COSO: Current ERM Challenges and Our Responses RIMS 2012 Annual Conference April 17, 2012 by David Landsittel COSO Chairman
About COSO Formed in 1985 to sponsor a Commission to examine fraudulent financial reporting A joint initiative of five private sector organizations Sponsors: – American Accounting Association (AAA) – American Institute of Certified Public Accountants (AICPA) – Financial Executives International (FEI) – Institute of Management Accountants (IMA) – The Institute of Internal Auditors (IIA)
COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.” COSO’s Fundamental Principle Good risk management and internal control are necessary for long term success of all organizations Mission
COSO’s Three Areas of Focus 1.Enterprise Risk Management 2.Internal Control 3.Fraud Deterrence
: Treadway Commission Report 1992: Internal Control – Integrated Framework 1999: Fraud Study I - Fraudulent Financial Reporting: : Enterprise Risk Management Framework 2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting 2009: Guidance on Monitoring Internal Control Systems Timeline 1996: Internal Control Issues in Derivatives 2010: Fraud Study II - Fraudulent Financial Reporting: : Recent ERM thought papers on current issues
COSO ERM Framework Issued in 2004 Fundamental characteristics – A portfolio view of risks at the entity-level – Risk identification, prioritization, and response – Managing risk within the entity’s risk appetite – Consideration of risks in formulation of strategy Widely but not universally used Implementation not as robust
Some Current ERM Challenges that Impact COSO Uneven support to adopt any formal risk management process Less than robust ERM implementation Difficulty “getting started” with ERM implementation Failure to consider low likelihood but high impact risks – overconfidence Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight Immature development of risk appetite
COSO ERM Response Our objective – to assist stakeholders in moving up “maturity curve” of an effective ERM process 8
COSO ERM “Thought Papers” 9 1.“Effective Enterprise Risk Oversight: The Role of Board of Directors” – 09/ “Strengthening Enterprise Risk Management for Strategic Advantage” – 10/ “Board Risk Oversight – A Progress Report” – 12/ “COSO’s 2010 Report on ERM” – 12/ “Embracing Enterprise Risk Management: Practical Approaches for Getting Started” – 01/ “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” – 01/ “Understanding and Communicating Risk Appetite” – 01/ “Enhancing Board Oversight: Avoiding Judgment Traps and Biases” – 03/2012 Coming Soon: – “COSO Enterprise Risk Management for Cloud Computing”
Outlines four areas contributing to effective ERM board oversight 1.Understanding risk appetite 2.Understanding how an entity’s portfolio of risks aligns with risk appetite 3.Understanding most significant risks and how management is responding 4.Understanding and assessing risk management processes 1. “Effective Enterprise Risk Oversight: The Role of Board of Directors”
Focuses on how management can work with board to enhance board’s oversight capabilities Discusses the four ERM focus areas noted on preceding slide, but from a management perspective 2. “Strengthening Enterprise Risk Management for Strategic Advantage”
3. “Board Risk Oversight – A Progress Report” Major findings: – Strong majority reports boards not executing mature/robust risk oversight processes – Overall dissatisfaction in the way risk is considered in context of enterprise’s strategy – Processes for monitoring and reporting of risks should be enhanced – Public companies report better processes than other enterprises
The state of ERM appears to be relatively immature, with a notable level of dissatisfaction with how organizations are currently overseeing enterprise-wide risks Reporting of top risk exposures to the board appears to be casual and unstructured Most respondents believe that the COSO ERM Framework is theoretically sound and describes key elements of a robust ERM process 4. “COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight”
Describes how an organization can start to move from informal risk management to ERM Discusses the increasing importance of an enterprise focus on risks Examines perceived barriers to starting ERM and working through those barriers 5. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started”
6. “Developing Key Risk Indicators to Strengthen Enterprise Risk Management” Emphasizes need for ERM processes that focus on forward looking information – i.e. key risk indicators or ”KRI’s” Illustrates how KRIs heighten board and management enterprise risk awareness Provides practical examples to help executives develop effective KRI’s
7. “Understanding and Developing Risk Appetite” Emphasizes that risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives Stresses that risk and strategy are intertwined – strategy must be formulated with due regard to risk appetite Points out that risk appetite should be communicated by management, embraced by the board, and integrated throughout the entity Emphasizes that well communicated risk appetite serves as a boundary around the amount of risk an organization might take on
8. “Enhancing Board Oversight: Avoiding Judgment Traps and Biases” Observes that the complexities of the global business environment place a premium on sound judgment and decision making Highlights some pitfalls and biases in judgment to which decision makers are vulnerable Details a five-step judgment process that board members and others can use to overcome common pitfalls and mitigate the effects of judgment bias
“COSO Enterprise Risk Management for Cloud Computing” – Coming Soon Emphasizes that cloud computing entails new business risks because it brings to organizations a different dimension of collaboration and human interaction et al Applies COSO ERM model to risk considerations Points out that for many organizations applying cloud computing with appropriate risk mitigation in place will bring multiple benefits
David Landsittel Thank You