Study Unit 5.1: ERM Introduction and understanding the terms Flashcards
When was COSO formed?
Originally formed in 1985
What is COSO?
It is a joint initiative of five private sector organizations
It provides a generic ERM framework for entities of all sizes
What is the purpose of COSO?
Provide guidance on:
Enterprise risk management (ERM)
Internal control
Fraud prevention
What is COSO’s fundamental principle?
Good risk management is necessary for long-term success
Why update the 2004 COSO publication in 2017?
The risk landscape has evolved dramatically; organizations need to be more adaptive to change
Stakeholders are more engaged, seeking greater transparency and accountability
The bar has been raised with respect to ERM
What is the underlying premise of ERM?
Every entity, whether for-profit, not-for-profit or a governmental body, exists to provide value for its stakeholders
What does ERM do for an entity?
All entities face uncertainty and ERM provides a framework for management to effectively deal with uncertainty, associated risk (in the pursuit of value) and opportunity.
ERM helps an entity to enhance its capacity to create, preserve and realize value
What does ERM affect?
VALUE
What is VALUE?
Value is (1) created, (2) preserved, (3) eroded or (4) realized by management decisions at every level, from strategy-setting to operating the enterprise day-to-day
Definition: Value creation
When the benefits derived from resources deployed exceed the cost of those resources used. Resources include people, financial capital, technology, processes, and brand.
Example: Value creation
A new product is successfully designed and launched and its profit margin is positive
Define: Value preservation
Focusing on resources (people, processes and systems used in day-to-day operations) to create sustained value
Example: Value preservation
The delivery of superior products, services and production capacity, which results in loyal and satisfied customers and stakeholders
Define: Value Erosion
Management implements a strategy that does not yield the expected outcomes (i.e. a poor strategy), or fails to execute day-to-day activities effectively
Example: Value erosion
Extensive resources are consumed to develop a new product that is consequently abandoned
Define: Value Realization (Achieved)
When stakeholders receive benefits (monetary or non-monetary) created by the entity.
Why is ERM important to apply?
Achieve an entity’s performance and profitability targets
To avoid negative surprises (loss) of resources
Ensure effective reporting
Gain competitive advantage
Create value and stakeholder confidence
What is ERM linked to?
Governance
Performance management
Internal control
Define: Enterprise Risk Management (ERM)
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value
In depth into ERM definition: “Recognizing Culture”
Each person has a unique point of reference, which influences how he/she puts ERM practices in place
ERM helps people to understand that culture plays an important role in shaping their decisions
In depth into ERM definition: “Developing Capabilities”
An organization that has the capacity to adapt to change is more resilient and better able to evolve in the face of marketplace and resource constraints and opportunities
ERM adds to the skills needed to carry out the entity’s mission and vision and to anticipate the challenges that may hinder organizational success.
In depth into ERM definition: “Applying Practices”
ERM is continually applied to the entire scope of activities. It is part of management decisions at all levels of the entity
The practices used in ERM are applied from the highest levels of an entity and flow down through divisions, business units, and functions
In depth into ERM definition: “Integrating with Strategy-Setting and Performance”
An organization sets strategy that aligns with and supports its mission and vision
An organization that integrates ERM into daily tasks is more likely to have lower costs and is likely to identify new opportunities
In depth into ERM definition: “Managing Risk to Strategy and Business Objectives”
ERM is fundamental to achieving strategy and business objectives
ERM practices provide management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives of the entity
In depth into ERM definition: “Linking to Value”
An organization must manage risk to strategy and business objectives in relation to its risk appetite
Risk appetite is not static; it may change between products or business units and over time
Managing risk within risk appetite enhances an organization’s ability to create, preserve, and realize value
Benefits of ERM: Shareholder benefits
Increasing the range of opportunities
Identify & manage risk entity-wide
Enhancing enterprise resilience
Increasing positive outcomes while reducing negative surprises
Reducing performance variability
Improving resource development
Why is ERM not a function or department?
It does not operate in isolation in an entity
It is the culture, capabilities and practices integrated and applied with strategy-setting
Why is ERM more than risk listing?
It includes practices that management applies to actively manage risk
Is ERM a checklist?
No. It is an ongoing, continuous process of monitoring, learning and improving performance. It is a facilitator toward a goal, not an end or a goal in itself
Can ERM be applied by any organization?
ERM can be applied by any organization, from small businesses to government agencies, as long as the organization has a mission, strategy and objectives
What does the COSO framework for ERM consist of?
It consists of five interrelated components:
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revise
- Information, Communication and Reporting
List the principles: Governance and Culture
Exercises board risk oversight
Establishes operating structures
Defines desired culture
Demonstrates commitment to core values
List the principles: Strategy and Objective-Setting
Analyses business context
Defines risk appetite
Evaluates alternative strategies
Formulates business objectives
List the principles: Performance
Identifies risk
Assesses severity of risk
Prioritizes risks
Implements risk responses
List the principles: Review and Revision
Assesses substantial change
Reviews risk and performance
Pursues improvement in ERM
List the principles: Information, Communication and Reporting
Leverages information and technology
Communicates risk information
Reports on risk, culture and performance
What alternative framework is there to COSO?
ISO 31000
What is ISO?
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies)
What are the principles of ISO?
Continual improvement
Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Why implement ISO when my business is already adhering to COSO standards?
Increased international recognition for risk management
Enhanced alignment with other management systems
It is more practical and easier to understand