
www.pwc.com

COSO Enterprise Risk Management Framework – Integrating Strategy and Performance

October 2017
Agenda

1 Introducing COSO – Who is COSO and what is the COSO ERM Framework?
2 Why update the Framework now? – What prompted the update? What was the feedback received during Public comment?
3 What has changed? – How does this compare to the 2004 COSO ERM Framework and why were changes introduced?
4 What does it mean for you? – What does the new Framework mean for you and your organisation?
5 More information – How to obtain a copy of the new Framework and obtain more information

“COSO recognises the growing expectation of organisations to manage, in an integrated and cohesive manner, risks emanating from across an enterprise.”
Robert B. Hirth Jr., COSO Chair

PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 2

Introducing COSO

COSO’s 2004 Enterprise Risk Management – Integrated Framework is one of the world’s most widely used risk management frameworks.

COSO and PwC have collaborated on frameworks and publications for 25 years.

www.coso.org

Publications: 2004 Enterprise Risk Management – Integrated Framework; 2017 Enterprise Risk Management – Integrating with Strategy and Performance

Other COSO publications authored by PwC:
• 1992 Internal Control – Integrated Framework
• 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies
• 2012 Understanding and Communicating Risk Appetite
• 2013 Internal Control – Integrated Framework
• 2013 Internal Control – Integrated Framework Executive Summary

What prompted the Framework update?

CEO confidence is rising…

Leaders are looking to ERM to give them greater confidence in managing the risks to the achievement of their strategy and business objectives.

[Chart: CEO survey responses over time to two questions. Question 1: Do you believe global economic growth will improve, stay the same, or decline over the next 12 months? Question 2: How confident are you about your company’s prospects for revenue growth over the next 12 months and next 3 years? Highlighted figure: 83%.]

Source: 2017 PwC 20th Annual CEO Survey

At the same time, many Boards are not receiving the information they need

58% of Boards do not receive updates at every meeting on the amount of risk the company is taking.

[Chart: Question: How often does your board get updates and reports from management on: (response categories not recoverable)]

Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.

Boards recognize that there are opportunities for ERM to add greater value

[Chart: Question: How well do you believe management performs the following activities: (response categories not recoverable)]

Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.

So what are risk and business professionals saying?

• “I want to reduce performance variability and respond more quickly to opportunities.”
• “As an innovative company, I want to use risk to create value and not only to protect value.”
• “I need insights that help me understand risks and opportunities and evaluate strategic options.”
• “When I develop my strategy, I want to have a full picture of the potential risks and the capabilities I need to create advantage.”
• “I want an ERM Framework that drives improvements to business functions beyond risk avoidance.”

Why update the ERM framework now?

• Boards are expecting more from their organisation’s ERM practices and capabilities
• Stakeholders are seeking greater transparency and accountability
• Business environments are increasingly complex, technologically driven, and global
• There is a need to incorporate lessons learned from recent events and the bar is rising
• Risk professionals are looking for a more up to date resource describing ERM concepts
• The range of ERM practices continues to evolve

Since 2004, the market has continued to evolve and the COSO Framework is evolving with it.


What’s changed?

A new framework with global input
As part of the drafting process, the Framework was made publicly available for review and comment between June and September 2016.

1 Website visits: Over 24,000 website visits
2 Global interest: 46% of the downloads outside of the US
3 Entity interest: Wide spread interest across industry
4 Engagement: Equal interest by private & public companies
Key highlights from feedback received
Feedback received was reviewed by the project team and informed the final updates to the Framework prior to publication.

Letters and Surveys
• 2,000 individual comments
• 217 online surveys submitted
• 47 comment letters received
• All comments reviewed by the PwC Project Team and categorised according to nature (e.g., conceptual, editorial, commentary etc.)

