COSO Releases New ERM Framework
Designed to offer organizations a commonly accepted model for evaluating risk management efforts, the framework expands on internal control concepts by providing a more robust focus based on the broader subject of enterprise risk management (ERM). Detailing the essential components of an effective ERM process, the framework provides guidance to help organizations build effective programs for identifying, measuring, prioritizing, and responding to risk. Encompassing the criteria set forth in COSO's 12-year-old Internal Control — Integrated Framework, the new guidance addresses essential components, principles, and concepts of ERM, suggests a common ERM language, and provides clear direction and guidance. It also discusses the roles and responsibilities of those within an organization as they relate to ERM and further identifies the interrelationships between risk and ERM.
Engaged by the COSO board to lead the study, PricewaterhouseCoopers was assisted by an advisory council composed of representatives from the five COSO organizations in reviewing the project plan, drafts of the framework, and other related matters. As part of the validation process, the framework was refined based on comments submitted to the COSO Advisory Council by interested parties and individuals.
A DYNAMIC PROCESS
Embedded within an organization's strategies and objectives, ERM's value is maximized when a balance is reached between growth, returns, risks, uncertainties, and opportunities. How much risk the entity is prepared to accept is inherent in ERM's capabilities, which encompass the following key components:
In addition, the new framework presents a standard definition of risk and ERM and provides direction to enhance risk management, including criteria for companies to use in determining whether their risk management is effective, and if not, what is needed.
Considering activities at all levels of the organization, the ERM framework views entity objectives at the entity, division, business-unit, and subsidiary levels, in four key categories: strategic, operations, reporting, and compliance. At the same time, the framework focuses on eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
ERM FRAMEWORK ACTIVITIES
The framework includes examples of ERM approaches used by various risk management practitioners. Activities to be established, which are each discussed and explained within the document, include:
IMPACT ON INTERNAL AUDITING
The new ERM — Integrated Framework will play a key role in the internal audit function. To help internal auditors understand these ERM relationships, The IIA developed answers to some commonly asked questions:
What is the internal auditor’s role in risk management and how will this framework help that role? Internal auditors should assist both management and the audit committee in their risk management responsibilities and oversight roles by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management’s risk processes. This framework provides a benchmark with detailed guidance for internal auditors to use in the evaluation of their organization’s risk management efforts. It also suggests guidance on various risk management processes and tools to consider when implementing or strengthening an organization's ERM process.
How does the ERM framework affect an organization that already has a sound system of internal controls? A strong system of internal control supports the achievement of the organization’s business objectives, and therefore good internal control is a way of managing risk. However, ERM is much broader than internal control and includes additional management efforts to ensure an organization achieves its business objectives.
How will the framework help organizations reduce their exposure to risk? By formally organizing ERM responsibilities and activities, an organization is much better positioned to achieve its business objectives and to ensure that sound risk management processes are in place and functioning. The ERM — Integrated Framework provides a comprehensive road map for establishing the critical processes needed to ensure an effective ERM effort. The framework offers a structured, consistent, and continuous process to be used across the organization to identify, assess, respond to, and report on opportunities and threats that affect the achievement of objectives.
What are the benefits of implementing COSO’s ERM framework? According to advocates of the ERM framework, organizations that implement the process will have:
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org