected and how it is stored, arranged, integrated, and used in systems and in the
organization.
D. Additional considerations in data management:
1. Organizations implement standards and provide rules for structuring information so that the
data can be reliably harvested, sorted, indexed, retrieved, and shared with both internal and
external stakeholders, ultimately protecting its long-term value.
2. Emerging technologies increasingly support task execution. Examples of such activity include
robotics (in manufacturing), the Internet of Things (IoT), smart appliances (that manage
energy use), and wearable technologies (for monitoring human and livestock activity). The
next example illustrates an application of information systems to harvesting and managing
relevant data.

Example
Using Wearable Technologies to Reduce Risk
A healthcare organization seeks to reduce incidents of elderly patients missing doses of
prescription medicines. Missing prescribed dosages reduces the benefits of medications
and increases patient health risk. In response, the company distributes wearable technology to
patients. The wearable devices help identify cases of missed doses and track some measures of
patient health. This information both helps manage an important risk and informs patient-physician
consultations.

II. Communicate Risk Information—The organization uses communication channels to support ERM.
A. Important internal communications from management include:
1. The entity’s strategy, business objectives, and performance expectations.
2. Desired behaviors and core values that define the entity’s culture.
3. The value and importance of ERM.
4. The entity’s risk appetite and tolerance.
5. Expectations related to cases of ERM weakness, degradation, or failure.
B. Communication between the board and management begins with a shared understanding of the
entity’s strategy and business objectives.
1. Board members must have a deep understanding of the business, including its strategy
and value and cost drivers. Board and management discussion of risk appetite may occur in
quarterly meetings or in special meetings to discuss specific events or risks, such as cyber
terrorism, chief executive succession, or mergers.

C. Methods of communicating risk information may include:
1. Electronic messages, including email, social media, text messages, and instant messaging;
2. External, third-party materials, including industry, trade, and professional journals, and
reports of internal and external performance indices;
3. Informal and verbal communications;
4. Public events including presentations to investor groups and at conferences;
5. Training and seminars, including live sessions and webcasts;
6. Written internal displays, including documents, dashboards, surveys, policies, and procedures;
and
7. Additional methods as required for sensitive matters, such as a whistleblower hotline and
procedures for communicating serious violations of policy or standards.

Example
Communicating with the Board
A company improved risk communication by revising its governance structure. It
removed its board committee related to risk and elevated its chief risk officer (CRO)
position to ensure risk discussion of strategy at the board level. As a result, important risk issues
are discussed by the full board. The company found that taking risk out of a board committee and
embedding ERM responsibilities in the management team—through the elevated CRO position—
better integrated risk and strategy discussions and increased board clarity about risk.

III. Report on Risk, Culture, and Performance—The organization reports on risk, culture, and
performance at multiple levels and across the entity.
A. Risk report users may include management, the board of directors, risk owners, assurance
providers (e.g., internal and external auditors), and external stakeholders (including regulators, rating
agencies, community groups, and others).
B. Types of reporting may include those listed next.
1. The portfolio view of risk reports outlines the severity of risks at the entity level. These reports
highlight the greatest risks to the entity, interdependencies between specific risks, and
opportunities. These reports typically are found in management and board reporting.
2. The profile view of risk is narrower and more focused than the portfolio view. Like the
portfolio view, the profile view outlines risk severity but focuses on levels within the entity.
For example, the risk profile of a division or operating unit may be an important report for
management.
3. Analysis of root causes (asking “why”) enables users to understand assumptions and changes
underpinning the portfolio and profile views of risk.
4. Sensitivity analysis (e.g., using Monte Carlo simulation) measures the sensitivity of changes
in key assumptions embedded in strategy and the potential effect on strategy and business
objectives.
5. Analyses of new, emerging, and changing risks (e.g., through brainstorming) provide
the forward-looking view to anticipate changes to the risk inventory, effects on resource
requirements and allocation, and the anticipated performance of the entity.
6. Key performance indicators (KPIs) and measures outline the tolerance of the entity and
significant potential risks.
7. Trend (i.e., over time) analyses evaluate movements and changes in the portfolio view of risk,
risk profile, and performance of the entity.

