
www.pwc.com

COSO Enterprise Risk Management Framework – Integrating Strategy and Performance

November, 2017
Agenda

1 Introducing COSO – Who is COSO and what is the COSO ERM Framework?
2 Why update the Framework now? – What prompted the update? What was the feedback received during public comment?
3 What has changed? – How does this compare to the 2004 COSO ERM Framework and why were changes introduced?
4 What does it mean for you? – What does the new Framework mean for you and your organization?
5 More information – How to obtain a copy of the new Framework and obtain more information

“COSO recognizes the growing expectation of organizations to manage, in an integrated and cohesive manner, risks emanating from across an enterprise.”

Robert B. Hirth Jr., COSO Chair, August 2017
PwC | COSO Enterprise Risk Management – Integrating Strategy and Performance 2

Introducing COSO

COSO’s 2004 Enterprise Risk Management – Integrated Framework is one of the world’s most widely used risk management frameworks. www.coso.org

COSO and PwC have collaborated on frameworks and publications for 25 years (ERM Framework publications: 2004 and 2017).

Other COSO publications authored by PwC:
• 2013 Internal Control – Integrated Framework
• 2013 Internal Control – Integrated Framework Executive Summary
• 2012 Understanding and Communicating Risk Appetite
• 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies
• 1992 Internal Control – Integrated Framework


What prompted the Framework update?
CEO confidence is rising, but so are their expectations of risk management…

Leaders are looking to ERM to give them greater confidence in managing the risks to the achievement of their strategy and business objectives.

[Chart: CEO confidence, 2004–2017, two series: “Global economic growth (improve)” and “Confidence next 12 months (very confident)”; percentage values not reproduced here.]

Notable CEO comments:
“Risk needs to help me look around corners.”
“It’s nice that we have a risk register… but so what?”
“There has to be more value we can get from risk than just a compliance program.”

Source: 2017 PwC 20th Annual CEO Survey


COSO ERM Discussion August 2017
PwC 6
At the same time, many Boards are not receiving the information they need

Over 60% of Boards do not receive updates at every meeting on the amount of risk the company is taking… Yet this represents the biggest area of personal liability… Risk needs to step up to this challenge.

Question: How often does your board get updates and reports from management on: [chart not reproduced]

Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.

Boards recognize that there are opportunities for ERM to add greater value

Question: How well do you believe management performs the following activities: [chart not reproduced]

Source: PwC, 2016 Annual Corporate Directors Survey, October 2016.

So what are risk and business professionals saying?

• “I want to reduce performance variability and respond more quickly to opportunities.”
• “As an innovative company, I want to use risk to create value and not only to protect value.”
• “I want an ERM Framework that drives improvements to business functions beyond risk avoidance.”
• “I need insights that help me understand risks and opportunities and evaluate strategic options.”
• “When I develop my strategy, I want to have a full picture of the potential risks and the capabilities I need to create advantage.”

Why update the ERM framework now?

• Boards are expecting more from their organization’s ERM practices and capabilities
• Stakeholders are seeking greater transparency and accountability
• Business environments are increasingly complex, technologically driven, and global
• There is a need to incorporate lessons learned from recent events and the bar is rising
• Risk professionals are looking for a more up-to-date resource describing ERM concepts
• The range of ERM practices continues to evolve

Since 2004, the market has continued to evolve and the COSO Framework is evolving with it.


What’s changed?

A new framework with global input

As part of the drafting process, the Framework was made publicly available for review and comment between June and September, 2016.

1 Website visits – Over 24,000 website visits, over 2 million impressions
2 Global interest – 46% of the downloads outside of the US
3 Entity interest – Equal interest by private & public companies
4 Engagement – Widespread interest across industry

Key highlights from feedback received

Feedback received was reviewed by the project team and informed the final updates to the Framework prior to publication.

Letters and Surveys
• 2,000 individual comments
• 217 online surveys submitted
• 47 comment letters received
• All comments reviewed by the PwC Project Team and categorized according to nature (e.g., conceptual, editorial, commentary etc.)