Comments Themes
• Encouraging breadth of themes addressed in comments
• Comments covered every section of the draft Framework
• Relatively consistent volume of feedback compared to other COSO Framework projects

Feedback
• Positive ratings outnumbered negative comments by 4.5:1
• Comments ranged from the highlighting of conceptual differences, requests for clarity and suggested editorial changes

Introducing the 10 key changes to the 2017 Framework

1. A new framework structure – five components and twenty principles that align to the business lifecycle, making the risk conversation more intuitive for you.
2. Explores the different benefits of ERM – from loss mitigation through to strategic advisor, and how they inform the design of a risk framework.
3. A focus on integrating risk management – linking risk with strategy setting and day-to-day activities, helping you to use ERM principles to support the creation, realisation, and preservation of value.
4. Suite of new graphics highlighting the relationship between risk and performance – demonstrating a new way to identify and assess the relationship between the amount of risk and the level of performance.
5. Written from the perspective of the business – risk management concepts are discussed in terms of helping an organisation create value, enabling you to realise true benefits from ERM.
6. Deeper discussions on challenging topics – such as risk appetite and the portfolio view of risk.
7. Explores management of risk at all altitudes of the organisation – from entity level through to procedural level risks, making ERM more than just an isolated view of risk in the business.
8. Addresses the evolving role of technology – in influencing an organisation’s strategy, business context and how it manages risk.
9. Greater emphasis on culture – reflecting the changing demands and expectations of today’s markets, helping your organisation make responsible risk decisions.
10. Coming soon: Compendium of Examples – highlighting the implementation of principles across a variety of industries and entity types.
A new framework structure
The graphic symbolizes the dynamic, integrated nature of ERM that begins with the mission, vision and core values of the organisation through to the creation of enhanced value.

5 Components that align to the business life cycle
20 Supporting principles that collectively describe the ERM Framework

The new Framework adopts a components and principles structure

Explores the benefits of ERM

• Increasing the range of opportunities – By considering all possibilities, both positive and negative aspects of risk, management can identify new opportunities and associated challenges.
• Identify and manage risks entity-wide – Management identifies and manages these entity-wide risks to sustain and improve performance.
• Increasing positive outcomes – Improve management’s ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses.
• Reducing performance variability – Management can anticipate the risks that would affect performance and put in place the actions needed to reduce disruption and improve opportunity.
• Improving resource deployment – Risk information enables management, in the face of finite resources, to prioritise resource deployment and enhance resource allocation.
• Enhancing enterprise resilience – Enhance management’s ability to anticipate and respond to change, not only to survive but also to evolve and thrive.

• Enterprise risk management frameworks are as varied as the organisations they support.
• In their infancy, many frameworks focus on increasing positive outcomes and identifying entity-wide risks.
• Boards, senior management and stakeholders are increasingly expecting ERM to reduce performance variability, improve resource deployment and enhance enterprise resilience.
• This will often require the capabilities and practices of an organisation to evolve in line with increasing expectations.
• The effectiveness of an enterprise risk management Framework is founded on fostering, designing and implementing the culture, capabilities and practices that align to intended benefits.
• A more detailed discussion of the benefits of ERM can be found in the COSO Executive Summary.

Focusing on integrating risk and strategy

81% of the greatest losses in shareholder value since 2002 were attributable to ‘strategic blunders’*

The strategy setting process is a critical area of integration for enterprise risk management

• Strategic blunders account for a majority of the losses in shareholder value compared to operational events, incidents or compliance failures
• Research suggests that organisations are looking to strengthen the integration between strategy and enterprise risk management

*U.S. public companies around the world with at least US$1 billion in enterprise value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle and Pencavel, “The Lesson in Lost Value”, Strategy+Business, November 2012

Focusing on integrating risk and strategy

Where do your ERM efforts currently focus and how closely does it align to value creation, realisation and preservation?

The updated Framework elevates the discussion of integrating strategy and risk through three different dimensions:
1. The possibility of strategy not aligning with mission, vision and core values;
2. The implications from the strategy chosen; and
3. Risk to strategy and performance.

