Subunit 3: COSO ERM Framework Flashcards
The COSO ERM Framework is designed to do what?
Enhance awareness and oversight of enterprise risk management to allow organizations to improve their approach to managing risk
Effective integration of the COSO ERM framework provides what benefits?
- Improves decision making
- Enhances performance
How can effective ERM help an organization?
- Increase the range of opportunities
- Identify and manage risk entity-wide
- Increase positive outcomes and advantages while reducing negative surprises
- Reduce performance variability
- Improve resource deployment
- Enhance enterprise resilience
How is enterprise risk management (ERM) defined in COSO’s Enterprise Risk Management – Integrating with Strategy and Performance? (MEMORIZE VERBATIM)
ERM is defined as the (1) culture, (2) capabilities, and (3) practices, integrated with (4) strategy-setting and (5) performance, that organizations rely on to (6) manage (7) risk in creating, preserving, and realizing (8) value.
What does culture consist of?
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization
Mission is the entity’s core purpose (what it wants to accomplish and why it exists)
Vision is the entity’s aspirations for what it intends to achieve over time
Core values are the entity’s essential beliefs about what is acceptable or unacceptable
What are capabilities?
The skills needed to carry out the entity’s mission and vision
What are practices?
The collective methods used to manage risk
When does a business consider risk?
In setting strategy, business objectives, performance targets, and tolerance
What is a risk profile?
A composite view of the types, severity, and interdependencies of risk related to a specific strategy or business objectives and their effects on performance. It may be created at any level or aspect of the org.
What is the portfolio view?
A composite view of the risks related to entity-wide strategy and business objectives and their effects on entity performance.
What are the key concepts related to managing risk?
- Risk: the possibility that events will occur and impact achieving strategy and business objectives
- Opportunity: any action or potential action that creates or alters goals or approaches for creating, preserving, and realizing value
- Reasonable expectation (not absolute assurance): the expectation, provided by effective ERM practices, that the risk assumed is appropriate
- Risk inventory: consists of all identified risks that could affect strategy and business objectives
- Risk capacity: the maximum amount of risk the entity can assume
- Risk appetite: the amount and types of risks the organization is willing to accept in pursuing value
- Inherent risk: risk in the absence of management actions to alter its severity (what remains after such actions is actual residual risk)
- Risk response: action taken to bring identified risks within the org’s risk appetite (included in a residual risk profile)
- Target residual risk: risk the entity prefers to assume knowing that management has acted or will act to alter its severity
- Actual residual risk: risk remaining after taking management actions to alter severity; should be equal to or less than target residual risk
When should an entity consider risk appetite?
- Aligning with developing strategy
- Aligning with business objectives
- Prioritizing risks
- Implementing risk responses
What is the difference between inherent risk and residual risk?
- Inherent risk is the risk in the absence of a risk response by management.
- Residual risk is the risk remaining after taking a risk response action by management.
What are the components of value?
- It is created when the benefits obtained from the resources used exceed costs
- It is preserved when the value of resources used is sustained
- It is realized when benefits are transferred to stakeholders
- It is eroded when management’s strategy does not produce expected results or management does not perform day-to-day tasks
Who has ERM roles and what are their responsibilities?
- The board provides risk oversight of ERM culture, capabilities, and practices. Certain board committees may be formed and include an audit committee, a risk committee that directly oversees ERM, an executive compensation committee, and a nomination or governance committee.
- Management has overall responsibility for ERM and usually day-to-day risk management, including implementing and developing the COSO framework. The CEO has ultimate responsibility for ERM and achieving strategy and business objectives.
- Orgs may designate a risk officer as a centralized coordinator to facilitate risk management
What are the three lines of management accountability?
- Principal owners of risk: manage performance and risks taken to achieve strategy and business objectives
- Supporting (business-enabling) functions: provide guidance on performance and ERM requirements, evaluate adherence to standards, and challenge the first line to take prudent risks
- Assurance functions: perform ERM audits, identify issues and improvements, make recommendations, and inform the board and executives of matters needing resolution
When assessing the risks to achieve objectives, what should management consider?
(1) the risk capacity,
(2) the risk appetite,
(3) the inherent risk,
(4) the target residual risk,
(5) the risk response,
(6) the actual residual risk, and
(7) the risk inventory.
What are the five components of enterprise risk management (ERM)?
Supporting aspect components: governance and culture; information, communication, and reporting
Common process components: strategy and objective-setting; performance; review and revision
What are the five principles relating to the governance and culture component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?
- Board oversight
- Organizational operating structures
- Definition of desired culture
- Commitment to core values
- Attraction, development, and retention of capable individuals
When is risk oversight by the board most effective?
When the board:
- Has the necessary skills, experience, and business knowledge to understand the org’s strategy and industry, and maintains this understanding as the business context changes
- Is independent of the org
- Determines whether ERM capabilities and practices enhance value
- Understands the organizational biases influencing decision making and challenges management to minimize them
What is the difference between a company’s legal structure and management structure?
Legal structure determines how the entity operates. Management structure establishes reporting lines, roles, and responsibilities.
What factors should a company consider when establishing and evaluating operating structures?
Strategy and business objectives, including related risks
Nature, size, and geographic distribution
Risks related to the entity’s strategy and business objectives
Assignment of authority, accountability, and responsibility at all levels
Types of reporting lines and communication channels
Reporting requirements
What are the four principles relating to the strategy and objective-setting component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?
