Module 4 - Quiz 2 Flashcards
2017 COSO ERM Framework
- mission, vision, and core values = governance and culture
- strategy development = strategy & objective setting
- business objective formulation = performance
- implementation and performance = review and revision
- enhanced value = information, communication, and reporting
Four Principles of strategy & objective setting
- Analyze Business Context
- Define Risk Appetite
- Evaluate Alternative Strategies
- Formulate Business Objectives
By integrating ERM into the strategy-setting phase
you gain insights into the risk profile associated with each strategy and business objective
COSO ERM: Component 2
Strategy & Objective Setting
Five Principles of governance and culture
- Board exercises risk oversight
- Establishes operating structures
- Defines desired culture
- Commitment to core values
- Attracts, develops and retains capable individuals
Five Principles of performance
- Identifies Risk
- Assesses Severity of Risk
- Prioritizes Risks
- Implements Risk Responses
- Develops Portfolio View
Three Principles of review and revision
- Assesses Substantial Change
- Reviews Risk and Performance
- Pursues improvement in Enterprise Risk Management
Three Principles of information, communication, and reporting
- Leverages Information and Technology
- Communicates Risk Information
- Reports on Risk, Culture, and Performance
COSO ERM: Component 1
Governance & Culture
What is the “business context”?
Factors that influence current and future strategy and business objectives
What are examples of “business context”?
Trends, political landscape, customers, suppliers
How should “business context” be viewed?
In three stages: Past, Present & Future
When should “business context” be considered?
In all five components of the COSO ERM Framework
State of the World (Reality)
VUCA – Volatility, Uncertainty, Complexity, Ambiguity [ascending order of risk]
Aspects of business context
✓ Dynamic: Risks can emerge at any time
✓ Complex: Interconnected / interdependent
✓ Unpredictable: Changes happen quickly / can be unanticipated
Two types of business contexts
External Environment & Internal Environment
CATEGORIES OF EXTERNAL BUSINESS ENVIRONMENT
PESTLE
- Political
- Economic
- Social
- Technological
- Legal
- Environment
CATEGORIES OF INTERNAL BUSINESS ENVIRONMENT
- Capital
- People
- Process
- Technology
Principle 7
Define Risk Appetite
Principle 6
Analyze Business Context
How is “Risk Appetite” defined?
The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value
Risk appetite is expressed in the form of
a risk appetite statement
Risk Capacity
Maximum amount of risk an entity is able to absorb in pursuit of strategy and business objectives
Risk Profile
Composite view of the risks assumed by the entity at a particular time
ERM capabilities & maturity
Strength of ERM practices within the entity
How is Risk Appetite governed?
- Management with Board input (sometimes) develops risk appetite; Board approves
- Management is responsible for communicating & disseminating
- Management, with Board oversight, continuously monitors risk appetite and makes changes, when needed
- Mission, vision, and prior strategies provide significant inputs into risk appetite development
Can strategy and risk appetite be developed in parallel?
Yes
The approaches used to communicate risk appetite
- Create an overall risk appetite statement
- Communicate risk appetite for each major class of organizational objectives
- Communicate risk appetite for different categories of risk
Steps in Defining Risk Appetite
- Develop Risk Appetite
- Communicate Risk Appetite
- Monitor & Update Risk Appetite