
ACCOUNTING

FACULTY OF ECONOMICS AND BUSINESS

COMPARISON OF RISK MANAGEMENT STANDARDS


Prof. Rizal Yaya, S.E., M.Sc., Ph.D., Ak, CA. CRP.
RISK MANAGEMENT DEVELOPMENT
COSO
• COSO : Committee of Sponsoring Organizations of the Treadway Commission: an initiative of the
private sector established in 1985.
• Its main purpose is to identify the factors that lead to fraudulent financial reporting
and make recommendations to reduce such events.
• COSO has compiled a general definition of control, standards, and internal criteria that
companies can use to assess their control systems.
• COSO is sponsored and funded by 5 professional accounting associations and
institutions; American Institute of Certified Public Accountants (AICPA), American Accounting
Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) and
The Institute of Management Accountants (IMA)
• COSO deliberately developed a broad definition for ERM so that it could be applied across a wide
range of organizations, industries and sectors.
COSO Standards

▪ COSO also sees the need for a broader framework that can provide the
principles of key concepts, a common language, direction and clear guidelines
for a more complete risk management process.
▪ COSO developed "Enterprise Risk Management – Integrated Framework",
which was published in 2004.
▪ COSO deliberately developed a broad definition for ERM so that it can be
applied across a wide range of organizations, industries and sectors.
COSO Standard Development Basis
• ERM capabilities identified by COSO:
✓ Aligning risk appetite and strategy
✓ Improving the quality of risk-related decisions
✓ Reducing operational surprises and losses
✓ Identifying and managing multiple cross-enterprise risks
✓ Seizing opportunities
✓ Improving the deployment of capital
• In the ERM framework, the internal control risk assessment is divided into: objective setting, event
identification, risk assessment and risk response.
• Because the ERM framework also encompasses internal control, COSO believes that a company can
decide to adopt the ERM framework to meet its internal control needs and move towards a more
detailed risk management process.
Internal Control of COSO
Figure: the COSO internal control cube, whose three axes are the internal control purpose (objectives), the organizational level and the control component.
Components of COSO Standard
1. Internal environment – The internal environment encompasses the tone of an organization and sets the
basis for how risk is viewed and addressed.
2. Objective setting – Objectives must exist before management can identify potential events affecting their
achievement.
3. Event identification – Internal and external events affecting achievement of objectives must be
identified, distinguishing between risks and opportunities.
4. Risk assessment – Risks are analysed, considering likelihood and impact, as a basis for determining how
they should be managed.
5. Risk response – Management selects risk responses: avoiding, accepting, reducing, or sharing risk.
6. Control activities – Policies and procedures are established and implemented to help ensure the risk
responses are effectively carried out.
7. Information and communication – Relevant information is identified, captured, and communicated so
that people can fulfil their responsibilities.
8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as
necessary.
COMMITTEE OF SPONSORING ORGANIZATIONS (COSO): 2004

The company's objectives can be seen from four categories, namely:
1. Strategic
2. Operations
3. Compliance
4. Reporting
The levels in the organization are:
1. Enterprise-level
2. Business Unit
3. Division
4. Subsidiary
COSO Standard Categories
• Strategy: high-level goals, aligned with and supporting the organization's mission
• Operations: effective and efficient use of the organization's resources
• Reporting: reliability of reporting
• Compliance: compliance with applicable laws and regulations
COSO levels in an organization
• Entity level
• Division
• Business Unit
• Subsidiary
Risk Management Framework in Corporations and Banks

▪ The risk management function was originally established as a control function.
▪ The definition, interpretation and implementation of ERM can vary between corporations and
banks.
▪ The first component of the ERM framework is a clearly defined culture of management control and
supervision.
▪ The Board of Directors and senior management emphasize the philosophy of risk
management and control, which sets the 'tone'.
▪ Risk appetite and the risk management culture are set by the directors and senior management.
▪ Risk is defined to include all risks faced.
▪ Risk is considered on a portfolio-wide basis – all types of risk and all business units.
Australia/New Zealand (AS/NZS) Standard 4360: 2004

Risk Management Process (figure: the sequential steps, with Communication & Consulting and Monitoring & Review running alongside every step)
1. Determining context
2. Risk Identification
3. Risk Analysis
4. Risk Treatment
Continuous activities: Communication & Consulting; Monitoring & Review
ISO 31000:2009 architecture
Principles of Risk Management ISO 31000: 2009

1. Creates value
2. Integral part of organizational processes
3. Part of decision-making
4. Explicitly addresses uncertainty
5. Systematic, structured and timely
6. Based on the best available information
7. Tailored to the organization
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continuous improvement and enhancement
of organizational performance
Risk Management Framework
ISO 31000: 2009 (figure: the framework cycle)
1. Mandate and Commitment
2. Design a framework for managing risk
3. Implementation of risk management
4. Monitoring and reviewing the framework
5. Continuous improvement of the framework (feeding back into the design step)
Risk Management Process
ISO 31000: 2009 (figure: the process steps, with Communication & Consulting and Monitoring & Review alongside every step)
1. Determining context
2. Risk Identification
3. Risk Analysis
4. Risk Treatment
Continuous activities: Communication & Consulting; Monitoring & Review
Comparison of Risk Management Standards
❖ The Australia/New Zealand AS/NZS 4360:2004 and COSO
Enterprise Risk Management standards are standards that
set a systematic approach to managing risk to achieve goals
for an organisation.
❖ AS/NZS Standard 4360:2004 applies to "all types of
organizations", while COSO Enterprise Risk Management
emphasizes "business organizations".
❖ The similarities and differences between the two standards
have different influences on the application of risk
management in an organization.
Comparison of Risk Management Standards
❖ Companies that have implemented the AS/NZS 4360:2004
risk management standard will find that its risk management
process is similar to the one introduced by ISO 31000:2009.
❖ ISO 31000:2009 adopts the AS/NZS 4360:2004 risk
management process to support the framework it developed.
❖ ISO 31000 is a comprehensive risk management
implementation standard published by the International
Organization for Standardization (ISO) in 2009.
❖ ISO 31000:2009 is a standard that adopts and updates the
COSO Risk Management Standard: 2004.
The advantages of ISO 31000 compared to COSO are:
1. ISO 31000 is fully compliant with COSO ERM,
2. ISO 31000 is more practical,
3. Easy to apply (less than 30 pages),
4. Can be applied to companies from all industries, whether large
companies or small companies,
5. Clearer and more concrete wording and definitions,
6. Serves as a reference for risk management standards,
7. There is no need to redesign existing management systems,
8. Can be applied at all levels in the company for every type of risk,
whether with positive or negative impact,
9. Open to improvements in future risk management standards.