L14: Enterprise Risk Management COSO Framework
Assignment No. 2 Appropriate Answer:

Enterprise Risk Management: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Top CEOs/CFOs are generally….
- ineffective at considering risk, return and capital issues when making decisions.
- lacking alignment between their company's strategy and appetite for risk.
- finding it really hard (whine, whimper) to align strategy to effective risk management.
- We will attempt to do it in the next 3 to 4 sessions.

COSO….
- Companies today face an array of risks. Driving forces like technology advances and the internet, global competition, complex financial instruments, mergers, downsizing, deregulation, and increased consumer demands all create a riskier operating environment for organizations.

Notes by Gautam Chitanis


- Stakeholders no longer accept a lack of planning or imagination as leadership excuses for bad decisions.
- In a new paradigm—enterprise risk management (ERM)—the management of risk is integrated and coordinated across the organization.
- Recognizing the need for a well-defined ERM model, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an ERM framework with eight interrelated components in September 2004.
- The guidance introduces an enterprise-wide approach to risk management as well as concepts such as: risk appetite, risk tolerance, portfolio view.
- This framework is now being used by organizations around the world to design and implement effective ERM processes.
- This framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.
- Once implemented, these components provide a new way of thinking about and managing risks. Refer: www.coso.org/ (Hyperlink)

Why the focus on Enterprise Risk Management? Here's what COSO says.

In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the Enterprise Risk Management – Integrated Framework in 2004.

Basics “Value”:

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:

#1-Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
#2-Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
#3-Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
#4-Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
#5-Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

FAQs for COSO's Enterprise Risk Management — Integrated Framework

COSO
Comprising the professional associations listed above, the Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices.

A. What is the framework and how do I get it?

1. What is in the framework?
The framework describes the critical principles and components of an effective enterprise risk management process, setting forth how all important risks should be identified, assessed, responded to and controlled. The framework sets forth how a company applies enterprise risk management in its strategic planning and also describes techniques some companies are using in identifying and managing risk. The framework also describes roles of key players in the enterprise risk management process. Importantly, the framework emphasizes how an effective enterprise risk management process identifies not only the downside, but also the upside, or opportunities that can be seized to enhance profitability and return. It also provides a common language, so that when executives, directors and others talk about risk management, they are truly communicating.

2. Where can I find the framework?
An executive summary of the Framework is posted in .pdf format on www.coso.org. There, you will also be able to place an order for either a hard copy or electronic copy of the two-volume set that includes the executive summary as well as the Enterprise Risk Management – Integrated Framework and associated Application Techniques. The same charge ($75 or $50 for members of COSO organizations) applies to both hard and soft copy.

B. Why is this a framework that organizations should support?

1. What limitations of existing enterprise risk management models prompted creation of a new framework?
There have been a wide variety of frameworks utilized across companies and across countries. Some of these focus narrowly on risk management (rather than enterprise risk management). Others focus on specific industries or specific types of risk. Moreover, many of these focus on mechanisms for reducing — rather than managing — risk. In addition, many of the pre-existing frameworks stood by themselves, and thus tended to be implemented within functions. As a result, many risk management practices have been implemented in silos (i.e., in one part or one function of the organization). Consequently, risk management may be done very well in one section, but not consider how actions of other parts of the organization affect their risks, or it might not capture the overall significant risks that the organization faces. In addition, the COSO Enterprise Risk Management – Integrated Framework addresses enterprise risk management applicable to all industries and encompassing all types of risk. The Enterprise Risk Management – Integrated Framework presents an enterprise-wide perspective of risk and standardizes terms and concepts to promote effective implementation across the organization. The framework also recognizes that an effective enterprise risk management process must be applied within the context of strategy setting. This is a fundamental difference from most risk models used to date. It starts with the top of the organization and supports an organization’s major mission.

2. What is the relationship between effective enterprise risk management and improved financial reporting and transparency?
There are natural linkages between enterprise risk management, improved financial reporting and transparency. The Enterprise Risk Management – Integrated Framework details, for the first time, the link between value, risk, strategy, objective setting, performance measurement, risk response and control processes. The Enterprise Risk Management – Integrated Framework requires that organizations establish a risk appetite, measure actions and decisions against that risk appetite and communicate results. Communication of enterprise risk management to users of financial information clearly enhances transparency.

