
Session 1

Traditional ERM Practices


Course Overview
- Our Introductions
- Your introduction- Canvas Discussion postings

- Course Overview: From Syllabus in Canvas


- Course Learning Objectives and Segmentation
- Assignment/ Evaluation/ Grading
- Communication expectations and protocol

Enterprise risk is in a state of flux; it's an exciting time to be here and work
towards becoming a risk manager.
Course Learning Objectives (From Syllabus)
L1: COSO
Understand and discuss the evolution of the COSO internal controls framework into an ERM framework. The purpose is to use the COSO framework to assess a
company's risk management practices and learn traditional ERM risk practices and terminology
Foundation and conception of COSO to COSO ERM
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L2: Evolution towards ERM
Evaluate a company’s risk profile and synthesize a blended approach to evolving them towards an enhanced ERM framework, practices, and terminology  
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L3: Introduction to ERM
Implement the COSO framework and the COSO ERM framework 
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L4: Basel
Implement the Basel Regulatory framework 
Homework readings: Basel Regulatory Framework, Pillar II
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L5: ISO
Implement the ISO 31000 framework and its component elements 
Graded Elements Demonstrating Your Ability in this: Class participation, Assignments, Quiz, Midterm and ERM Team Project & Presentation (Final)
L6: ERM Frameworks
Differentiate ERM frameworks, practices, and terminology from traditional silo risk management frameworks, practices, and terminology 
Graded Elements Demonstrating Your Ability in this: Case Study – ERM at Hydro One (A), Team project/presentation (Final)

Evaluation/ Grading (Syllabus)

The evaluation will be based on the following weights:

- Attendance, preparedness, participation in class discussions, postings in
  Canvas Discussions (Homework) and meeting ERM Presentation Milestones – 15%
- Quiz – 15%
- Individual Assignment 1 – 15%
- Individual Assignment 2 – 15%
- Midterm examination – 15%
- ERM Team Project & Presentation (Final) – 25% (15% Individual Grade;
  10% Group Grade)

Attendance Rubric- for Grading/ Eval
1. Class Attendance – 5%
   Be present physically throughout the class.
2. Preparedness and quality of class participation and discussions – 15%
   Position clearly stated and professionally delivered. Examples include Required Reading Material, Hydro case
   study and Risk Assessments (when lecturer picks select Homework posted in Canvas Discussion to discuss in
   class).
   Exhibit communication skills as taught in Strategic Communications, including the following:
   ● Face the audience at all times
   ● Project your voice so that the person on the last row can hear you clearly
   ● No reading from the slides/ paper
   ● Good posture
3. Quality of postings in Canvas Discussions (Homework) – 50%
   - Based on rubric, post in Canvas as homework, by the due date – 25%
   - Peer Feedback provided to associate on every team member's contribution – 25%
4. Meeting ERM Presentation Milestones – 30%
   - Provide email/ upload draft presentation as evidence per milestone – 10%
   - Between Milestones 2 and 5, meet at least once with the lecturer (during class or office hours) to share the draft
     presentation (make sure it's ready to be reviewed in PowerPoint form and not in bullets/ notes) and discuss
     your draft ERM presentation – 20%
   - Milestone 1: Select Team & Unique Company and inform/email Associate
   - Milestone 2: Risk Identification – as per rubric- document in slides to discuss in Office Hours by Appt
   - Milestone 3: Assess risk as per rubric with Inherent risk and control weakness- same as above
   - Milestone 4: Assess residual risk & propose corrective action to mitigate risks- same as above
   - Milestone 5: Recommend/ propose ERM program- Same as above

Total 100%
Agenda
• Overview: ERM Frameworks Origins and evolution
• COSO & its Frameworks
• COSO ERM Model- Old & New
• ISO 31000
• Basel
• Value-based ERM
• What is Internal Control
• Its Purpose
• Control Frameworks
• COSO Internal Controls and SOX
• COSO Internal Control Framework
• And its 17 Internal Control Principles

Group
Canvas Discussion- Internal Control#1: Continues in Session 2


Overview: Introduction to Frameworks


COSO Frameworks: 1) Internal Control 2) ERM

- 2013 COSO Internal Control Framework
- 2004 COSO ERM Integrated Framework
- 2017 COSO ERM - Integrating with Strategy and Performance

Both frameworks can be in use at a firm.
For example: Internal Control for SOX testing and ERM at Enterprise level.

Other Frameworks: ISO, BASEL, Value-based ERM

• ISO 31000:2018
• Basel Accord/ Framework is a set of standards of the Basel Committee on Banking Supervision
  (BCBS), global standard setter for internationally active banks.
• OCC Heightened Standards for large financial institutions
• Value-based ERM Framework (Out of scope of this course)


Financial regulators: Who are they?
Bank regulation is intended to maintain banks' solvency by avoiding
excessive risk through reserve and capital requirements etc.
• Federal and state regulators include: Federal Reserve Board (FRB),
  the Office of the Comptroller of the Currency (OCC), Federal Deposit
  Insurance Corporation (FDIC), New York State Dept. of Financial
  Services (NYS-DFS); SEC for Broker-dealers; Consumer Financial Protection
  Bureau (CFPB) etc.
• Consumer Regs include: Regulation P (Privacy), Bank Secrecy Act (BSA), USA PATRIOT Act, and Office of
  Foreign Assets Control (OFAC), California Consumer Privacy Act (CCPA), European General Data Protection
  Regulation (GDPR), Dodd-Frank Wall Street Reform Act, Securities Exchange Act, Health Insurance Act (HIPAA),
  Community Reinvestment Act (CRA); Home Mortgage Disclosure Act (HMDA), Equal Credit Opportunity Act, Truth
  in Lending Act, Loans to Insiders (Regulation O) and many others.

Important: Relevant federal and state laws, regulations, and regulatory
expectations/standards should be addressed in the firm's Policy.

What is Control?

Control is any action taken by management, the board & others
to manage risk and increase the likelihood that established
objectives/ goals will be achieved.

In short- ensure that the right things happen
-- and the wrong things don't.

Purpose of Internal Control

Execute activities and processes as intended

Who is Responsible for Internal Control?

Everyone in an organization has responsibility for internal control.

Senior Management sets the "tone at the top" that affects integrity, ethics and other factors
of a positive control environment.
Internal Control: Definition & Examples
Internal control is a process, effected by an entity's board of directors,
management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following
categories:
• Effectiveness and efficiency of operations;
• Reliability of financial reporting;
• Compliance with applicable laws and regulations; and
• Safeguarding of Assets.
Control Processes include:
• Policies and procedures
• Technology controls (access, authentication)
• Separation of duties
• Code of Ethics
• Supervision and monitoring
• Board Governance and oversight
• 2nd and 3rd line: Risk, Compliance and Audit
Figure Source: COSO textbook by Moeller, Pg. 2
Types of Controls with examples
1) Preventative Controls deter occurrence of unwanted events.
For example, most applications have checks and balances built in to avoid or minimize entering incorrect information. There is
also physical or administrative segregation of duties – trading and middle office operations.
– Assigning one person to write checks, and another staff member to authorize the payments, is segregation of duties that falls
under the umbrella of preventative controls from an administrative standpoint. Others, like video surveillance or posting
security guards at entry points verifying ID credentials and restricting access, are illustrative of physical safeguards.
– Training programs, drug testing, firewalls, computer and server backups are all types of preventative internal controls that
avoid asset loss and keep undesirable events from occurring.

2) Detective Controls alert the proper people after an unwanted event.
For example, internal audit, credit review/approval, reconciliations, financial reporting, financial statements, and physical
inventories.

3) Corrective Controls correct the negative effects of unwanted events.
For example, disciplinary action, reports filed, software patches or modifications, and new policies prohibiting practices such as
employee tailgating.

What is a Control Framework?
Provides means to ensure all relevant aspects of controls are covered.
In the US, widely used control frameworks (standards) are:
• Committee of Sponsoring Organizations (COSO) – Control Framework & ERM Framework
• International Organization for Standardization (ISO) Framework – to be covered later

There are banking regulatory requirements and guidelines:
• Basel banking regulatory requirements – to be covered later
• OCC Heightened Standards for Large Financial Institutions – guidelines to strengthen
  governance and risk management practices – to be covered later

Also, there is risk management guidance (standards) specific to certain risk types,
some of which is recommended by regulators (FRB, FDIC, OCC etc.):
• Model Risk: SR 11-7 by FRB or FIL-22-2017 by FDIC
• IT/ IS example: Control Objectives for Information and Related Technology (COBIT) and National Institute of Standards and
  Technology (NIST) for Cybersecurity
• Vendor risk by OCC (2013-19)

Committee of Sponsoring Organizations (COSO)
• COSO was organized in 1985 to sponsor the National Commission on
  Fraudulent Financial Reporting, a private-sector initiative that studied the
  causal factors that can lead to fraudulent financial reporting.
• Over the years, COSO has published several frameworks, which have been
  revised to address the changing risk landscape.
• In this course, we will cover two COSO frameworks, both of which are
  considered new or revised as they replaced the older versions:
  1) 2013 COSO Internal Control and
  2) COSO ERM Framework (old is 2004 and new is 2017)

The only difference between old and new is the introduction of certain new
concepts to address the changing risk landscape. For example, in the new COSO
ERM, the concept of embedding risk in strategic planning was introduced.
COSO Internal Control & Sarbanes-Oxley (SOX)
• Designed to remove fraudulent business practices (Enron, Tyco, WorldCom)
• SOX became law in 2002 to protect the public from fraudulent or erroneous
  practices and increase transparency in financial reporting.
• The SOX Internal Control Report holds management responsible for an adequate
  internal control structure for their financial records.
• SOX requires consistent enforcement of data security to protect from data theft
  by insider threat or cyberattack, both within the firm and across third-party
  vendors.
• The SOX team generally resides in the Risk group, and their SOX testing work is
  reviewed/ utilized by External Auditors for the annual financial reporting process.
Let us introduce how the COSO Internal Control framework is used for annual SOX compliance testing,
in which the company's management assesses internal controls over financial reporting.
The process includes documenting a Risk Control Matrix for each key process, identifying the risks and controls.
Documenting Risk Control Matrix (SOX)
1. Identify the scope of a process.
2. Review existing documentation (policy, procedures) and conduct interviews.
3. Identify risks, controls, and gaps of existing processes and document them using a process flow and Risk Control Matrix.

A) Develop current-state process narratives or flowcharts, including:
• Basic flow of transactions from initiation to completion
• Personnel involved in the process flow
• Controls performed as part of the process flow, as well as the personnel responsible for performing controls versus those
  responsible for reviewing control performance
• Systems used in the process and reports generated by these systems
• Segregation of duties, whether manual or automated

B) Develop a risk and control matrix (see next slide) that identifies all internal controls in the process, in addition to specific
descriptions and category attributes related to each control:
• Control number (unique identifier); Control description; Objective of control
• Risk associated with objective of control
• Frequency of control (usage); Control owner (role/title)
• Key or non-key control type; IT or manual control type
• Preventive or detective control type; Fraud or non-fraud control type
• COSO principle (related to control); Financial statement assertion (related to control)

C) Finally, risk rate each control using an Impact and Likelihood scale to establish its Inherent risk rating and the key controls to be tested.
Since not all controls can be tested every time, a risk-based approach is taken to sample key high- to medium-risk controls.

Source: COSO.org
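As an added illustration of steps B and C (example code written for this page, not from COSO or the course materials), the following Python builds a small Risk Control Matrix with the attributes listed above, rates inherent risk as Impact x Likelihood, and selects the key controls to test. The 1-5 scales, the High/Medium/Low bands and the sample disbursements process are assumptions.

```python
"""Added example: a tiny SOX-style Risk Control Matrix (RCM) with an
Impact x Likelihood inherent-risk rating and a risk-based test sample.
Assumed (not from the slides): 1-5 scales; High >= 15, Medium >= 8."""
from dataclasses import dataclass

IMPACT_SCALE = range(1, 6)      # assumed 1 (minor) .. 5 (severe)
LIKELIHOOD_SCALE = range(1, 6)  # assumed 1 (rare) .. 5 (almost certain)

@dataclass(frozen=True)
class Control:
    control_id: str          # unique identifier
    description: str
    objective: str
    risk: str                # risk associated with the control objective
    frequency: str           # e.g. "per transaction", "monthly"
    owner: str               # role/title, not a named person
    key: bool                # key or non-key control
    it_control: bool         # IT (automated) or manual
    nature: str              # "preventive", "detective" or "corrective"
    fraud_related: bool
    coso_principle: int      # 1..17
    fs_assertion: str        # e.g. "existence", "completeness"
    impact: int              # assumed 1..5
    likelihood: int          # assumed 1..5

def inherent_risk_score(c: Control) -> int:
    if c.impact not in IMPACT_SCALE or c.likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"{c.control_id}: impact/likelihood must be 1..5")
    return c.impact * c.likelihood

def inherent_risk_rating(c: Control) -> str:
    score = inherent_risk_score(c)
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def select_for_testing(rcm):
    """Risk-based sample: key controls rated High or Medium, highest risk first."""
    chosen = [c for c in rcm if c.key and inherent_risk_rating(c) != "Low"]
    return sorted(chosen, key=inherent_risk_score, reverse=True)

# Constructed sample RCM for a disbursements process (illustrative values only).
RCM = [
    Control("AP-01", "Check preparer cannot approve payments (system role split)",
            "Only authorized payments are released", "Unauthorized/fictitious payments",
            "per transaction", "AP Manager", True, True, "preventive", True, 3,
            "occurrence", 5, 3),
    Control("AP-02", "Monthly bank reconciliation reviewed by Controller",
            "Cash balance is complete and accurate", "Misstated cash balance",
            "monthly", "Controller", True, False, "detective", False, 10,
            "completeness", 4, 2),
    Control("AP-03", "Vendor master changes logged and reviewed quarterly",
            "Vendor data is valid", "Payments to invalid vendors",
            "quarterly", "Procurement Lead", False, True, "detective", True, 11,
            "existence", 3, 3),
    Control("AP-04", "Office supply spend reviewed annually",
            "Discretionary spend is reasonable", "Minor overspend",
            "annual", "Office Manager", True, False, "detective", False, 10,
            "accuracy", 1, 2),
]

if __name__ == "__main__":
    for c in RCM:
        print(c.control_id, c.nature, inherent_risk_rating(c), "key" if c.key else "non-key")
    print("Test sample:", [c.control_id for c in select_for_testing(RCM)])
```

AP-03 is rated Medium but is a non-key control, so it drops out of the sample; AP-04 is key but Low, so it drops out too.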
Sample Process: Risk Control Matrix (SOX)

Source: Office of Internal Auditor


SOX Act Highlights
SOX established standards of accountability for Public Accounting
firms (External Auditors) and Senior Management.

Major Highlights include:
• Requires the CEO & CFO to “certify” their periodic financial reports
• Required External auditors to rotate engagements every 5 years
• Established Audit Committee Independence
• Annual Management Assessment of Internal Controls
• Enhanced financial disclosures of “material weakness”
• Established prohibitions of certain actions by Officers and Directors
COSO Internal control Framework (2013)

[Figure: the COSO cube. Top face: Risk Management Objectives; front face: Risk Components; right side: Entity & Unit Level Components.]

Source: https://www.coso.org
Relationship between 3 sides of cube:
Objectives, Components and the Entity

- Objective (top): What an entity desires to achieve – 1) Operations, 2) Reporting, 3) Compliance
- Component (front): What is required to achieve the Objective – see circular depiction in next slide
- Entity (side): Operating and Structure for entire entity/structure – Internal Control is adaptable (head office,
  legal subsidiary, division, operating unit/business process)

Effective system of internal control
Per COSO, an effective system of internal control requires:
– Each of the five components of internal control and relevant
  principles to be present and functioning
– The five components to be operating together in an
  integrated manner

[Figure: circular depiction of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
Objectives & Operations: Top of the cube

[Figure: top face of the COSO cube, labelled Risk Management Objectives]

● Operations
○ Meets its business objectives
○ Efficient and effective
○ Control environment supports business objectives
● Reporting
○ Stakeholder reporting
○ Accuracy of financial and business reports
○ Disclosure of material control weakness and opportunities
● Compliance
○ Complies with internal and external requirements
○ Process to ensure good operations (IT, Operations, External customers, etc.)
○ Appropriate for the risk profile of the firm

Source: COSO Internal Control: Integrated Framework


Business Unit/Entity Level: Right Side of the cube

[Figure: right side of the COSO cube, labelled Entity & Unit Level Components]

● Cover every aspect of the business
○ Risk profile that varies by its various operations
● External business partners can pose significant risks
● Legal risks can materialize from operations (products,
  services, etc.)
● Employee behavior & decision-making is a primary cause of risks
○ Senior executives to the "so-called" Insider Threat (Edward Snowden effect)
● Interdependencies Risk
○ Value chain in and across an organization
○ Shared data
○ IT controls
○ Key man/woman or processes (Single point-of-failure)

Source: COSO Internal Control: Integrated Framework


Internal Control components: Front of the cube

[Figure: front face of the COSO cube, labelled Risk Components]

● Control Environment – for every part of the firm
  Culture, Policies, Procedures, Risk Appetite, Board/ Mgmt. Oversight
● Risk Assessment – Process needed to evaluate risks
  Risk & Control Self-Assessments & Quantitative analysis
● Internal Control Activities – Adequate for the risks
  Primary, Secondary, Tertiary (Detect, Correct, Prevent, & Mitigate)
● Information & Communications – Reporting & Awareness
  Dashboards, Reports, Training & Awareness programs, "Tone at the Top"
● Monitoring Activities – Audits, Checklists, Automated controls
  Operations are efficient and mitigate material weakness

Source: COSO Internal Control: Integrated Framework


COSO's 17 Internal Control principles- Front Cube
• Control Environment
  1. Integrity & Ethical values
  2. Independent Board Oversight
  3. Separation of duties, accountability
  4. Competent people
  5. Internal control accountability
• Risk Assessment
  6. Clear objectives
  7. Risk to Business Objectives
  8. Fraud prevention
  9. Change = Risks
• Control Activities
  10. Control design
  11. IT General controls
  12. Policies & Procedures
• Information & Communications
  13. Quality of communications/Insights
  14. Clearly articulated internal communications
  15. Clearly articulated external communications
• Monitoring Activities
  16. Continuous monitoring of controls
  17. Evaluations of material weakness

Source: COSO Internal Control: Integrated Framework


Root Cause Analysis- Five WHYs
Root Cause: Main cause of the incident; without the root cause the incident would not have occurred; controlling the root cause eliminates
the problem.

Five whys (or 5 whys) – Originally developed by Toyota in the 1930s.
The primary goal of the technique is to determine the root cause of a defect or problem by repeating the question "Why?".
Each answer forms the basis of the next question. An example of a problem is: The vehicle will not start.
1. Why? – The battery is dead. (First why)
2. Why? – The alternator is not functioning. (Second why)
3. Why? – The alternator belt has broken. (Third why)
4. Why? – The alternator belt was well beyond its useful service life and not replaced. (4th why)
5. Why? – The vehicle was not maintained according to the recommended service schedule. (5th why, a root cause)

Technique to perform a five whys analysis: fishbone (or Ishikawa) diagram
• visual brainstorming tool that allows you to see all causes simultaneously
• helps to quickly identify if the same root cause is found multiple times
• It was used in the development of the MX5 sports car

Source: Wikipedia
Sinking of Titanic
Define the problem >> Analyze the causes >> Select the best solutions.

https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf

Why did the Titanic sink?

Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf

Why did the Titanic sink?
• The important distinction between what DID happen and what COULD happen.
• How a thorough analysis of what DID happen is essential for effective risk management.

Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Bow Tie / Root Cause: Titanic Example
For Root Cause analysis, start with the risk event or end event (in red here: loss) and work your way
to the left (by asking "why?" repeatedly) until you reach the risk factors (in blue and green here).

[Bow tie diagram; nodes recovered from the slide, read left to right:]
- Risk Factors (Blues: Trigger events - root causes; Greens: Conditions - root causes): Too far North; Speed;
  Rudder was too small; Lookouts saw iceberg late; Turn was ineffective; Weak rivets; Insufficient lifeboats;
  Nearest ships too far
- Risk Event (Red): Titanic hits iceberg; Hull plates pulled apart; Water filled hull; Titanic sank
- Consequences and end event/ loss (Yellows): People in cold water; Hypothermia, drowning; 1500 people died

Solutions that may have reduced the risk of Titanic sinking
Reducing Risk
A combination of solutions produces a Cumulative Reduction in RISK.

Source: https://www.thinkreliability.com/wp-content/uploads/2016/06/CM-Titanic.pdf
Group CANVAS Homework #1
Form Groups of 4-5 students each.

Please use the remaining time to collaborate with your team, and post in Canvas (Homework) as a team, prior
to Session 3 - see details on next slide.

Please review the rubric and post your questions and concerns in Canvas Discussion (assigned for this Assignment 1).

We will share good sample homework/s in class in the coming sessions.
Group
Canvas Discussion- Internal Control#1
Assess a recent, unique risk event in the news (no duplicates, first come first
served basis), identify the root cause driver/s of the risk and the risk type/s, and
determine what internal controls (using COSO 2013-17 principles) need to be
strengthened or introduced to mitigate the risk.
1) Each Group should post as per the below requirements to the discussion thread.
2) In addition, review and provide feedback on at least one discussion post.

In the Title, provide News Topic/ Company Name
• Provide names of group members. Be prepared to summarize in class, if
  asked.
• Provide a two- to three-line description of the risk event. (Describe who, what,
  when, why, how, and root cause)
• Identify at least two (or more) risk types/ threat sources.
• Use COSO's 17 Internal Control principles, and identify at least three
  Internal Controls that were lacking/absent or weak that may have led to
  vulnerabilities being exploited and the risk being realized.

Appendix
