7/29/2019 COSO I e II
1/9

The COSO risk framework: a reference for internal control?
Transition from COSO I to COSO II
Annie Bressac, Consultant, Annie Bressac Conseil
IAS Conference, November 25th
COSO II: Enterprise Risk Management, Integrated Framework
- Background & objectives
- Insights
Underlying principles of COSO-ERM:
- Every entity exists to realize value for its shareholders
- Every entity has to deal with uncertainty
- The COSO II framework is designed to enable management:
  - To deal effectively with potential future events that create uncertainty
  - To respond in a manner that reduces the likelihood of downside outcomes and increases the upside
The ERM definition
- Enterprise Risk Management is:
  - A process
  - Effected by an entity's board of directors, management and other personnel,
  - Applied in strategy setting and across the entity
  - Designed to identify and manage potential events that may affect the entity, and
  - To provide reasonable assurance regarding the achievement of entity objectives.
The ERM framework
1. The Enterprise Risk Management framework has eight interrelated components
2. Entity objectives can be viewed in the context of four categories:
   - Strategic
   - Operations
   - Reporting
   - Compliance
3. ERM considers activities at all levels of the organization
The ERM framework
- Internal environment includes:
  - Risk management philosophy and risk culture
  - Risk appetite: a high-level view of how much risk the management and the board are willing to accept
  - All other aspects of how the organization's actions may affect its risk culture
- Objective setting:
  - Is applied when management considers risk strategy in the setting of objectives
  - Objectives are set with regard to the risk appetite
  - A level of variation is accepted for objectives (risk tolerance)
The ERM framework
- Event identification:
  - Identify those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
  - Addresses how internal and external factors combine and interact to influence the entity's risk profile
  - Distinguishes risk and opportunity
- Risk assessment:
  - Allows an entity to understand the extent to which potential events might impact objectives
  - Assesses risks from two perspectives, likelihood and impact, on both an inherent and residual basis
  - Employs a combination of both qualitative and quantitative risk assessment methodologies
The ERM framework
- Risk response:
  - Identifies and evaluates possible responses to risk: avoiding, accepting, reducing, sharing
  - Evaluates options in relation to the entity's risk appetite
  - Selects and executes response based on evaluation of the portfolio of risks and responses
- Control activities: policies and procedures that help ensure that risk responses are carried out
  - Occur throughout the organization, at all levels and in all functions
  - Include application controls and general information technology controls
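The risk assessment and risk response steps described on the two slides above (likelihood and impact rated on an inherent and a residual basis, the four response types evaluated against the risk appetite and its tolerance, and a portfolio-level selection), modelled as an added Python example. This is not code from the presentation; the 1-5 rating scale, the effect of each response, the appetite and tolerance values and the cost ordering of responses are constructed assumptions.

```python
"""Risk assessment and response selection in the COSO ERM style.
Constructed example, not code from the presentation. Risks are rated on
likelihood and impact (1-5 each) on an inherent basis, then on a residual
basis after a response is applied, and compared with the risk appetite."""
from dataclasses import dataclass

RISK_APPETITE = 8    # constructed: maximum acceptable residual rating
RISK_TOLERANCE = 2   # constructed: accepted variation above the appetite

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def rating(self) -> int:
        return self.likelihood * self.impact

# The four COSO response types, each mapping inherent risk to residual risk.
# The effect sizes are constructed for the example.
def avoid(r: Risk) -> Risk:      # exit the activity: no exposure remains
    return Risk(r.name, 0, 0)

def accept(r: Risk) -> Risk:     # take no action: residual equals inherent
    return r

def reduce(r: Risk) -> Risk:     # controls lower likelihood and impact
    return Risk(r.name, max(1, r.likelihood - 2), max(1, r.impact - 1))

def share(r: Risk) -> Risk:      # transfer part of the impact (e.g. insurance)
    return Risk(r.name, r.likelihood, max(1, r.impact - 2))

RESPONSES = {"accept": accept, "share": share, "reduce": reduce, "avoid": avoid}
COST = {"accept": 0, "share": 1, "reduce": 2, "avoid": 3}  # constructed cost order

def within_appetite(r: Risk) -> bool:
    """Residual rating is acceptable at or below appetite plus tolerance."""
    return r.rating() <= RISK_APPETITE + RISK_TOLERANCE

def select_response(inherent: Risk) -> tuple[str, Risk]:
    """Cheapest response whose residual risk falls within the appetite."""
    for name in sorted(RESPONSES, key=COST.__getitem__):
        residual = RESPONSES[name](inherent)
        if within_appetite(residual):
            return name, residual
    return "avoid", avoid(inherent)  # not reached: avoid always qualifies

def respond_to_portfolio(risks: list[Risk]) -> dict[str, str]:
    """Evaluate the whole portfolio, returning the chosen response per risk."""
    return {r.name: select_response(r)[0] for r in risks}
```

With these constructed scales a (2, 3) risk is accepted, a (3, 5) risk is shared, a (4, 5) risk is reduced and a (5, 5) risk is avoided, which is the point of rating residual as well as inherent risk before choosing a response.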
The ERM framework
- Information & communication:
  - Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
  - Communication occurs in a broader sense, flowing down, across, and up the organization
- Monitoring:
  - Monitors the ongoing effectiveness of the other enterprise risk management components through:
    - Ongoing monitoring activities
    - Separate evaluations
    - A combination of the two
Roles and responsibilities
- Four broad areas of roles and responsibilities:
  - The Board of Directors is responsible for overseeing management's design and operation of ERM
  - Management is responsible for the design of an entity's enterprise risk management framework
  - Risk officers work with managers in establishing and maintaining effective risk management
  - Internal auditors contribute to the ongoing effectiveness of the enterprise risk management
COSO ERM: a reference for internal control?
- Transition from COSO I to COSO II
- Value and utility
Transition from COSO I to COSO II
- COSO II doesn't replace COSO I, which remains as a stand-alone internal control framework
- COSO ERM incorporates the IC framework: a strong system of internal control is essential to effective enterprise risk management.
- COSO ERM expands and elaborates on elements of internal control as set out in the COSO Internal Control Framework
Transition from COSO I to COSO II
Value and utility of COSO ERM
COSO ERM brings to all the control stakeholders:
- A definition of risk management
- A vocabulary, concepts and principles shared by all the parties involved
- Criteria to evaluate the effectiveness of risk treatment strategies
- Guidelines for entities to improve their risk management system
Value and utility for managers
ERM process improves capacity to build value:
- Align strategy with risk appetite
- Enhance risk response decisions
- Reduce the likelihood and/or impact of negative events and therefore operational losses
- Seize opportunities
- Identify and manage multiple and cross-enterprise risks
Value and utility for internal auditors
- Play an important role in monitoring ERM, but
- Do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements
COSO II extends and strengthens the evolution initiated by COSO I
- Bring together risk culture and control culture
- Strengthen the link between internal control, risks, and achievement of objectives:
  - Pertinence and legitimacy of internal control considering its added value to an effective risk control
  - Relevance of the controls implemented to the previous identification and assessment of risks