3. How might the framework assist organizations in structuring their entities to best manage exposure to risk?
By formally organizing risk management responsibilities and activities an organization is much better positioned to achieve its objectives. It works best when an organization develops an integrated process to address risk throughout the organization; the framework is designed to promote entity-wide capabilities for identifying and dealing with risk on a consistent basis. The framework is scalable, enabling companies to be able to match the process to the company’s complexity and sophistication. The COSO Enterprise Risk Management – Integrated Framework provides comprehensive guidance on each of these points and includes numerous examples of approaches used by risk management practitioners in a diverse group of organizations.

4. Is this intended for private organizations? Is there any organization this is not intended for?
Enterprise risk management is a process that companies of all sizes and degrees of sophistication should consider. There is an intrinsic expectation that all organizations, be they for profit, not-for-profit, government organizations, etc., each work to manage risk. The Enterprise Risk Management – Integrated Framework will facilitate the process.

C. What are some of the key concepts established in this framework?

1. What is the difference between risk appetite and risk tolerance?
Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable, while risk tolerances are more narrow and set the acceptable level of variation around objectives. For instance, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10%, it is expressing tolerance. Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives.

2. How does an organization determine the right amount of risk for the value it is trying to create for stakeholders and how should it communicate its risk policy to stakeholders?
The level of risk that an entity is willing to accept is a management decision – and there is no right answer to this question. One company’s management will pursue a higher-risk strategy while another will pursue a lower risk strategy. The shareholder should understand the risk chosen by management and invest in accordance with his/her own tolerances for potential variation in stock performance. Organizations communicate the levels of risk accepted through the MD&A, investor calls, press releases, quarterly and annual reports, etc.

3. Is there such a thing as being overly conscientious about risk?
The purpose of an entity is to provide goods and services that people value. The pursuit of that goal is paramount in most organizations. An organization that focuses more on risk management than on pursuing its primary goals is likely to under perform. To achieve its business objectives, management will want to ensure that sound risk management processes are in place and functioning. Board and audit committees have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective.

D. How does this framework relate to COSO's Internal Control Framework?

1. Are you replacing the Internal Control Framework with the Enterprise Risk Management Framework?
The Internal Control – Integrated Framework is conceptually sound and has stood the test of time. The Enterprise Risk Management – Integrated Framework is a broader framework that incorporates the internal control framework within it. The frameworks are compatible and are based on the same conceptual foundation. We believe the consistent conceptual underpinnings are a major strength of the two models. Appendix C of the Enterprise Risk Management – Integrated Framework provides a detailed discussion of the relationship to Internal Control – Integrated Framework.

2. If you have good internal control, isn’t that a way of managing risk?
A strong system of internal control supports the achievement of the organization’s business objectives and therefore good internal control is a way of managing risk. In other words, one approach to risk is to develop controls to mitigate the risks. However, enterprise risk management is much broader than internal control. In addition to supporting management’s efforts to achieve business objectives, it aligns risk management with strategy setting and aids a company’s ability to assess whether the organization is accepting risk appropriately. The current emphasis on control in Sarbanes-Oxley is primarily focused on financial reporting. However, there are additional aspects of risk management that go beyond internal controls and are rooted in the strategy setting activities of a company and in the management analysis of risk appetite and risk tolerance necessary to pursue its objectives as a company.

3. What does the new framework offer clients that are focusing on internal control?
Companies that want to move beyond internal control and get more out of their efforts now have a framework that will help them go to the next level. As the Enterprise Risk Management – Integrated Framework includes the concepts and components initially developed in the Internal Control – Integrated Framework, expanding their practices to incorporate risk management will be more evolutionary and not require that they “throw away” all of the previous efforts.

4. What is the relationship between technology controls and effective enterprise risk management?
The Enterprise Risk Management – Integrated Framework requires feedback of information from throughout the company. This information must be current and accurate and must be robust enough to support the analysis of different risk responses. Therefore, the technology that provides this data must have the highest levels of integrity and controls. Enterprise risk management cannot be effective if the technology that provides the data used to manage risk is flawed. Controls related to technology, also referred to as general computer controls, were also discussed in the Internal Control – Integrated Framework.

