SlideShare a Scribd company logo

Coso erm frmwrk

Download as PPT, PDF
Ravinder Kumar Bhan
Ravinder Kumar Bhan
EducationBusinessEconomy & Finance
1 of 50
Applying COSO’s Enterprise Risk Management — Integrated Framework www.theiia.org
Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting) www.theiia.org
ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO. www.theiia.org
Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. www.theiia.org
Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. www.theiia.org
Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. www.theiia.org
The ERM Framework • Entity objectives can be viewed in the • context of four categories: – Strategic – Operations – Reporting – Compliance www.theiia.org
The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or subsidiary • Business unit processes www.theiia.org
The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk. www.theiia.org
The ERM Framework • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level www.theiia.org
The ERM Framework The eight components of the framework are interrelated … www.theiia.org
Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture. www.theiia.org
Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. www.theiia.org
Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. www.theiia.org
Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile. www.theiia.org
Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives. www.theiia.org
Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis. www.theiia.org
Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses. www.theiia.org
Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls. www.theiia.org
Information & Communication • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization. www.theiia.org
Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two. www.theiia.org
Internal Control A strong system of internal control is essential to effective enterprise risk management. www.theiia.org
Relationship to Internal Control — Integrated Framework • Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.” www.theiia.org
ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors www.theiia.org
Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements www.theiia.org
Internal Auditors Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing’s in Enterprise Risk Management.” www.theiia.org
Standards • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. www.theiia.org
Key Implementation Factors 1. Organizational design of business 2. Establishing an ERM organization 3. Performing risk assessments 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management www.theiia.org
Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage) www.theiia.org
Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under- performing hospitals and negotiate agreements with two this year www.theiia.org
Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities www.theiia.org
Example: ERM Organization Vice President and Chief Risk Officer Insurance ERM Corporate Credit Risk Manager Director Risk Manager FES ERM ERM Commodity Manager Manager Risk Mg. Director Staff Staff Staff www.theiia.org
Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. www.theiia.org
Example: Risk Model • Environmental Risks – Capital Availability – Regulatory, Political, and Legal – Financial Markets and Shareholder Relations • Process Risks – Operations Risk – Empowerment Risk – Information Processing / Technology Risk – Integrity Risk – Financial Risk • Information for Decision Making – Operational Risk – Financial Risk – Strategic Risk www.theiia.org
Risk Analysis Risk Risk Risk Assessment Management Monitoring Process Identification Control It Level Share or Activity Measurement Transfer It Level Diversify or Prioritization Entity Level Avoid It www.theiia.org
DETERMINE RISK APPETITE • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation). www.theiia.org
DETERMINE RISK APPETITE Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) www.theiia.org
IDENTIFY RISK RESPONSES • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage) www.theiia.org
Impact vs. Probability High Medium Risk High Risk I M Share Mitigate & Control P A Low Risk Medium Risk C T Accept Control Low PROBABILITY High www.theiia.org
Example: Call Center Risk Assessment High Medium Risk High Risk • Loss of phones • Credit risk Loss of computers Customer has a long wait I • • • Customer can’t get through M • Customer can’t get answers P A Low Risk Medium Risk C Fraud • Entry errors T • • Lost transactions • Equipment obsolescence • Employee morale • Repeat calls for same problem Low PROBABILITY High www.theiia.org
Example: Accounts Payable Process Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing www.theiia.org
Communicate Results • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments www.theiia.org
Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks www.theiia.org
Management Oversight & Periodic Review • Accountability for risks • Ownership • Updates -Changes in business objectives - Changes in systems - Changes in processes www.theiia.org
Internal auditors can add value by: • Reviewing critical control systems and risk management processes. • Performing an effectiveness review of management's risk assessments and the internal controls. • Providing advice in the design and improvement of control systems and risk mitigation strategies. www.theiia.org
Internal auditors can add value by: • Implementing a risk-based approach to planning and executing the internal audit process. • Ensuring that internal auditing’s resources are directed at those areas most important to the organization. • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies. www.theiia.org
Internal auditors can add value by: • Facilitating ERM workshops. • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management. www.theiia.org
For more information On COSO’s Enterprise Risk Management — Integrated Framework, visit www.coso.org or www.theiia.org www.theiia.org
Applying COSO’s Enterprise Risk Management — Integrated Framework This presentation was produced by www.theiia.org
www.theiia.org

Recommended

2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summaryVALUES & SENSE
 
COSO ERM
COSO ERMCOSO ERM
COSO ERMSophia Abigayle
 
COSO ERM 2017
COSO ERM 2017COSO ERM 2017
COSO ERM 2017Jorge A. Gomez P.
 
Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk ManagementAndrew Smart
 
Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementGAURAV SHARMA
 

Recommended

2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summaryVALUES & SENSE
 
COSO ERM
COSO ERMCOSO ERM
COSO ERMSophia Abigayle
 
COSO ERM 2017
COSO ERM 2017COSO ERM 2017
COSO ERM 2017Jorge A. Gomez P.
 
Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk ManagementAndrew Smart
 
Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Shaping Your Culture via Risk Appetite
Shaping Your Culture via Risk Appetite Andrew Smart
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementGAURAV SHARMA
 
COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Frameworkssuser6ea258
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Processregio12
 
Risk appetite
Risk appetite Risk appetite
Risk appetite Michel Rochette
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightProformative, Inc.
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Andrew Smart
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkAziz Fataliyev, Internal Audit Practitioner
 
ERM overview
ERM overviewERM overview
ERM overviewHisham Haridy MBA, PMP®, RMP®, SP®
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk AppetiteTowers Perrin
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
Governance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskGovernance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskAndrew Smart
 
Iso 37000
Iso 37000Iso 37000
Iso 37000Mayada EL Moaaz
 
How to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkHow to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkColleen Beck-Domanico
 
Enterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceEnterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceSegun Ogunwale
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslideZakaria Salah, Ph.D,MBA
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEneni Oduwole
 
Iso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelinesIso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelinesMohsen Gharakhani
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceResolver Inc.
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.pptSashaKing4
 

More Related Content

What's hot

COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Frameworkssuser6ea258
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Processregio12
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightProformative, Inc.
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Andrew Smart
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...PECB
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
Governance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskGovernance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskAndrew Smart
 
How to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkHow to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkColleen Beck-Domanico
 
Enterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceEnterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceSegun Ogunwale
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEneni Oduwole
 
Iso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelinesIso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelinesMohsen Gharakhani
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceResolver Inc.
 

What's hot (20)

COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Framework
 
Coso erm
Coso ermCoso erm
Coso erm
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Process
 
Risk appetite
Risk appetite Risk appetite
Risk appetite
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management Right
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
 
COSO Internal Control - Integrated Framework
COSO Internal Control - Integrated FrameworkCOSO Internal Control - Integrated Framework
COSO Internal Control - Integrated Framework
 
ERM overview
ERM overviewERM overview
ERM overview
 
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S...
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk Appetite
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
 
Governance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskGovernance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational Risk
 
Iso 37000
Iso 37000Iso 37000
Iso 37000
 
How to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkHow to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management Framework
 
Enterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceEnterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practice
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational Excellence
 
Iso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelinesIso 31000 Risk management Principles and guidelines
Iso 31000 Risk management Principles and guidelines
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and Performance
 

Similar to Coso erm frmwrk

Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - complianceNeeraj Verma
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingveritama
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB
 
The role of ia in erm process
The role of ia in erm processThe role of ia in erm process
The role of ia in erm processSALIH AHMED ISLAM
 
The role of auditing in the erm process
The role of auditing in the erm processThe role of auditing in the erm process
The role of auditing in the erm processSalih Islam
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfabdo badr
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyИван Вали-Пур
 

Similar to Coso erm frmwrk (20)

COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 
mr neeraj - day 1 - compliance
mr neeraj - day 1 - compliancemr neeraj - day 1 - compliance
mr neeraj - day 1 - compliance
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution training
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
HIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINALHIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINAL
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
PECB Webinar: Enterprise Risk Management - Unsuccessful efforts due to lack o...
 
The role of ia in erm process
The role of ia in erm processThe role of ia in erm process
The role of ia in erm process
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
 
The role of auditing in the erm process
The role of auditing in the erm processThe role of auditing in the erm process
The role of auditing in the erm process
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10
 
Internal auditing
Internal auditingInternal auditing
Internal auditing
 
Hoover.2016 Texas Bankers CFO Conference
Hoover.2016 Texas Bankers CFO ConferenceHoover.2016 Texas Bankers CFO Conference
Hoover.2016 Texas Bankers CFO Conference
 
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
 
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc anenyRisk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc aneny
 

Recently uploaded

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfDr Vijay Vishwakarma
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 

Recently uploaded (20)

