COSO ERM Framework


Dennis Chesley
Global Risk & APA Risk Consulting Leader

dennis.l.chesley@pwc.com

June 2016
PwC 1
Why Update the ERM Framework now

COSO’s 2004 Enterprise Risk Management-Integrated Framework is one of the world’s most widely
used risk management frameworks.

Since 2004, however, the market has continued to evolve, and the COSO
Framework is evolving with it.
• ERM concepts and practices have evolved and the bar is rising
• There is a need to incorporate lessons learned from recent
events
• Business and operating environments are increasingly
complex, technologically driven, and global in scale
• Stakeholders are more engaged and seeking greater
transparency and accountability
• Risk discussions are increasingly prominent at the board
level

Project Governance Structure

• PwC serves as the author for updating the Framework
• The COSO Board provides independent feedback and provides
final approval
• The PwC Project Team includes senior resources, many of whom
were involved in previous COSO projects, who bring in-depth
understanding of the original Framework
• To capture views of a broad range of professionals in the
market place, the COSO Board formed an Advisory Council
representing industry practitioners, academia, government
agencies, and non-profit organizations

[Diagram: COSO Board; PwC Project Team; COSO Advisory Council; Observers]

What is Being Updated

• The update will focus on revising the 2004 Enterprise Risk Management–
Integrated Framework
- This will include both the core Framework and related Executive Summary

• The Application Techniques volume developed to support the understanding of the
2004 ERM-IF is not going to be updated

Project Timing

The update is structured around five main phases, including a public exposure period.
Following completion of these phases, COSO will prepare the document for publication,
anticipated to occur in the first half of 2017.
Timeline: Q3 2014; End of Q2 2016 (105+ Days); ~Q4 2016/Q1 2017; Q2 2017

1. Assess: Develop an understanding of views of the current Framework
2. Envision: Develop an outline of preliminary areas for update
3. Design and Build: Develop drafts of the Framework, review with the Board, Advisory
Council, and other interested parties
4. Public Exposure: Conduct a public exposure period to capture market reactions and
areas for update
5. Finalize: Review with the Board to agree on any remaining significant revisions,
revising as necessary and prepare for publication
Publication
Depicting Enterprise Risk Management

The updated Framework includes a new graphic to illustrate the alignment of risk, strategy, and
performance.
[Graphics: 2004 COSO ERM Framework Graphic; Updated COSO ERM Framework Graphic]

Clarifying Enterprise Risk Management

• Similar to recent COSO frameworks and
guidance, the updated Framework sets out a
series of principles
• These principles:
- Depict the essential aspects of enterprise
risk management
- Apply to organizations of all legal
structures, size, and purpose
- Are not specific rules that replace
management judgment

What’s Changed

The more substantive changes are related to:

Risk and Strategy

• Research suggests that organizations are looking to strengthen the integration between
strategy and enterprise risk management
• The updated Framework enhances the conversation of risk and strategy introduced in 2004

Risk Culture

• Research suggests that culture continues to
escalate in prominence
• Risk culture is often linked to the
conversation of management’s attitude
towards risk taking
• Measuring and reporting on culture remain
a key challenge and will likely evolve
significantly in the coming years
• Culture reflects the entity’s ethics:
the values, beliefs, attitudes,
desired behaviors, and
understanding of risk
• The Framework sets out a “culture
spectrum” which aligns closely to
the conversation on risk appetite

Integration of Risk in Execution

• Similar to the 2004 Framework, the updated version focuses on
managing risk to achieve objectives
• Many entities have focused on developing a list of the “top-10” risks;
our research suggests that this causes entities to focus on isolated
risks versus focusing on achieving objectives and enhancing entity
performance
• The updated framework enhances the objective-centric view versus a
risk-centric view – with the goal of assisting entities in managing
risks throughout execution of a strategy
• Framework chapters have been retitled to better emphasize the
overall goal of managing risk in execution versus focusing on
process

Risk and Performance

• Our research suggests that many ERM practices focus on the
potential for risk to impact objectives, and hence performance
• The updated Framework presents a second consideration – how risk
relates to performance
• For instance, it explores the questions:
- Does the entity understand the risk it is taking when setting
performance targets
- Did the entity take enough risk to attain its target
- Has the entity performed as expected and achieved its target
- What risks are occurring that may be affecting performance

Relationship between ERM and Internal Controls

• Research suggested that Framework users agree that internal
control is an integral part of ERM, but are looking for a more
focused ERM document versus one that is “all inclusive”
• Unlike the 2004 Framework, aspects of internal control that are
common to both this publication and Internal Control—Integrated
Framework are not repeated in the updated Framework
• Where necessary, aspects of internal control are further developed
in the updated Framework
• These two frameworks are distinct from each other and provide a
different focus and neither supersedes the other

Focus on Value

• The 2004 Framework reflected an underlying premise that “every entity—whether for-profit,
not-for-profit, or governmental—exists to provide value for its stakeholders; further the value
of an entity is largely determined by the decisions that management makes—from overall
strategy decisions through to day-to-day decisions”
• Research suggests that this view continues to hold, but could be more prominent; hence, the
updated Framework enhances the focus on value – how entities create, preserve, and realize
value
• This approach to focusing on value is embedded throughout, as for instance value is:
- Now prominent in the core definition of ERM
- Discussed extensively in principles
- Linked directly to risk appetite and the ability to manage risk to acceptable levels

Staying Involved

The Framework will be in the public exposure period from June 15 until September 30. Here’s
what you can do during the exposure period to familiarize yourself with the draft Framework:
• Download the draft Framework and Executive Summary from
www.coso.org
• Read the FAQ for added insight
• Provide feedback using the online survey or in a comment letter
• Attend PwC’s ERM Framework Webcast
• Sign up for updates on the COSO framework at
www.pwc.com/coso-erm
• Reach out directly to PwC
