Tools and Techniques for Enterprise Risk Management (ERM)
COSO
Internal Control
ERM Integrated Framework
Application Technique
ISO 31000
Guide 73 (Terminology)
ISO 31000 - Principle and Guideline
- Principle
- Framework
- Process
ISO 31010 - Risk Assessment Technique
ERM Framework Comparison
Conclusion
[Timeline figure: poor internal/external audit and financial collapse as drivers; sponsored by COSO with PricewaterhouseCoopers. Milestones as labelled on the slide: Internal Control 1992; Guide 73 2002; ERM Integrated Framework 1994; ISO 31000 2009; Application Technique 2004; ISO 31010 2010.]
[COSO Internal Control cube figure. Objective categories (top face): Operations, Financial Reporting, Compliance. Components (front face): Monitoring; Information & Communications; Control Activities; Risk Assessment; Control Environment. Third dimension: Entities or Activities.]
[COSO ERM cube figure. Objective categories: Strategic, Operations, Reporting, Compliance. Front face: Risk Components.]
Event Identification
- Event Categories
- External Factors
- Internal Factors

Event identification techniques:
- SWOT Analysis
- Scenario Analysis
- Using Technology
- Value Chain Analysis
[Risk map figure: Impact (Low / Medium / High) plotted against Likelihood (Low / Medium / High); risks R-1 to R-6 placed in quadrants I to IV; regions labelled "Within Risk Appetite", "Exceeding Risk Appetite" and "Significant".]
Risk Control
Comments on COSO 1/

1. The COSO process starts with the internal environment, not the external one, and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities.

2. Stakeholders, particularly external ones, are not mentioned, and stakeholders' objectives and their influence on decisions about the significance of levels and types of risk are omitted.

3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks.

4. COSO measures risk in terms of the probability of an event and its typical consequences. However, we will not always get the typical consequences every time an event occurs.
Comments on COSO 2/
5.
6.
7.
8.
Comments on COSO 3/

9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods.

10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitor and review.

Grant Purdy
November 2009
6. ISO 31010
Risk: effect of uncertainty on objectives

Terminology:
- Event
- Consequence
- Likelihood
- Uncertainty
- Probability
- Frequency
- Level of risk
- Risk source
- Hazard
- Vulnerability
- Control
- Risk sharing
- Risk financing
- Risk retention
- Risk acceptance
- Risk avoidance
- Residual risk
- Risk mitigation
[Comparison table: COSO versus ISO 31000, compared on Target, Principle, Framework and Process.]
ISO 31000 framework (cycle):
- Mandate & Commitment
- Design of Framework for Managing Risk
- Implement Risk Management
- Monitor & Review of the Framework
- Continual Improvement of Framework

ISO 31000 process:
- Communication and consultation
- Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
- Risk treatment
- Monitoring and Review
Strategic process
RM information system
Risk registers
Treatment plan
Assurance plan
Reporting template
Strategic process
Tactical process
Strategic process
Strategic process
- Risk identification;
- Risk analysis: consequence analysis;
- Risk analysis: qualitative, semi-quantitative or quantitative probability estimation;
- Risk analysis: assessing the effectiveness of any existing controls;
- Risk analysis: estimating the level of risk;
- Risk evaluation.
[Figure: Implement Risk Management and Continual Improvement of Framework applied across the Strategic, Finance, Marketing and Operation functions.]
Nattapol_chavalit@hotmail.com