Enterprise risk is in a state of flux; it's an exciting time to be here and work towards becoming a risk manager.
Course Learning Objectives (From Syllabus)
L1: COSO
Understand and discuss the evolution of the COSO internal controls framework into an ERM framework. The purpose is to use the COSO framework to assess a company's risk management practices and to learn traditional ERM risk practices and terminology.
Foundation and conception of COSO to COSO ERM
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L2: Evolution towards ERM
Evaluate a company’s risk profile and synthesize a blended approach to evolving them towards an enhanced ERM framework, practices, and terminology
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L3: Introduction to ERM
Implement the COSO framework and the COSO ERM framework
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L4: Basel
Implement the Basel Regulatory framework
Homework readings: Basel Regulatory Framework, Pillar II
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L5: ISO
Implement the ISO 31000 framework and its component elements
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L6: ERM Frameworks
Differentiate ERM frameworks, practices, and terminology from traditional silo risk management frameworks, practices, and terminology
Graded Elements Demonstrating Your Ability in this: Case Study – ERM at Hydro One (A), Team project/presentation (Final)
Evaluation/ Grading (Syllabus)
Attendance Rubric - for Grading/ Eval
Criteria, description and weight (%):
1. Class Attendance (5%): Be present physically throughout the class.
2. Preparedness and quality of class participation and discussions (15%): Position clearly stated and professionally delivered. Examples include Required Ready Material, Hydro case study and Risk Assessments (when the lecturer picks select homework posted in the Canvas Discussion to discuss in class). Exhibit communication skills as taught in Strategic Communications, including the following:
● Face the audience at all times
● Project your voice so that the person in the last row can hear you clearly
● No reading from the slides/ paper
● Good posture
3. Quality of postings in Canvas Discussions + Peer Feedback (Homework) (50%, 25% each): Based on the rubric, post in Canvas as homework by the due date. Peer feedback provided to the associate on every team member's contribution.
4. Meeting ERM Presentation Milestones (30%): Provide email/ upload draft presentation as evidence per milestone (10%). Between Milestones 2 and 5, meet at least once with the lecturer (during class or office hours) to share the draft presentation (make sure it is ready to be reviewed in PowerPoint form and not in bullets/ notes) and discuss your draft ERM presentation (20%).
- Milestone 1: Select Team & Unique Company and inform/email Associate
- Milestone 2: Risk Identification - as per rubric - document in slides to discuss in Office Hours by Appt
- Milestone 3: Assess risk as per rubric with Inherent risk and control weakness - same as above
- Milestone 4: Assess residual risk & propose corrective action to mitigate risks - same as above
- Milestone 5: Recommend/ propose ERM program - same as above
Total 100%
Agenda
• Overview: ERM Frameworks Origins and evolution
• COSO & its Frameworks
• COSO ERM Model- Old & New
• ISO 31000
• Basel
• Value-based ERM
• What is Internal Control
• Its Purpose
• Control Frameworks
• COSO Internal Controls and SOX
• COSO Internal Control Framework
• And its 17 Internal Control Principles
Group Canvas Discussion - Internal Control #1: Continues in Session 2
COSO & its Frameworks: 2004 COSO ERM Integrated Framework; 2013 COSO Internal Control Framework
Other Frameworks: ISO, BASEL, Value-based ERM
What is Control?
Who is Responsible for Internal Control?
What is a Control Framework?
Provides a means to ensure all relevant aspects of controls are covered.
In the US, widely used control frameworks (standards) are:
• Committee of Sponsoring Organizations (COSO) - Control Framework & ERM Framework
• International Organization for Standardization (ISO) Framework - to be covered later
There is also risk management guidance (standards) specific to certain risk types, some of which is recommended by regulators (FRB, FDIC, OCC etc.):
• Model Risk (SR 11-7) by FRB or FIL-22-2017 by FDIC
• IT/ IS example: Control Objectives for Information and Related Technology (COBIT) and National Institute of Standards and Technology (NIST) for Cybersecurity
• Vendor risk by OCC (2013-19)
Committee of Sponsoring Organizations (COSO)
• COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, a private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting.
• Over the years, COSO has published several frameworks, which have been revised to address the changing risk landscape.
• In this course, we will cover two COSO frameworks, both of which are considered new or revised as they replaced the older versions:
1) 2013 COSO Internal Control and
2) COSO ERM Framework (old is 2004 and new is 2017)
The only difference between old and new is the introduction of certain new concepts to address the changing risk landscape. For example, in the new COSO ERM framework, the concept of embedding risk in strategic planning was introduced.
COSO Internal Control & Sarbanes-Oxley (SOX)
• Designed to remove fraudulent business practices (Enron, Tyco, Worldcom)
• SOX became law in 2002 to protect the public from fraudulent or erroneous practices and to increase transparency in financial reporting.
B) Develop a risk and control matrix (see next slide) that identifies all internal controls in the process, together with a specific description and category attributes for each control:
• Control number (unique identifier); Control description; Objective of control
• Risk associated with objective of control
• Frequency of control (usage); Control owner (role/title)
• Key or non- key control type; IT or manual control type
• Preventive or detective control type; Fraud or non-fraud control type
• COSO principle (related to control); Financial statement assertion (related to control)
C) Finally, risk-rate each control using an impact and likelihood scale to establish its inherent risk rating and the key controls to be tested.
Since not all controls can be tested every time, a risk-based approach is taken to sample key high- to medium-risk controls.
Source: COSO.org
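The following is an added example, not part of the slides or COSO's material: it models one row of the risk and control matrix with the attributes listed above, derives an inherent risk rating from impact and likelihood, and applies the risk-based sampling rule (key controls rated high or medium). The three-level scale, the score thresholds and the sample journal-entry controls are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal impact/likelihood scale assumed for illustration; the slides name the
# scales but do not give their values.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Control:
    control_id: str        # unique identifier
    description: str
    objective: str         # objective of the control
    risk: str              # risk associated with the control objective
    frequency: str         # how often the control operates
    owner: str             # role/title of the control owner
    key: bool              # key vs non-key control
    it_control: bool       # IT vs manual control
    preventive: bool       # preventive vs detective control
    fraud: bool            # fraud vs non-fraud control
    coso_principle: int    # related COSO principle (1-17)
    assertion: str         # related financial statement assertion
    impact: str            # rating on the impact scale
    likelihood: str        # rating on the likelihood scale

def inherent_risk_rating(impact: str, likelihood: str) -> str:
    """Combine impact and likelihood into an inherent risk rating (assumed thresholds)."""
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def controls_to_test(matrix: list[Control]) -> list[str]:
    """Risk-based sample: key controls whose inherent risk is High or Medium."""
    return [c.control_id for c in matrix
            if c.key and inherent_risk_rating(c.impact, c.likelihood) != "Low"]

# Constructed sample matrix for a hypothetical journal-entry process.
SAMPLE_MATRIX = [
    Control("C-01", "Second-person approval of manual journal entries", "Only valid entries post",
            "Unauthorized entries", "Daily", "GL Accountant", True, False, True, True, 10, "Existence", "High", "Medium"),
    Control("C-02", "Quarterly review of chart-of-accounts changes", "Accounts correctly classified",
            "Misclassified balances", "Quarterly", "Controller", True, False, False, False, 10, "Presentation", "Low", "Low"),
    Control("C-03", "ERP enforces segregation of duties", "No user both creates and approves",
            "Fraudulent entries", "Continuous", "IT Security Lead", False, True, True, True, 11, "Occurrence", "High", "High"),
    Control("C-04", "Supervisor reviews monthly bank reconciliation", "Cash balances accurate",
            "Unrecorded cash transactions", "Monthly", "Treasury Manager", True, False, False, False, 13, "Completeness", "Medium", "Medium"),
]
```

Note that C-03 is rated High but is excluded from the sample because it is flagged as a non-key control; the sampling rule applies both criteria.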
Sample Process: Risk Control Matrix (SOX)
[COSO cube figure: Risk Management Objectives (top face), Entity & Unit Level Components (side face), Risk Components (front face)]
Source: https://www.coso.org
Relationship between 3 sides of cube:
Objectives, Components and the Entity
Effective system of internal control
Per COSO, an effective system of internal control requires:
– Each of the five components of internal control and relevant principles to be present and functioning
– The five components to be operating together in an integrated manner
[Figure: the five components, including Control Environment, Control Activities, and Information & Communication]
Objectives & Operations: Top of the cube
[Cube figure: Risk Management Objectives]
● Operations
○ Meets its business objectives
○ Efficient and effective
○ Control environment supports business objectives
● Reporting
○ Stakeholder reporting
○ Accuracy of financial and business reports
○ Disclosure of material control weakness and opportunities
● Compliance
○ Complies with internal and external requirements
○ Process to ensure good operations (IT, Operations, External customers, etc.)
○ Appropriate for the risk profile of the firm
Entity & Unit Level Components
● Cover every aspect of the business
○ Risk profile that varies by its various operations
● External business partners can pose significant risks
● Legal risks can materialize from operations (products, services, etc.)
● Employee behavior & decision-making is a primary cause of risks
○ Senior executives to the “so-called” Insider Threat (Edward Snowden effect)
● Interdependencies Risk
○ Value chain in and across an organization
○ Shared data
○ IT controls
○ Key man/woman or processes (Single point-of-failure)
Risk Components
● Control Environment - for every part of the firm
Culture, Policies, Procedures, Risk Appetite, Board/ Mgmt. Oversight
● Risk Assessment – Process needed to evaluate risks
Risk & Control Self-Assessments & Quantitative analysis
● Internal Control Activities – Adequate for the risks
Primary, Secondary, Tertiary (Detect, Correct, Prevent, & Mitigate)
● Information & Communications – Reporting & Awareness
Dashboards, Reports, Training & Awareness programs, “Tone at the Top”
● Monitoring Activities – Audits, Checklists, Automated controls
Operations are efficient and mitigate material weakness
Source: Wikipedia
Sinking of Titanic
Define the problem >> Analyze the causes >> Select the best solutions.
https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Why did the Titanic sink?
Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Why did the Titanic sink?
• The important distinction between what DID happen and what COULD happen.
• How a thorough analysis of what DID happen is essential for effective risk management.
Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Bow Tie / Root Cause: Titanic Example
[Bow-tie figure: risk factor "Too far North" leads to risk event "Titanic hits iceberg"]
For root cause analysis, start with the risk event or end event (in red here: loss) and work your way to the left (by repeatedly asking why) until you reach the risk factors (in blue and green here).
Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Group CANVAS Homework #1
Form Groups of 4-5 students each.
Appendix