THE UPDATED COSO ERM FRAMEWORK: WHAT TO EXPECT AS INTERNAL AUDIT – Part 3
Background
In the previous newsletter we explored the updated COSO ERM framework and discussed the five interrelated components of Enterprise Risk Management. In this edition, the last part of our discussion, we will further investigate the changes to the ERM framework and discuss the principles. The principles represent the fundamental concepts associated with each component. They are worded as things organisations would do as part of the entity’s enterprise risk management practices.
Before we look at the principles, a quick note on the assessment of Enterprise Risk Management and the role that Internal Auditors can play. Remember that an organisation should be able to provide some comfort to its stakeholders that it is able to manage the risks associated with its strategy and business objectives to an acceptable level. The organisation therefore has to assess the adequacy and effectiveness of the risk management practices and processes it has in place. As part of Internal Audit’s mandate we must provide an opinion on the organisation’s Governance, Risk Management and Control processes, and we are therefore in an ideal position to assist in this assessment. Using the new COSO ERM framework as a guide, Internal Audit can assess whether:
- The components and principles relating to enterprise risk management are present and functioning.
- The components relating to enterprise risk management are operating together in an integrated manner.
- Controls necessary to effect the principles are present and functioning.
We will now briefly discuss these principles as they pertain to each of the five components:
1. Risk Governance and Culture
The following Principles relate to Risk Governance and Culture:
- Exercises Board Risk Oversight
The board of directors provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives.
- Establishes Governance and Operating Model
The organisation establishes governance and operating structures in the pursuit of strategy and business objectives.
- Defines Desired Organisational Behaviours
The organisation defines the desired behaviours that characterize the entity’s core values and attitudes toward risk.
- Demonstrates Commitment to Integrity and Ethics
The organisation demonstrates a commitment to integrity and ethical values.
- Enforces Accountability
The organisation holds individuals at all levels accountable for enterprise risk management, and holds itself accountable for providing standards and guidance.
- Attracts, Develops, and Retains Talented Individuals
The organisation is committed to building human capital in alignment with the strategy and business objectives.
2. Risk, Strategy, and Objective-Setting
The following Principles relate to Risk, Strategy, and Objective-Setting:
- Considers Risk and Business Context
The organisation considers potential effects of business context on risk profile.
- Defines Risk Appetite
The organisation defines risk appetite in the context of creating, preserving, and realizing value.
- Evaluates Alternative Strategies
The organisation evaluates alternative strategies and impact on risk profile.
- Considers Risk while Establishing Business Objectives
The organisation considers risk while establishing the business objectives at various levels that align and support strategy.
- Defines Acceptable Variation in Performance
The organisation defines acceptable variation in performance relating to strategy and business objectives.
3. Risk in Execution
The following Principles relate to Risk in Execution:
- Identifies Risk in Execution
The organisation identifies risk in execution that impacts the achievement of business objectives.
- Assesses Severity of Risk
The organisation assesses the severity of risk.
- Prioritises Risks
The organisation prioritises risks as a basis for selecting responses to risks.
- Identifies and Selects Risk Responses
The organisation identifies and selects risk responses.
- Develops Portfolio View
The organisation develops and evaluates a portfolio view of risk.
- Assesses Risk in Execution
The organisation assesses operating performance results and considers risk.
4. Risk Information, Communication, and Reporting
The following Principles relate to Risk Information, Communication, and Reporting:
- Uses Relevant Information
The organisation uses information that supports enterprise risk management.
- Leverages Information Systems
The organisation leverages the entity’s information systems to support enterprise risk management.
- Communicates Risk Information
The organisation uses communication channels to support enterprise risk management.
- Reports on Risk, Culture, and Performance
The organisation reports on risk, culture, and performance at multiple levels of and across the entity.
5. Monitoring Enterprise Risk Management Performance
The following Principles relate to Monitoring Enterprise Risk Management Performance:
- Monitoring Substantial Change
The organisation identifies and assesses internal and external changes that may substantially impact strategy and business objectives.
- Monitors Enterprise Risk Management
The organisation monitors enterprise risk management performance.
The above Principles can clearly also be excellent guidance to Internal Auditors during their assessment of the adequacy and effectiveness of the organisation’s Enterprise Risk Management structures.
We trust that you will be able to use this guidance, together with the detail provided in the COSO framework, to assess and provide an opinion on your organisation’s Enterprise Risk Management efforts. Kindly look at the courses that Crest Advisory Africa has to offer on various topics relating to ERM to further enhance your understanding and knowledge of the topic: View courses here
Happy auditing.