Explores managing risk at all altitudes of the organisation

The Framework highlights that risks emanate and must be managed at all levels of the organisation. The Framework explores how risks can manifest at multiple levels within an organization, with some risks directly impacting the entity strategy while others impact business objectives.

The Framework also addresses how risks can change in severity and prioritization at different levels of the organisation and how the impacts of correlation and diversification are considered when analysing the risk profile of the portfolio view of risk.

[Diagram: Entity Strategy → Entity Level Business Objective 1 and Entity Level Business Objective 2 → Business Objective 1, Business Objective 2, Business Objective 3 → Risk 1, Risk 2, Risk 3, Risk 4]

• Risk frameworks should ensure existing risk identification and assessment practices account for risks occurring at different levels of the organisation
• Risk capabilities should account for how risk ratings and responses may exist and change at different altitudes within an organisation
• Management should designate appropriate roles and responsibilities for the management of risk and execution of risk responses

How the Framework emphasises technology

The Framework recognizes the importance of enterprise risk management keeping pace with technological developments

• The Framework emphasises how enterprise risk management practices and capabilities need to align with the velocity of changes to the business context, emerging and changing risks.
• Information, Communication and Reporting principles now have a greater focus on integrated risk and performance reporting.
• Developments in data generation and analytics including ‘big data’, artificial intelligence and social media have been acknowledged.
• Discussions on the accuracy, completeness and timeliness of data have been retained in the COSO Internal Control Integrated Framework.

90% – Data Generation: Proportion of data that exists today that was created in the past two years
0.5% – Data Analysis: Only a small fraction of available data is currently analyzed
27% – Impact on Industry: Percentage of CEOs that believe technology will completely reshape their industry

Source: PwC Mega Trends – Technological Breakthroughs

Written from the perspective of the business

The Framework was written from the perspective of the business to facilitate the integration of ERM and support acceptance and adoption by the business

• There is often a ‘siloed’ approach to risk that is separate from the day to day management of an organisation.
• Risk management is perceived as an incremental activity performed by those independent of the business.
• The lack of integration can contribute to difficulties engaging with the business, the ability to gain and offer insight, and ultimately curbs the value that ERM can offer.

• The Framework endeavors to remove risk ‘jargon’ and adopts the language of business to discuss concepts and practices
• By using the same language, the Framework hopes to promote acceptance and adoption of ERM by the organization

Note: In practice, ERM often refers to a team, department or a part of the ‘lines of defense’; however, in the Framework it is discussed in the context of an organisation’s culture, capabilities and practices used to manage risk
How the Framework addresses culture

• Culture now features in the definition of ERM and is part of the Framework’s Governance and Culture Component
• Principles on culture are now more focused on decision-making and the alignment to expected behaviors in line with the core values of the organization
• The importance of aligning the core values and risk appetite of the organization to promote consistent and risk-based decision making

COSO ERM Definition
The culture, capabilities and practices, integrated with strategy setting and its execution, that organisations rely on to manage risk in creating, preserving and realising value

Discussions on the importance and commitment to integrity and ethics have been retained in the COSO Internal Control Integrated Framework

Deeper discussions on other challenging topics

Requests for additional guidance represented some of the most common feedback the PwC Project Team received during the Public Comment Period.

Risk Appetite – Enhanced discussions on:
• Alignment of Risk Appetite and Strategy
• Delineation between risk appetite and tolerance
• Consideration of risk appetite as an evaluative vs decision-making tool
• Alignment of risk appetite to risk assessment and the portfolio view of risk

Risk Assessment – Additional focus on:
• Articulating risks relative to business objectives and performance
• Developing severity measures and prioritization criteria given the risk appetite of the organisation
• Risk assessments at different levels including new illustrative graphics relating to aggregation

Portfolio View and Aggregation – Greater detail provided on:
• Graphical representations of portfolio view
• Emphasis on a business objective centric view of risk
• Alignment to strategy and resource deployment
• Tie to integrated performance monitoring and reporting

Compendium of Examples

Coming Soon….

