
What is ERM?

Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


What is ERM? (cont'd)

To help assist with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO I framework developed in 1992:

What is ERM? (cont'd)

These are the high-level goals that are aligned with and support the institution's mission.

What is ERM? (cont'd)

Relate to the ongoing management process and daily activities of the organization.

What is ERM? (cont'd)

Relates to the protection of the organization's assets and the quality of financial reporting.

What is ERM? (cont'd)

Relates to the organization's adherence to applicable laws and regulations.

What is ERM? (cont'd)

The Internal Environment relates to the general culture, values and environment in which an organization or entity operates (e.g. "tone at the top").

What is ERM? (cont'd)

Objective Setting relates to the process management uses to set its strategic goals and objectives. It also establishes the organization's risk appetite and risk tolerance.

What is ERM? (cont'd)

Event Identification is the process by which an organization identifies events that influence strategy and objectives, or could affect an organization's ability to achieve its objectives.

What is ERM? (cont'd)

Risk Assessment relates to the organization's process of evaluating the impact and likelihood of events, and prioritizing related risks.

What is ERM? (cont'd)

Risk Response relates to determining how management will respond to the risks an organization faces: will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?

What is ERM? (cont'd)

Control Activities represent policies and procedures that an institution implements to address the risks the organization chooses to accept.

What is ERM? (cont'd)

Information and Communication relate to those practices that ensure that the right information is communicated at the right time to the right people.

What is ERM? (cont'd)

Monitoring consists of ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.

ERM Life Cycle

[Diagram: ERM life cycle, with the stages arranged in a loop]
Culture
Goal setting
Identify and prioritize risks
Evaluate options
Confirm next steps
Implement
Evaluate performance
What is ERM? (cont'd)

Each of these components is considered at multiple levels of the organization, rather than within a single function, unit, or department.

ERM
Provides a comprehensive and systematic approach to more proactive and holistic risk management
Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM
Requires that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization's strategy and risk appetite

ERM is not
A silver bullet to prevent risks from occurring
A methodology or a checklist of items that need to be completed that guarantee results
The only way organizations can take a more proactive approach to managing risk

Other Frameworks
CoCo stands for Criteria of Control and is a risk management tool developed by the Canadian Institute of Chartered Accountants to assist managers and internal auditors in designing, assessing, and reporting on control systems of an organization.

Other Frameworks (cont'd)

Cadbury Report: Published in 1992, this report sets out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures. Recommendations focus primarily on practices related to transparency and accountability at the top levels of an organization (e.g. members of the Board of Directors) rather than throughout the organization as a whole.

Other Frameworks (cont'd)

Australian and New Zealand Standard on Risk Management (AS/NZS 4360:2004, or ASNZS): Considered by some to be the gold standard for all other risk management standards. The ASNZS is widely used internationally, and is desirable for its simplicity. (Where the original draft of the COSO ERM Model ran about 154 pages, the ASNZS is only 23 pages.)

Other Frameworks (cont'd)

Below is a diagram of the ASNZS framework:

Other Frameworks (cont'd)

ISO 31000:2009: Developed by the International Organization for Standardization (ISO) and based on the AS/NZS, ISO 31000 provides principles and generic guidelines on risk management. It provides a universally recognized paradigm for practitioners and companies employing risk management processes across different industries, subject matters and regions.
ISO 31000 is defined as a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.

ISO 31000 Framework Overview

Where's the Value?

The biggest value in each of these frameworks lies in their promotion of continuous improvement, diligent management practices and ongoing monitoring.

Relevance (cont'd)
Organizations are increasingly looking to expand their risk management functions to help reduce potential future losses through:
Improved monitoring and reporting
Better risk identification and response
More risk-based decision making

Relevance (cont'd)
Based on a recent survey conducted by Towers Watson, the table below illustrates motivating factors for improving various risk management activities in the near term.

Relevance (cont'd)
A survey conducted by RIMS and Marsh titled "Excellence in Risk Management VI" (2009) lists the main barriers to adopting a more strategic approach to risk management as follows:

Questions?
