▪ COSO also saw the need for a broader framework that could provide the principles and key concepts, a common language, and clear direction and guidance for a more complete risk management process.
▪ COSO developed the "Enterprise Risk Management - Integrated Framework", which was published in 2004.
▪ COSO deliberately gave ERM a broad definition so that it can be applied across different organizations, industries and sectors.
COSO Standard Development Basis
• Benefits of ERM as identified by COSO:
✓ Aligning risk appetite and strategy
✓ Enhancing the quality of risk response decisions
✓ Reducing operational surprises and losses
✓ Identifying and managing risks that cut across the enterprise
✓ Seizing opportunities
✓ Improving the deployment of capital
• In the ERM framework, the internal control component "risk assessment" is expanded into four components: objective setting, event identification, risk assessment and risk response.
• Because ERM also encompasses the internal control framework, COSO believes that a company can adopt the ERM framework to meet its internal control needs and then move towards a more detailed risk management process.
Internal Control of COSO
Figure: the COSO internal control cube, with its three dimensions: purpose (objectives), organizational level, and components.
Components of COSO Standard
1. Internal environment – The internal environment encompasses the tone of an organization and sets the
basis for how risk is viewed and addressed.
2. Objective setting – Objectives must exist before management can identify potential events affecting their
achievement.
3. Event identification – Internal and external events affecting achievement of objectives must be
identified, distinguishing between risks and opportunities.
4. Risk assessment – Risks are analysed, considering likelihood and impact, as a basis for determining how
they should be managed.
5. Risk response – Management selects risk responses: avoiding, accepting, reducing, or sharing risk.
6. Control activities – Policies and procedures are established and implemented to help ensure the risk
responses are effectively carried out.
7. Information and communication – Relevant information is identified, captured, and communicated so
that people can fulfil their responsibilities.
8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as
necessary.
COMMITTEE OF SPONSORING ORGANIZATIONS (COSO): 2004
The company's objectives can be seen from four categories, namely:
1. Strategic
2. Operations
3. Compliance
4. Reporting
while the levels in the organization are:
1. Enterprise-level
2. Business Unit
3. Division
4. Subsidiary
COSO Standard Category (table; only the first row survives extraction)
Purpose: high-level goals, aligned with and supporting the entity's mission; Category: Strategic (Strategy)
Levels: Entity-level, Division, Business Unit, Subsidiary
Risk Management Framework in Corporations and Banks
Figure: ISO 31000:2009 architecture. The process elements shown are Communication & Consulting, Risk Identification, Risk Analysis, Risk Treatment, and Monitoring & Review.
Principles of Risk Management ISO 31000:2009
1. Creates value
2. An integral part of organizational processes
3. Part of decision-making
4. Explicitly addresses uncertainty
5. Systematic, structured and timely
6. Based on the best available information
7. Tailored to the organization
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement and enhancement of organizational performance
Risk Management Framework
ISO 31000:2009
Figure: the framework cycle, with the elements Mandate and commitment; Design of the framework for managing risk; Implementation of risk management; Monitoring and review of the framework; Continual improvement of the framework.
Risk Management Process
ISO 31000:2009
Figure: the process diagram, showing Determining (establishing) the context, Risk Identification, Risk Analysis and Risk Treatment, each surrounded by Monitoring & Review.
Comparison of Risk Management Standards
❖ The Australia/New Zealand standard AS/NZS 4360:2004 and the COSO Enterprise Risk Management framework both set out a systematic approach to managing risk in order to achieve an organization's goals.
❖ AS/NZS 4360:2004 applies to "all types of organizations", while COSO Enterprise Risk Management emphasizes "business organizations".
❖ The similarities and differences between the two standards influence how risk management is applied in an organization.
Comparison of Risk Management Standards
❖ Companies that have implemented the AS/NZS 4360:2004 risk management standard will find that its risk management process closely matches the one introduced by ISO 31000:2009.
❖ ISO 31000:2009 adopts the AS/NZS 4360:2004 risk
management process to support the framework it developed.
❖ ISO 31000 is a comprehensive risk management
implementation standard published by the International
Organization for Standardization (ISO) in 2009.
❖ ISO 31000:2009 is a standard that adopts and updates the COSO Risk Management Standard of 2004.
The advantages of ISO 31000 compared to COSO are:
1. ISO 31000 is fully compatible with COSO ERM,
2. ISO 31000 is more practical,
3. Easy to apply (less than 30 pages),
4. Can be applied to companies in all industries, whether large or small,
5. Clearer and more concrete wording and definitions,
6. Serves as a reference for other risk management standards,
7. There is no need to redesign existing management systems,
8. Can be applied at all levels of the company, for every type of risk, whether its impact is positive or negative,
9. Open to improvement as future risk management standards evolve.
Accounting
Faculty of Economics and Business