In the previous newsletter we explored the updated COSO ERM framework and discussed the five interrelated components of Enterprise Risk Management. In this edition, the last part of our discussion, we look further at the changes to the ERM framework and discuss the principles. The principles represent the fundamental concepts associated with each component and are worded as things an organisation would do as part of its enterprise risk management practices.

Before we look at the principles, a quick note on the assessment of Enterprise Risk Management and the role that Internal Auditors can play. Remember that an organisation should be able to give its stakeholders some comfort that it can manage the risks associated with its strategy and business objectives to an acceptable level. The organisation therefore has to assess the adequacy and effectiveness of the risk management practices and processes it has in place. Part of Internal Audit's mandate is to provide an opinion on the organisation's Governance, Risk Management and Control processes, so we are ideally placed to assist in this assessment. Using the new COSO ERM framework as a guide, Internal Audit can assess whether:

  • The components and principles relating to enterprise risk management are present and functioning.
  • The components relating to enterprise risk management are operating together in an integrated manner.
  • The controls necessary to effect the principles are present and functioning.

We will now briefly discuss these principles as they pertain to each of the five components:

1. Risk Governance and Culture

The following Principles relate to Risk Governance and Culture:

  1. Exercises Board Risk Oversight

The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.

  2. Establishes Governance and Operating Model

The organisation establishes governance and operating structures in the pursuit of strategy and business objectives.

  3. Defines Desired Organisational Behaviours

The organisation defines the desired behaviours that characterize the entity’s core values and attitudes toward risk.

  4. Demonstrates Commitment to Integrity and Ethics

The organisation demonstrates a commitment to integrity and ethical values.

  5. Enforces Accountability

The organisation holds individuals at all levels accountable for enterprise risk management, and holds itself accountable for providing standards and guidance.

  6. Attracts, Develops, and Retains Talented Individuals

The organisation is committed to building human capital in alignment with the strategy and business objectives.

2. Risk, Strategy, and Objective-Setting

The following Principles relate to Risk, Strategy, and Objective-Setting:

  1. Considers Risk and Business Context

The organisation considers the potential effects of business context on its risk profile.

  2. Defines Risk Appetite

The organisation defines risk appetite in the context of creating, preserving, and realizing value.

  3. Evaluates Alternative Strategies

The organisation evaluates alternative strategies and their impact on its risk profile.

  4. Considers Risk while Establishing Business Objectives

The organisation considers risk while establishing the business objectives at various levels that align with and support strategy.

  5. Defines Acceptable Variation in Performance

The organisation defines acceptable variation in performance relating to strategy and business objectives.

3. Risk in Execution

The following Principles relate to Risk in Execution:

  1. Identifies Risk in Execution

The organisation identifies risk in execution that impacts the achievement of business objectives.

  2. Assesses Severity of Risk

The organisation assesses the severity of risk.

  3. Prioritises Risks

The organisation prioritises risks as a basis for selecting responses to risks.

  4. Identifies and Selects Risk Responses

The organisation identifies and selects risk responses.

  5. Develops Portfolio View

The organisation develops and evaluates a portfolio view of risk.

  6. Assesses Risk in Execution

The organisation assesses operating performance results and considers risk.

4. Risk Information, Communication, and Reporting

The following Principles relate to Risk Information, Communication, and Reporting:

  1. Uses Relevant Information

The organisation uses information that supports enterprise risk management.

  2. Leverages Information Systems

The organisation leverages the entity’s information systems to support enterprise risk management.

  3. Communicates Risk Information

The organisation uses communication channels to support enterprise risk management.

  4. Reports on Risk, Culture, and Performance

The organisation reports on risk, culture, and performance at multiple levels of and across the entity.

5. Monitoring Enterprise Risk Management Performance

The following Principles relate to Monitoring Enterprise Risk Management Performance:

  1. Monitors Substantial Change

The organisation identifies and assesses internal and external changes that may substantially impact strategy and business objectives.

  2. Monitors Enterprise Risk Management

The organisation monitors enterprise risk management performance.

The above Principles are clearly also excellent guidance for Internal Auditors when assessing the adequacy and effectiveness of the organisation’s Enterprise Risk Management structures.

We trust that you will be able to use this guidance, together with the detail provided in the COSO framework, to assess and provide an opinion on your organisation’s Enterprise Risk Management efforts. Kindly look at the courses that Crest Advisory Africa has to offer on various topics relating to ERM to further enhance your understanding and knowledge of the topic: View courses here

Happy auditing.