E. How might organizations view the framework in the context of their Sarbanes-Oxley 404 compliance process?

1. With the significant amount of implementation efforts companies are currently undertaking for Sarbanes-Oxley compliance and adoption of new accounting standards, why should companies be motivated to implement enterprise risk management?
The implementation of COSO’s Enterprise Risk Management – Integrated Framework will provide long term benefits to an organization and therefore should be viewed with a longer term implementation perspective. Much of the internal control focus today is on only one aspect of internal control – internal controls over financial reporting for Sarbanes-Oxley 404. This is distinct from reporting on risk management.

2. What makes this different from the internal control framework? How does it relate to Sarbanes-Oxley reporting?
The Enterprise Risk Management – Integrated Framework is broader than internal control, and actually incorporates the key concepts set out in COSO's earlier Internal Control – Integrated Framework. While there are several differences, the three points that are probably the most prominent are that risk management considers risks during strategy setting, that risk approach is led from the top of the organization and requires management to form a view of how much risk the organization is prepared to accept – known as risk appetite – and requires that risk management be done outside of silos through a portfolio view of the organization's risks.

F. How do people in an organization intersect with this framework?

1. Who are the potential implementers of the framework?
The framework is robust. The framework can be used in all functional areas, including information technology, finance, accounting, internal audit and risk specialists within any organization. Not all companies are at the same level of expertise or knowledge of risk management techniques and approaches vary widely. Continued adoption of the Enterprise Risk Management Framework by both companies and academics will result in a more consistent approach to risk management as companies strive to create value for stakeholders.

2. What is the role of the board in enterprise risk management? How does this framework help them?
The Board provides oversight of enterprise risk management. They will be asked to understand key elements of enterprise risk management, inquire of management about risks, and concur on certain management decisions. However, the board is not in the position of making choices on behalf of management and does not alleviate management’s role in enterprise risk management. Chapter 10 of the Enterprise Risk Management – Integrated Framework addresses roles and responsibilities in detail.

3. What is the role of the CFO and others in the financial management organization in enterprise risk management? How will this framework help them?
The CFO and the financial organization play a key role in providing the needed disciplines and procedures to establish risk management as an integral part of the business strategy setting process. He/she has the experience and knowledge to establish controls necessary to assure that the evaluation of risk is a continuing and integral part of the management process and is consistent with the risk management philosophy agreed to with the board. The CFO provides the organization with analytical tools to help determine risk appetite and risk tolerance, and further, the CFO is well positioned to look across the businesses and functions within a company to develop and implement the portfolio view of risk.

4. What is the role of internal auditors in enterprise risk management? How will this framework help them?
Internal auditors can assist both management and the audit committee by examining, evaluating, documenting, and recommending improvements on the adequacy and effectiveness of management’s risk management processes. The COSO Enterprise Risk Management – Integrated Framework provides a benchmark for internal auditors to use in the evaluation of their organization’s risk management efforts.

HOW TO APPLY COSO TO A FRAUD CASE
- The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework has been recognized since the early 1990s as the No. 1 internal control framework for any for-profit or nonprofit organization in any geographical area or culture in the world.
- The framework is explicitly recommended by international standard-setting governmental, private, and professional organizations worldwide.
- The auditors of today are trained to conduct audits on the COSO framework. Review this now: http://www.theiia.org/training/index.cfm?act=seminar.detail&semID=30 (Hyperlink)
- But they also can take a backward look at a fraud case to analyze how it happened.
- And using the lessons learned, we can use them to avoid and/or detect unexpected misconduct, potential mismanagement or even fraud in the future.
- Furthermore, COSO can be used not only for the setup and development of an internal control system but also for the analysis and understanding of control system failures in historical fraud cases.
- The five COSO control components are the core criteria for assessing the potential effectiveness of any internal control system and its vulnerability to fraud.
- A close look at what went wrong at WorldCom gives us a good understanding of how COSO concepts work. In this column, I’ll demonstrate the effectiveness of the five COSO control components in the framework to highlight former WorldCom’s major control weaknesses, which led to the spectacular $11 billion fraud.