8. Disclosures of incidents, breaches, and losses (as appropriate) provide insight into the
effectiveness of risk responses. Not all risk incidents will be disclosed to all stakeholders.
9. Reports to track ERM plans and initiatives summarize ERM practices and results. Reports on
investments in ERM resources, and the urgency with which initiatives are completed, may also
reflect the board’s and management’s commitment to ERM and culture in risk responses.
C. Reporting risk to the board should include both formal and informal information sharing.
1. For example, the board may have informal discussions about the implications and risks of
alternative strategies. Formal reporting plays a significant role in the board’s oversight of the
ERM practices deployed by management.
2. Reporting to the board should focus on the links among strategy, business objectives, risk,
and performance and should include the entity’s portfolio view of risk.
D. Reporting on culture is challenging since measuring culture is a complex task. Reports about
culture may include:
1. Analytics of cultural trends (e.g., number and significance of reports to a whistleblower
hotline), benchmarking within an industry or to a standard, compensation systems and
their implications for behavior, “lessons learned” analyses, reviews of trends in behavior (e.g.,
downtime due to worker errors), and surveys of risk attitudes and awareness.
IV. Key risk indicators (KRIs) measure emerging risks. They are usually quantitative (e.g., expected
number of security incidents per quarter) but may be qualitative (e.g., likelihood of major fire at a
manufacturing plant). KRIs are often reported with key performance indicators (KPIs), which provide
high-level measures of organizational performance.
1. A key performance indicator for customer credit is likely to include data about customer
delinquencies and write-offs (Source: Beasley, Branson, & Hancock, 2010).
2. A key risk indicator might anticipate potential future customer collection issues so that the credit
function could be more proactive in addressing customer payment trends before risk events occur.
a. A relevant KRI for this example might be analysis of reported financial results of the company’s
25 largest customers or general collection challenges throughout the industry to see what
trends might be emerging among customers that could potentially signal challenges related
to collection efforts in future periods. (Source: Beasley, Branson, & Hancock, 2010)

Example
Using Key Risk Indicators
A government agency wants to retain competent staff. The business objective that
supports retaining competent staff has a target turnover rate of less than 5% per year.
A key risk indicator (KRI) would be the percentage of personnel eligible to retire within five years. If
more than 5% of personnel are eligible to retire, this indicates that risk to the target is potentially
manifesting. A key performance indicator (KPI) is the actual turnover rate. KPIs are based on historical
performance, and while analyzing historical performance can establish baselines, the KPI rate trending
upward will not always identify a manifesting risk.

V. Terms
• Key performance indicators (KPIs)—High-level measures of historical performance of an entity
and/or its major units.
• Key risk indicators (KRIs)—Leading (predictive) indicators of emerging risks.
• Portfolio view—A composite view of risk the entity faces, which positions management and the
board to consider the types, severity, and interdependencies of risks and how they may affect the
entity’s performance relative to its strategy and business objectives.
• Risk inventory—A listing of the entity’s known risks.

• Risk owners—Managers or employees who are accountable for the effective management of
identified risks.
VI. Summary: The Five Components and 20 Principles of Risk Management
Governance and Culture
1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and
carries out governance responsibilities to support management in achieving strategy and
business objectives.
2. Establishes Operating Structures—The organization establishes operating structures in the
pursuit of strategy and business objectives.
3. Defines Desired Culture—The organization defines the desired behaviors that characterize
the entity’s desired culture.
4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment
to the entity’s core values.
5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to
building human capital in alignment with the strategy and business objectives.
Strategy and Objective-Setting
6. Analyzes Business Context—The organization considers potential effects of business context
on risk profile.
7. Defines Risk Appetite—The organization defines risk appetite in the context of creating,
preserving, and realizing value.
8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and
potential impact on risk profile.
9. Formulates Business Objectives—The organization considers risk while establishing the
business objectives at various levels that align and support strategy.
Performance
10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and
business objectives.
11. Assesses Severity of Risk—The organization assesses the severity of risk.
12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses—The organization identifies and selects risk responses.
14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
Review and Revision
15. Assesses Substantial Change—The organization identifies and assesses changes that may
substantially affect strategy and business objectives.
16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.
17. Pursues Improvement in Enterprise Risk Management—The organization pursues
improvement of enterprise risk management.
Information, Communication, and Reporting
18. Leverages Information Systems—The organization leverages the entity’s information and
technology systems to support enterprise risk management.
19. Communicates Risk Information—The organization uses communication channels to support
enterprise risk management.
20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and
performance at multiple levels and across the entity.
