COSO ERM Framework Flashcards
COSO ERM Framework is called
Enterprise Risk Management—Integrating with Strategy and Performance
The purpose of the COSO ERM Framework
The purpose of this framework is to help organisations accelerate growth and enhance performance by integrating ERM at every organisational level and applying the principles of the framework to everything from strategic decision making to performance management. It is applicable to all industries and all types of risk.
The 5 components of the ERM framework
- Governance and culture
- Strategy and objective setting
- Performance
- Review and revision
- Information, communication, and reporting
COSO ERM Component 1:
5 Principles of Governance and culture
Governance sets the organisation’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management.
Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity
- Exercises board risk oversight
- Establishes operating structures - in the pursuit of business objectives
- Defines desired culture - the desired behaviors
- Demonstrates commitment to core values
- Attracts, develops, and retains capable individuals - in alignment with business objectives
COSO ERM Component 2:
4 Principles of Strategy and objective setting
Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
- Analyzes business context - considers potential effects of business context on risk profile
- Defines risk appetite - in the context of creating, preserving, and realizing value.
- Evaluates alternative strategies - and potential impact on risk profile.
- Formulates business objectives - considers risk while establishing the business objectives at various levels that align and support strategy.
COSO ERM Component 3:
5 Principles of Performance
Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
- Identifies risk - that impacts the performance of strategy and business objectives.
- Assesses severity of risk
- Prioritizes risks - as a basis for selecting risk responses.
- Implements risk responses
- Develops a portfolio view of risk
COSO ERM Component 4:
3 Principles of Review and Revision
By reviewing entity performance, an organisation can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
- Assesses substantial change - that may substantially affect strategy and business objectives.
- Reviews risk and performance
- Pursues improvement in enterprise risk management
COSO ERM Component 5:
3 Principles of Information, Communication, and Reporting
Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organisation.
- Leverages information and technology - technology systems support enterprise risk management.
- Communicates risk information
- Reports on risk, culture, and performance - at multiple levels