



 
Tools and Techniques for Enterprise Risk Management (ERM)

[Mis-encoded Thai header; speaker and event details could not be recovered. Legible fragments: "COSO ERM ... ISO ERM"; date 31 ... 2554 (Thai Buddhist Era year); 10:45 to 12:15; Rooms 301, 302, 307.]

COSO
Internal Control
ERM Integrated Framework
Application Technique
ISO 31000
Guide 73 (Terminology)
ISO 31000 - Principle and Guideline
- Principle
- Framework
- Process
ISO 31010 - Risk Assessment Technique
ERM Framework Comparison
Conclusion

History of COSO's ERM

[Diagram; recoverable labels only]
- Drivers: Financial frauds; Poor internal/external audit; Financial collapse
- Sponsoring organizations: The Institute of Internal Auditors; The Financial Executive Institute; The American Accounting Association; The Institute of Management Accountants; The American Institute of Certified Public Accountants; together: The Committee of Sponsoring Organizations of the Treadway Commission
- Outputs: The Treadway Commission Report; The Internal Control-Integrated Framework; The Enterprise Risk Management Integrated Framework
- Other label: "Sponsored by ... Co with Price/Waterhouse"

COSO vs. ISO 31000

COSO                                  ISO 31000
Internal Control             1992     Guide 73      2002
ERM Integrated Framework     1994     ISO 31000     2009
Application Technique        2004     ISO 31010     2010

COSO Internal Control Framework

[Cube diagram; labels only]
- Objectives (top face): Operations; Compliance; Financial Reporting
- Components (front face): Monitoring; Information & Communications; Control Activities; Risk Assessment; Control Environment
- Third dimension: Entities or Activities

From COSO Internal Control to ERM Framework

COSO ERM Framework

[Cube diagram; labels only]
- Risk Management Objectives (top face): Strategic; Operations; Reporting; Compliance
- Risk Components (front face)
- Third dimension: Entity & Unit Level

COSO Definition of Risk

Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

COSO Definition of ERM


A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and
includes taking an entity-level portfolio view of risk
Designed to identify potential events affecting the entity and
manage risk within its risk appetite
Able to provide reasonable assurance to an entity's
management and board
Geared to the achievement of objectives in one or more
separate but overlapping categories; it is a means to an end, not
an end in itself

COSO Definition of ERM


Value is maximized when management sets strategy and objectives to
strike an optimal balance between

COSO ERM Encompasses


Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing cross-enterprise risks
Providing integrated responses to multiple risks
Seizing opportunities

COSO Achievement of Objectives

COSO enterprise risk management framework is geared to achieving an entity's objectives in four categories:
Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations.

COSO Components of ERM


Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

COSO Components of ERM


Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.

Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Event Identification
Event Categories
External Factors

Internal Factors


COSO Approach to Identify Risk Events

SWOT Analysis
Scenario Analysis
Using Technology
Value Chain Analysis

Risk Assessment Techniques

Risk Assessment Analysis Chart

[Chart; labels only: Likelihood on a 1 to 9 scale against Impact; quadrants II, III and IV; plotted risks R-1 to R-6, with R-6 in the region marked Significant]

Risk Appetite Map

[Chart; labels only: Likelihood (Low, Medium, High) against Impact (Low, Medium, High); regions marked "Within Risk Appetite" and "Exceeding Risk Appetite"]
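The two charts above plot each risk by likelihood and impact and then compare it with the appetite map, and the components section says risks are assessed on an inherent and a residual basis. The following is an added Python example, not code from the slides, that carries that out for a small register: it scores each risk, reduces likelihood by an assumed control-effectiveness figure to get the residual rating, and flags whether the inherent and residual ratings fall inside or outside an assumed appetite map. The 1 to 9 scale, the Low/Medium/High band boundaries, the appetite limits and the sample risks R-1 to R-6 are all constructed assumptions.

```python
"""Constructed likelihood/impact risk register with an appetite map.

Added illustration of the COSO chart idea; the scales, band boundaries,
appetite limits and sample risks are assumptions, not data from the slides.
"""
from dataclasses import dataclass

SCALE_MAX = 9  # assumed ordinal rating scale 1..9 for likelihood and impact


def band(value: int) -> str:
    """Map a 1..9 rating onto the Low/Medium/High bands of the appetite map."""
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"rating {value} is outside 1..{SCALE_MAX}")
    if value <= 3:
        return "Low"
    if value <= 6:
        return "Medium"
    return "High"


# Assumed appetite map: for each impact band, the highest likelihood band the
# board tolerates. A likelihood band ranked above the limit for that impact
# band is "Exceeding Risk Appetite".
APPETITE_LIMIT = {"Low": "High", "Medium": "Medium", "High": "Low"}
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Risk:
    risk_id: str
    likelihood: int                   # inherent likelihood, 1..9
    impact: int                       # impact, 1..9
    control_effectiveness: float = 0.0  # 0.0 = no controls, 1.0 = fully effective

    def residual_likelihood(self) -> int:
        """Likelihood after existing controls; a risk never drops below 1."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must lie within 0..1")
        reduced = round(self.likelihood * (1 - self.control_effectiveness))
        return max(1, reduced)


def exceeds_appetite(likelihood: int, impact: int) -> bool:
    """True when the likelihood band is above the tolerated band for this impact."""
    limit = APPETITE_LIMIT[band(impact)]
    return BAND_ORDER[band(likelihood)] > BAND_ORDER[limit]


def assess(register):
    """One row per risk, ranked by residual score (likelihood x impact)."""
    rows = []
    for r in register:
        res_l = r.residual_likelihood()
        rows.append({
            "id": r.risk_id,
            "inherent_score": r.likelihood * r.impact,
            "residual_score": res_l * r.impact,
            "inherent_exceeds": exceeds_appetite(r.likelihood, r.impact),
            "residual_exceeds": exceeds_appetite(res_l, r.impact),
        })
    rows.sort(key=lambda row: row["residual_score"], reverse=True)
    return rows


# Constructed sample register; the ids echo the chart but the values are made up.
SAMPLE_REGISTER = [
    Risk("R-1", likelihood=8, impact=8, control_effectiveness=0.5),
    Risk("R-2", likelihood=5, impact=7),
    Risk("R-3", likelihood=7, impact=4, control_effectiveness=0.6),
    Risk("R-4", likelihood=2, impact=3),
    Risk("R-5", likelihood=9, impact=1, control_effectiveness=0.2),
    Risk("R-6", likelihood=3, impact=9, control_effectiveness=0.9),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Ranking by residual score puts R-2 and R-1 at the top; R-3 shows the point of assessing on both bases, since its inherent rating exceeds appetite while the residual rating, after credit for existing controls, does not. Which of the four responses (avoid, accept, reduce, share) to choose for the flagged rows is a management decision the code does not make.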

Risk Response and Control


Risk Response

Risk Control

Key Points in COSO ERM

Comments on COSO 1/

1. The COSO process starts with the internal environment, not the external ones and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities.
2. Stakeholders, particularly external ones, are not mentioned and stakeholders' objectives and their influence on decisions about the significance of levels and types of risk are omitted.
3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks.
4. COSO measures risk in terms of the probability of an event and its typical consequences. However, we will not always get the typical consequences every time an event occurs.

Comments on COSO 2/

5. Throughout the document, the term "risk likelihood" is used, but risk does not have a likelihood. Likelihood is one of the attributes used to measure the level of risk.
6. While there are some concessions to what are called opportunities, in COSO ERM risks are mostly about losses and risk treatment (response) is about reducing the likelihood and severity of losses. The COSO document is not mature enough to explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial.
7. The COSO is the whole thinking about risk responses, control activities and monitoring most confusing and confused and most people who read and try to use the code do as well.
8. The problems with the concept of inherent risk are well-known and the COSO document does not explain why you need to use this artificial, theoretical state where no controls exist, to justify tolerating the present level of risk or doing something more to modify it.

Comments on COSO 3/

9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods.
10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitor and review.

Grant Purdy, November 2009
6. ISO 31010

Risk: effect of uncertainty on objectives
Related terms: Event, Consequence, Likelihood, Uncertainty, Probability, Frequency, Level of risk, Risk source, Hazard, Vulnerability

Risk management: coordinated activities to direct and control an organization with regard to risk
Related terms: Risk management policy, External context, Internal context, Risk profile, Risk management framework, Risk management plan, Risk appetite, Risk attitude, Risk owner, Risk management audit, Exposure, Resilience

Risk evaluation: process of comparing the results of analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of risk management process)
Related terms: Risk criteria, Risk tolerance, Risk aversion, Risk matrix, Risk aggregation

Stakeholder: those people and organizations who can affect, be affected, or perceive themselves to be affected by a decision or activity
Related terms: Communication and consultation, Risk perception, Risk reporting

Risk management process: systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk
Related terms: Risk assessment, Risk identification, Risk analysis, Monitoring, Review, Risk register

Risk treatment: process of developing, selecting, and implementing measures to modify risk (part of risk management process)
Related terms: Control, Risk sharing, Risk financing, Risk retention, Risk acceptance, Risk avoidance, Residual risk, Risk mitigation

COSO: Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

ISO 31000: Risk is effect of uncertainty on objectives.

[Diagram; labels only: ISO 31000, COSO, Target]

Principle

Framework

Process

Creates and protects value
Integral part of organizational processes
Part of decision making
Explicitly addresses uncertainty
Systematic, structured and timely
Based on the best available information
Tailored
Takes human & cultural factors into account
Transparent & inclusive
Dynamic, iterative & responsive to change
Facilitates continual improvement & enhancement of the organization

[Framework cycle; labels only]
Mandate & Commitment
Design of Framework for Managing Risk
Implement Risk Management
Monitor & Review of the Framework
Continual Improvement of Framework

[Process diagram; labels only]
Establish the context
Risk assessment: Risk identification; Risk analysis; Risk evaluation
Risk treatment
Running alongside every step: Communication and consultation; Monitoring and review

[Diagram; labels only]

Strategic process
- Commit & mandate: Policy statement; Risk management plan; Assurance plan; Standards; Procedures/Guidelines
- Communicate & train: Communication and Reporting plan; Training strategy; RM Network
- Allocate & organize: Risk & audit committee; Exec RM committee; RM working group; Manager, RM; RM champion; Risk & control owners
- Measure & review: Control assurance; RM plan progress; Governance reporting; Benchmarking; Performance criteria

Tactical process
- RM information system; Risk registers; Treatment plan; Assurance plan; Reporting template

Principal benefits of risk assessment techniques include:

Understanding the risk and its potential impact upon objectives
Providing information for decision makers
Contributing to the understanding of risks, in order to assist in selection of treatment options
Identifying the important contributors to risks and weak links in systems and organizations
Comparing risks in alternative systems, technologies or approaches
Communicating risks and uncertainties
Assisting with establishing priorities
Contributing towards incident prevention based upon post-incident investigation
Selecting different forms of risk treatment
Meeting regulatory requirements
Providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria
Assessing risks for end-of-life disposal.

Risk identification;
Risk analysis: consequence analysis;
Risk analysis: qualitative, semi-quantitative or quantitative probability estimation;
Risk analysis: assessing the effectiveness of any existing controls;
Risk analysis: estimating the level of risk;
Risk evaluation.

Applicability of Tools Used for Risk Assessment

How to Select Risk Assessment Technique


Complexity of the problem and the methods needed to analyze it
The nature and degree of uncertainty of the risk assessment, based on the amount of information available and what is required to satisfy objectives
The extent of resources required in terms of time and level of expertise, data needs or cost
Whether the method can provide a quantitative output

What makes ISO 31000 Different from COSO

Criteria and Associated Measures in ISO 31000


First, the Risk Management Framework must be continually improved using the well-known quality improvement cycle of Design, Implement, Monitor and Review, and Improve, also known as the Plan-Do-Check-Act cycle.
Second, the framework must be comprehensive, with accountability for all risks: everyone in the organization will be able to tell what risks they own, what controls they are responsible for, and the current status of those controls, trends and current status of the risks, and the expected effects on the objectives concerned.
Third, all decision making in the organization has explicit consideration of risk, as evidenced by documentation of decisions. This expectation of evidence is embedded in the framework.
Fourth, continuous communication and reporting that is highly visible, covers internal and external stakeholders as appropriate, and addresses performance indicators for risk management is part of the framework.
Fifth, risk management is a core element of the organization's management processes, including governance. Risk management is regarded as essential by the organization's culture.

Comparison between COSO and ISO 31000

[Comparison table not recovered; source: Dr. Roland Franz Erben, Risk Management Standards]

* Both standards exclude business continuity/crisis management, but ISO mentions this topic in ISO 22399

COSO or ISO 31000: Which One is Suitable for You?

Design Your Tailor-made ERM Framework

Maybe better?

[Closing diagram; labels only: the ISO 31000 framework cycle (Mandate & Commitment; Design of Framework for Managing Risk; Implement Risk Management; Monitor & Review of the Framework; Continual Improvement of Framework) wrapped around a cube labelled Strategic, Finance, Marketing, Operation]

Risk: Effect of uncertainty on objectives

ISO 31000 Terminology, Principle and ISO 22399

Nattapol_chavalit@hotmail.com