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 

Coso erm frmwrk

  • 1. Applying COSO’s Enterprise Risk Management — Integrated Framework www.theiia.org
  • 2. Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting) www.theiia.org
  • 3. ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO. www.theiia.org
  • 4. Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. www.theiia.org
  • 5. Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. www.theiia.org
  • 6. Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. www.theiia.org
  • 7. The ERM Framework • Entity objectives can be viewed in the • context of four categories: – Strategic – Operations – Reporting – Compliance www.theiia.org
  • 8. The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or subsidiary • Business unit processes www.theiia.org
  • 9. The ERM Framework Enterprise risk management requires an entity to take a portfolio view of risk. www.theiia.org
  • 10. The ERM Framework • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level www.theiia.org
  • 11. The ERM Framework The eight components of the framework are interrelated … www.theiia.org
  • 12. Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture. www.theiia.org
  • 13. Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. www.theiia.org
  • 14. Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. www.theiia.org
  • 15. Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile. www.theiia.org
  • 16. Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives. www.theiia.org
  • 17. Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis. www.theiia.org
  • 18. Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses. www.theiia.org
  • 19. Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls. www.theiia.org
  • 20. Information & Communication • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization. www.theiia.org
  • 21. Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two. www.theiia.org
  • 22. Internal Control A strong system of internal control is essential to effective enterprise risk management. www.theiia.org
  • 23. Relationship to Internal Control — Integrated Framework • Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.” www.theiia.org
  • 24. ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors www.theiia.org
  • 25. Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements www.theiia.org
  • 26. Internal Auditors Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing’s in Enterprise Risk Management.” www.theiia.org
  • 27. Standards • 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually. • 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems. • 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. www.theiia.org
  • 28. Key Implementation Factors 1. Organizational design of business 2. Establishing an ERM organization 3. Performing risk assessments 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management www.theiia.org
  • 29. Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage) www.theiia.org
  • 30. Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under- performing hospitals and negotiate agreements with two this year www.theiia.org
  • 31. Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities www.theiia.org
  • 32. Example: ERM Organization Vice President and Chief Risk Officer Insurance ERM Corporate Credit Risk Manager Director Risk Manager FES ERM ERM Commodity Manager Manager Risk Mg. Director Staff Staff Staff www.theiia.org
  • 33. Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. www.theiia.org
  • 34. Example: Risk Model • Environmental Risks – Capital Availability – Regulatory, Political, and Legal – Financial Markets and Shareholder Relations • Process Risks – Operations Risk – Empowerment Risk – Information Processing / Technology Risk – Integrity Risk – Financial Risk • Information for Decision Making – Operational Risk – Financial Risk – Strategic Risk www.theiia.org
  • 35. Risk Analysis Risk Risk Risk Assessment Management Monitoring Process Identification Control It Level Share or Activity Measurement Transfer It Level Diversify or Prioritization Entity Level Avoid It www.theiia.org
  • 36. DETERMINE RISK APPETITE • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation). www.theiia.org
  • 37. DETERMINE RISK APPETITE Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) www.theiia.org
  • 38. IDENTIFY RISK RESPONSES • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage) www.theiia.org
  • 39. Impact vs. Probability High Medium Risk High Risk I M Share Mitigate & Control P A Low Risk Medium Risk C T Accept Control Low PROBABILITY High www.theiia.org
  • 40. Example: Call Center Risk Assessment High Medium Risk High Risk • Loss of phones • Credit risk Loss of computers Customer has a long wait I • • • Customer can’t get through M • Customer can’t get answers P A Low Risk Medium Risk C Fraud • Entry errors T • • Lost transactions • Equipment obsolescence • Employee morale • Repeat calls for same problem Low PROBABILITY High www.theiia.org
  • 41. Example: Accounts Payable Process Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing www.theiia.org
  • 42. Communicate Results • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments www.theiia.org
  • 43. Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks www.theiia.org
  • 44. Management Oversight & Periodic Review • Accountability for risks • Ownership • Updates -Changes in business objectives - Changes in systems - Changes in processes www.theiia.org
  • 45. Internal auditors can add value by: • Reviewing critical control systems and risk management processes. • Performing an effectiveness review of management's risk assessments and the internal controls. • Providing advice in the design and improvement of control systems and risk mitigation strategies. www.theiia.org
  • 46. Internal auditors can add value by: • Implementing a risk-based approach to planning and executing the internal audit process. • Ensuring that internal auditing’s resources are directed at those areas most important to the organization. • Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies. www.theiia.org
  • 47. Internal auditors can add value by: • Facilitating ERM workshops. • Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management. www.theiia.org
  • 48. For more information On COSO’s Enterprise Risk Management — Integrated Framework, visit www.coso.org or www.theiia.org www.theiia.org
  • 49. Applying COSO’s Enterprise Risk Management — Integrated Framework This presentation was produced by www.theiia.org