- Analysis of business context
- Definition of risk appetite
- Evaluation of alternative strategies
- Establishment of business objectives
Within the business context, what does the internal environment consist of?
Capital, people, processes, and technology
Within the business context, what does the external environment consist of? (PESTLE analysis)
Political, economic, social, technological, legal, and environmental
A business context may be:
Dynamic, complex, and unpredictable
How does an organization define risk appetite?
a) considers its mission, vision, culture, prior strategies, and risk capacity
b) seeks the optimal balance of opportunity and risk (appetite is rarely set above capacity)
c) risk appetite may be expressed qualitatively or quantitatively
d) entities may express risk appetite using the terms targets, ranges, ceilings, or floors
e) board approves risk appetite, and management communicates it throughout the org
Describe the three components of business objectives.
a) specific, measurable or observable, obtainable, and relevant
b) may relate to financial performance, operational excellence, compliance obligations, or other
c) establish performance measures, targets, and tolerances to evaluate achieving objectives
What are the five principles relating to the performance component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?
- Identification of risks
- Assessment of the severity of risks
- Prioritization of risks
- Identification and selection of risk responses
- Development and evaluation of the portfolio view of risk
The risk identification process includes:
a) identifying risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives
b) identifying new, emerging, and changing risks, along with opportunities
c) risk identification methods and approaches include day-to-day activities, simple questionnaires, facilitated workshops, interviews, or data tracking
d) risk inventory consists of all risks that could affect the entity
e) risk and opportunity identification should be comprehensive across all entity levels and functions
What does risk severity measure?
Impact, likelihood, and time to recover from events
What are examples of agreed-upon criteria to evaluate risk characteristics and determine capacity?
Complexity: nature and scope of a risk
Velocity: speed at which a risk affects the entity
Persistence: how long a risk affects the entity, including the recovery time
Adaptability: entity’s capacity to adjust and respond to risks
Recovery: entity’s capacity (not the time) to return to tolerance (return to normal operations)
List and describe the five categories of risk responses (AARPS)
Acceptance: no action is taken to alter severity; appropriate when the risk is within appetite
Avoidance: action is taken to remove the risk; implies that no other response would reduce the risk to an acceptable level
Reduction: action taken to reduce the risk severity so it is within the target residual risk profile and risk appetite
Pursuit: action taken to accept increased risk and improve performance without exceeding acceptable tolerance
Sharing: action taken to reduce severity by transferring a portion of the risk to another party
What factors are considered in selecting and implementing risk responses?
a) they should be chosen for (or adapted to) the business context
b) costs and benefits should be proportionate to the severity and priority of the risk
c) should further compliance with obligations and achievement of expectations
d) should bring risk within risk appetite and result in performance outcomes within tolerances
e) should reflect risk severity
What is the portfolio view of risk?
Identification, assessment, prioritization, and responses at the entity-wide perspective
List the four risk views, their integration levels, and describe them.
Risk view (minimal integration): risks are identified and assessed, but emphasis is on the event and not the business objective
Risk category view (limited integration): identified and assessed risks are categorized
Risk profile view (partial integration): risks are linked to the business objectives they affect, and any dependencies between objectives are identified and assessed
Portfolio view (full integration): composite view of risks related to entity-wide strategy and business objectives and their effects on performance; at top level, greater emphasis is on strategy (responsibility for risks and objectives cascades throughout the entity)
What are the three principles relating to the review and revision component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?
- Identification and assessment of changes
- Review of entity performance and risk
- Pursuit of improvement
Performance results that deviate from target performance or tolerance may indicate what?
Unidentified risks, improperly assessed risks, new risks, opportunities to accept more risk, or the need to revise target performance or tolerance
What are the three principles relating to the information, communication, and reporting component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?
- Leverage of information systems
- Use of communication channels
- Reporting
Limitations of ERM result from the possibility of what?
(1) faulty human judgment
(2) cost-benefit considerations
(3) simple errors or mistakes
(4) collusion
(5) management override
What are the eight steps for the implementation of an effective ERM program?
(1) seek board and senior management involvement and oversight
(2) identify and position a leader to drive the ERM initiative
(3) establish a management working group
(4) inventory the existing risk management practices of the organization
(5) conduct an initial assessment of key strategies and related risks
(6) develop a consolidated action plan and communicate to board and management
(7) develop and/or enhance risk reporting
(8) develop the next phase of action plans and ongoing communications
What can cause cyber risks?
(1) poor information system design
(2) unintentional security breaches
(3) intentional security breaches
List the different classifications of cyber threat actors.
- Nation-states and spies
- Organized criminals
- Terrorists
- Hacktivists
- Company insiders
Which risk response is not effective for managing cyber risks?
Cyber risk avoidance is ineffective or nearly impossible due to the constantly evolving nature of cyber risks.
List the three criteria for choosing a communication channel based on the specific needs of the communication.
- Nature
- Urgency
- Sensitivity
Depending on the impact and severity of cybersecurity issues, to whom should the issues be reported?
Impact and level of reporting:
- Minor impact: cyber risk management team
- Major impact: executive management
NOTE: In certain circumstances, such as cybersecurity breaches by executive management, the issues are reported to the board of directors.