Professional Documents
Culture Documents
com
October 2017
Agenda
1 Introducing
COSO
2 Why update
the
3 What has
changed?
4 What does
it mean for
5 More
information
Framework you?
now?
Who is COSO and what What prompted the How does this compare What does the new How to obtain a copy of
is the COSO ERM Framework update? to the 2004 COSO Framework mean for the new Framework
Framework? What was the feedback ERM Framework and you and your and obtain more
received during Public why where changes organisation? information
comment? introduced?
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 2
www.pwc.com
Introducing COSO
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
COSO’s 2004
Enterprise Risk COSO and PwC have collaborated on
Management- frameworks and publications for 25 years
Integrated
Framework
is one of the
world’s most
widely used risk
management
frameworks.
www.coso.org
2012 Understanding and 2006 Internal Control over Financial 1992 Internal Control – Integrated
2013 Internal Control – Integrated 2013 Internal Control – Integrated
Communicating Risk Appetite Reporting Guidance for Smaller Public Framework
Framework Executive Summary Framework
Companies
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 4
www.pwc.com
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
32
CEO confidence is rising…..
Leaders are looking to ERM to give them greater confidence in managing the risks to the
achievement of their strategy and business objectives
83%
Question 1: Do you %
believe global 70
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 6
At the same time, many Boards
are not receiving the information
they need
58% of Boards do not Question: How often does your board get updates and reports from
receive updates at management on:
every meeting on the
amount of risk the
company is taking
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 7
Boards recognize that there are opportunities for
ERM to add greater value
Question: How well do you believe management performs the following activities:
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 8
So what are risk and business professionals
saying?
I want to reduce
performance
variability and
As an I need insights When I develop
respond more
innovative that help me my strategy, I
quickly to
company, I understand risks want to have a
opportunities
want to use and full picture of
I want an ERM opportunities the potential
risk to create
Framework that and evaluate risks and the
value and not
drives strategic options capabilities I
only to protect
improvements to need to create
value
business functions advantage
beyond risk
avoidance
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 9
Why update the ERM
framework now?
• Boards are expecting more from their
organisation’s ERM practices and capabilities
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 10
www.pwc.com
What’s changed?
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
A new framework with global input
As part of the drafting process, the Framework was made publicly available for review and comment
between June and September 2016.
Global
Website visits interest
1 Over 24,000
website visits
2 46% of the
downloads
outside of
the US
Entity
interest Engagement
3 Wide spread
interest
4 Equal interest by
private & public
companies
across
industry
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 12
Key highlights from feedback received
Feedback received was reviewed by the project team and informed the final updates to the
Framework prior to publication.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 13
Introducing the 10 key changes to the
2017 Framework
A new framework structure–five Explores the different benefits of
components and twenty principles that ERM–from loss mitigation through to
align to the business lifecycle, making strategic advisor and how they inform the
risk conversation more intuitive for you. design of a risk framework.
5 20
Components that align Supporting principles
to the business life cycle that collectively describe
the ERM Framework
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 15
The new Framework adopts a components
and principles structure
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 16
Explores the benefits of ERM
• Enterprise risk management frameworks are as varied as the • The effectiveness of an enterprise risk management
organisations they support. Framework is founded on fostering, designing and
• In their infancy, many frameworks focus on increasing implementing the culture, capabilities and practices that
positive outcomes and identifying entity-wide risks. align to intended benefits.
• Boards, senior management and stakeholders are • A more detailed discussion of the benefits of ERM can be
increasingly expecting ERM to reduce performance found in the COSO Executive Summary
variability, improve resource deployment and enhance
enterprise resilience.
• This will often require that the capabilities and practices of
an organisation to evolve in line with increasing expectations.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 17
Focusing on
integrating risk and strategy 81% of the greatest
losses in
The strategy setting process is a critical area of shareholder value
integration for enterprise risk management
management
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 18
Where do your Focusing on integrating risk
ERM efforts
currently focus and strategy
and how closely The updated Framework elevates the discussion of integrating
does it align to strategy and risk through three different dimensions:
value creation,
1. The possibility of strategy not aligning with mission, vision and core values;
realisation and
preservation? 2. The implications from the strategy chosen; and
3. Risk to strategy and performance.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 21
Explores managing risk at all
altitudes of the organisation
The Framework highlights that risks
emanate and must be managed Entity Strategy
at all levels of the organisation.
The Framework explores how risks
can manifest at multiple levels within
an organization with some risks Entity Level Business Entity Level Business
directly impacting the entity strategy Objective 1 Objective 2
while others impacting business
objectives.
• Risk frameworks should ensure • Risk capabilities should account • Management should designate
existing risk identification and for how risk ratings and appropriate roles and
assessment practices account for responses may exist and change responsibilities for the
risks occurring at different levels at different altitudes within an management of risk and
of the organisation organisation execution of risk responses
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 20
How the Framework
emphasises technology
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 21
Written from the perspective Inset a quotable quote…
of the business
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 23
Risk Appetite Risk Assessment Portfolio View
and Aggregation
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 24
Compendium of Examples
A compendium of Examples:
examples is also being
• Governance in a higher
developed. The proposed
education institution
compendium will
illustrate: • Culture in a government entity
• All principles; • Culture in a financial services
company
• A variety of entity sizes
from global through to • Strategy and objective-setting
national, regional, and in an energy company
local entities;
• Strategy and objective-setting
• A variety of industry types; in a not-for-profit entity
• Actual company practices
Coming Soon…. and be augmented with
• Performance in a consumer
products company
expected practices in select
areas, as needed; and • Performance in a technology
company
• Written from the
perspective of • Review and revision in an
the business. industrial products company
• Risk information in a
healthcare company
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 25
www.pwc.com
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
What does this mean for Internal Audit?
Assurance role:
• Joint internal audit and ERM risk assessments to provide
integrated view of risks
• Validating management’s action plans and assessing
progress against those plans
• Auditing processes and controls that address higher risk
areas
• Assessing maturity and effectiveness of ERM processes
Consulting role:
• Participate in strategy discussions to provide a point of view
on risk implications of selected strategies
• Reviewing risk appetite framework of the organization
• Understanding how organization creates, realizes and
preserves value and the supporting assumptions
• Encouraging risk professionals to sync with the language of
business in the organization
• Spreading awareness within organization and challenging
the organization to think about ERM as a process and not a
function, department or standalone tool
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
Percentage of How can Internal Audit help their
respondents that
stated organization get started…..
implementation
1) Identify the benefits 2) Determine the desired 3) Prioritize the
being sought from ERM by integration of enterprise initiatives and resources
your organization risk management within the required to implement or
organisation enhance existing cultures,
capabilities and practices
How can the board better understand what risks may Push executives for regular forward-looking, strategic
emerge in the future? input on emerging risks.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 29
www.pwc.com
More information
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance
Staying involved
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance 31
Thank you
© 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should
not be used as a substitute for consultation with professional advisors.
At PwC, our purpose is to build trust in society and solve important problems. PwC is a network of firms in 157 countries with more than 223,000 people who are
committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com/us.
PwC | COSO Enterprise Risk Management – Integrating with Strategy and Performance