A compendium of examples is also being developed. The proposed compendium will illustrate:
• All principles;
• A variety of entity sizes from global through to national, regional, and local entities;
• A variety of industry types;
• Actual company practices, augmented with expected practices in select areas, as needed; and
• Written from the perspective of the business.

Examples:
• Governance in a higher education institution
• Culture in a government entity
• Culture in a financial services company
• Strategy and objective-setting in an energy company
• Strategy and objective-setting in a not-for-profit entity
• Performance in a consumer products company
• Performance in a technology company
• Review and revision in an industrial products company
• Risk information in a healthcare company

What does this mean for you and your organisation?

What does this mean for Internal Audit?
Assurance role:
• Joint internal audit and ERM risk assessments to provide
integrated view of risks
• Validating management’s action plans and assessing
progress against those plans
• Auditing processes and controls that address higher risk
areas
• Assessing maturity and effectiveness of ERM processes
Consulting role:
• Participate in strategy discussions to provide a point of view
on risk implications of selected strategies
• Reviewing risk appetite framework of the organization
• Understanding how organization creates, realizes and
preserves value and the supporting assumptions
• Encouraging risk professionals to sync with the language of
business in the organization
• Spreading awareness within organization and challenging
the organization to think about ERM as a process and not a
function, department or standalone tool
How can Internal Audit help their organization get started…

[Highlighted statistic (value not recoverable): Percentage of respondents that stated implementation of effective ERM Frameworks as the most common challenge in deriving its expected benefits]

1) Identify the benefits being sought from ERM by your organization
2) Determine the desired integration of enterprise risk management within the organisation
3) Prioritize the initiatives and resources required to implement or enhance existing cultures, capabilities and practices

Aligning Culture
• Secure board and senior management endorsement for implementing or enhancing the Enterprise Risk Management Framework
• Incorporate risk management expectations into training and incentives to enhance consistency in decision-making
• Communicate and clarify roles and responsibilities for risk management

Augmenting Capabilities
• Invest in tools, templates or technology that support risk management activities and decision-making
• Include third party providers and vendors in discussions on risk and performance
• Encourage discussion of the entity’s risk appetite and profile within governance forums and as part of management decision-making

Enhancing Practices
• Evaluate whether current practices align with desired integration and achieve benefits sought from ERM
• Review risk identification, assessment, prioritization and response processes for opportunities for enhancement
• Analyse reporting practices for opportunities to further integrate with performance reporting
How Boards can take a fresh look at risk oversight

Key Challenges and Board Actions

• How can boards reassure investors that they are overseeing risks appropriately? – Enhance proxy disclosures to better describe risk oversight, so shareholders can better understand what your board does and how.
• Are any key risks falling through the cracks? – Clearly allocate risk oversight among the board and its committees. Ensure that the chairs share their committees’ insights about those risks with the full board.
• How can directors know if ERM is adding value? – Dig into how well ERM works and whether changes should be made.
• How can the board ensure that executives take their responsibility for risk seriously? – Discuss with senior management how they have put ERM into practice, including who’s accountable for key risks and how ERM works at lower levels in the company.
• How can the board better understand what risks may emerge in the future? – Push executives for regular forward-looking, strategic input on emerging risks.
• How can the board get the reporting it really needs on risk? – Be clear on the kind of risk information you need from management and how often you want to see it.

Source: PwC Governance Insights Center – Risk Series


More information

Staying involved

Access the Framework at www.coso.org

View videos, blogs and articles at www.pwc.com/coso-erm

Amanda Herron
Partner, Risk Assurance
Tel: 704-724-5708
amanda.c.herron@pwc.com

Meghana Dholabhai
Director, Risk Assurance
Tel: 214-608-1152
dholabhai.meghana@pwc.com

Thank you

© 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should
not be used as a substitute for consultation with professional advisors.

At PwC, our purpose is to build trust in society and solve important problems. PwC is a network of firms in 157 countries with more than 223,000 people who are
committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com/us.

