
Chapter 7, Enterprise Risk Management: COSO ERM

Particularly to support an understanding of both COSO and SOx internal controls, internal
auditors need to have a good understanding of risk management on an enterprise level and how it
impacts their skills for building and developing effective internal control processes. Management
and external auditors should consider relative risks when implementing and assessing internal
controls to achieve compliance with the SOx Section 404 internal control rules.

COSO released their Enterprise Risk Management Integrated Framework (COSO ERM). This
is an approach to allow an enterprise and internal audit to consider and assess its risks at all
levels, whether it be in an individual area such as an information technology (IT) development
project, or global risks regarding an international expansion. While released by the same COSO
guidance‐setting function that has developed and maintains the COSO internal controls
framework, COSO ERM sometimes looks like its internal controls brother, but it has a much
different feel and approach.

RISK MANAGEMENT FUNDAMENTALS


Risk management is an insurance‐related concept where an individual or enterprise typically
uses insurance mechanisms to provide a shield or protection from those risks. We make these
insurance‐related decisions based on assessments of the relative risks and the costs to cover them
through the purchase of insurance. An effective risk management process requires four steps:
1) risk identification,
2) quantitative or qualitative assessment of the documented risks,
3) risk prioritization and response planning, and
4) risk monitoring.
There is always a need to identify and understand the various risks facing an enterprise, to
assess those risks in terms of their cost or impact and probability, to develop responses in the
event of a risk occurrence, and to develop documentation procedures to describe what happened
as well as corrective actions going forward. The same is true for enterprise‐wide risk
management decisions or the decisions of an internal auditor in the course of a single review
engagement. This section will focus on the management of risks across an enterprise. This
four‐step risk management process should be implemented at all levels of the enterprise and with
the participation of many different people.

- Risk Identification
Management should endeavor to identify all possible risks that may impact the success of the
enterprise, ranging from the larger or more significant risks to the overall business down to the
less significant risks associated with individual projects or smaller business units. The risk
identification process requires a studied, deliberate approach to looking at potential risks in each
area of operations and then identifying the more significant risk areas that may impact each
operation within a reasonable time period.
A good way to start the risk identification process is to begin with a high‐level enterprise
chart that lists corporate‐level as well as operating units. Each of those units may have facilities
in multiple global locations and also may consist of multiple and different types of operations.

- Key Risk Assessments

Having identified the significant enterprise risks, a next step should be to assess their
likelihood and relative significance. A variety of approaches can be used here, ranging from
best‐guess qualitative approaches to some detailed, very mathematical quantitative analyses.
The idea is to help decide which of a series of potentially risky events should give management
the most to worry about.

- Probability and Uncertainty

When a large number of risks have been identified, management should think of the
individual estimated risk likelihoods and occurrences in terms of two‐digit probabilities ranging
from 0.01 to 0.99. We have used this range because risks never have a 0% chance or 100%
chance of occurring—otherwise they would not be risks. A basic rule of probability is that we
cannot add up independent probability estimates to yield a joint estimate.

- Risk Interdependencies
We have discussed risks at an individual organizational unit level, but risk interdependencies
must always be considered and evaluated throughout the organizational structure. Any entity
should be concerned about risks at all levels of the organization but only really has control over
the risks within its own sphere.

- Risk Ranking
The risk significance and probabilities of occurrence are often called the risk drivers or the
primary risks for a set of identified risks. An enterprise should then focus its attention going
forward on these primary risks. These types of risk‐ranked schedules can be organized on a
unit‐by‐unit basis and adjusted to accommodate all related risks in parallel with as well as
above or below the entity being ranked or evaluated.

- Quantitative Risk Analysis: Expected Values and Response Planning

There is little value in identifying significant risks unless an enterprise has at least some
preliminary plans for the action steps necessary if they incur one of them. The idea is to
estimate the cost impact of incurring some identified risk and then to apply that cost to a risk
factor probability to derive an expected value of the risk. This is often an exercise that does not
require detailed cost studies with lots of supporting historical trends and estimates. Rather,
expected cost estimates should be performed by frontline people at various levels of the
enterprise who would have a good level of knowledge of the area or risk implications. The idea
is to go through each of the identified risks—or if time is limited, only the key risks—and
estimate the costs of incurring the risk. Because the kinds of risks discussed involve such
matters as the failure of a hardware component, the drop in a market share, or the impact of a
new government regulation, these are typically not the types of costs that one can just look up
in a current vendor catalog.
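The probability rules stated in the Probability and Uncertainty section (estimates kept within the 0.01 to 0.99 band, and independent probabilities that cannot simply be added to get a joint estimate) and the expected‐value ranking described in this section, worked through in an added Python example. This is not code from the chapter or from COSO; the `Risk` class, the register entries, and their likelihoods and dollar impacts are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Risk:
    """One line of a risk register. Hypothetical structure, not a COSO ERM artifact."""
    name: str
    probability: float  # estimated likelihood over the planning period, 0.01..0.99
    impact: float       # estimated cost if the event occurs, in dollars

    def __post_init__(self) -> None:
        # The chapter's rule: a risk is never 0% or 100% likely, so reject
        # estimates outside the two-digit band before they reach any arithmetic.
        if not 0.01 <= self.probability <= 0.99:
            raise ValueError(f"{self.name}: probability {self.probability} must lie in [0.01, 0.99]")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact must be a non-negative cost")

    @property
    def expected_value(self) -> float:
        """Expected cost = likelihood x cost impact (the chapter's expected value of the risk)."""
        return self.probability * self.impact


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Primary risks first: sort by expected value, highest first (stable for ties)."""
    return sorted(risks, key=lambda r: r.expected_value, reverse=True)


def naive_probability_sum(risks: list[Risk]) -> float:
    """What adding the estimates gives. Not a probability: it can exceed 1."""
    return sum(r.probability for r in risks)


def probability_any(risks: list[Risk]) -> float:
    """P(at least one occurs) for independent risks = 1 - product of (1 - p_i)."""
    return 1.0 - prod(1.0 - r.probability for r in risks)


def probability_all(risks: list[Risk]) -> float:
    """P(every one occurs) for independent risks = product of p_i."""
    return prod(r.probability for r in risks)


# Constructed sample register; names, likelihoods and impacts are illustrative only.
REGISTER = [
    Risk("Storage array controller failure", 0.20, 150_000),
    Risk("Loss of a key customer account", 0.10, 800_000),
    Risk("New privacy regulation raises compliance cost", 0.50, 60_000),
    Risk("Phishing leads to payroll fraud", 0.30, 40_000),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.name:48} p={r.probability:.2f} impact=${r.impact:>9,.0f} "
              f"expected=${r.expected_value:>9,.0f}")
    print(f"naive sum of probabilities: {naive_probability_sum(REGISTER):.2f} (exceeds 1, meaningless)")
    print(f"P(at least one occurs):     {probability_any(REGISTER):.3f}")
    print(f"P(all occur):               {probability_all(REGISTER):.4f}")
```

Running the script ranks the $800,000 customer loss first even though it is the least likely event, because ranking goes by expected value rather than by probability or impact alone. The naive sum of the four probabilities comes to 1.10, which is why the chapter warns against adding estimates; the correct chance that at least one of these independent events occurs is about 0.75.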

- Quantitative Risk Analysis: Risk Monitoring

Risk identification processes are not continuous exercises. Once these risks have been
identified, the enterprise needs to monitor them and make ongoing adjustments as needed. This
risk monitoring can be performed by the process owner or by an independent reviewer. Internal
audit is often a very credible and good source to monitor the current status of identified risks. It
may gather this information through surveys or face‐to‐face reviews. Internal audit always has
a level of extra credibility and authority.

COSO ERM: ENTERPRISE RISK MANAGEMENT

The COSO ERM framework starts by defining enterprise risk management as follows:

"Enterprise risk management is a process, effected by an entity’s board of directors, management
and other personnel, applied in a strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives."

Professionals should consider these key points and concepts supporting the COSO ERM
framework definition, including:
1. ERM is a process.
2. The ERM process is implemented by people in the enterprise.
3. ERM is applied through the setting of strategies across the overall enterprise.
4. An enterprise’s risk appetite must be considered.
5. ERM provides only reasonable, not positive, assurance on objective achievements.
6. An ERM is designed to help attain the achievement of objectives.

COSO ERM KEY ELEMENTS

This COSO ERM framework is shown in Exhibit 7.5 as a cube with the components of:
 Four columns representing the strategic objectives of enterprise risk;
 Eight horizontal rows or risk components; and
 Multiple levels to describe any enterprise, from a headquarters entity level to individual
subsidiaries. Depending on organization size, there can be many slices of the model here.

- COSO ERM: The Internal Environment Component

The COSO ERM internal environment component consists of the following elements:
 Risk management philosophy.
 Risk appetite.
 Board of directors’ attitudes.
 Integrity and ethical values.
 Commitment to competence.
 Organizational structure.
 Assignments of authority and responsibility.
 Human resources standards.

- COSO ERM Objective Setting

This ERM element says that in addition to an effective internal environment, an enterprise must
establish a series of strategic objectives, aligned with its mission and covering operations,
reporting, and compliance activities. COSO ERM emphasizes that a mission statement is a crucial
element for setting objectives; it is a general, formalized statement of purpose and a building
block for the development of specific functional strategies. Often just a simple, straightforward
statement, a mission statement should summarize an enterprise’s objectives and its overall
attitude toward risks.

- COSO ERM Event Identification

Events are enterprise incidents or occurrences, internal or external, that affect the
implementation of an ERM strategy and the achievement of its objectives. While an internal
auditor’s tendency is to think of events in a negative sense—determining what went wrong—
they can be positive as well. Monitoring processes should include:
 External economic events.
 Natural environmental events.
 Political events.
 Social factors.
 Internal infrastructure events.
 Internal process–related events.
 External and internal technological events.
COSO ERM supporting materials suggest that an enterprise should establish processes to review
potentially significant risks and then consider some of the following approaches:
 Event inventories.
 Facilitated workshops.
 Interviews, questionnaires, and surveys.
 Leading events and escalation triggers.
 Loss event data tracking.

- COSO ERM Risk Assessment

Risk assessment allows an enterprise to consider the impact that potential risk‐related events
may have on the achievement of its objectives. These risks should be assessed from two
perspectives: the likelihood of the risk occurring and its potential impact. A key part of this
risk assessment process is the need to distinguish between two very important concepts,
inherent risk and residual risk:
 Inherent risk. Inherent risk is the potential for waste, loss, unauthorized use, or
misappropriation due to the nature of an activity itself. Major factors that affect enterprise‐
inherent risk are the size of its budget, the strength and sophistication of management, and
simply the very nature of its activities. Inherent risk is outside the control of management
and usually stems from external factors.
 Residual risk. This is the risk that remains after other management responses to risk threats
and countermeasures have been applied. There will virtually always be some level of
residual risk.

- COSO ERM Risk Response Elements

Having assessed and identified its more significant risks, the COSO ERM’s risk response
process calls for a careful review of estimated risk likelihoods and potential impacts, with
consideration given to their associated costs and benefits, to develop appropriate risk response
strategies, following any of four basic risk strategies:
 Avoidance. This is a strategy of walking away from a risk—such as selling a business unit
that gives rise to a risk, exiting from a risky geographical area, or dropping a product line.
 Reduction. A wide range of business decisions may be able to reduce certain risks.
 Sharing. Virtually all enterprises regularly share some of their risks through the purchase of
insurance, but other risk‐sharing techniques are available as well. For financial transactions,
an enterprise can engage in hedging operations to protect from possible price fluctuations, or
an enterprise can share potential business risks and rewards through corporate joint venture
agreements or other structural arrangements.
 Acceptance. This is the strategy of no action, such as when an enterprise self‐insures by
taking no action to reduce a potential risk.
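The inherent‐versus‐residual distinction from the Risk Assessment section and the four response strategies listed here, combined in one added Python example that is not code from the chapter or from COSO. Each candidate response is expressed as what it costs plus the residual likelihood and impact it leaves behind; the selection rule (the cheapest option whose residual expected loss stays within a stated risk appetite) and all of the sample figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Response:
    """A candidate treatment for one risk, with the residual risk that remains after it."""
    strategy: str               # "avoidance", "reduction", "sharing" or "acceptance"
    annual_cost: float          # what the response itself costs each period, in dollars
    residual_probability: float
    residual_impact: float

    @property
    def residual_expected_loss(self) -> float:
        """Residual risk expressed as expected cost: what is left after the response."""
        return self.residual_probability * self.residual_impact

    @property
    def total_cost(self) -> float:
        """Cost of the response plus the expected loss it leaves behind."""
        return self.annual_cost + self.residual_expected_loss


def acceptance(p: float, impact: float) -> Response:
    # No action taken: residual risk equals inherent risk.
    return Response("acceptance", 0.0, p, impact)


def reduction(p: float, impact: float, control_cost: float,
              probability_factor: float = 1.0, impact_factor: float = 1.0) -> Response:
    # A control may lower likelihood, impact, or both; the factors are the fraction that remains.
    return Response("reduction", control_cost, p * probability_factor, impact * impact_factor)


def sharing(p: float, impact: float, premium: float, covered_fraction: float) -> Response:
    # Insurance or hedging: likelihood is unchanged, the covered share of the loss is transferred.
    return Response("sharing", premium, p, impact * (1.0 - covered_fraction))


def avoidance(exit_cost: float) -> Response:
    # Walking away: no residual risk, but the exit (lost margin, wind-down) has its own cost.
    return Response("avoidance", exit_cost, 0.0, 0.0)


def choose_response(options: list[Response], risk_appetite: float) -> Optional[Response]:
    """Cheapest option whose residual expected loss is within appetite; None if none qualifies."""
    within = [o for o in options if o.residual_expected_loss <= risk_appetite]
    return min(within, key=lambda o: o.total_cost) if within else None


# Constructed example. Inherent risk A: p = 0.25, impact $400,000 (inherent expected loss $100,000).
OPTIONS_A = [
    acceptance(0.25, 400_000),
    reduction(0.25, 400_000, control_cost=30_000, probability_factor=0.2),
    sharing(0.25, 400_000, premium=45_000, covered_fraction=0.9),
    avoidance(exit_cost=120_000),
]

# Inherent risk B: p = 0.10, impact $20,000 (inherent expected loss $2,000).
OPTIONS_B = [
    acceptance(0.10, 20_000),
    reduction(0.10, 20_000, control_cost=5_000, probability_factor=0.5),
    sharing(0.10, 20_000, premium=3_000, covered_fraction=0.8),
]


if __name__ == "__main__":
    for label, options in (("Risk A", OPTIONS_A), ("Risk B", OPTIONS_B)):
        print(label)
        for o in options:
            print(f"  {o.strategy:10} cost=${o.annual_cost:>9,.0f} "
                  f"residual=${o.residual_expected_loss:>9,.0f} total=${o.total_cost:>9,.0f}")
        for appetite in (25_000, 5_000):
            chosen = choose_response(options, appetite)
            print(f"  appetite ${appetite:,}: {chosen.strategy if chosen else 'no option qualifies'}")
```

For risk A, the cheapest option in total cost is reduction, so it is chosen under a $25,000 appetite; tightening the appetite to $5,000 leaves only avoidance, which shows how appetite rather than cost alone can drive the choice. For risk B the control and the premium both cost more than the $2,000 expected loss they address, so acceptance (self‐insuring) is the rational response.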

- COSO ERM Control Activities

ERM’s control activities are the policies and procedures necessary to ensure action on
identified risk responses. Having selected appropriate risk responses, an enterprise should select
control activities necessary to ensure that they are executed in a timely and efficient manner.
Many control activities under COSO internal controls are fairly easy to identify and test due to
the accounting nature of many internal controls and generally include the following areas:
 Separation of duties. Essentially, the person who initiates a transaction should not be the
same person who authorizes that transaction.
 Audit trails. Processes should be organized such that final results can be easily traced back
to the transactions that created those results.
 Security and integrity. Control processes should have appropriate control procedures such
that only authorized persons can review or modify them.
 Documentation. Processes should be appropriately documented.

- COSO ERM Information and Communication

This COSO ERM component is a separate set of risk‐related processes linking the other COSO
ERM components, as described in Exhibit 7.9, which shows the information flows across the
COSO ERM components.

- COSO ERM Monitoring

ERM monitoring is necessary to determine that all installed ERM components work effectively.
People in an enterprise change, as do supporting processes and both internal and external
conditions, but the monitoring component helps assure that ERM is working effectively on a
continuous basis.

OTHER DIMENSIONS OF COSO ERM: ENTERPRISE RISK OBJECTIVES

- Operations Risk Management Objectives
Following the three‐dimensional ERM framework, the operations‐level risk objective calls
for the identification of risks for each enterprise unit or component. This identification of
operations‐level risk objectives often requires detailed information gathering and analysis,
particularly for a larger enterprise covering multiple geographic areas, product lines, or business
processes.
- Reporting Risk Management Objectives
This ERM objective covers the reliability of an enterprise’s reporting, including the internal
and external reporting of financial and nonfinancial data. Accurate reporting is critical to an
enterprise’s success in many dimensions.
- Legal and Regulatory Compliance Risk Objectives
Enterprises of any nature must comply with a wide range of laws and government‐imposed
or industry regulations. While compliance risks can be monitored and recognized, legal risks are
sometimes totally unanticipated.

ENTITY‐LEVEL RISKS
The COSO ERM framework shows four divisions or slices in this framework dimension: entity‐
level, division, business unit, and subsidiary risks. This is not a prescribed company‐type
division, and ERM suggests that risks should closely follow the given enterprise’s official
organization chart. COSO ERM risks should be identified and managed within each significant
organizational unit, including risks on an entity‐wide basis through individual business units. An
enterprise with four major operating divisions and with multiple business units or subsidiary
units under each would have an ERM framework that reflected all of these units. While these
risks are important on an overall organizational level, there should be a level of consideration on
a unit‐by‐unit basis to as low a level as necessary to allow the enterprise to understand and
manage its risks.

PUTTING IT ALL TOGETHER: AUDITING RISK AND COSO ERM PROCESSES

Because the two framework models look quite similar on first observation, it is very easy to
miss thinking about the unique characteristics of COSO ERM. Risk management, and COSO
ERM in particular, are standards that should be part of every internal auditor’s CBOK. Internal
auditors should use risk management principles when deciding which areas to select for their
reviews, risk‐based audit planning, and then to use risk principles when assessing audit evidence.
Perhaps even more important, COSO ERM will grow in importance and recognition as more
enterprises understand and adopt the ERM framework. Internal auditors should understand
COSO ERM both in order to audit compliance with these processes and to consult with
management to ensure more effective implementations.
