7.1

Cards (111)

  • All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value
  • Enterprise risk management
    Enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation
  • COSO has published comprehensive guidance on Enterprise Risk Management (ERM) practices in response to growing recognition of the need for organizations to effectively manage risks to achieve their objectives and enhance overall performance
  • With the increasing complexity of business environments and the rising tide of global uncertainties, there was a clear demand for a standardized framework that could guide organizations in identifying, assessing, and mitigating risks across various facets of their operations
  • COSO's publications, including the original Internal Control-Integrated Framework and subsequent updates such as the Enterprise Risk Management Framework, aim to fulfill this need by offering practical guidance and best practices for implementing effective risk management processes
  • Enterprise risk management (ERM)
    Concerns the identification and management of events and circumstances that can affect the ability of a firm to achieve its objectives
  • ERM
    The process of a coordinated, organization-wide risk management system. It is not a department or a function, but rather a holistic approach to a firm's culture, capabilities, and practices
  • Benefits of integrating ERM practices
    • Increasing the range of opportunities
    • Identifying and managing risk entity-wide
    • Increasing positive outcomes and advantages while reducing negative surprises
    • Reducing performance variability
    • Improving resource deployment
    • Enhancing enterprise resilience
  • The benefits of integrating enterprise risk management practices with strategy setting and performance management practices will vary by entity. There is no one-size-fits-all approach available for all entities
  • Implementing enterprise risk management practices will generally help an organization achieve its performance and profitability targets and prevent or reduce the loss of resources
  • COSO Framework
    A system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards
  • The initial mission of COSO was to study financial reporting and develop recommendations to prevent fraud
  • The early 2000s witnessed a series of high-profile corporate scandals, including Enron, WorldCom, Tyco International, and others. These scandals involved accounting irregularities, corporate fraud, and governance failures, which led to significant financial losses for investors, damage to shareholder confidence, and calls for regulatory reform
  • Following the high-profile business scandals and failures in the early 2000s, in 2004 the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM model was developed to facilitate a broader understanding of an entity's overall strategies and goals and the threats to those strategies and goals
  • COSO ERM cube
    An Enterprise Risk Management (ERM) version of the COSO cube was produced in 2004 and this has both risk management and internal control within its scope. The approach adopted by the COSO ERM cube suggests that enterprise risk management is not strictly a serial set of activities, where one component affects only the next. It is considered to be a multidirectional, iterative process in which almost any component can and does influence all other components
  • No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture
  • Categories of business objectives
    • Strategic objectives
    • Operations objectives
    • Reporting objectives
    • Compliance objectives
  • An objective in one category may overlap or support an objective in another. The category in which an objective falls sometimes depends on circumstances
  • Effective enterprise risk management provides reasonable assurance that an entity's reporting objectives are being achieved. Similarly, there should be reasonable assurance that compliance objectives are being achieved
  • Achieving strategic and operations objectives is not solely within the entity's control as they are subject to external events
  • Components of Enterprise Risk Management
    • Internal Environment
    • Objective Setting
    • Event Identification
    • Risk Assessment
    • Risk Response
    • Control Activities
    • Information and Communication
    • Monitoring
  • Enterprise risk management
    Focuses primarily on developing consistency of objectives and goals throughout the organization; identifying key success factors and risks; assessing the risks and making informed responses; implementing appropriate risk responses and establishing needed controls; and timely reporting of performance and expectations
  • Enterprise risk management
    Can provide reasonable assurance that management and the board are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of strategic and operations objectives
  • Internal Environment
    • Encompasses the tone of an organization, influencing the risk consciousness of its people and is the basis for all other components of enterprise risk management, providing discipline and structure
    • Influences how strategies and objectives are established, business activities are structured, and risks are identified, assessed, and acted upon
    • Influences the design and functioning of control activities, information and communication systems, and monitoring activities
  • Internal Environment Factors
    • Entity's risk management philosophy
    • Risk appetite
    • Oversight by the board of directors
    • Integrity and ethical values
    • Commitment to competence
    • Organizational structure
    • Assignment of authority and responsibility
    • Human resource standards
  • Objective Setting
    Ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite
  • Categories of Related Objectives
    • Operations Objectives
    • Reporting Objectives
    • Compliance Objectives
  • Event Identification
    • Involves identifying potential events from internal or external sources affecting the achievement of objectives
    • Includes distinguishing between events that represent risks, those representing opportunities, and those that may be both
  • Event Identification Techniques
    • Event inventories
    • Internal analysis
    • Escalation or threshold triggers
    • Facilitated workshops and interviews
    • Process flow analysis
  • Risk Assessment
    • Identified risks are analyzed in order to form a basis for determining how they should be managed
    • Risks are associated with objectives that may be affected
    • Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact
  • Risk Assessment Techniques
    • Benchmarking
    • Probabilistic Models
    • Non-probabilistic Models
  • Risk Response
    Management selects appropriate actions to align risks with risk appetite and tolerance, including risk avoidance, reduction, sharing, and acceptance
  • Control Activities
    • Policies and procedures that help ensure that management's risk responses are carried out
    • Occur throughout the organization, at all levels and in all functions
  • Types of Control Activities
    • Top-level reviews
    • Direct functional or activity management
    • Information processing
    • Physical controls
    • Performance indicators
    • Segregation of duties
  • Information and Communication
    • Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities
    • Effective communication also occurs in a broader sense, flowing down, across, and up the entity
  • Information Quality Criteria
    • Content is appropriate
    • Information is timely
    • Information is current
    • Information is accurate
    • Information is accessible
  • Monitoring
    • The entirety of enterprise risk management is monitored, and modifications made as necessary
    • Accomplished through ongoing management activities, separate evaluations, or both
  • Monitoring Activities
    • Ongoing Monitoring Activities
    • Separate Evaluations
  • 2017 COSO ERM - Integrating Strategy and Performance Framework
    Aims to more clearly connect ERM with stakeholder expectations, position risk in the context of performance rather than as an isolated exercise, enable organizations to better anticipate risk, and provide an understanding that change creates opportunities