Comments Themes
• Encouraging breadth of themes addressed in comments
• Comments covered every section of the draft Framework
• Relatively consistent volume of feedback compared to other COSO Framework projects

Feedback
• Positive ratings outnumbered negative comments by 4.5:1
• Comments ranged from highlighting conceptual differences, requests for clarity and suggested editorial changes
Introducing the 10 key changes to the 2017 Framework

• A new framework structure – five components and twenty principles that align to the business lifecycle, making the risk conversation more intuitive for you
• A focus on integrating risk management – linking risk with strategy setting and day-to-day activities, helping you to use ERM principles to support the creation, realization, and preservation of value
• Written from the perspective of the business – risk management concepts are discussed in terms of helping an organization create value, enabling you to realize true benefits from ERM
• Explores management of risk at all altitudes of the organization – from entity level through to procedural level risks, making ERM more than just an isolated view of risk in the business
• Greater emphasis on culture – reflecting the changing demands and expectations of today’s markets, helping your organization make responsible risk decisions
• Explores the different benefits of ERM – from loss mitigation through to strategic advisor and how they inform the design of a Framework
• Suite of new graphics – highlighting the relationships between risk, strategy, and performance
• Deeper discussions on challenging topics – such as risk appetite and the portfolio view of risk
• Addresses the evolving role of technology – in influencing an organization’s strategy, business context and how it manages risk
• Coming soon: Compendium of Examples – highlighting the implementation of principles across a variety of industries and entity types
The new Framework adopts a components and principles structure

[Diagram of the five components and twenty principles not reproduced]

Explores the expanded benefits of ERM

• Increasing the range of opportunities – By considering all possibilities, both positive and negative aspects of risk, management can identify new opportunities and associated challenges
• Identifying and managing risks entity-wide – Management identifies and manages these entity-wide risks to sustain and improve performance
• Increasing positive outcomes – Improve management’s ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses
• Reducing performance variability – Management can anticipate the risks that would affect performance and put in place the actions needed to minimize disruption and maximize opportunity
• Improving resource deployment – Risk information enables management, in the face of finite resources, to prioritize resource deployment and enhance resource allocation
• Enhancing enterprise resilience – Enhance management’s ability to anticipate and respond to change, not only to survive but also to evolve and thrive

• Enterprise risk management frameworks are as varied as the organizations they support.
• In their infancy, many frameworks focus on increasing positive outcomes and identifying entity-wide risks.
• Boards, senior management and stakeholders are increasingly expecting ERM to reduce performance variability, improve resource deployment and enhance enterprise resilience.
• This will often require that the capabilities and practices of an organization evolve in line with increasing expectations.
• The effectiveness of an enterprise risk management Framework is founded on fostering, designing and implementing the culture, capabilities and practices that align to intended benefits.
• A more detailed discussion of the benefits of ERM can be found in the COSO Executive Summary.
Question 1:
During the development of the ERM Framework, we heard repeated calls for a closer link with risk and strategy. Do you feel:

a) it is time to get risk at the strategic planning table
b) many are still trying to find their way in this conversation
c) this is a wasted effort and nothing will change at the strategy level

Focuses on integrating risk and strategy

Studies have confirmed that the strategy setting process is a critical area of integration for enterprise risk management.

• Strategic blunders account for a majority of the losses in shareholder value compared to operational events, incidents or compliance failures
• Research suggests that organizations are looking to strengthen the integration between strategy and enterprise risk management

81% of the greatest losses in shareholder value since 2002 were attributable to ‘strategic blunders’*

[Chart: share of losses by category – Operational, Compliance, Strategic, External; values not reproduced]

*U.S. public companies around the world with at least US$1 billion in enterprise value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle and Pencavel, “The Lesson in Lost Value”, Strategy+Business, November, 2012

Focuses on integrating risk and strategy (cont’d)

The updated Framework elevates the discussion of integrating strategy and risk through three different dimensions:

1. The possibility of strategy not aligning with mission, vision and core values
2. The implications from the strategy chosen
3. Risk to strategy and performance

Where do your ERM efforts currently focus, and how closely does it align to value creation, realization and preservation?