WorldCom Fraud in Brief
- For a time, WorldCom was the United States' second largest long distance phone company (after AT&T). WorldCom grew largely by aggressively acquiring other telecommunications companies.
- On November 10, 1997, WorldCom and MCI Communications announced their US$37 billion merger to form MCI WorldCom, making it the largest merger in US history. On September 15, 1998 the new company, MCI WorldCom, opened for business.
- On October 5, 1999 Sprint Corporation and MCI WorldCom announced a $129 billion merger agreement between the two companies. However, the deal did not go through because of pressure from the US Department of Justice and the European Union on concerns of it creating a monopoly.
- In the year 2000, MCI WorldCom renamed itself to simply "WorldCom" without Sprint being part of the company.
- WorldCom caused one of the largest fraud and bankruptcy scandals in American and global corporate history. In total, more than $11 billion worth of fraudulent accounting entries and misstatements were detected, which represented 28.9 percent of total annual revenue in 2002.
- This fraud was significantly higher than the blockbuster fraud at Enron.
- Fraudulent accounting at WorldCom was a collusive action among top management and a few accountants. According to the ACFE’s “2008 Report to the Nation,” the collusion “resulted in a median loss over four times higher than the amount lost in schemes committed by a single perpetrator.”
- The scheme lowered line costs (the company’s largest single expense) by capitalizing them as “prepaid capacity” and reversing allowances without sufficient justification.
- The corporate motive for this fraud was to meet Wall Street’s expectations for growth and also to hide real, deteriorating operative results, which were caused by the bursting dot-com and telecom bubbles. But there were individual drivers also: personal financial enrichment through misappropriation of corporate assets (especially cash) and a mix of other personal targets such as the improvement of social and business status (for example, CEO, CFO), the advancement of a professional career (for example, CFO, chief controller), and job security among several senior accountants, in conjunction with weak controls.
- All WorldCom fraudsters were sentenced. Former CEO Bernie Ebbers received 25 years in prison – a virtual life sentence because he was in his mid-60s at the time. The CFO got a five-year prison sentence and his chief controller one year and one day. In addition, the corrupt senior accountants were jailed or faced long-term probation.

COSO PINPOINTS WHAT WENT WRONG
To find the major weaknesses at WorldCom, I screened the internal control system by applying the five COSO control components and mapping them – that is, plotting the weaknesses against the corresponding fraud exposures. See the “Control Environment”, “Risk Assessment”, “Control Activities” and “Monitoring” charts to view my findings.


Oversight Systems Report on Corporate Fraud
- According to the 2007 Oversight Systems Report on Corporate Fraud, these motives parallel statistical data about why people say they commit fraud:
  - Pressure to do whatever it takes to meet goals (81 percent)
  - Personal gain (72 percent)
  - “I won’t get caught” (41 percent)
  - “I don’t consider it as fraudulent” (40 percent)
  - The belief that regulations can easily be bypassed (21 percent)
- Additionally, people are subject to overestimate their capabilities with a tendency to megalomania as they become more and more successful and admired by the public, as in Ebbers’ case. His financial escapades, both business and personal, were legendary.

Following WorldCom’s experience, we have to accept that:
- Any control can give only reasonable, but never absolute, assurance to reach a tracked business target.
- When fraud is conducted by collusive action of top management and their accountants, as was the case at WorldCom, almost any control can be overridden.
- Fraud is overwhelmingly detected through tip-offs or by accident instead of systematic development of internal control activities or subsequent internal auditing.
- But apart from these discouraging facts, COSO, as the world’s No. 1 concept for internal controls, is still a reliable basis for the development and the analysis of internal control systems with special focus on risks, weaknesses, and potential vulnerabilities to fraud.

COSO
- Within this context, COSO also offers great support for anti-fraud management.
- The ACFE, American Institute of Certified Public Accountants, and Institute of Internal Auditors jointly published “Managing the Business Risk of Fraud: A Practical Guide,” which reflects on the control concept called COSO. Note: Managing the Business Risk of Fraud: A Practical Guide, a $299 book, is given free to the class. (Read it now)

Assignment No. 3…. As discussed in the class
