Stakeholders Demand Better Corporate Accountability
A new COSO study provides practical guidance for evaluating an organization's risk management efforts.
THE COMMITTEE OF SPONSORING ORGANIZATIONS of the Treadway Commission (COSO) is developing a new enterprise risk management (ERM) framework that can help companies achieve lasting, positive changes in their corporate governance. The new principles will provide a golden opportunity to influence the retooling of corporate governance reforms by championing good governance principles in the workplace.
COSO began the Enterprise Risk Management Framework project in response to organizations' need for clear guidance to identify, measure, prioritize, and respond to risk. The new framework expands and elaborates on the elements of internal control as defined by COSO's original model, Internal Control–Integrated Framework (IC-IF). It incorporates the key concepts of internal control necessary for both internal and external reporting by building ERM into the model's risk assessment component.
The ERM framework expands on the risk assessment component of IC-IF, separating it into three ERM components — event identification, risk assessment, and risk response — while elaborating on control processes within the internal environment and expanding information flow and communication. ERM requires the establishment of corporate risk tolerance with an entitywide view of risks applied in a strategic setting.
Stakeholders are demanding better accountability by corporate executive management. In surveys of board and audit committee members, risk and governance top the list of concerns. Recent accounting failures, such as those at WorldCom, Xerox, Adelphia Communications, and others, have been attributed, in some part, to failure in the corporate governance system. These incidents can be somewhat alarming because the alleged perpetrators were chief operating officers (COOs), chief financial officers (CFOs), and other high-ranking corporate officers. Many of the failed businesses were brought down by:
According to the new COSO study, effective risk management considers risks across the enterprise and the interdependence of those risks. It builds risk information into an organization's decision-making process, and when applied in a strategic setting, is designed to identify and manage the possibility that a potential event may adversely affect the achievement of corporate objectives. COSO's definition is broad, focusing on all aspects of a business, yet facilitates a directed focus on specific categories of objectives. The underlying premise applies to the organization's strategy and objectives to enable management to realize value for its stakeholders.
The new COSO ERM framework includes eight components that embody these concepts. Although five of the eight components are taken from the original IC-IF, the ERM framework is broader in its description of practical guidance.
1. Internal Environment
An entity's internal environment, established at the top, frames the ERM philosophy and control consciousness. It enables company personnel to understand how to manage risk, recognize that unexpected as well as expected events may occur, and form a risk tolerance, or how much risk it wants to accept, at the entity level. This risk tolerance is encompassed in management philosophy, policy, guidelines, and procedures. The internal environment also addresses how internal and external factors combine and interact to influence the entity's risk profile. Executive management, with oversight from the board, establishes the relationship among ERM, performance, and value.
2. Objective Setting
The overall objective of ERM is to provide the entity with enhanced capabilities to identify, assess, and manage risks that may impact the achievement of objectives. ERM attains this objective by providing management with:
3. Event Identification
Event identification involves potential events, whether occurring internally or externally, that could affect the implementation of strategy and achievement of objectives. Management identifies the precipitating reasons, or root causes, of potential events as a means to categorize risks and determines its risk tolerances. When identifying events, an entity reviews its entire organization, taking an entitywide view of events based on common categories. Events that may have a negative impact represent risks that the entity addresses through the risk assessment process. Events that may have a positive impact represent opportunities, which management channels back to its strategic and objective-setting processes.
4. Risk Assessment
Risk assessment allows an entity to gain an understanding of the extent to which potential events might impact the achievement of objectives. Management considers both the positive and negative consequences of events underlying the identified risks across an entity. Management employs a combination of both qualitative and quantitative risk assessment methodologies to assess risk on both an inherent and residual basis from two perspectives. The first considers the likelihood, or chance, that a given event will occur, while the second considers the impact of the event. The units of measure used to assess risks are the same units used to measure the related objectives that may be impacted.
5. Risk Response
Management identifies and evaluates possible risk response options, including avoiding, accepting, reducing, and sharing risk. Management evaluates these options in relation to the entity's aggregate risk, cost versus benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood. Assessment and response to risks are integral components of ERM; however, the choice of risk response and implementation by management are part of management's broader role, and not part of ERM. Effective ERM does not necessarily mean the best response was chosen, only that the response brings the expected likelihood and impact within the desired risk tolerances.
6. Control Activities
An entity uses control activities to help ensure the effectiveness of actions taken to address risk. Control activities occur throughout the organization at all levels and in all functions. They include a range of activities — as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties. Consistent implementation and monitoring are key to achieving control activity objectives.
7. Information and Communication
For ERM, data and information flow should be integrated in the overview of an entity's risk profile. Information is needed at all levels to identify, assess, and respond to risk in a form and time frame that enables people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the organization. Employees should receive a clear message from top management that ERM is taken seriously. They should understand their own role in ERM, as well as how individual activities relate to the work of others. In addition, there should be effective communication and exchange of relevant information with external parties, such as customers, vendors, regulators, and shareholders.
The ERM monitoring process assesses the presence and functioning of its components over time. It is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two, performed on an ongoing basis by the board of directors, management, supervisory activities, and employees performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. ERM deficiencies are reported upstream, with serious matters reported to top management and the board.
ERM, no matter how well designed and operated, cannot ensure that an entity's objectives will be achieved. Management should be aware that the entity's goals might be affected by limitations inherent in its systems. Human judgment in decision-making can be faulty, and breakdowns can occur because of human failures such as simple error or mistake. Controls can be circumvented by the collusion of two or more people. Additionally, management has the ability to override ERM processes, including risk response decisions and controls. Relative costs and benefits of risk responses need to be considered as well.
Everyone in the organization has responsibility for risk management. Management, however, is responsible for the design of an entity's ERM framework and should assume ownership of the process.
Management promotes the desired risk culture, frames risks in the context of strategy and activities, and establishes an entity-level risk tolerance. Management also provides an entitywide view of risk and enforces compliance individually and in the aggregate. Organization personnel are responsible for executing management's decisions on how to respond to risk and are responsible for communicating new events that arise to the appropriate individual or committee.
The board of directors is responsible for overseeing management's design and operation of ERM and ensuring effective risk-response decisions are made. Internal auditors contribute to the ongoing effectiveness of the ERM by their participation in separate evaluations and by providing up-front advice on ERM design issues. They test management's risk assessment for reliability and develop or adjust their audit plan accordingly.
Internal auditors can be a part of the solution to the recent problem of corporate governance failure. There is no better time for auditors to work with company executives to improve their governance processes. Stakeholders are demanding better corporate accountability, and ERM principles, when properly applied, can come to the rescue.
The draft ERM framework will be available after July 15 at www.coso.org.
Don Kirkendall served as inspector general at the U.S. Treasury from 1989 to 1993. He currently consults in the areas of internal auditing and risk management.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org