Question 2:
We've been getting lots of input about the need to bring risk considerations into decision-making. Would you say that is:

a) a widely held view
b) necessary but far from reality
c) a voice from the louder minority

New graphics depict the alignment between risk and performance

Questions for your organization:
• Is the risk assumed by the entity, when setting performance targets, understood?
• What assumptions inform the shape of the risk curve?
• Do existing key indicators demonstrate movement along the curve?
• What level of performance is assumed when assessing impact and likelihood?

[Chart: Business objective: Increase sales. Risk curve plotting Amount of Risk against Performance (Number of Units Sold), with Risk Appetite, Acceptable Variation and Performance Target marked; annotation: “Where on the curve should ERM focus?”]

Explores managing risk at all altitudes of the organization

The Framework highlights that risks emanate and must be managed at all levels of the organization. The Framework explores how risks can manifest at multiple levels within an organization, with some risks directly impacting the entity strategy while others impact business objectives.

The Framework also addresses how risks can change in severity and prioritization at different levels of the organization, and how the impacts of correlation and diversification are considered when analyzing the risk profile or portfolio view of risk.

[Diagram: Entity Strategy → Entity Level Business Objective 1, Entity Level Business Objective 2 → Business Objective 1, Business Objective 2, Business Objective 3 → Risk 1, Risk 2, Risk 3, Risk 4]

• Risk frameworks should ensure existing risk identification and assessment practices account for risks occurring at different levels of the organization
• Risk capabilities should account for how risk ratings and responses may exist and change at different altitudes within an organization
• Management should designate appropriate roles and responsibilities for the management of risk and execution of risk responses

How the Framework emphasizes technology

The Framework recognizes the importance of enterprise risk management keeping pace with technological developments

• Framework emphasizes how enterprise risk management practices and capabilities need to align with the velocity of changes to the business context, emerging and changing risks
• Information, Communication and Reporting principles now have a greater focus on integrated risk and performance reporting
• Developments in data generation and analytics including ‘big data’, artificial intelligence and social media have been acknowledged
• Discussions on the accuracy, completeness and timeliness of data have been retained in the COSO Internal Control Integrated Framework

90% – Data Generation: proportion of data that exists today that was created in the past two years
0.5% – Data Analysis: only a small fraction of available data is currently analyzed
27% – Impact on Industry: percentage of CEOs that believe technology will completely reshape their industry
Written from the perspective of the business

The framework was written from the perspective of the business to facilitate the integration of ERM and support acceptance and adoption by the business.

What we heard…
“We need more from risk.”
“Risk isn’t enough of a business partner.”
“Risk shouldn’t be done to us, it should be done with us.”

• Research has confirmed that there is often a ‘siloed’ approach to risk that is separate from the day to day management of an organization
• Risk management is perceived as an incremental activity performed by those independent of the business
• The lack of integration can contribute to difficulties engaging with the business, the ability to gain and offer insight and ultimately curbs the value that ERM can offer
• The Framework endeavors to remove risk ‘jargon’ and adopts the language of business to discuss concepts and practices
• By using the same language, the Framework hopes to promote acceptance and adoption of ERM by the organization

Note: In practice, ERM often refers to a team, department or a part of the ‘lines of defense’; however, within the Framework it is discussed in the context of an organization’s culture, capabilities and practices used to manage risk.
How the Framework addresses culture

• Culture now features in the definition of ERM and is part of the Framework’s Governance and Culture Component
• Principles on culture are now more focused on decision-making and the alignment to expected behaviors in line with the core values of the organization
• The importance of aligning the core values and risk appetite of the organization to promote consistent and risk-based decision making

COSO ERM Definition: The culture, capabilities and practices, integrated with strategy setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value

Discussions on the importance and commitment to integrity and ethics have been retained in the COSO Internal Control Integrated Framework

