BEC: 1B - Enterprise Risk Management (ERM) Framworks

COSO's ERM Framework (2004 vs. 2017)

-The original 2004 COSO Enterprise Risk Management (ERM) framework introduced a risk-based, rather than a controls-based, approach, and focused on the elements of an internal control integrated framework. One objective was to ensure compliance with laws, rules, and regulations. The 2017 updated framework (which did not replace the original framework but rather enhanced it) focuses on the importance of considering risk in both the strategy-setting process and in driving performance. -The 2017 framework's objectives include expanding reporting to address expectations for greater stakeholder transparency; enhancing alignment between performance and enterprise risk management; and accommodating evolving technologies and the proliferation of data and analytics.

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is:

-a manager within the department because a manager within the department has the most detailed knowledge of risks in that department

Enterprise Risk Management (ERM) definition:

-management plans, organizes, leads, and controls the organization's activities in order to minimize risk and cut back on costs

The Enterprise Risk Management—Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a:

-process effected by an entity's board of directors, management, and other personnel

Per 2004 COSO, what does the ERM model include as internal environment issues?

-this is essentially the "tone at the top" -risk management philosophy -risk appetite -integrity and ethical values -accountability -commitment to competence

The 2017 COSO ERM Framework consists of five interrelated components:

1. Governance and Culture: This component includes the importance of an effective tone at the top and the role of culture in supporting effective ERM. 2. Strategy and Objective-Setting: This component emphasizes the important integration of ERM, strategy and objective-setting to emphasize how effective ERM should be an important strategic tool. 3. Performance: This component highlights the importance of identifying, assessing, responding, and reporting on risks that are linked to the achievement of strategy and business objectives. 4. Review and Revision: The component describes how the evaluation of performance may shed insights on how well the ERM process is functioning and what revisions may be needed. 5. Information, Communication, and Reporting: This component emphasizes that ERM is a continual process that requires ongoing identification and sharing of risk and strategy information.

COSO's ERM framework consists of 8 components which include:

1. internal environment 2. objective setting 3. event identification 4. risk assessment 5. risk response 6. control activities 7. information & communication 8. monitoring

COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, consists of XX interrelated components, which are supported by a set of XX principles

5, 20

Who is the person ultimately responsible for enterprise risk management within a company?

CEO

T/F: One of the benefits of an integrated ERM (enterprise risk management) is an decreased range of opportunities

False - increased

T/F: The external environment is part of the enterprise risk management (ERM) model per 2004 COSO

False - is not part of the ERM model

T/F: The ERM framework takes a risk-based approach rather than a controls-based approach

True

T/F: The ERM model does include internal environment issues per 2004 COSO

True