Deeper discussions on other challenging topics

Risk Appetite – Enhanced discussions on:
• Alignment of Risk Appetite and Strategy
• Delineation between risk appetite and tolerance
• Consideration of risk appetite as an evaluative vs decision-making tool
• Alignment of risk appetite to risk assessment and the portfolio view of risk

Risk Assessment – Additional focus on:
• Articulating risks relative to business objectives and performance
• Developing severity measures and prioritization criteria given the risk appetite of the organization
• Risk assessments at different levels including new illustrative graphics relating to aggregation

Portfolio View and Aggregation – Greater detail provided on:
• Graphical representations of portfolio view
• Emphasis on a business objective centric view of risk
• Alignment to strategy and resource deployment
• Tie to integrated performance monitoring and reporting

Requests for additional guidance represented some of the most common feedback the PwC Project Team received during the Public Comment Period.
Compendium of Examples

Coming Soon…

A compendium of examples is also being developed. The proposed compendium will illustrate:
• All principles
• A variety of entity sizes from global through to national, regional, and local entities
• A variety of industry types
• Actual company practices, augmented with expected practices in select areas, as needed
• Written from the perspective of the business

Examples:
• Governance in a Higher Education Institution
• Culture in a Government Entity
• Culture in a Financial Services Company
• Strategy and Objective-Setting in an Energy Company
• Strategy and Objective-Setting in a Not-for-Profit Entity
• Performance in a Consumer Products Company
• Performance in a Technology Company
• Review and Revision in an Industrial Products Company
• Risk Information in a Healthcare Company

Question 3:
Where do you see yourself choosing to focus with regards to the Framework’s adoption?

a) risk's relevance to strategy
b) risk's relationship to performance
c) culture's consideration of risk

OR

d) I have no idea or don’t plan to do anything with my program

Practical ideas for how to get started…

1) Identify the benefits being sought from ERM by your organization
2) Determine the desired integration of enterprise risk management within the organization
3) Prioritize the initiatives and resources required to implement or enhance existing cultures, capabilities and practices

Aligning Culture
• Secure board and senior management endorsement for implementing or enhancing the Enterprise Risk Management Framework
• Incorporate risk management expectations into training and incentives to enhance consistency in decision-making
• Communicate and clarify roles and responsibilities for risk management

Augmenting Capabilities
• Invest in tools, templates or technology that support risk management activities and decision-making
• Include third party providers and vendors in discussions on risk and performance
• Encourage discussion of entity’s risk appetite and profile within governance forums and as part of management decision-making

Enhancing Practices
• Evaluate whether current practices align with desired integration and achieve benefits sought from ERM
• Review risk identification, assessment, prioritization and response processes for opportunities for enhancement
• Analyze reporting practices for opportunities to further integrate with performance reporting

[Pull-out statistic, value not preserved in the extracted text: percentage of respondents that stated implementation of effective ERM Frameworks as the most common challenge in deriving its expected benefits]
Where to next?

Encourage your risk professionals to:
• Sync with the language of business in your organization
• Understand how the organization creates, realizes and preserves value and the supporting assumptions
• Develop a clear understanding of where ERM is integrated… from strategy through performance
• Understand the relationship between risk and culture… and form thoughts specific to your organization

Challenge your organization to not:
• View ERM simply as a function, team or department
• Focus solely on managing the list of risks
• Consider ERM to be a stand-alone, periodic risk assessment or heat map
• View GRC technology as the entire approach for implementing ERM


More information
Staying involved

Access the Framework at www.coso.org

View videos, blogs and articles at http://www.pwc.com/us/en/risk-management/coso-erm-framework

Dennis L Chesley
Partner
Tel: 917-348-1705
Dennis.l.chesley@pwc.com

Thank you

© 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should
not be used as a substitute for consultation with professional advisors.

At PwC, our purpose is to build trust in society and solve important problems. PwC is a network of firms in 157 countries with more than 223,000 people who are
committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com/us.
